Final Safety Analysis Report, Rev. 30, Chapter 7, Instruments and Controls
ML17212A077
Site: Millstone
Issue date: 06/29/2017
From: Dominion Nuclear Connecticut
To: Office of Nuclear Reactor Regulation
Shared Package: ML17212A038
References: 17-208


MPS-3 FSAR Millstone Power Station Unit 3 Safety Analysis Report Chapter 7

MPS-3 FSAR CHAPTER 7 - INSTRUMENTS AND CONTROLS

Table of Contents

Section  Title  Page

7.1 INTRODUCTION  7.1-1
7.1.1 Identification of Safety Related Systems  7.1-3
7.1.1.1 Safety Related Systems  7.1-3
7.1.1.1.1 Reactor Trip System  7.1-4
7.1.1.1.2 Engineered Safety Features Actuation System  7.1-4
7.1.1.1.3 Instrumentation and Control Power Supply System  7.1-4
7.1.1.2 Safety Related Display Instrumentation  7.1-4
7.1.1.3 Instrumentation and Control System Designers  7.1-4
7.1.1.4 Plant Comparison  7.1-4
7.1.1.5 Alarms  7.1-4
7.1.1.6 Communication Systems  7.1-5
7.1.2 Identification of Safety Criteria  7.1-5
7.1.2.1 Design Bases  7.1-5
7.1.2.1.1 Reactor Trip System  7.1-5
7.1.2.1.2 Engineered Safety Features Actuation System  7.1-6
7.1.2.1.3 Instrumentation and Control Power Supply System  7.1-7
7.1.2.1.4 Emergency Power  7.1-7
7.1.2.1.5 Interlocks  7.1-7
7.1.2.1.6 Bypasses  7.1-7
7.1.2.1.7 Equipment Protection  7.1-8
7.1.2.1.8 Diversity  7.1-8
7.1.2.1.9 Bistable Trip Set Points  7.1-8
7.1.2.1.10 Engineered Safety Features Motor Specifications  7.1-10
7.1.2.2 Independence of Redundant Safety Related Systems  7.1-10
7.1.2.2.1 General (Include Regulatory Guide 1.75 and IEEE Standard 384-1974)  7.1-10
7.1.2.2.2 Specific Systems  7.1-11
7.1.2.2.3 Fire Protection  7.1-13
7.1.2.3 Physical Identification of Safety Related Equipment  7.1-13
7.1.2.4 Conformance to Criteria  7.1-14
7.1.2.5 Conformance to Regulatory Guide 1.22  7.1-14
7.1.2.6 Conformance to Regulatory Guide 1.47  7.1-19
7.1.2.7 Conformance to Regulatory Guide 1.53 and IEEE Standard 379-1972  7.1-19
7.1.2.8 Conformance to Regulatory Guide 1.63  7.1-19
7.1.2.9 Conformance to IEEE Standard 317-1972  7.1-19
7.1.2.10 Conformance to IEEE Standard 336-1971  7.1-19
7.1.2.11 Conformance to IEEE Standard 338-1971  7.1-20
7.1.3 Reference for Section 7.1  7.1-21
7-i Rev. 30

7.2 REACTOR TRIP SYSTEM  7.2-1
7.2.1 Description  7.2-1
7.2.1.1 System Description  7.2-1
7.2.1.1.1 Functional Performance Requirements  7.2-2
7.2.1.1.2 Reactor Trips  7.2-2
7.2.1.1.3 Reactor Trip System Interlocks  7.2-10
7.2.1.1.4 Coolant Temperature Sensor Arrangement  7.2-12
7.2.1.1.5 Pressurizer Water Level Reference Leg Arrangement  7.2-12
7.2.1.1.6 Analog System  7.2-12
7.2.1.1.7 Solid State Logic Protection System  7.2-13
7.2.1.1.8 Isolators  7.2-14
7.2.1.1.9 Energy Supply and Environmental Variations  7.2-14
7.2.1.1.10 Setpoints  7.2-14
7.2.1.1.11 Seismic Design  7.2-15
7.2.1.2 Design Bases Information  7.2-15
7.2.1.2.1 Generating Station Conditions  7.2-15
7.2.1.2.2 Generating Station Variables  7.2-15
7.2.1.2.3 Spatially Dependent Variables  7.2-16
7.2.1.2.4 Limits, Margins, and Setpoints  7.2-16
7.2.1.2.5 Abnormal Events  7.2-17
7.2.1.2.6 Minimum Performance Requirements  7.2-17
7.2.1.3 Final Systems Drawings  7.2-18
7.2.2 Analyses  7.2-18
7.2.2.1 Failure Mode and Effects Analyses  7.2-18
7.2.2.2 Evaluation of Design Limits  7.2-18
7.2.2.2.1 Trip Setpoint Discussion  7.2-18
7.2.2.2.2 Reactor Coolant Flow Measurement  7.2-20
7.2.2.2.3 Evaluation of Compliance to Applicable Codes and Standards  7.2-20
7.2.2.3 Specific Control and Protection Interactions  7.2-29
7.2.2.3.1 Neutron Flux  7.2-29
7.2.2.3.2 Reactor Coolant Temperature  7.2-30
7.2.2.3.3 Pressurizer Pressure  7.2-30
7.2.2.3.4 Pressurizer Water Level  7.2-31
7.2.2.3.5 Steam Generator Water Level  7.2-31
7.2.2.4 Additional Postulated Accidents  7.2-32
7.2.3 Tests and Inspections  7.2-33
7.2.4 References for Section 7.2  7.2-33

7.3 ENGINEERED SAFETY FEATURES SYSTEM  7.3-1
7.3.1 Description  7.3-1
7.3.1.1 System Description  7.3-1
7.3.1.1.1 Function Initiation  7.3-2
7.3.1.1.2 Analog Circuitry  7.3-4
7.3.1.1.3 Digital Circuitry  7.3-4
7.3.1.1.4 Final Actuation Circuitry  7.3-4
7.3.1.1.5 ESF and Essential Auxiliary Support Systems  7.3-5
7.3.1.2 Design Bases Information  7.3-58
7.3.1.2.1 Generating Station Conditions  7.3-58
7.3.1.2.2 Generating Station Variables  7.3-58
7.3.1.2.3 Spatially Dependent Variables  7.3-59
7.3.1.2.4 Limits, Margins, and Set points  7.3-59
7.3.1.2.5 Abnormal Events  7.3-59
7.3.1.2.6 Minimum Performance Requirements  7.3-60
7.3.1.3 Final System Drawings  7.3-60
7.3.2 Analysis  7.3-60
7.3.2.1 Failure Modes and Effects Analysis  7.3-61
7.3.2.2 Compliance with Standards and Design Criteria  7.3-62
7.3.2.2.1 Single Failure Criteria  7.3-62
7.3.2.2.2 Equipment Qualification  7.3-62
7.3.2.2.3 Channel Independence  7.3-62
7.3.2.2.4 Control and Protection System Interaction  7.3-62
7.3.2.2.5 Capability for Sensor Checks and Equipment Test Calibration  7.3-62
7.3.2.2.6 Manual Resets and Blocking Features  7.3-70
7.3.2.2.7 Manual Initiation of Protective Actions (Regulatory Guide 1.62)  7.3-71
7.3.2.3 Further Considerations  7.3-71
7.3.2.3.1 Instrument Air and Component Cooling  7.3-71
7.3.2.4 Summary  7.3-72
7.3.2.4.1 Loss-of-Coolant Protection  7.3-72
7.3.2.4.2 Steam Line Break Protection  7.3-73
7.3.3 References for Section 7.3  7.3-74
7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN  7.4-1
7.4.1 Description  7.4-2
7.4.1.1 Monitoring Indicators  7.4-2
7.4.1.2 Controls  7.4-3
7.4.1.2.1 General Considerations  7.4-3
7.4.1.2.2 Pumps and Fans  7.4-3

7.4.1.2.3 Emergency Generators  7.4-4
7.4.1.2.4 Valves and Heaters  7.4-4
7.4.1.3 Control Room Evacuation  7.4-5
7.4.1.4 Equipment and Systems Necessary for Cold Shutdown  7.4-5
7.4.1.5 Other Considerations  7.4-6
7.4.2 Analysis  7.4-6
7.5 SAFETY RELATED DISPLAY INSTRUMENTATION  7.5-1
7.5.1 Description  7.5-1
7.5.1.1 Safety Parameter Display System  7.5-2
7.5.1.2 Emergency Response Facilities  7.5-2
7.5.2 Analysis  7.5-2
7.5.3 Compliance with other Regulatory Requirements  7.5-2
APPENDIX 7.5A Millstone Unit 3 Deviations to Regulatory Guide 1.97 Revision 2  i
    Table of Contents  ii
7.6 ALL OTHER SYSTEMS REQUIRED FOR SAFETY  7.6-1
7.6.1 Instrumentation and Control Power Supply System  7.6-1
7.6.2 Residual Heat Removal Isolation Valves  7.6-1
7.6.2.1 Description  7.6-1
7.6.2.2 Analysis  7.6-2
7.6.3 Refueling Interlocks  7.6-2
7.6.4 Accumulator Motor-Operated Valves  7.6-2
7.6.5 Reactor Coolant System Loop Isolation Valve Interlocks  7.6-3
7.6.6 Fuel Pool Cooling and Purification System  7.6-4
7.6.6.1 Description  7.6-4
7.6.6.2 Analysis of Fuel Pool Cooling and Purification System  7.6-5
7.6.7 Containment Leakage Monitoring System (Containment Atmosphere Pressure and Temperature Monitoring Instrumentation)  7.6-6
7.6.7.1 Description  7.6-6
7.6.7.2 Analysis  7.6-7
7.6.8 Interlocks for RCS Pressure Control during Low-Temperature Operation  7.6-8
7.6.8.1 Description  7.6-8
7.6.8.2 Analysis of Interlock  7.6-8
7.6.8.3 Pressurizer Pressure Relief System  7.6-9
7.6.9 Heat Tracing of Safety-Related Systems  7.6-10
7.6.10 Shutdown Margin Monitor  7.6-11
7.6.10.1 Description  7.6-11
7.6.10.2 Function  7.6-11

7.6.11 References for Section 7.6  7.6-12
7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY  7.7-1
7.7.1 Description  7.7-1
7.7.1.1 Reactor Control System  7.7-3
7.7.1.2 Rod Control System  7.7-4
7.7.1.2.1 Full Length Rod Control System  7.7-4
7.7.1.3 Plant Control Signals for Monitoring and Indicating  7.7-5
7.7.1.3.1 Monitoring Functions Provided by the Nuclear Instrumentation System  7.7-5
7.7.1.3.2 Rod Position Monitoring of Full Length Rods  7.7-6
7.7.1.3.3 Control Bank Rod Insertion Monitoring  7.7-7
7.7.1.3.4 Rod Deviation Alarm  7.7-9
7.7.1.3.5 Rod Bottom Alarm  7.7-9
7.7.1.4 Plant Control System Interlocks  7.7-9
7.7.1.4.1 Rod Stops  7.7-9
7.7.1.4.2 Automatic Turbine Load Runback  7.7-10
7.7.1.4.3 Turbine Loading Stop  7.7-10
7.7.1.5 Pressurizer Pressure Control  7.7-10
7.7.1.6 Pressurizer Water Level Control  7.7-11
7.7.1.7 Steam Generator Water Level Control  7.7-12
7.7.1.8 Steam Dump Control  7.7-12
7.7.1.8.1 Load Rejection Steam Dump Controller  7.7-13
7.7.1.8.2 Plant Trip Steam Dump Controller  7.7-13
7.7.1.8.3 Steam Header Pressure Controller  7.7-13
7.7.1.9 Incore Instrumentation  7.7-13
7.7.1.9.1 Thermocouples  7.7-14
7.7.1.9.2 Movable Neutron Flux Detector Drive System  7.7-14
7.7.1.9.3 Control and Readout Description  7.7-14
7.7.2 Analysis  7.7-15
7.7.2.1 Separation of Protection and Control System  7.7-16
7.7.2.2 Response Considerations of Reactivity  7.7-17
7.7.2.3 Step Load Changes without Steam Dump  7.7-19
7.7.2.4 Loading and Unloading  7.7-19
7.7.2.5 Load Rejection Furnished by Steam Dump System  7.7-20
7.7.2.6 Turbine-Generator Trip With Reactor Trip  7.7-21
7.7.2.7 Operational Transient Analysis  7.7-22
7.7.3 Reference for Section 7.7  7.7-23

7.8 ANTICIPATED TRANSIENTS WITHOUT SCRAM MITIGATION SYSTEM ACTUATION CIRCUITRY  7.8-1
7.8.1 Description  7.8-1
7.8.1.1 System Description  7.8-1
7.8.1.2 Equipment Description  7.8-1
7.8.1.3 Functional Performance Requirements  7.8-3
7.8.1.4 AMSAC Interlocks  7.8-3
7.8.1.5 Trip System  7.8-3
7.8.1.6 Isolation Devices  7.8-4
7.8.1.7 AMSAC Diversity From the Reactor Protection Systems  7.8-4
7.8.1.8 Power Supply  7.8-4
7.8.1.9 Environmental Variations  7.8-4
7.8.1.10 Set Points  7.8-5
7.8.2 Analysis  7.8-5
7.8.2.1 Safety Classification/Safety Related Interface  7.8-5
7.8.2.2 Redundancy  7.8-5
7.8.2.3 Diversity From the Existing Trip System  7.8-5
7.8.2.4 Electrical Independence  7.8-6
7.8.2.5 Physical Separation From the RTS and ESFAS  7.8-6
7.8.2.6 Environmental Qualification  7.8-6
7.8.2.7 Seismic Qualification  7.8-6
7.8.2.8 Test, Maintenance, and Surveillance Quality Assurance  7.8-6
7.8.2.9 Power Supply  7.8-7
7.8.2.10 Testability at Power  7.8-7
7.8.2.11 Inadvertent Actuation  7.8-7
7.8.2.12 Bypass  7.8-8
7.8.2.12.1 Maintenance Bypasses  7.8-8
7.8.2.12.2 Operating Bypasses  7.8-8
7.8.2.12.3 Indication of Bypasses  7.8-8
7.8.2.12.4 Means for Bypassing  7.8-8
7.8.2.13 Completion of Mitigative Actions Once Initiated  7.8-8
7.8.2.14 Manual Initiation  7.8-8
7.8.2.15 Information Readout  7.8-9
7.8.2.16 Compliance With Standards and Design Criteria  7.8-9

MPS-3 FSAR CHAPTER 7 - INSTRUMENTATION AND CONTROLS

List of Tables

Number  Title

7.1-1 Listing of Applicable Criteria
7.2-1 List of Reactor Trips
7.2-2 Protection System Interlocks
7.2-3 Reactor Trip System Instrumentation
7.2-4 Reactor Trip Correlation
7.3-1 Interlocks for Engineered Safety Features Actuation System
7.3-2 Engineered Safety Features Actuation System Instrumentation
7.3-3 Safety Injection Signal
7.3-4 Containment Isolation Phase A
7.3-5 Steam Line Isolation
7.3-6 Feedwater Isolation
7.3-7 Control Building Isolation
7.3-8 Containment Depressurization Actuation
7.3-9 Containment Isolation Phase B
7.3-10 Instrumentation and Control Systems for Engineered Safety Features and Essential Auxiliary Supporting Systems
7.4-1 Instruments and Controls Outside Control Room for Cold Shutdown
7.5-1 Accident Monitoring Instrumentation List
7.7-1 Plant Control System Interlocks

MPS-3 FSAR NOTE: REFER TO THE CONTROLLED PLANT DRAWING FOR THE LATEST REVISION.

CHAPTER 7 - INSTRUMENTATION AND CONTROLS

List of Figures

Number  Title

7.1-1 Solid State Protection System Block Diagram
7.1-2 Reactor Trip/ESF Actuation Mechanical Linkage for Dual Train Switches
7.2-1 (Sheets 1-19) P&IDs Functional Diagram, Reactor Trip System/Loop Stop Valve Interlocks/Pressurizer Pressure Relief System
7.2-2 Setpoint Reduction Function for Overpower and Overtemperature ΔT Trips
7.3-1 Failure Modes and Effects Analysis Quench Spray System
7.3-2 Fault Tree Diagram Quench Spray System
7.3-3 Typical ESF Test Circuits
7.3-4 Engineered Safeguards Test Cabinet
7.6-1 Logic Diagram for RHS Isolation Valves (with Notes to Figure 7.6-1)
7.6-2 Functional Block Diagram of Accumulator Isolation Valves
7.6-3 Automatic RHS and QSS Pump Shutoff
7.6-4 Reactor Coolant System Loop with Loop Stop Valves
7.7-1 Simplified Block Diagram of Reactor Control System
7.7-2 Control Bank Rod Insertion Monitor
7.7-3 Rod Deviation Comparator
7.7-4 Block Diagram of Pressurizer Pressure Control System
7.7-5 Block Diagram of Pressurizer Level Control System
7.7-6 Block Diagram of Steam Generator Water Level Control System
7.7-7 Block Diagram of Main Feedwater Pump Speed Control System
7.7-8 Block Diagram of Steam Dump Control System
7.7-9 Basic Flux-Mapping System
7.7-10 Not Used
7.7-11 Not Used
7.7-12 Not Used
7.7-13 Not Used
7.7-14 Simplified Block Diagram of Rod Control System
7.7-15 Control Bank B Partial Simplified Schematic Diagram of Power Cabinets 1 BD and 2 BD
7.8-1 Actuation Logic System Architecture

MPS3 UFSAR CHAPTER 7 - INSTRUMENTATION AND CONTROLS

7.1 INTRODUCTION

This chapter presents the various plant instrumentation and control systems by relating the functional performance requirements, design bases, system descriptions, design evaluations, and tests and inspections for each. The information provided in this chapter emphasizes those instruments and associated equipment which constitute the protection system as defined in IEEE Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations.

The primary purpose of the instrumentation and control systems is to provide automatic protection and exercise proper control against unsafe and improper reactor operation during steady state and transient power operations (ANS Conditions I, II, III) and to provide initiating signals to mitigate the consequences of faulted conditions (ANS Condition IV). ANS conditions are discussed in Chapter 15. Consequently, the information presented in this chapter emphasizes those instrumentation and control systems which are central to assuring that the reactor can be operated to produce power in a manner that ensures no undue risk to the health and safety of the public.

It is shown that the applicable criteria and codes, such as General Design Criteria and IEEE Standards, concerned with the safe generation of nuclear power are met by these systems. See Table 7.1-1 for a listing of applicable criteria.

Definitions

Terminology used in this chapter is based on the definitions given in IEEE Standard 279-1971, which is listed in Section 7.1.2. In addition, the following definitions apply:

1. Degree of Redundancy - The difference between the number of channels monitoring a variable and the number of channels which, when tripped, would cause an automatic system trip.
2. Minimum Degree of Redundancy - The degree of redundancy below which operation is prohibited, or otherwise restricted, by the Technical Specifications.
3. Cold Shutdown Condition - A Technical Specifications operational mode where Keff < 0.99 and Tavg ≤ 200°F.
4. Hot Shutdown Condition - A Technical Specifications operational mode where Keff < 0.99 and 350°F > Tavg > 200°F.
5. Phase A Containment Isolation - Closure of all non-essential process lines which penetrate containment initiated manually or by the safety injection signal.


6. Phase B Containment Isolation - Closure of remaining process lines, initiated manually or by the containment Hi-3 pressure signal (process lines do not include engineered safety features lines).
7. System Response Times:
a. Reactor Trip System Response Time The time interval from when the monitored parameter exceeds its trip set point at the channel sensor until loss of stationary gripper coil voltage.
b. Engineered Safety Features System Response Time The time interval from when the monitored parameter exceeds its ESF actuation set point at the channel sensor until the ESF equipment is capable of performing its safety function (i.e., the valves travel to their required positions, pump discharge pressures reach their required values, etc.).

Times shall include diesel generator starting and sequence loading delays where applicable.

8. Reproducibility - This definition is taken from Scientific Apparatus Manufacturers Association (SAMA) Standard PMC-20.1-1973, Process Measurement and Control Terminology: the closeness of agreement among repeated measurements of the output for the same value of input made under the same operating conditions over a period of time, approaching from both directions. It includes drift due to environmental effects, hysteresis, long-term drift, and repeatability. Long-term drift (aging of components, etc.) is not an important factor in accuracy requirements since, in general, the drift is not significant with respect to the time elapsed between testing. Therefore, long-term drift may be eliminated from this definition. Reproducibility, in most cases, is a part of the definition of accuracy (see below).
9. Accuracy - This definition is derived from Scientific Apparatus Manufacturers Association (SAMA) Standard PMC-20.1-1973, Process Measurement and Control Terminology. An accuracy statement for a device falls under Note 2 of the SAMA definition of accuracy, which means reference accuracy or the accuracy of that device at reference operating conditions: reference accuracy includes the combined conformity, hysteresis, and repeatability errors. To adequately define the accuracy of a system, the term reproducibility is useful as it covers normal operating conditions. The following terms, trip accuracy and indicated accuracy etc., would include conformity and reproducibility under normal operating conditions. Where the final result does not have to conform to an actual process variable but is related to another value established by testing, conformity may be eliminated, and the term reproducibility may be substituted for accuracy.


10. Normal Operating Conditions - These conditions cover all normal process temperature and pressure changes. Also included are ambient temperature changes around the transmitter and racks. Not included are accuracies under post-accident conditions.
11. Readout Devices - For consistency, the final device of a complete channel is considered a readout device. This includes indicators, recorders, isolators (nonadjustable), and controllers.
12. Channel Accuracy - This definition includes accuracy of primary element, transmitter and rack modules. It does not include readout devices or rack environmental effects, but does include process and environmental effects on field-mounted hardware. Rack environmental effects are included in the next two definitions to avoid duplication due to dual inputs.
13. Indicated and/or Recorded Accuracy - This definition includes channel accuracy, accuracy of readout devices and rack environmental effects.
14. Trip Accuracy - This definition includes comparator accuracy, channel accuracy, for each input, and rack environmental effects. This is the tolerance expressed in process terms (or percent of span) within which the complete channel must perform its intended trip function. This includes all instrument errors but no process effects such as streaming. The term actuation accuracy may be used where the word trip might cause confusion (for example, when starting pumps and other equipment).
15. Control Accuracy - This definition includes channel accuracy, accuracy of readout devices (isolator, controller), and rack environmental effects. Where an isolator separates control and protection signals, the isolator accuracy is added to the channel accuracy to determine control accuracy, but credit is taken for tuning beyond this point; i.e., the accuracy of these modules (excluding controllers) is included in the original channel accuracy. It is simply defined as the accuracy of the control signal in percent of the span of that signal. This would include gain changes where the control span is different from the span of the measured variable.

Where controllers are involved, the control span is the input span of the controller.

No error is included for the time in which the system is in a nonsteady state condition.

7.1.1 IDENTIFICATION OF SAFETY RELATED SYSTEMS

7.1.1.1 Safety Related Systems

The instrumentation discussed in Chapter 7 that is required to function to achieve the system responses assumed in the safety evaluations, and that needed to shut down the plant safely, is given in this section.

7.1.1.1.1 Reactor Trip System

The reactor trip system (RTS) is a functionally defined system described in Section 7.2. The equipment which provides the trip functions is identified and discussed in Section 7.2. Design bases for the RTS are given in Section 7.1.2.1. Figure 7.1-1 includes a single line diagram of this system.

7.1.1.1.2 Engineered Safety Features Actuation System

The engineered safety features actuation system (ESFAS) is a functionally defined system described in Section 7.3. The equipment which provides the actuation functions is identified and discussed in Section 7.3. Design bases for the ESFAS are given in Section 7.1.2.1.

7.1.1.1.3 Instrumentation and Control Power Supply System

Design bases for the instrumentation and control power supply system are given in Section 7.1.2.1. Further description of this system is provided in Section 7.6.1.

7.1.1.2 Safety Related Display Instrumentation

Display instrumentation provides the operator with information to enable him to monitor the results of engineered safety features actions following a Condition II, III, or IV event. Section 7.5, Table 7.5-1 provides information required to maintain the plant in a hot shutdown condition, or to proceed to cold shutdown.

7.1.1.3 Instrumentation and Control System Designers

All systems discussed in Chapter 7 have definitive functional requirements developed on the basis of the Westinghouse NSSS design. Figure 7.2-1, Sheet 8, defines Westinghouse NSSS scope; the remaining support systems are balance-of-plant (BOP) scope. Regardless of the supplier, the functional requirements necessary to assure plant safety and proper control are clearly delineated.

7.1.1.4 Plant Comparison

System functions for all systems discussed in Chapter 7 that are similar to those of the North Anna 1 and 2 applications are provided in the comparison table in Section 1.3.

7.1.1.5 Alarms

Annunciators are provided on the main control board and on local panels. Each local panel has a common trouble annunciator on the main control board that is alarmed when any annunciator is alarmed on the local panel. The annunciators are nonsafety grade except for the emergency diesel generator and hydrogen recombiner local alarms, which are safety grade. The safety grade systems monitored are not degraded by the annunciators since isolators are used to isolate safety grade circuits from nonsafety grade circuits. The instrumentation section for each system lists the annunciators and the parameters monitored. Isolators are discussed in Section 7.2.

Each Emergency Diesel Generator local annunciator system has isolators that isolate nonsafety inputs. Thus, the integrity of the safety grade annunciator system is maintained. See Section 8.3.1.1.3 for details.

Each Hydrogen Recombiner local annunciator system has isolators to prevent these safety grade annunciators from being degraded by their connection to a nonsafety grade annunciator in the main control room.

7.1.1.6 Communication Systems

Communication systems are discussed in Section 9.5.2.

7.1.2 IDENTIFICATION OF SAFETY CRITERIA

Section 7.1.2.1 gives design bases for the systems given in Section 7.1.1.1. Design bases for nonsafety related systems are provided in the sections which describe the systems. Conservative considerations for instrument errors are included in the accident analyses presented in Chapter 15.

Functional requirements, developed on the basis of the results of the accident analyses (which have utilized conservative assumptions and parameters), are used in designing these systems, and a pre-operational testing program verifies the adequacy of the design. Accuracies are given in Sections 7.2 and 7.3.

The documents listed in Table 7.1-1 were considered in the design of the systems given in Section 7.1.1. In general, the scope of these documents is given in the document itself. This determines the systems or parts of systems to which the document is applicable. A discussion of compliance with each document for systems in its scope is provided in the referenced sections given in Table 7.1-1 for each criterion. Because some documents were issued after design and testing had been completed, the equipment documentation may not meet the format requirements of some standards. Justification for any exceptions taken to each document for systems in its scope is provided in the referenced sections.

7.1.2.1 Design Bases

7.1.2.1.1 Reactor Trip System

The reactor trip system acts to limit the consequences of Condition II events (incidents of moderate frequency, such as loss of normal feedwater flow) by, at most, a shutdown of the reactor and turbine with the plant capable of returning to operation after corrective action. The reactor trip system features impose a limiting boundary region to plant operation which ensures that the reactor safety limits are not exceeded during Condition II events and that these events can be accommodated without developing into more severe conditions. Reactor trip set points are given in the Technical Specifications.

The design requirements for the reactor trip system are derived by analyses of plant operating and fault conditions where automatic rapid control rod insertion is necessary in order to prevent or limit core or reactor coolant boundary damage. The design bases addressed in IEEE Standard 279-1971 are discussed in Section 7.2.1. The design limits specified by Westinghouse for the reactor trip system are:

1. As a result of any anticipated transient or malfunction (Condition II faults), the departure from nucleate boiling ratio (DNBR) shall not be less than the safety analysis limits (see Section 4.4).
2. Power density shall not exceed the rated linear power density for Condition II faults. See Chapter 4 for fuel design limits.
3. The stress limit of the reactor coolant system for the various conditions shall be as specified in Chapter 5.
4. Release of radioactive material shall not be sufficient to interrupt or restrict public use of those areas beyond the exclusion radius as a result of any Condition III fault.
5. For any Condition IV fault, release of radioactive material shall not result in an undue risk to public health and safety.

7.1.2.1.2 Engineered Safety Features Actuation System

The engineered safety features actuation system acts to limit the consequences of Condition III events (infrequent faults such as primary coolant spillage from a small rupture which exceeds normal charging system makeup and requires actuation of the safety injection system). The engineered safety features actuation system acts to mitigate Condition IV events (limiting faults, which include the potential for significant release of radioactive material).

The design bases for the engineered safety features actuation system are derived from the design bases given in Chapter 6 for the engineered safety features. Design bases requirements of IEEE Standard 279-1971 are addressed in Section 7.3.1.2. General design requirements are given below.

1. Automatic Actuation Requirements - The primary requirement of the engineered safety features actuation system is to receive input signals (information) from the various on-going processes within the reactor plant and containment and automatically provide, as output, timely and effective signals to actuate the various components and subsystems comprising the engineered safety features system.
2. Manual Actuation Requirements - The engineered safety features actuation system must have provisions in the control room for manual initiation.

7.1.2.1.3 Instrumentation and Control Power Supply System

The instrumentation and control power supply system provides continuous, reliable, regulated single phase AC power to all instrumentation and control equipment required for plant safety.

Details of this system are provided in Section 7.6. The design bases are given below:

1. Each inverter has the capacity and regulation required for the AC output for proper operation of the equipment supplied.
2. Redundant loads are assigned to different distribution panels which are supplied from different inverters.
3. Auxiliary devices that are required to operate dependent equipment are supplied from the same distribution panel to prevent the loss of electric power in one protection set from causing the loss of equipment in another protection set. No single failure shall cause a loss of power supply to more than one distribution panel.
4. Each of the distribution panels has access only to its respective inverter supply and a standby power supply.
5. The system complies with IEEE Standard 308-1971, Paragraph 5.4.

7.1.2.1.4 Emergency Power

Design bases and system description for the emergency power supply are provided in Chapter 8.

7.1.2.1.5 Interlocks

Interlocks are discussed in Sections 7.2, 7.3, 7.6, and 7.7. The protection (P) interlocks are given in Tables 7.2-2 and 7.3-3. The safety analyses demonstrate that even under conservative critical conditions for either postulated or hypothetical accidents, the protective systems ensure that the NSSS will be put into and maintained in a safe state following an ANS Condition II, III or IV accident commensurate with applicable Technical Specifications and pertinent ANS Criteria.

Therefore, the protective systems have been designed to meet IEEE Standard 279-1971 and are entirely redundant and separate, including all permissives and blocks. All blocks of a protective function are automatically cleared whenever the protective function is required in accordance with General Design Criteria 20, 21, and 22 and Paragraphs 4.11, 4.12, and 4.13 of IEEE Standard 279-1971. Control interlocks (C) are identified in Table 7.7-1. Because control interlocks are not safety related, they have not been specifically designed to meet the requirements of IEEE Protection System Standards.

7.1.2.1.6 Bypasses

Bypasses are designed to meet the requirements of IEEE Standard 279-1971, Paragraphs 4.11, 4.12, 4.13, and 4.14. A discussion of bypasses provided is given in Sections 7.2 and 7.3.

7.1.2.1.7 Equipment Protection

The criteria for equipment protection are given in Chapter 3. Equipment related to safe operation of the plant is designed, constructed and installed to protect the plant from damage. This is accomplished by working to accepted standards and criteria aimed at providing reliable instrumentation which is available under varying conditions. As an example, certain equipment is seismically qualified in accordance with IEEE Standard 344-1975. Independence and separation are achieved, as required by IEEE Standard 279-1971, IEEE Standard 384-1974 and Regulatory Guide 1.75, either by barriers, physical separation or demonstration test. This serves to protect against complete destruction of a system by fires, missiles or other natural hazards.

7.1.2.1.8 Diversity

Functional diversity has been designed into the system. Functional diversity is discussed in WCAP-7706-L and WCAP-7706. The extent of diverse system variables has been evaluated for a wide variety of postulated accidents.

Regarding the engineered safety features actuation system for a loss-of-coolant accident, a safety injection signal can be obtained manually or by automatic initiation from two diverse parameter measurements:

1. Low pressurizer pressure
2. High containment pressure (Hi-1)

For a steam break accident, safety injection signal actuation is provided by:

1. Low steamline pressure
2. For a steam break inside containment, high containment pressure (Hi-1) provides an additional parameter for generation of the signal
3. Low pressurizer pressure

All of the above sets of signals are redundant and physically separated and meet the requirements of IEEE Standard 279-1971.

7.1.2.1.9 Bistable Trip Set Points

The following parameters are applicable to reactor trip and engineered safety features actuation:

1. Safety limit
2. Allowable value
3. Trip set point

The safety limit is a limit on an important process variable that is necessary to reasonably protect the integrity of physical barriers that guard against the uncontrolled release of radioactivity.

Safety limits such as those for reactor coolant system pressure are found in Section 2.0 of the Technical Specifications.

To accommodate instrument drift which can occur between operational tests and the accuracy to which set points can be measured and calibrated, allowable values for the reactor trip set points have been specified in the Technical Specifications. Operation with the set points less conservative than the reactor trip or engineered safety features trip set point but within the allowable value is acceptable since an allowance has been made in the safety analysis to accommodate these uncertainties.

The set point limits specified in Technical Specifications are the nominal values at which the reactor trips and/or engineered safety features trips are set for each functional unit. The trip set points have been selected to ensure that the core and reactor coolant system are prevented from exceeding their safety limits during normal operation and design basis operational occurrences, and to support the mitigation of limiting accidents.

The methodology used to derive the trip set points is based upon combining all of the uncertainties in the channels. Inherent to the determination of the trip set points are the magnitudes of these channel uncertainties. Sensors and other instrumentation utilized in these channels are expected to be capable of operating within the allowances of these uncertainty magnitudes.

A further discussion on set points is found in Sections 7.2.2.2.1 and 7.3.1.2.6.

The only requirement on the uncertainty of an instrumentation channel is that over the instrument span, the uncertainty must always be less than or equal to the value allowed in the accident analysis. The instrument does not need to be the most accurate at the set point value as long as it meets the minimum accuracy requirement. The accident analysis accounts for the expected uncertainties at the actual set point.

Range selection for the instrumentation covers the expected range of the process variable being monitored consistent with its application. The design of the reactor trip and engineered safety features systems is such that the bistable trip set points are not set within 5 percent of the high and low end of their calibrated span or range. Functional requirements established for every channel in the reactor trip and engineered safety features systems stipulate the maximum allowable errors on accuracy, linearity, and reproducibility. The protection channels have the capability for, and are tested to ascertain that the characteristics throughout the entire span in all aspects are acceptable and meet functional requirement specifications.

The specific functional requirements for response time, set point, and operating span are based on the results and evaluation of safety studies carried out using data pertinent to the plant. Emphasis is placed on establishing adequate performance requirements under both normal and faulted conditions. This includes consideration of process transmitter margins such that, even under the highly improbable situation of full power operation at the limits of the operating map (as defined by the high and low pressure reactor trips, the ΔT overpower and overtemperature trip lines (DNB protection) and the steam generator safety valve pressure set point), adequate instrument response is available to ensure plant safety.
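The set point relationships described in this section (safety limit, allowable value, nominal trip set point, the 5 percent-of-span rule, and the trip accuracy terms defined in Section 7.1) can be expressed as a small set of checks. The following is an added example, not code from the MPS3 UFSAR or from Westinghouse; it assumes that uncertainty terms are in percent of span and combined by simple addition (the page only says they are combined), and every sample value is constructed, not a plant value.

```python
"""Bistable trip set point checks modelled on Section 7.1.2.1.9 and the
accuracy definitions in Section 7.1 (added example; not MPS3 UFSAR code).

Assumptions not stated on the page: all uncertainty terms are in percent of
calibrated span and are combined by simple addition; the sample values below
are constructed and are not plant values.
"""
from dataclasses import dataclass

SPAN_MARGIN_PCT = 5.0   # set points are not set within 5% of either end of span


@dataclass
class TripUncertainty:
    """Trip accuracy as defined in Section 7.1: comparator accuracy plus
    channel accuracy plus rack environmental effects (percent of span)."""
    channel_accuracy: float
    comparator_accuracy: float
    rack_environmental: float

    def trip_accuracy(self) -> float:
        # Linear sum is an assumption; the page only says the uncertainties are combined.
        return self.channel_accuracy + self.comparator_accuracy + self.rack_environmental


@dataclass
class BistableTrip:
    name: str
    span_low: float
    span_high: float
    safety_limit: float
    allowable_value: float
    trip_setpoint: float
    increasing: bool           # True if the trip occurs as the parameter rises
    analysis_allowance: float  # uncertainty (percent of span) credited in the accident analysis

    def pct_of_span(self, value: float) -> float:
        return 100.0 * (value - self.span_low) / (self.span_high - self.span_low)

    def more_conservative(self, a: float, b: float) -> bool:
        """True if value a is at least as conservative as b for this trip direction."""
        return a <= b if self.increasing else a >= b

    def design_problems(self, unc: TripUncertainty) -> list:
        """Return the design-basis checks this trip fails (empty list means all pass)."""
        problems = []
        pct = self.pct_of_span(self.trip_setpoint)
        if pct < SPAN_MARGIN_PCT or pct > 100.0 - SPAN_MARGIN_PCT:
            problems.append("set point within 5 percent of span end")
        # The nominal set point must be at least as conservative as the allowable
        # value, which in turn must be at least as conservative as the safety limit.
        if not (self.more_conservative(self.trip_setpoint, self.allowable_value)
                and self.more_conservative(self.allowable_value, self.safety_limit)):
            problems.append("set point, allowable value and safety limit not in conservative order")
        # Channel uncertainty must not exceed what the accident analysis allows.
        if unc.trip_accuracy() > self.analysis_allowance:
            problems.append("trip accuracy exceeds accident analysis allowance")
        return problems

    def as_found_status(self, as_found: float) -> str:
        """Classify an as-found trip value from a periodic test."""
        if self.more_conservative(as_found, self.trip_setpoint):
            return "acceptable"
        if self.more_conservative(as_found, self.allowable_value):
            return "acceptable: drifted past set point but within allowable value"
        return "outside allowable value: channel inoperable"


# Constructed sample trips (illustrative values, not plant values).
HI1_CONTAINMENT_PRESSURE = BistableTrip(
    name="Containment pressure Hi-1", span_low=0.0, span_high=60.0,
    safety_limit=10.0, allowable_value=7.0, trip_setpoint=6.0,
    increasing=True, analysis_allowance=3.0)

LOW_PRESSURIZER_PRESSURE = BistableTrip(
    name="Low pressurizer pressure", span_low=1700.0, span_high=2500.0,
    safety_limit=1800.0, allowable_value=1860.0, trip_setpoint=1870.0,
    increasing=False, analysis_allowance=2.5)

SAMPLE_UNCERTAINTY = TripUncertainty(channel_accuracy=1.5, comparator_accuracy=0.5,
                                     rack_environmental=0.5)

if __name__ == "__main__":
    for trip in (HI1_CONTAINMENT_PRESSURE, LOW_PRESSURIZER_PRESSURE):
        print(trip.name, "design problems:", trip.design_problems(SAMPLE_UNCERTAINTY) or "none")
    print(HI1_CONTAINMENT_PRESSURE.as_found_status(6.5))
    print(LOW_PRESSURIZER_PRESSURE.as_found_status(1850.0))
```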

7.1.2.1.10 Engineered Safety Features Motor Specifications

Motors are discussed in Section 8.3.1.

7.1.2.2 Independence of Redundant Safety Related Systems

The safety related systems in Section 7.1.1.1 are designed to meet the independence and separation requirements of Criterion 22 of the 1971 General Design Criteria and Paragraph 4.6 of IEEE Standard 279-1971. The electrical power supplies, instrumentation, and control conductors for redundant circuits have physical separation to preserve the redundancy and to ensure that no single credible event will prevent operation of the associated function due to electrical conductor damage. Critical circuits and functions include power, control and analog instrumentation associated with the operation of the reactor trip system or engineered safety features actuation system. Credible events shall include, but not be limited to, the effects of short circuits, pipe rupture, missiles, fire, etc., and are considered in the basic plant design. In the control board, separation of redundant circuits is maintained as described in Section 8.3.1.4.

7.1.2.2.1 General (Include Regulatory Guide 1.75 and IEEE Standard 384-1974)

Description of separation is provided in Section 8.3, and compliance with Regulatory Guide 1.75 is described in Section 1.8 for BOP Scope.

The physical separation criteria for redundant safety related system sensors, sensing lines, wireways, cables, and components on racks for the NSSS scope meet recommendations contained in Regulatory Guide 1.75 with the following comments.

1. The design of the protection system relies on the provisions of IEEE-384-74 relative to isolation devices to prevent malfunctions in one circuit from causing unacceptable influences on the functioning of the protection system. The protection system uses redundant instrumentation channels and actuation trains and incorporates physical and electrical separation to prevent faults in one channel from degrading any other protection channel.
2. Separation recommendations for redundant instrumentation racks are not the same as those given in Paragraph C16 of Regulatory Guide 1.75, Revision 1, for the control boards because of different functional requirements. Main control boards contain redundant circuits which are required to be physically separated from each other. However, since there are no redundant circuits which share a single compartment of an NSSS protection instrumentation rack, and since these redundant protection instrumentation racks are physically separated from each other, the physical separation requirements specified for the main control board do not apply.

However, redundant, isolated control signal cables leaving the protection racks are brought into close proximity elsewhere in the plant, such as the control board. It could be postulated that electrical faults, or interference, at these locations might be propagated into all redundant racks and degrade protection circuits because of the close proximity of protection and control wiring within each rack. Regulatory Guide 1.75, Paragraph C-4 and IEEE-384-1974, Paragraph 4.5(3), provide the option to demonstrate by tests that the absence of physical separation could not significantly reduce the availability of Class 1E circuits.

Westinghouse test programs have demonstrated that the Class 1E protection systems (the Nuclear Instrumentation System (NIS), the Solid State Protection System (SSPS), and the 7300 Process Control System (7300 PCS)) are not degraded by non-Class 1E circuits sharing the same enclosure. Conformance to the requirements of IEEE-279 and Regulatory Guide 1.75 has been established and accepted by the NRC based on the following, which is applicable to these systems at Millstone.

Tests conducted on the as-built designs of the NIS and SSPS were reported and accepted by the NRC in support of the Diablo Canyon application (Docket Numbers 50-275 and 50-323). Westinghouse considers these programs as applicable to all plants, including Millstone. Westinghouse tests on the 7300 PCS were covered in a report entitled, 7300 Series Process Control System Noise Tests, subsequently reissued as WCAP-8892-A. In a letter dated April 20, 1977, R. Tedesco to C. Eicheldinger, the NRC accepted the report in which the applicability of the Millstone plant is established.

3. The physical separation criteria for instrument cabinets within the NSSS scope meet the recommendations contained in Paragraph 5.7 of IEEE-384-1974.
4. The core thermocouple system satisfies the Regulatory Guide 1.75 separation requirements except for the two channels/trains inside the refueling cavity. The method of installation of the core thermocouples within the reactor cavity was completed prior to upgrading of the system to satisfy Regulatory Guide 1.97 requirements. The design within the refueling cavity is acceptable because:
  • only a small, self generated signal exists in the cabling from the thermocouples to the reference junction boxes and therefore no chance exists for a postulated propagating fault, and
  • due to the interference provided by the rod control mechanisms and rod position indicator stack, no likelihood exists for rendering all thermocouples inoperable.

7.1.2.2.2 Specific Systems

Independence is maintained throughout the system, extending from the sensor through the devices actuating the protective function. Physical separation is used to achieve separation of redundant transmitters. Separation of wiring is achieved using separate wireways, cable trays, conduit runs and containment penetrations for each redundant protection channel set. Redundant analog equipment is separated by locating modules in different protection rack sets. Each redundant channel set is energized from a separate AC power feed.

There are four separate process analog sets. Separation of redundant analog channels begins at the process sensors and is maintained in the field wiring, containment penetrations and analog protection cabinets to the redundant trains in the logic racks. Redundant analog channels are separated by locating modules in different cabinets or compartments of a cabinet. Since all equipment within any cabinet is associated with a single protection set, there is no requirement for channel separation of wiring and components within the cabinets.

In the nuclear instrumentation system, process instrumentation systems, and the solid state protection system input cabinets where redundant channel instrumentation is physically adjacent, there are no wireways or cable penetrations which would permit, for example, a fire resulting from electrical failure in one channel to propagate into redundant channels in the logic racks. Redundant analog channels are separated by locating modules in different cabinets or compartments of a cabinet.

Two reactor trip breakers are actuated by two separate logic matrices which interrupt power to the control rod drive mechanisms. The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all full length control rod drive mechanisms, permitting the rods to free fall into the core.

1. Reactor Trip System
a. Separate routing is maintained for the four basic reactor trip system channel sets' analog sensing signals, bistable output signals and power supplies for such systems. The separation of these four channel sets shall be maintained from sensors to instrument cabinets to logic system input cabinets.
b. Separate routing of the redundant reactor trip signals from the redundant logic system cabinets is maintained, and in addition, they shall be separated (by spatial separation or by provision of barriers or by separate cable trays or wireways) from the four analog channel sets.
2. Engineered Safety Features Actuation System
a. Separate routing is maintained for the four basic sets of engineered safety features actuation system analog sensing signals, bistable output signals and power supplies for such systems. The separation of these four channel sets is maintained from sensors to instrument cabinets to logic system input cabinets.


b. Separate routing of the engineered safety features actuation signals from the redundant logic system cabinets is maintained. In addition, they shall be separated by spatial separation or by provisions of barriers or by separate cable trays or wireways from the four analog channel sets.
c. Separate routing of control and power circuits associated with the operation of engineered safety features equipment is required to retain redundancies provided in the system design and power supplies.
3. Instrumentation and Control Power Supply System - For the separation criteria applicable to the load centers and buses distributing power to redundant components, and to the control of these power supplies, see Section 8.3.1.4.

Reactor trip system and engineered safety features actuation system analog circuits may be routed in the same wireways provided circuits have the same power supply and channel set identified (I, II, III or IV).
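The routing rules in this subsection (redundant channel sets I through IV kept apart, trip and actuation signals separated from the analog channel sets, and RTS/ESFAS analog circuits sharing a wireway only when they have the same channel set and power supply) can be audited mechanically against a cable schedule. The following is an added example, not code from the MPS3 UFSAR or from the plant's cable database; the cable identifiers, wireway names and power supply names are constructed.

```python
"""Wireway separation audit for the routing rules of Section 7.1.2.2.2
(added example, not MPS3 UFSAR code). Cable records, wireway names and
power supply names are constructed for illustration."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional

ANALOG = "analog"         # sensing signals, bistable outputs, channel power supplies
TRIP = "trip"             # reactor trip signals from the logic cabinets
ACTUATION = "actuation"   # ESF actuation signals from the logic cabinets


@dataclass(frozen=True)
class Cable:
    cable_id: str
    system: str        # "RTS" or "ESFAS"
    kind: str          # ANALOG, TRIP or ACTUATION
    division: str      # channel set I..IV for analog; train A/B for trip/actuation
    power_supply: str  # constructed name of the bus or inverter feeding the circuit


def pair_violation(a: Cable, b: Cable) -> Optional[str]:
    """Return why cables a and b may not share a wireway, or None if they may."""
    if a.kind == ANALOG and b.kind == ANALOG:
        # RTS and ESFAS analog circuits may share a wireway only when they have
        # the same channel set and the same power supply; redundant channel
        # sets are never routed together.
        if a.division != b.division:
            return f"redundant analog channel sets {a.division} and {b.division} share a wireway"
        if a.power_supply != b.power_supply:
            return (f"analog circuits on different power supplies "
                    f"({a.power_supply}, {b.power_supply}) share a wireway")
        return None
    if (a.kind == ANALOG) != (b.kind == ANALOG):
        # Trip and actuation signals are separated from the four analog channel sets.
        return f"{a.cable_id} ({a.kind}) routed with {b.cable_id} ({b.kind})"
    # Both are trip/actuation signals: redundant trains stay apart.
    if a.division != b.division:
        return f"redundant trains {a.division} and {b.division} share a wireway"
    return None


def audit_wireways(wireways: Dict[str, List[Cable]]) -> List[str]:
    """Check every pair of cables in each wireway and list the violations found."""
    findings = []
    for name, cables in wireways.items():
        for a, b in combinations(cables, 2):
            why = pair_violation(a, b)
            if why:
                findings.append(f"{name}: {why}")
    return findings


# Constructed sample cables and routing (not the plant's cable schedule).
PZR_P_I = Cable("RTS-PZR-P-I", "RTS", ANALOG, "I", "VIAC-1")
CNT_P_I = Cable("ESF-CNT-P-I", "ESFAS", ANALOG, "I", "VIAC-1")
CNT_P_I_ALT = Cable("ESF-CNT-P-I-ALT", "ESFAS", ANALOG, "I", "VIAC-2")
PZR_P_II = Cable("RTS-PZR-P-II", "RTS", ANALOG, "II", "VIAC-2")
PZR_P_III = Cable("RTS-PZR-P-III", "RTS", ANALOG, "III", "VIAC-3")
TAVG_IV = Cable("RTS-TAVG-IV", "RTS", ANALOG, "IV", "VIAC-4")
RT_A = Cable("RT-A", "RTS", TRIP, "A", "DC-A")
RT_B = Cable("RT-B", "RTS", TRIP, "B", "DC-B")
SI_A = Cable("SI-A", "ESFAS", ACTUATION, "A", "DC-A")

SAMPLE_WIREWAYS = {
    "WW-101": [PZR_P_I, CNT_P_I],        # same channel set and power supply: allowed
    "WW-102": [PZR_P_II, PZR_P_III],     # redundant channel sets together: violation
    "WW-103": [PZR_P_I, CNT_P_I_ALT],    # same set, different power supply: violation
    "WW-201": [RT_A, TAVG_IV],           # trip signal with an analog channel: violation
    "WW-202": [RT_A, SI_A],              # same train A signals: allowed
    "WW-203": [RT_A, RT_B],              # redundant trains together: violation
}

if __name__ == "__main__":
    for finding in audit_wireways(SAMPLE_WIREWAYS):
        print(finding)
```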

7.1.2.2.3 Fire Protection

For electrical equipment within the NSSS scope of supply the NSSS specifies noncombustible or fire retardant material and conducts vendor-supplied specification reviews of this equipment which includes assurance that materials will not be used which may ignite or explode from an electrical spark, flame, or from heating, or will independently support combustion. These reviews also include assurance of conservative current carrying capacities of all instrument cabinet wiring, which precludes electrical fires resulting from excessive overcurrent (I²R) losses. For example, wiring used for instrument cabinet construction has Teflon or Tefzel insulation and is adequately sized based on current carrying capacities set forth by the National Electric Code. In addition, fire retardant paint is used on protection rack or cabinet construction to retard fire or heat propagation from rack to rack. Braided sheathed material is noncombustible.

Details of the plant's fire protection system including consideration within BOP scope are provided in Section 9.5.1.

7.1.2.3 Physical Identification of Safety Related Equipment

There are four separate protection sets identifiable with process equipment associated with the reactor trip and engineered safeguards actuation systems. A protection set may be comprised of more than a single process equipment cabinet. The color coding of each process equipment rack nameplate coincides with the color code established for the protection set of which it is a part.

Redundant channels are separated by locating them in different equipment cabinets. Separation of redundant channels begins at the process sensors and is maintained in the field wiring, containment penetrations and equipment cabinets to the redundant trains in the logic racks. The solid state protection system input cabinets are divided into four isolated compartments, each serving one of the four redundant input channels. Horizontal 1/8-inch thick solid steel barriers, coated with fire-retardant paint, separate the compartments. Four 1/8-inch thick, solid steel wireways coated with fire-retardant paint enter the input cabinets vertically, each in its own quadrant.

The wireway for a particular compartment is open only into that compartment so that flame could not propagate to affect other channels. A diagram of the input cabinet is given on Figure 7.1-2. At the logic racks the protection set color coding for redundant channels is clearly maintained until the channel loses its identity in the redundant logic trains. The color coded nameplates described below provide identification of equipment associated with protective functions and their channel set association:

Protection Set    Color Coding
I                 RED with WHITE lettering
II                WHITE with BLACK lettering
III               BLUE with WHITE lettering
IV                YELLOW with BLACK lettering

All noncabinet mounted protective equipment and components are provided with an identification tag or nameplate. Small electrical components such as relays have nameplates on the enclosure which houses them. All cables are numbered with identification tags. For ID of cables, cable trays and conduits, see Section 8.3.1.2.4.

7.1.2.4 Conformance to Criteria

A listing of applicable criteria and the SAR Sections where conformance is discussed is given in Table 7.1-1.

7.1.2.5 Conformance to Regulatory Guide 1.22

Periodic testing of the reactor trip and engineered safety features actuation systems, as described in Sections 7.2.2 and 7.3.2, complies with Regulatory Guide 1.22, Periodic Testing of Protection System Actuation Functions.

Where the ability of a system to respond to a bona fide accident signal is intentionally bypassed for the purpose of performing a test during reactor operation, each bypass condition is automatically indicated to the reactor operator in the main control room by a separate annunciator for the train in test. In accordance with Regulatory Guide 1.47, for an event that renders a safety system inoperable but does not automatically operate the system bypass indicator, capability to operate each bypass indicator manually has been provided to the reactor operator. Solid state protection system test circuitry does not allow two trains to be tested at the same time so that extension of the bypass condition to the redundant system is prevented. Administrative controls prevent both trains of the emergency generator load sequencer from being bypassed at the same time.


The actuation logic for the reactor trip and engineered safety features actuation system is tested as described in Sections 7.2 and 7.3. As recommended by Regulatory Guide 1.22, where actuated equipment is not tested during reactor operation, it has been determined that:

1. There is no practicable system design that would permit operation of the equipment without adversely affecting the safety or operability of the plant.
2. The probability that the protection system will fail to initiate the operation of the equipment is, and can be maintained, acceptably low without testing the equipment during reactor operation.
3. The equipment can routinely be tested when the reactor is shut down.

The equipment that cannot be tested at full power without damaging equipment or upsetting plant operation is:

1. Manual actuation switches
2. Turbine
3. Main steam line isolation valves (close)
4. Main feedwater isolation valves (close)
5. Feedwater control valves (close)
6. Main feedwater pump trip solenoids
7. Reactor coolant pump seal water return valves (close)
8. Charging header to cold leg isolation valves
9. Charging and letdown isolation valves (close)
10. Deleted by PKG FSC 07-MP3-024
11. CVCS suction valves - Normal (close)
12. Instrument air to containment isolation valves (close)
13. Chillwater supply and return containment isolation valves (close)

The justification for not testing the above 13 items at full power is discussed below.

1. Manual Actuation Switches - These would cause initiation of their protection system function at power, causing plant upset and/or reactor trip. It should be noted that the reactor trip function that is derived from the automatic safety injection signal is tested at power as follows:

The analog signals from which the automatic safety injection signal is derived are tested at power in the same manner as the other analog signals, as described in Section 7.2.2.2.3 (10). The processing of these signals in the solid state protection system (SSPS), wherein their channel orientation converts to a logic train orientation, is tested at power by the built-in semi-automatic test provisions of the SSPS. The reactor trip breakers are tested at power as discussed in Section 7.2.2.2.3 (10).

2. Turbine - Mechanical and backup overspeed trip tests are performed periodically while carrying load without tripping the unit, by using special test provisions.
3. Closing the Main Steam Isolation Valves - Main steam isolation valves are routinely tested during refueling outages. Testing of the main steam isolation valves to closure at power is not practical. As the plant power is increased, the coolant average temperature is programmed to increase. If the valves are closed under these elevated temperature conditions, the steam pressure transient would unnecessarily operate the steam generator relief valves and possibly the steam generator safety valves. The steam pressure transient produced would cause shrinkage in the steam generator level, which would cause the reactor to trip on low-low steam generator water level. Testing during operation will decrease the operating life of the valve.

Based on the above identified problems incurred with periodic testing of the main steam isolation valves at power and since (1) no practical system design will permit operation of the valves without adversely affecting the safety or operability of the plant, (2) the probability that the protection system will fail to initiate the actuated equipment during this test. Although the actual closing of these valves is blocked when the slave relay is tested, all functions are tested to assure that no electrical malfunctions have occurred which could defeat the protective function.

It is noted that the solenoids work on the de-energize-to-actuate principle, so that the main steam isolation valves will fail closed upon loss of electrical power to the solenoids.

Based on the above, the testing of the isolating function of main steam isolation valves meets the guidelines of Section D.4 of Regulatory Guide 1.22.

4. Closing the Feedwater Isolation Valves - The feedwater isolation valves are routinely tested during refueling outages.

Periodic testing of these feedwater isolation valves by closing them completely at power would induce steam generator water level transients and oscillations which would trip the reactor. These transient conditions would be caused by perturbing the feedwater flow and pressure conditions necessary for proper operation of the variable-speed feedwater pump control system and the steam generator water level control system. Any operation which induces perturbations in the main feedwater flow, whether deliberate or otherwise, generally leads to a reactor trip and should be avoided.

Based on these identified problems incurred with periodic testing of the feedwater isolation valves and since:

a. No practical system design will permit operation of these valves without adversely affecting the safety or operability of the plant.
b. The probability that the protection system will fail to initiate the actuated equipment is acceptably low due to testing up to final actuation, and
c. These valves are tested during refueling outages, meeting the guidelines of Section D.4 of Regulatory Guide 1.22.
5. Closing the Feedwater Control Valves - These valves are routinely tested during refueling outages. To close them at power would adversely affect the operability of the plant. The verification of operability of feedwater control valves at power is assured by confirmation of proper operation of the steam generator water level system. The actual actuation function of the solenoids, which provides the closing function, is periodically tested at power as discussed in Section 7.3.2.2.5. The operability of the slave relay which actuates the solenoid, which is the actuating device, is verified during this test.

Although the actual closing of these control valves is blocked when the slave relay is tested, all functions are tested to assure that no electrical malfunctions have occurred which could defeat the protective function. It is noted that the solenoids work on the de-energize-to-actuate principle, so that the feedwater control valves will fail closed upon either the loss of electrical power to the solenoids or loss of air pressure.

Based on the above, the testing of the isolating function of feedwater control valves meets the guidelines of Section D.4 of Regulatory Guide 1.22.

6. Main Feedwater Pump Trip Solenoids - No credit is taken in the analysis for tripping the main feedwater pumps, and therefore this function does not require periodic testing.

These functions are routinely tested during refueling outages.

7. Seal Water Return Valves (Close) - Seal return line isolation valves are routinely tested during refueling outages.

Closure of these valves during operation would cause the safety valve to lift, with the possibility of valve chatter. Valve chatter would damage this relief valve.

Testing of these valves at power would cause equipment damage. Therefore, these valves will be tested during scheduled refueling outages. As above, additional containment penetrations and containment isolation valves introduce additional unnecessary potential pathways for radioactive release following a postulated accident. Thus, the guidelines of Section D.4 of Regulatory Guide 1.22 are met.

8. Charging Header to Cold Leg Isolation Valves (Open)

The opening of these valves during the test of the actuating protection channel would adversely affect the operability of the plant. The probability that the protection system will fail to open these valves is acceptably low due to testing up to final actuation and the valves are routinely tested during refueling outages.

9. Charging and Letdown Isolation Valves (Close)

The plant is designed for a limited number of letdown isolation thermal cycles, and exercising these valves during power operations can result in a thermal cycle to the charging path to the RCS. These valves are routinely tested during cold shutdowns and refueling outages.

10. Deleted by PKG FSC 07-MP3-024
11. CVCS Suction Valves - Normal (Close)

Actuating these valves in conjunction with RWST suction isolation injects a small amount of borated water from the RWST into the RCS, causing an increase in pressurizer level and possible outward rod motion. These valves are routinely tested during refueling outages. The probability that the protection system will fail to open these valves is acceptably low due to testing up to final actuation.

12. Instrument Air to Containment Isolation Valves (Close)

Allowing the valves to close puts the plant at risk of a loss of instrument air inside containment in the event that the valves do not reopen following testing. A loss of containment instrument air would disrupt RCS volume and pressure control systems and result in a letdown isolation. These valves are routinely tested during refueling outages. The probability that the protection system will fail to open these valves is acceptably low due to testing up to final actuation.

13. Chillwater Supply and Return Containment Isolation Valves (Close)

Two valves are closed during each slave relay test, one supply and one return in opposite headers. Although the two headers are cross connected during testing, closing the valves results in a loss of chillwater to containment. Containment temperature rises, causing containment pressure to exceed the Technical Specification Limit within a short period of time. Exceeding the Technical Specification Limit places the plant outside safety analysis assumptions for containment pressure, and requires operators to commence plant shutdown if pressure is not restored to within the limit within one hour. These valves are routinely tested during refueling outages. The probability that the protection system will fail to open these valves is acceptably low due to testing up to final actuation.

7.1.2.6 Conformance to Regulatory Guide 1.47

Refer to Sections 1.8 and 7.5.3.

7.1.2.7 Conformance to Regulatory Guide 1.53 and IEEE Standard 379-1972

The principles described in IEEE Standard 379-1972 were used in the design of the protection system. The system complies with the intent of this standard and the additional guidance of Regulatory Guide 1.53, although the formal analyses have not been documented exactly as outlined. Westinghouse has gone beyond the required analyses and has performed a fault tree analysis (WCAP-7706-L and WCAP-7706).

The referenced topical report provides details of the analyses of the protection systems previously made to show conformance with single failure criterion set forth in Paragraph 4.2 of IEEE Standard 279-1971. The interpretation of single failure criterion provided by IEEE Standard 379-1972 does not indicate substantial differences with the Westinghouse interpretation of the criterion except in the methods used to confirm design reliability. Established design criteria in conjunction with sound engineering practices form the bases for the Westinghouse protection systems. The reactor trip and engineered safeguards actuation systems are each redundant safety systems. The required periodic testing of these systems will disclose any failures or loss of redundancy which could have occurred in the interval between tests, thus ensuring the availability of these systems.

7.1.2.8 Conformance to Regulatory Guide 1.63

Compliance to Regulatory Guide 1.63 is described in Section 1.8.

7.1.2.9 Conformance to IEEE Standard 317-1972

Regulatory Guide 1.63 addresses IEEE Standard 317.

7.1.2.10 Conformance to IEEE Standard 336-1971

The quality assurance requirements for installing, inspecting, and testing instrumentation and electric equipment conform to IEEE Standard 336-1971.


7.1.2.11 Conformance to IEEE Standard 338-1971

The periodic testing of the reactor trip system and engineered safety features actuation system conforms to the requirements of IEEE Standard 338-1971 with the following comments:

1. The surveillance requirements of the Technical Specifications for the protection system ensure that the system functional operability is maintained comparable to the original design standards. Periodic tests demonstrate this capability for the system.

Overall protection system response times are demonstrated by test. Sensors within the Westinghouse scope will be demonstrated adequate for this design by vendor testing, in situ tests in operating plants with appropriately similar design, or by suitable type testing. The nuclear instrumentation system detectors are excluded from time response testing since they exhibit response time characteristics such that delays attributable to them are negligible in the overall channel response time required for safety. The reactor coolant pump speed sensors are exempt from time response testing since they will either operate with a short and predictable time response or fail in a safe direction, indicating lower than actual pump speed.

A periodic testing program exists to determine the time response of sensors which cause a reactor trip or the actuation of engineered safety features consistent with requirements given in the Technical Specifications and the Technical Requirements Manual. Time response testing of sensors (with the exception of neutron detectors and reactor coolant pump speed sensors) is performed per Technical Specifications section 4.3.1.2.

Each Reactor Trip System and Engineered Safety Features Actuation System response time test shall include at least one logic train such that both logic trains are tested at least once per 36 months and one channel per function such that all channels are tested at least once every (N times 18 months), where N is the total number of redundant channels in a specific protective function.

The measurement of response time at the specified time intervals provides assurance that the protective and engineered safety features action function associated with each channel is completed within the time limit assumed in the accident analyses.

2. The reliability goals specified in Paragraph 4.2 of IEEE Standard 338-1971 have been developed and serve as a basis for adequate time intervals for testing of the protection system.
3. The periodic test interval discussed in Paragraph 5.2, which is based on items outlined in Paragraph 4.3 of IEEE Standard 338-1971, is specified in the plant Technical Specifications. The initial test interval is conservatively selected to assure that equipment associated with protection functions will not drift beyond its minimum performance requirements.

4. The test interval discussed in Paragraph 5.2 of IEEE Standard 338-1971 is verified and/or corrected based on past operating experience and surveillance test results.

The test interval may be modified, if necessary, to assure that system and subsystem protection is reliably provided. If any protection channel fails to meet its acceptance criteria during periodic testing, actions are taken as required by the Technical Specifications. Analytic methods for determining reliability have been used to determine the test interval.

Based on the scope definition given in IEEE Standard 338-1971, no other systems described in Chapter 7 are required to comply with this standard. Regulatory Guide 1.97 is discussed in the post-accident monitoring report.

7.1.3 REFERENCES FOR SECTION 7.1

7.1-1 Gangloff, W.C. and Loftus, W.D., 1973. An Evaluation of Solid State Logic Reactor Protection in Anticipated Transients. WCAP-7706-L (Proprietary) and WCAP-7706.

7.1-2 Siroky, R.M. and Marasco, F.W., June 1977. Westinghouse 7300 Series Process Control System Noise Tests. WCAP-8892-A (Non-proprietary).

7.1-3 Tedesco, R. (Nuclear Regulatory Commission), letter to C. Eicheldinger (Westinghouse), dated April 20, 1977.


TABLE 7.1-1 LISTING OF APPLICABLE CRITERIA

1. GENERAL DESIGN CRITERIA (GDC), APPENDIX A TO 10 CFR PART 50

Criteria | Title | Conformance Discussed in
GDC 1 | Quality Standards and Records | 3.1.2, 7
GDC 2 | Design Bases for Protection Against Natural Phenomena | 3.1.2, 3.10, 7.2.1.1.11
GDC 3 | Fire Protection | 3.1.2, 7.1.2.2.3
GDC 4 | Environmental and Missile Design Bases | 3.1.2, 7.2.2.2
GDC 5 | Sharing of Structures, Systems, and Components | 3.1.2
GDC 10 | Reactor Design | 3.1.2, 7.2.2.2
GDC 12 | Suppression of Reactor Power Oscillations | 3.1.2
GDC 13 | Instrumentation and Control | 3.1.2, 7.3.1, 7.3.2
GDC 15 | Reactor Coolant System Design | 3.1.2, 7.2.2.2
GDC 17 | Electric Power Systems | 3.1.2, 8.2.1
GDC 19 | Control Room | 3.1.2
GDC 20 | Protection System Functions | 3.1.2, 7.2.2.2, 7.3.1, 7.3.2
GDC 21 | Protection System Reliability and Testability | 3.1.2, 7.2.2.2, 7.3.1, 7.3.2
GDC 22 | Protection System Independence | 3.1.2, 7.1.2.2, 7.2.2.2, 7.3.1, 7.3.2
GDC 23 | Protection System Failure Modes | 3.1.2, 7.2.2.2, 7.3.1, 7.3.2
GDC 24 | Separation of Protection and Control Systems | 3.1.2, 7.2.2.2, 7.3.1, 7.3.2
GDC 25 | Protection System Requirements for Reactivity Control Malfunctions | 3.1.2, 7.3.2
GDC 26 | Reactivity Control System Redundancy and Capability | 3.1.2
GDC 27 | Combined Reactivity Control Systems Capability | 3.1.2, 7.3.1, 7.3.2
GDC 28 | Reactivity Limits | 3.1.2, 7.3.1, 7.3.2
GDC 29 | Protection Against Anticipated Operational Occurrences | 3.1.2, 7.2.2.2
GDC 33 | Reactor Coolant Makeup | 3.1.2
GDC 34 | Residual Heat Removal | 3.1.2
GDC 35 | Emergency Core Cooling | 3.1.2, 7.3.2
GDC 37 | Testing of Emergency Core Cooling System | 3.1.2, 7.3.2
GDC 38 | Containment Heat Removal | 3.1.2, 7.3.1, 7.3.2
GDC 40 | Testing of Containment Heat Removal System | 3.1.2, 7.3.2
GDC 41 | Containment Atmosphere Cleanup | 3.1.2, 8.3.1.1
GDC 43 | Testing of Containment Atmosphere Cleanup Systems | 3.1.2, 7.3.2
GDC 44 | Cooling Water | 3.1.2
GDC 46 | Testing of Cooling Water System | 3.1.2, 7.3.2
GDC 50 | Containment Design Basis | 3.1.2
GDC 54 | Piping Systems Penetrating Containment | 3.1.2
GDC 55 | Reactor Coolant Pressure Boundary Penetrating Containment | 3.1.2
GDC 56 | Primary Containment Isolation | 3.1.2
GDC 57 | Closed Systems Isolation Valves | 3.1.2

2. INSTITUTE OF ELECTRICAL AND ELECTRONIC ENGINEERS (IEEE) STANDARDS:

Criteria | Title | Conformance Discussed in
IEEE Std 279-1971 (ANSI N42.7-1972) | Criteria for Protection Systems for Nuclear Power Generating Stations | 7.1, 7.2, 7.3, 7.6
IEEE Std 308-1971 | Criteria for Class IE Electric Systems for Nuclear Power Generating Stations | 7.1.2.1.3
IEEE Std 317-1972 | Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations | 7.1.2.9
IEEE Std 323-1974 | IEEE Standard for Qualifying Class IE Equipment for Nuclear Power Generating Stations | 3.11, 1.8 (R.G. 1.89)
IEEE Std 334-1971 | Type Tests of Continuous-Duty Class I Motors Installed Inside the Containment of Nuclear Power Generating Stations | 1.8 (R.G. 1.40), 7.1.2.1.10
IEEE Std 336-1971 (ANSI N45.2.4-1972) | Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations | 7.1.2.10
IEEE Std 338-1971 | Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems | 7.1.2.11, 1.8 (R.G. 1.118)
IEEE Std 344-1975 (ANSI N41.7) | Guide for Seismic Qualification of Class I Electrical Equipment for Nuclear Power Generating Stations | 3.10
IEEE Std 379-1972 (ANSI N41.2) | Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems | 7.1.2.7, 1.8 (R.G. 1.53)
IEEE Std 382-1972 | Type Test of Class I Electric Valve Operators | 1.8 (R.G. 1.73)
IEEE Std 384-1974 | Criteria for Separation of Class IE Equipment and Circuits | 7.1.2.2.1, 1.8 (R.G. 1.75)

3. REGULATORY GUIDES (RG)

Criteria | Title | Conformance Discussed in
RG 1.6 | Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems | Chapter 8
RG 1.11 | Instrument Lines Penetrating Primary Reactor Containment | 1.8, 6.2.4
RG 1.22 | Periodic Testing of Protection System Actuation Functions | 1.8, 7.1.2.5, 7.3.2.2.5, 7.2.2.2.3
RG 1.29 | Seismic Design Classification | 1.8
RG 1.30 | Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment | 1.8
RG 1.32 | Use of IEEE Std 308-1971 Criteria for Class IE Electric Systems for Nuclear Power Generating Stations | 1.8, 8.1.7, 8.3.2
RG 1.47 | Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems | 1.8, 7.1.2.6, 7.5.3
RG 1.53 | Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems | 7.1.2.7, 1.8
RG 1.62 | Manual Initiation of Protection Actions | 1.8, 7.3.2.2.7
RG 1.63 | Electric Penetration Assemblies in Containment Structures for Water-Cooled Nuclear Power Plants | 1.8
RG 1.68 | Preoperational and Initial Startup Test Programs for Water-Cooled Power Reactors | 1.8, Chapter 14
RG 1.70 Rev. 3 | Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants | 1.8, Chapter 7
RG 1.73 | Qualification Test of Electric Valve Operators Installed Inside the Containment | 1.8
RG 1.75 | Physical Independence of Electric Systems | 1.8, 7.1.2.2.1
RG 1.78 | Assumptions for Evaluating the Habitability of a Nuclear Power Plant Control Room During a Postulated Hazardous Chemical Release | 9.4.1.1, 6.4
RG 1.89 | Qualification of Class IE Equipment for Nuclear Power Plants | 1.8, 3.11
RG 1.95 | Protection of Nuclear Power Plant Control Room Operators Against an Accidental Chlorine Release | 1.8
RG 1.97 | Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant Conditions During and Following an Accident | 1.8, 7.5
RG 1.100 | Seismic Qualification of Electric Equipment for Nuclear Power Plants | 1.8
RG 1.105 | Instrument Spans and Setpoints | 1.8, 7.5.3
RG 1.118 | Periodic Testing of Electric Power and Protection Systems | 1.8
RG 1.120 | Fire Protection Guidelines for Nuclear Power Plants | 1.8

4. BRANCH TECHNICAL POSITIONS (BTP) EICSB

Criteria | Title | Conformance Discussed in
BTP ICSB 1 | Backfitting of the Protection and Emergency Power Systems of Nuclear Reactors | 7, 8
BTP ICSB 3 | Isolation of Low Pressure Systems from the High Pressure Reactor Coolant System | 7.6.2
BTP ICSB 4 | Requirements on Motor-Operated Valves in the ECCS Accumulator Lines | 7.6.4
BTP ICSB 5 | Scram Breaker Test Requirements - Technical Specifications | 7.2.2.2.3 (Item 10), Technical Specifications (Table 4.3-1, Items 21 and 18)
BTP ICSB 9 | Definition and Use of Channel Calibration - Technical Specifications | Table 4.3-1, Section 1, Definitions, in Technical Specifications
BTP ICSB 10 | Electrical and Mechanical Equipment Seismic Qualification Program | 3.10
BTP ICSB 12 | Protection System Trip Point Changes for Operation with Reactor Coolant Pumps Out of Service | 7.2.2.2.1
BTP ICSB 13 | Design Criteria for Auxiliary Feedwater Systems | 10.4.9
BTP ICSB 14 | Spurious Withdrawals of Single Control Rods in Pressurized Water Reactors | 7.7.2.2, 15.4.1, 15.4.2, 15.4.8
BTP ICSB 15 | Reactor Coolant Pump Breaker Qualification | 7.2.1.1.2 (4)
BTP ICSB 16 | Control Element Assembly (CEA) Interlocks in Combustion Engineering Reactors | Not Applicable
BTP ICSB 18 | Application of the Single-Failure Criteria to Manually Controlled Electrically Operated Valves | Tech. Spec. 16. 3/4.5
BTP ICSB 19 | Acceptability of Design Criteria for Hydrogen Mixing and Drywell Vacuum Relief Systems | Not Applicable
BTP ICSB 20 | Design of Instrumentation and Control Provided to Accomplish Changeover from Injection to Recirculation Mode | 6.3.2.2.2, Table 6.3-7
BTP ICSB 21 | Guidance for Application of Regulatory Guide 1.47 | 7.1.2.6
BTP ICSB 22 | Guidance for Application of Regulatory Guide 1.22 | 7.1.2.5
BTP ICSB 23 | Qualification of Safety Related Display Instrumentation for Post-Accident Conditions Monitoring and Safe Shutdown | 7.5
BTP ICSB 24 | Testing of Reactor Trip System and Engineered Safety Features Actuation System Sensor Response Time | 7.1.2.11
BTP ICSB 25 | Guidance for the Interpretation of General Design Criterion 37 for Testing the Operability of the Emergency Core Cooling System as a Whole | 3.1.2, 7.3.2
BTP ICSB 26 | Requirements for Reactor Protection System Anticipatory Trips | 7.2.1.1.2 (Item 6)
BTP ICSB 27 | Design Criteria for Thermal Overload Protection for Motors of Motor-Operated Valves | 8.3.1.1.4

FIGURE 7.1-1 SOLID STATE PROTECTION SYSTEM BLOCK DIAGRAM

FIGURE 7.1-2 REACTOR TRIP/ESF ACTUATION MECHANICAL LINKAGE FOR DUAL TRAIN SWITCHES

7.2 REACTOR TRIP SYSTEM

7.2.1 DESCRIPTION

7.2.1.1 System Description

The reactor trip system automatically keeps the reactor operating within a safe region by shutting down the reactor whenever the limits of the region are approached. The safe operating region is defined by several considerations such as mechanical/hydraulic limitations on equipment and heat transfer phenomena. Therefore, the reactor trip system keeps surveillance on process variables which are directly related to equipment mechanical limitations, such as pressure and pressurizer water level (to prevent water discharge through safety valves and uncovering of heaters), and also on variables which directly affect the heat transfer capability of the reactor (e.g., flow and reactor coolant temperatures). Still other parameters utilized in the reactor trip system are calculated from various process variables. In any event, whenever a direct process or calculated variable exceeds a setpoint, the reactor will be shut down in order to protect against either gross damage to fuel cladding or loss of system integrity which could lead to release of radioactive fission products into the containment.

The following systems and equipment make up the reactor trip system (WCAP-7913; WCAP-8255; WCAP-7488-L and WCAP-7672):

1. Process instrumentation and control system
2. Nuclear instrumentation system
3. Solid state logic protection system
4. Reactor trip switchgear
5. Manual actuation circuit

The reactor trip system consists of sensors which, when connected with analog circuitry consisting of two to four redundant channels, monitor various plant parameters, and digital circuitry, consisting of two redundant logic trains, which receives inputs from the analog protection channels as well as other digital inputs to complete the logic necessary to open the reactor trip breakers.

Each of the two trains, A and B, is capable of opening a separate and independent reactor trip breaker, RTA and RTB, respectively. The two trip breakers in series connect three phase AC power from the rod drive motor generator sets to the rod drive power cabinets, as shown on Figure 7.2-1, Sheet 2. During plant power operation, a DC undervoltage coil on each reactor trip breaker holds a trip plunger out against its spring, allowing the power to be available at the rod control power supply cabinets. For reactor trip, a loss of DC voltage to the undervoltage coil, as well as energization of the shunt trip coil, trips open the breaker. When either of the trip breakers opens, power is interrupted to the rod drive power supply, and the control rods fall, by gravity, into the core. The rods cannot be withdrawn until the trip breakers are manually reset. The trip breakers cannot be reset until the abnormal condition which initiated the trip is corrected. Bypass breakers BYA and BYB are provided to permit testing of the trip breakers, as discussed in Section 7.2.2.2.3.

7.2.1.1.1 Functional Performance Requirements

The reactor trip system automatically initiates reactor trip:

1. Whenever necessary to prevent fuel damage for an anticipated operational transient (Condition II)
2. To limit core damage for infrequent faults (Condition III)
3. So that the energy generated in the core is compatible with the design provisions to protect the reactor coolant pressure boundary for limiting fault conditions (Condition IV)

The reactor trip system initiates a turbine trip signal whenever reactor trip is initiated, to prevent the reactivity insertion that would otherwise result from excessive reactor system cooldown and to avoid unnecessary actuation of the engineered safety features actuation system.

The reactor trip system provides for manual initiation of reactor trip by operator action.

7.2.1.1.2 Reactor Trips

The various reactor trip circuits automatically open the reactor trip breakers whenever a condition monitored by the reactor trip system reaches a preset level. To ensure a reliable system, high quality design, components, manufacturing quality control and testing are used. In addition to redundant channels and trains, the design approach provides a reactor trip system which monitors numerous system variables, therefore providing protection system functional diversity. The extent of this diversity has been evaluated for a wide variety of postulated accidents.

Table 7.2-1 provides a list of reactor trips which are described below:

1. Nuclear Overpower Trips

The specific trip functions generated are as follows:

a. Power range high neutron flux trip

The power range high neutron flux trip circuit trips the reactor when two of the four power range channels exceed the trip setpoint.

There are two bistables, each with its own trip setting, used for a high and a low range trip setting. The high trip setting provides protection during normal power operation and is always active. The low trip setting, which provides protection during startup, can be manually bypassed when two out of the four power range channels read above approximately 10 percent power (P-10). Three out of the four channels below 10 percent power automatically reinstates the trip function. Refer to Table 7.2-2 for a listing of all protection system interlocks.

b. Intermediate range high neutron flux trip

The intermediate range high neutron flux trip circuit trips the reactor when one out of the two intermediate range channels exceeds the trip setpoint.

This trip, which provides protection during reactor startup, can be manually blocked if two out of four power range channels are above approximately 10 percent power (P-10). Three out of the four power range channels below this value automatically reinstates the intermediate range high neutron flux trip. The intermediate range channels (including detectors) are separate from the power range channels. The intermediate range channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during plant shutdown or prior to startup.

This bypass action is annunciated on the control board.

c. Source range high neutron flux trip

The source range high neutron flux trip circuit trips the reactor when one of the two source range channels exceeds the trip setpoint. This trip, which provides protection during reactor startup and plant shutdown, can be manually bypassed when one of the two intermediate range channels reads above the P-6 setpoint value and is automatically reinstated when both intermediate range channels decrease below the P-6 setpoint value. This trip is also automatically bypassed by two out of four logic from the power range protection interlock (P-10). This trip function can also be reinstated below P-10 by an administrative action requiring manual actuation of two control board mounted switches. Each switch will reinstate the trip function in one of the two protection logic trains. The source range trip point is set between the P-6 setpoint (source range cutoff power level) and the maximum source range power level. The channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during plant shutdown or prior to startup. This bypass action is annunciated on the control board.

d. Power range high positive neutron flux rate trip

This circuit trips the reactor when a sudden abnormal increase in nuclear power occurs in two out of four power range channels. This trip provides RCS overpressure protection for inadvertent RCCA withdrawal events and DNB protection against rod ejection accidents of low worth from mid-power and is always active.

e. Power range high negative neutron flux rate trip

This trip provided protection against the effects of two or more dropped control rods. Improved analysis techniques have shown the trip not to be required to provide a reactor trip function, and it is no longer included in the Technical Specifications. Rather than remove the trip, the trip setpoint has been increased sufficiently to prevent the trip from being actuated by most credible combinations of dropped control rods.

Figure 7.2-1, Sheet 3, shows the logic for all of the nuclear overpower and rate trips.

2. Core Thermal Overpower Trips

The specific trip functions generated are as follows:

a. Overtemperature ΔT Trip

This trip protects the core against low DNBR and trips the reactor on coincidence as listed in Table 7.2-1, with one set of temperature measurements per loop. The setpoint for this trip is continuously calculated by analog circuitry for each loop by solving the following equation:

Overtemperature ΔT:

$$\Delta T\,\frac{1+\tau_1 s}{1+\tau_2 s} \le \Delta T_0\left[K_1 - K_2\,\frac{1+\tau_4 s}{1+\tau_5 s}\,(T - T') + K_3\,(P - P') - f_1(\Delta I)\right]$$

where:

ΔT is measured Reactor Coolant System ΔT, °F;
ΔT0 is loop specific indicated ΔT at RATED THERMAL POWER, °F;
(1 + τ1 s)/(1 + τ2 s) is the function generated by the lead-lag compensator on measured ΔT;
τ1 and τ2 are the time constants utilized in the lead-lag compensator for ΔT, τ1 [*] sec, τ2 [*] sec;
K1 [*];
K2 [*] /°F;
(1 + τ4 s)/(1 + τ5 s) is the function generated by the lead-lag compensator for Tavg;
τ4 and τ5 are the time constants utilized in the lead-lag compensator for Tavg, τ4 [*] sec, τ5 [*] sec;
τ7 is the time constant utilized in the lag compensator for the Thot filter, τ7 4 sec;
T is measured Reactor Coolant System average temperature, °F;
T' is loop specific indicated Tavg at RATED THERMAL POWER, [*] °F;
K3 [*] /psi;
P is measured pressurizer pressure, psia;
P' is nominal pressurizer pressure, [*] psia;
s is the Laplace transform operator, sec-1; and
f1(ΔI) is a function of the indicated difference between top and bottom detectors of the power range neutron ion chambers, with nominal gains to be selected based on measured instrument response during plant startup test calibrations such that:

1. For qt - qb between -[*]% and [*]%, f1(ΔI) = 0, where qt and qb are percent RATED THERMAL POWER in the upper and lower halves of the core, respectively, and qt + qb is the total THERMAL POWER in percent RATED THERMAL POWER;
2. For each percent that the magnitude of qt - qb exceeds -[*]%, the ΔT Trip Setpoint shall be automatically reduced by [*]% of its value at RATED THERMAL POWER;
3. For each percent that the magnitude of qt - qb exceeds [*]%, the ΔT Trip Setpoint shall be automatically reduced by [*]% of its value at RATED THERMAL POWER.

a. A separate long ion chamber unit supplies the flux signal for each overtemperature ΔT trip channel. Increases in ΔI beyond a pre-defined deadband result in a decrease in trip setpoint. Refer to Figure 7.2-2.

The required one pressurizer pressure parameter per loop is obtained from separate sensors connected to three pressure taps at the top of the pressurizer. Four pressurizer pressure signals are obtained from the three taps by connecting one of the taps to two pressure transmitters. Refer to Section 7.2.2.3.3 for an analysis of this arrangement.

Figure 7.2-1, Sheet 5, shows the logic for the overtemperature ΔT trip function.

(The values denoted with [*] are specified in the COLR.)

b. Overpower ΔT Trip

This trip protects against excessive power (fuel rod rating protection) and trips the reactor on coincidence as listed in Table 7.2-1, with one set of temperature measurements per loop. The setpoint for each channel is continuously calculated using the following equation:

Overpower ΔT:

$$\Delta T\,\frac{1+\tau_1 s}{1+\tau_2 s} \le \Delta T_0\left[K_4 - K_6\,(T - T'')\right]$$

Where:

ΔT is measured Reactor Coolant System ΔT, °F;
ΔT0 is loop specific indicated ΔT at RATED THERMAL POWER, °F;
(1 + τ1 s)/(1 + τ2 s) is the function generated by the lead-lag compensator on measured ΔT;
τ1 and τ2 are the time constants utilized in the lead-lag compensator for ΔT, τ1 [*] sec, τ2 [*] sec;
K4 [*];
τ7 is the time constant utilized in the lag compensator for the Thot filter, τ7 4 sec;
T is measured Reactor Coolant System average temperature, °F;
T'' is loop specific indicated Tavg at RATED THERMAL POWER, [*] °F;
K6 [*]/°F when T > T'' and K6 [*]/°F when T ≤ T'';
s is the Laplace transform operator, sec-1.

(The values denoted with [*] are specified in the COLR.)

The source of temperature information is identical to that of the overtemperature ΔT trip and the resultant ΔT setpoint is compared to the same ΔT. Figure 7.2-1, Sheet 5, shows the logic for this trip function.
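As an added example (not the plant's or the vendor's code), the two setpoint equations above and the three-part f1(ΔI) definition implemented as one discrete-time channel calculation: the lead-lag compensators are approximated with a bilinear transform at an assumed 0.1 s sample period, and every gain, time constant, deadband and reference value is a constructed placeholder for the [*] values the COLR holds.

```python
"""Added example (not plant code): the Overtemperature and Overpower delta-T
setpoint equations above, evaluated discretely. Every gain, time constant,
deadband and reference value is a constructed placeholder for the COLR values marked [*]."""
from dataclasses import dataclass


@dataclass
class LeadLag:
    """(1 + tau_lead s)/(1 + tau_lag s), discretised with the bilinear (Tustin)
    transform at an assumed 0.1 s sample period (approximating the analog circuitry)."""
    tau_lead: float
    tau_lag: float
    dt: float = 0.1
    x_prev: float = 0.0
    y_prev: float = 0.0
    primed: bool = False
    def step(self, x):
        if not self.primed:  # start at steady state so the first sample does not ring
            self.x_prev = self.y_prev = x
            self.primed = True
        y = ((self.dt + 2 * self.tau_lead) * x + (self.dt - 2 * self.tau_lead) * self.x_prev
             - (self.dt - 2 * self.tau_lag) * self.y_prev) / (self.dt + 2 * self.tau_lag)
        self.x_prev, self.y_prev = x, y
        return y


def f1(delta_i, neg_deadband, pos_deadband, neg_gain, pos_gain):
    """f1(delta I) per the three-part definition: zero while qt - qb is inside the
    deadband; beyond it, a gain (fraction of the rated-power setpoint) per percent."""
    if delta_i < -neg_deadband:
        return neg_gain * (-neg_deadband - delta_i)
    if delta_i > pos_deadband:
        return pos_gain * (delta_i - pos_deadband)
    return 0.0


@dataclass
class Constants:
    """Constructed placeholders standing in for the COLR values marked [*]."""
    dT0: float = 60.0        # loop indicated delta-T at RATED THERMAL POWER, deg F
    t_ref: float = 587.0     # indicated Tavg at RATED THERMAL POWER, deg F (T', T'')
    p_ref: float = 2250.0    # nominal pressurizer pressure, psia
    k1: float = 1.2
    k2: float = 0.02         # per deg F
    k3: float = 0.001        # per psi
    k4: float = 1.08
    k6_above: float = 0.002  # per deg F when T > T''
    k6_below: float = 0.0    # per deg F when T <= T''
    tau1: float = 8.0        # lead, lag on delta-T, sec
    tau2: float = 3.0
    tau4: float = 30.0       # lead, lag on Tavg, sec
    tau5: float = 4.0
    neg_deadband: float = 10.0  # f1 is zero for qt - qb between -10 % and +5 %
    pos_deadband: float = 5.0
    f1_gain: float = 0.02    # setpoint reduction per percent beyond the deadband


class OverTemperatureDeltaT:
    """One channel; 2/4 coincidence across channels is the SSPS's job, not modelled."""
    def __init__(self, c=None):
        self.c = c or Constants()
        self.dt_comp = LeadLag(self.c.tau1, self.c.tau2)    # on measured delta-T
        self.tavg_comp = LeadLag(self.c.tau4, self.c.tau5)  # on (T - T')

    def step(self, delta_t, t_avg, pressure, q_top, q_bottom):
        """Return (compensated delta-T, setpoint, channel tripped) for one sample."""
        c = self.c
        lhs = self.dt_comp.step(delta_t)
        setpoint = c.dT0 * (c.k1 - c.k2 * self.tavg_comp.step(t_avg - c.t_ref)
                            + c.k3 * (pressure - c.p_ref)
                            - f1(q_top - q_bottom, c.neg_deadband, c.pos_deadband,
                                 c.f1_gain, c.f1_gain))
        return lhs, setpoint, lhs > setpoint


class OverPowerDeltaT:
    """One channel: same compensated delta-T, K6 chosen by whether T exceeds T''."""
    def __init__(self, c=None):
        self.c = c or Constants()
        self.dt_comp = LeadLag(self.c.tau1, self.c.tau2)

    def step(self, delta_t, t_avg):
        c = self.c
        lhs = self.dt_comp.step(delta_t)
        k6 = c.k6_above if t_avg > c.t_ref else c.k6_below
        setpoint = c.dT0 * (c.k4 - k6 * (t_avg - c.t_ref))
        return lhs, setpoint, lhs > setpoint


def step_response(samples=300):
    """Step delta-T from 60 to 70 deg F at otherwise rated conditions and return
    (compensated delta-T right after the step, settled value): the lead anticipates."""
    ch = OverTemperatureDeltaT()
    ch.step(60.0, 587.0, 2250.0, 50.0, 50.0)            # prime at steady state
    first = ch.step(70.0, 587.0, 2250.0, 50.0, 50.0)[0]
    last = first
    for _ in range(samples):
        last = ch.step(70.0, 587.0, 2250.0, 50.0, 50.0)[0]
    return first, last
```

With these placeholders a fast 10 °F rise in ΔT trips the channel on the first sample through the lead term even though the settled value stays under the setpoint, which is the anticipation the lead-lag compensator exists to provide.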

4. Reactor Coolant System Pressurizer Pressure and Water Level Trips

The specific trip functions generated are as follows:

a. Pressurizer low pressure trip

The purpose of this trip is to protect against low pressure which could lead to DNB. The parameter being sensed is reactor coolant pressure as measured in the pressurizer. Above P-7 the reactor is tripped when the pressurizer pressure measurement falls below preset limits. This trip is blocked below P-7 to permit startup. The trip logic and interlocks are given in Table 7.2-1.

The trip logic is shown on Figure 7.2-1, Sheet 6.

b. Pressurizer high pressure trip

The purpose of this trip is to protect the reactor coolant system against system overpressure.

The same sensors and transmitters used for the pressurizer low pressure trip are used for the high pressure trip except that separate bistables are used for trip. These bistables trip when uncompensated pressurizer pressure signals exceed preset limits on coincidence as listed in Table 7.2-1. There are no interlocks or permissives associated with this trip function.

The logic for this trip is shown on Figure 7.2-1, Sheet 6.

c. Pressurizer high water level trip

This trip is provided as a backup to the pressurizer high pressure trip and serves to prevent water relief through the pressurizer safety valves. This trip is blocked below P-7 to permit startup. The coincidence logic and interlocks of pressurizer high water level signals are given in Table 7.2-1.

The trip logic for this function is shown on Figure 7.2-1, Sheet 6.

5. Reactor Coolant System Low Flow Trips

These trips protect the core from DNB in the event of a loss of coolant flow situation. Figure 7.2-1, Sheet 5 shows the logic for these trips. The means of sensing the loss of coolant flow are as follows:

a. Low reactor coolant flow

The parameter sensed is reactor coolant flow. Four elbow taps in each coolant loop are used as a flow device that indicates the status of reactor coolant flow. The basic function of this device is to provide information as to whether or not a reduction in flow has occurred. An output signal from two out of the three bistables in a loop would indicate a low flow in that loop.

The coincidence logic and interlocks are given in Table 7.2-1.

b. Reactor coolant pump underspeed trip

This function protects the reactor core from DNB in the event of loss of flow in more than one loop by tripping the reactor when the speeds on two out of the four reactor coolant pumps fall below the setpoints. Loss of flow in more than one loop could be caused by a voltage or frequency transient in the plant power supply such as would occur during a loss of offsite power, or by accidental opening of more than one RCP circuit breaker.

There is one speed detector mounted on each reactor coolant pump. The trip is blocked below P-7 to permit plant startup.

RCP speed is detected by a probe mounted on the reactor coolant pump frame. The speed signal is transmitted to the Process Instrumentation and Control System, which converts the signal to a bistable output to the solid state protection system to provide the trip logic function described above.

The RCP underspeed trip replaces the undervoltage and underfrequency reactor trips used previously. The principal reason for this change is to improve plant availability during voltage dip transients which do not result in violations of plant safety limits. The undervoltage trip setpoint was chosen to trip the reactor if the RCP motor pull out torque dropped below nominal due to low voltage. This event could cause a pump speed decrease and a consequent flow reduction. The basis for the undervoltage trip setpoint and time response was the demonstration of acceptable results for the complete loss of flow accident. Transient voltage reductions below the undervoltage trip setpoint followed by subsequent voltage recovery could result in an undervoltage reactor trip even though pump speed and flow reductions would not violate safety limits.

The RCP underspeed trip provides a more direct measurement of the parameter of interest, and will permit the plant to ride through many postulated voltage dip transients without reactor trip if safety limits are not violated. Selection of the underspeed trip setpoint and time response provide for the timely initiation of reactor trip during the complete loss of flow accident and the limiting frequency decay event, consistent with the analysis results reported in Chapter 15.

The logic for this trip is shown on Figure 7.2-1, Sheet 5. The development of P-7 is shown on Figure 7.2-1, Sheet 4.

The capability for sensor checks and for test and calibration of the RCP underspeed trip are in accordance with Sections 4.9 and 4.10 of IEEE-279-1971.

The basis for environmental qualification of the RCP speed detectors is that they will be required to perform their protective function (during the complete loss of flow accident and the limiting frequency decay event) in an environment (i.e., temperature, humidity, pressure, chemical, and radiation) no more severe than the environment in which they are required to perform their normal function. Therefore, it is not necessary to impose environmental qualification requirements on these detectors that are more restrictive than those imposed for use under rated conditions. The RCP speed detectors will be qualified for use under rated conditions with their performance verified by actual on-line operation in the plant. The RCP speed detectors will also require qualification to the worst vibrations to which they could be subjected and required to operate.

6. Steam Generator Low-Low Level Trip

This trip protects the reactor from loss of heat sink. This trip is actuated on two out of four low-low water level signals occurring in any steam generator.

The logic is shown on Figure 7.2-1, Sheet 7.

7. Reactor Trip on a Turbine Trip (anticipatory)

The reactor trip on a turbine trip is actuated by two out of three logic from emergency trip fluid pressure signals or by all closed signals from the turbine steam stop valves. A turbine trip causes a direct reactor trip above P-9. Below P-9 the turbine trip to reactor trip signal is blocked. The reactor trip on turbine trip provides additional protection and conservatism beyond that required for the health and safety of the public. This trip is included as part of good engineering practice and prudent design. No credit is taken in any of the safety analysis (Chapter 15) for this trip.

The turbine provides anticipatory trips to the reactor protection system from contacts which change position when the turbine stop valves close or when the turbine emergency trip fluid pressure goes below its setpoint. Digital isolators (Section 7.2.1.1.8) have been used to isolate these contacts from the reactor protection system cabinets which receive the inputs from these contacts.

One of the design bases considered in the protection system is the possibility of an earthquake. With respect to these contacts, their functioning is unrelated to a seismic event in that they are anticipatory to other diverse parameters which cause reactor trip. The contacts are shut during plant operation and open to cause reactor trip when the turbine is tripped. No power is provided to the protection system from the contacts; they merely serve to interrupt power to cause reactor trip. This design functions in a deenergize-to-trip fashion to cause a plant trip if power is interrupted in the trip circuitry. This ensures that the protection system will in no way be degraded by this anticipatory trip because seismic design considerations do not form part of the design bases for anticipatory trip sensors. (The reactor protection system cabinets which receive the inputs from the anticipatory trip sensors are, of course, seismically qualified as discussed in Section 3.10.) The anticipatory trips thus meet IEEE-279-1971 and BTP ICSB-26, including redundancy, separation, single failure, etc. Seismic qualification of the contact sensors is not required.

The logic for this trip is shown on Figure 7.2-1, Sheet 16.

8. Safety Injection Signal Actuation Trip

A reactor trip occurs when a safety injection signal is initiated. The means of actuating the safety injection system are described in Section 7.3. This trip protects the core against a pipe rupture in the secondary system, an inadvertent secondary system depressurization, an inadvertent operation of the ECCS during power operations, or any other accident which results in a safety injection signal before a reactor trip is generated by the reactor trip system.

Figure 7.2-1, Sheet 8, shows the logic for this trip.

9. Manual Trip

The manual trip consists of two switches. Each trip switch actuates the undervoltage and shunt trip attachments of the Train A and Train B reactor trip breakers and, when one of them is racked-in for surveillance testing, the Train A or Train B reactor trip bypass breakers.

There are no interlocks which can block this trip. Figure 7.2-1, Sheet 3, shows the manual trip logic. The design conforms to Regulatory Guide 1.62, as shown on Figure 7.1-2.

7.2.1.1.3 Reactor Trip System Interlocks

1. Power Escalation Permissives

The overpower protection provided by the out of core nuclear instrumentation consists of three discrete, but overlapping ranges. Continuation of startup operation or power increase requires a permissive signal from the higher range instrumentation channels before the lower range level trips can be manually blocked by the operator.

One of two intermediate range permissive signals (P-6) is required prior to source range trip blocking and detector high voltage cutoff. Source range trips are automatically reactivated and high voltage restored when both intermediate range channels are below the permissive (P-6) setpoint. There are two manual reset switches for administratively reactivating the source range level trip and detector high voltage when between the permissive P-6 and P-10 setpoints, if required.

Source range level trip block and high voltage cutoff are always maintained when above the permissive P-10 setpoint.

The intermediate range level trip and power range (low setpoint) trip can only be blocked after satisfactory operation and permissive information are obtained from two of four power range channels. Four individual blocking switches are provided so that the low range power range trip and intermediate range trip can be independently blocked (one switch for each train). These trips are automatically reactivated when any three of the four power range channels are below the permissive (P-10) setpoint, thus ensuring automatic activation to more restrictive trip protection.

The development of permissives P-6 and P-10 is shown on Figure 7.2-1, Sheet 4.

Both of the permissives are digital; they are derived from analog signals in the nuclear power range and intermediate range channels.

2. Blocks of Reactor Trips at Low Power

Interlock P-7 blocks a reactor trip at low power (below approximately 10 percent of full power) on a low reactor coolant flow in more than one loop, reactor coolant pump underspeed, pressurizer low pressure, pressurizer high water level. See Figure 7.2-1, Sheets 5, 6, and 16, for permissive applications. The low power signal is derived from three out of four power range neutron flux signals below the setpoint in coincidence with two out of two turbine impulse chamber pressure signals below the setpoint (low plant load). See Figure 7.2-1, Sheets 4 and 16, for the derivation of P-7.

The P-8 interlock blocks a reactor trip when the plant is below the P-8 setpoint listed in Technical Specifications Table 2.2-1, on a low reactor coolant flow in any one loop. The block action (absence of the P-8 interlock signal) occurs when three out of four neutron flux power range signals are below the setpoint. Thus, below the P-8 setpoint, the reactor has the capability to operate with one inactive loop and trip will not occur until two loops are indicating low flow. See Figure 7.2-1, Sheet 4, for derivation of P-8, and Sheet 5 for applicable logic.

The P-9 interlock blocks a reactor trip when the plant is below 51 percent of full power, on a turbine trip. The block action (absence of the P-9 interlock signal) occurs when three out of four neutron flux power range signals are below the setpoint. See Figure 7.2-1, Sheet 4, for the derivation of P-9 and Sheet 16 for applicable logic.

See Table 7.2-2 for the list of protection system blocks.
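As an added example (not plant code), the permissive and coincidence behaviour described in 7.2.1.1.2 and 7.2.1.1.3 modelled in Python: the 2/4 block and 3/4 reinstate asymmetry of P-10, the P-6 conditions on the source range trip, the derivation of P-7 from power range and turbine impulse pressure channels, and the P-9 block of the turbine trip. Trains and the per-train block switches are simplified to a single block, and the P-7 power range comparators are assumed to be the same approximately 10 percent ones used for P-10.

```python
"""Added example (not plant code): a model of the reactor trip coincidence and
permissive logic described in 7.2.1.1.2 and 7.2.1.1.3. Inputs are bistable states
as the solid state protection system sees them (True = tripped / above setpoint).
Trains and the per-train block switches are not modelled (simplification)."""
from dataclasses import dataclass, field
from typing import Dict, List


def coincidence(flags: List[bool], needed: int) -> bool:
    """m-out-of-n voting: True when at least `needed` of the n inputs are set."""
    return sum(1 for f in flags if f) >= needed


def _off(n: int):
    return field(default_factory=lambda: [False] * n)


@dataclass
class Channels:
    """Bistable outputs for one evaluation cycle; every value is a constructed input."""
    sr_high_flux: List[bool] = _off(2)        # 2 source range channels
    ir_high_flux: List[bool] = _off(2)        # 2 intermediate range channels
    ir_above_p6: List[bool] = _off(2)         # intermediate range channels vs P-6
    pr_high_flux_low: List[bool] = _off(4)    # 4 power range channels, low setpoint
    pr_high_flux_high: List[bool] = _off(4)   # 4 power range channels, high setpoint
    pr_above_p10: List[bool] = _off(4)        # power range channels vs ~10 % power
    pr_above_p9: List[bool] = _off(4)         # power range channels vs 51 % power
    turbine_pressure_low: List[bool] = _off(2)  # 2 turbine impulse chamber pressures
    rcp_underspeed: List[bool] = _off(4)      # 4 reactor coolant pump speed channels
    turbine_tripped: bool = False             # 2/3 trip fluid pressure or all stop valves closed


class TripBlocks:
    """Manual blocks of the startup trips, with the automatic reinstatement the text describes."""

    def __init__(self):
        self.sr_blocked = self.ir_blocked = self.pr_low_blocked = False

    def update(self, ch: Channels, block_sr=False, block_ir=False,
               block_pr_low=False, reinstate_sr=False):
        p6 = coincidence(ch.ir_above_p6, 1)                          # 1/2 IR above P-6
        p6_lost = not any(ch.ir_above_p6)                            # both IR below P-6
        p10 = coincidence(ch.pr_above_p10, 2)                        # 2/4 PR above ~10 %
        p10_lost = coincidence([not a for a in ch.pr_above_p10], 3)  # 3/4 PR below
        # Source range: bypassed automatically above P-10. Below P-10 it stays
        # blocked until both IR channels drop below P-6 or the operator performs
        # the two-switch administrative reinstatement; a manual block needs P-6.
        if p10:
            self.sr_blocked = True
        elif p6_lost or reinstate_sr:
            self.sr_blocked = False
        elif block_sr and p6:
            self.sr_blocked = True
        # IR and PR low-setpoint trips: block permitted by P-10 (2/4 above),
        # removed automatically when 3/4 are below; reinstatement wins.
        if p10_lost:
            self.ir_blocked = self.pr_low_blocked = False
        elif p10:
            self.ir_blocked = self.ir_blocked or block_ir
            self.pr_low_blocked = self.pr_low_blocked or block_pr_low


def evaluate_trips(ch: Channels, blocks: TripBlocks) -> Dict[str, bool]:
    """Which trips are demanded this cycle, using the coincidence and interlocks
    stated in the text. P-7 low power is taken from the same ~10 % comparators as
    P-10 (assumption) in coincidence with 2/2 turbine impulse pressure channels."""
    pr_below_p10 = [not a for a in ch.pr_above_p10]
    p7_low_power = coincidence(pr_below_p10, 3) and coincidence(ch.turbine_pressure_low, 2)
    p9_absent = coincidence([not a for a in ch.pr_above_p9], 3)   # 3/4 below 51 %
    return {
        "source range high flux": not blocks.sr_blocked and coincidence(ch.sr_high_flux, 1),
        "intermediate range high flux": not blocks.ir_blocked and coincidence(ch.ir_high_flux, 1),
        "power range high flux, low setpoint":
            not blocks.pr_low_blocked and coincidence(ch.pr_high_flux_low, 2),
        "power range high flux, high setpoint": coincidence(ch.pr_high_flux_high, 2),
        "RCP underspeed": not p7_low_power and coincidence(ch.rcp_underspeed, 2),
        "turbine trip": not p9_absent and ch.turbine_tripped,
    }


def undervoltage_coil_energized(trips: Dict[str, bool]) -> bool:
    """Deenergize-to-trip: the breaker's undervoltage attachment is held
    energized only while no trip is demanded."""
    return not any(trips.values())
```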

7.2.1.1.4 Coolant Temperature Sensor Arrangement

The individual narrow range hot and cold leg temperature signals required for input to the reactor trip circuits and interlocks are obtained using RTDs installed in each reactor coolant loop.

The hot leg temperature measurement on each loop is accomplished with three fast-response, narrow-range, single-element RTDs mounted in thermowells, spatially located approximately 120° around the hot leg. One wide range RTD is installed in each hot leg. One fast response, narrow range, dual element RTD is located in each cold leg at the discharge of the reactor coolant pump. One wide range RTD is installed in each cold leg. Temperature streaming in the cold leg is minimized due to the mixing action of the RCP; hence, only one narrow range cold leg RTD is required.

The narrow range cold leg temperature measurement, together with the average obtained from the three narrow range hot leg temperatures, is used to calculate reactor coolant loop delta-T and T-avg which are used in the reactor control and protection system.

7.2.1.1.5 Pressurizer Water Level Reference Leg Arrangement

The design of the pressurizer water level instrumentation employs a tank level arrangement using differential pressure between an upper and a lower tap on a column of water. A reference leg connected to the upper tap is kept full of water by condensation of steam at the top of the leg.

7.2.1.1.6 Analog System

The analog system consists of two instrumentation systems: the process instrumentation system and the nuclear instrumentation system.

Process instrumentation includes those devices (and their interconnection into systems) which measure temperature, pressure, fluid flow, fluid level as in tanks or vessels, and occasional physiochemical parameters such as fluid conductivity or chemical concentration. Process instrumentation specifically excludes nuclear and radiation measurements. The process instrumentation includes the process measuring devices, power supplies, indicators, recorders, alarm actuating devices, controllers, signal conditioning devices, etc., which are necessary for day-to-day operation of the nuclear steam supply system (NSSS) as well as for monitoring the plant and providing initiation of protective functions upon approach to unsafe plant conditions.

The primary function of nuclear instrumentation is to protect the reactor by monitoring the neutron flux and generating appropriate trips and alarms for various phases of reactor operating and shutdown conditions. It also provides a secondary control function and indicates reactor status during startup and power operation. The nuclear instrumentation system (NIS) uses information from three separate types of instrumentation channels to provide three discrete protection levels. Each range of instrumentation (source, intermediate, and power) provides the necessary overpower reactor trip protection required during operation in that range. The overlap of instrument ranges provides reliable continuous protection beginning with source level through the intermediate and low power level. As the reactor power increases, the overpower protection level is increased by administrative procedures after satisfactory higher range instrumentation operation is obtained. Automatic reset to more restrictive trip protection is provided when reducing power.

Various types of neutron detectors, with appropriate solid-state electronic circuitry, are used to monitor the leakage neutron flux from a completely shutdown condition to 120 percent of full power. The power range channels are capable of recording overpower excursions up to 200 percent of full power. The neutron flux covers a wide range between these extremes.

The nuclear instrumentation providing reactor trip functions utilizes multiple-range detectors (i.e., BF3 detectors to monitor source range, compensated ion chambers for intermediate range, and uncompensated ion chambers for power range). Compliance to requirements of Regulatory Guide 1.97, Revision 2, (post-accident) and Appendix R to 10 CFR 50 (safe shutdown instrumentation) is achieved through the use of dual-redundant channels of extended range fission chambers capable of monitoring twelve decades of reactor power. The extended range fission chambers provide input to shutdown monitors which detect and annunciate a loss of shutdown margin, such as inadvertent boron dilution during shutdown or refueling. The extended range fission chambers do not interface with the solid state protection system described in Section 7.2.1.1.7.

The lowest range (source range) covers six decades of leakage neutron flux. The lowest observed count rate depends on the strength of the neutron sources in the core and the core multiplication associated with the shutdown reactivity. This is generally greater than two counts per second. The next range (intermediate range) covers eight decades. Detectors and instrumentation are chosen to provide overlap between the higher portion of the source range and the lower portion of the intermediate range. The highest range of instrumentation (power range) covers approximately two decades of the total instrumentation range. This is a linear range that overlaps with the higher portion of the intermediate range.

The system described above provides control room indication and recording of signals proportional to reactor neutron flux during core loading, shutdown, startup and power operation, as well as during subsequent refueling. Start-up-rate indication for the source and intermediate range channels is provided at the control board. Reactor trip, rod stop, control and alarm signals are transmitted to the reactor control and protection system for automatic plant control.

Equipment failures and test status information are annunciated in the control room. See WCAP-7913 and WCAP-8255 for additional background information on the process and nuclear instrumentation.

7.2.1.1.7 Solid State Logic Protection System

The solid state logic protection system takes binary inputs (voltage/no voltage) from the process and nuclear instrument channels corresponding to conditions (normal/abnormal) of plant parameters. The system combines these signals in the required logic combination and generates a trip signal by interrupting voltage to the undervoltage trip attachments and by supplying voltage to the shunt trip auxiliary relay coils of the reactor trip breakers when the necessary combination of signals occurs. The system also provides annunciator, status light and computer input signals which indicate the condition of bistable input signals, partial trip and full trip functions and the status of the various blocking, permissive and actuation functions. In addition, the system includes means for semi-automatic testing of the logic circuits (WCAP-7488-L and WCAP-7672).

7.2.1.1.8 Isolators

Analog Isolators

In certain applications, Westinghouse considers it advantageous to employ control signals derived from individual protection channels through isolation amplifiers contained in the protection channel, as permitted by IEEE Standard 279-1971.

In all of these cases, analog signals derived from protection channels for non-protective functions are obtained through isolation amplifiers located in the analog protection racks. By definition, non-protective functions include those signals used for control, remote process indication, and computer monitoring. Refer to Section 7.1.2.2.1 for discussion of electrical separation of control and protection functions.

Digital Isolators

Digital isolators provide separation between safety and non safety related control circuits. They are located in the process instrumentation and control system, the nuclear instrumentation system, and the solid state protection system. The isolators meet all the requirements of Regulatory Guides 1.75 and 1.89 for Class IE isolation devices.

Isolator cabinets are located in various places throughout the plant and provide an interface between Class IE equipment and Non-Class IE equipment. All the wiring and devices in the isolator cabinets associated with Class IE equipment are separated from those associated with Non-Class IE equipment by a barrier panel so that any credible failure of Non-Class IE equipment cannot prevent the proper functioning of the Class IE system. The isolators consist of a coil on one side of the barrier and a magnetically operated reed switch on the other side.

7.2.1.1.9 Energy Supply and Environmental Variations

The energy supply for the reactor trip system, including the voltage and frequency variations, is described in Section 7.6 and Chapter 8. The environmental variations, throughout which the system performs, are given in Section 3.11 and Chapter 8.

7.2.1.1.10 Setpoints

The setpoints that require trip action are given in the Technical Specifications. A detailed discussion on setpoints is found in Section 7.1.2.1.9.

7.2.1.1.11 Seismic Design

The seismic design considerations for the reactor trip system are given in Section 3.10. This design meets the requirements of Criterion 2 of the 1971 General Design Criteria (GDC).

7.2.1.2 Design Bases Information

The information given below presents the design bases information requested by Section 3 of IEEE Standard 279-1971. Functional logic diagrams are presented on Figure 7.2-1.

7.2.1.2.1 Generating Station Conditions

The reactor trip system limits the generating station conditions to:

1. DNBR not less than the safety analysis limits (see Section 4.4).
2. Power density (kilowatts per foot) not greater than the rated value for Condition II faults (see Section 4.1).
3. Reactor coolant system overpressure creating stresses approaching the limits specified in Chapter 5.

7.2.1.2.2 Generating Station Variables

The following are the variables and conditions required to be monitored in order to provide reactor trips (Table 7.2-1):

1. Neutron flux.
2. Reactor coolant temperature.
3. Reactor coolant system pressure (pressurizer pressure).
4. Pressurizer water level.
5. Reactor coolant flow.
6. Reactor coolant pump operational status (shaft speed).
7. Steam generator water level.
8. Turbine-generator operational status (trip fluid pressure and stop valve position).
9. Automatic safety injection signals.
10. Manual reactor trips.
11. General warning alarms (in both trains).
12. SSPS N-1 misalignment.

N-1 operation is no longer within the Millstone Unit 3 Design Bases. Previously installed SSPS equipment to support N-1 operation still exists within the plant.

Therefore, the mis-alignment SSPS N-1 reactor trip has been maintained and remains operational should the selector switches be inadvertently actuated.

7.2.1.2.3 Spatially Dependent Variables

1. The measurement of reactor coolant hot leg temperature has significant spatial dependence. The effect on the measurement is limited by taking three temperature measurements spaced approximately 120° apart around the hot leg.
2. Reactor core power exhibits a spatial dependence across the plane of the core (i.e., radial power distribution) as well as along the length of the core (i.e., axial power distribution). The core safety limits, for which the Overpower and Overtemperature ΔT reactor trips provide protection, are developed assuming a reference core power distribution. A compensating term, f1(ΔI), is then added to the Overtemperature ΔT reactor trip to account for axial core power distributions more severe than the reference core power distribution. Upper and lower sections of each power range neutron flux channel provide the measurements required to synthesize the f1(ΔI) function.

7.2.1.2.4 Limits, Margins, and Setpoints

The parameter values that would require reactor trip are given in the Technical Specifications, the Core Operating Limits Report (COLR) and in Chapter 15, Accident Analyses. Chapter 15 proves that the setpoints used in the Technical Specifications are conservative.

The setpoints for the various functions in the reactor trip system have been analytically determined such that the operational limits so prescribed will prevent fuel clad damage and loss of integrity of the reactor coolant system as a result of any ANS Condition II incident (anticipated malfunction). As such, during any ANS Condition II incident, the reactor trip system limits the following parameters to:

1. DNBR not less than the safety analysis limits (see Section 4.4)
2. Maximum system pressure not greater than 2750 psia
3. Fuel rod maximum linear power not greater than the design limit (see Section 4.1)

The accident analyses described in Chapter 15 demonstrate that the functional requirements as specified for the reactor trip system are adequate to meet the above considerations, even when assuming, for conservatism, adverse combinations of instrument errors (Table 15.3-1). A discussion of the safety limits associated with the reactor core and reactor coolant system, plus the limiting safety system setpoints, is presented in the Technical Specifications and the COLR.

7.2.1.2.5 Abnormal Events

The malfunctions, accidents or other unusual events which could physically damage reactor trip system components or could cause environmental changes are as follows:

1. Earthquakes (Chapters 2 and 3)
2. Fire (Section 9.5)
3. Explosion (hydrogen buildup inside containment) (Section 6.2)
4. Missiles (Section 3.5)
5. Flood (Chapters 2 and 3)
6. Wind and tornadoes (Section 3.3)

The reactor trip system fulfills the requirements of IEEE Standard 279-1971 to provide automatic protection and to provide initiating signals to mitigate the consequences of faulted conditions. The reactor trip system relies upon provisions made by the owner and operator of the plant to provide protection against destruction of the system from fires, explosions, missiles, floods, wind, and tornadoes (see each item above).

7.2.1.2.6 Minimum Performance Requirements

1. Reactor trip system response times Reactor trip system response time is defined in Section 7.1. Maximum allowable time delays in generating the reactor trip signal are tabulated in Table 7.2-3. (See Section 7.1.2.11 for a discussion of periodic response time verification capabilities.)
2. Reactor trip accuracies Accuracy is defined in Section 7.1. Reactor trip accuracies are tabulated in Table 7.2-3. An additional discussion on accuracy is found in Section 7.1.2.1.9.
3. Reactor trip system ranges Reactor trip system ranges are tabulated in Table 7.2-3. Range selection for the instrumentation covers the expected range of the process variable being monitored during power operation. Reactor trip setpoints are at least 5 percent from the end of the instrument span.

7.2.1.3 Final Systems Drawings

Functional block diagrams, electrical elementaries and other drawings required to assure electrical separation and perform a safety review are provided in the safety related drawing package (Section 1.7).

7.2.2 ANALYSES

7.2.2.1 Failure Mode and Effects Analyses

An analysis of the reactor trip system has been performed. Results of this study and a fault tree analysis are presented in WCAP-7706-L and WCAP-7706.

7.2.2.2 Evaluation of Design Limits

While most setpoints used in the reactor protection system are fixed, there are variable setpoints, most notably the overtemperature ΔT and overpower ΔT setpoints. All setpoints in the reactor trip system have been selected on the basis of engineering design or safety studies. The capability of the reactor trip system to prevent loss of integrity of the fuel cladding and/or reactor coolant system pressure boundary during Condition II and III transients is demonstrated in Chapter 15.

These accident analyses are carried out using those setpoints determined from results of the engineering design studies. Setpoint limits are presented in the Technical Specifications and the COLR. A discussion of the intent for each of the various reactor trips and the accident analyses (where appropriate) which utilize each trip is presented below. It should be noted that the selected trip setpoints all provide for margin before protective action is actually required, to allow for instrument and process uncertainties. The design meets the requirements of Criteria 10 and 20 of the 1971 GDC.

7.2.2.2.1 Trip Setpoint Discussion

As discussed in Section 4.4, the departure from nucleate boiling (DNB) design basis is that there will be at least a 95 percent probability (at a 95 percent confidence level) that DNB will not occur due to Condition I and II events. If the DNBR were to decrease below the safety analysis limits during these events, the probability of local fuel cladding failure would be unacceptable. The DNBR existing at any point in the core for a given core design can be determined as a function of the core inlet temperature, power output, operating pressure and flow. Consequently, core safety limits which are based on the DNBR safety limits (see Section 4.4) are developed as a function of core ΔT, Tavg and pressure, for a specified flow as illustrated by the solid lines on Figure 15.0-1.

Also shown as a dashed line on Figure 15.0-1 are the loci of conditions equivalent to 121 percent of power as a function of ΔT and Tavg representing the overpower (kW/ft) limit on the fuel (see Chapter 4). The dashed lines indicate the maximum permissible setpoint (ΔT) as a function of Tavg and pressure for the overtemperature and overpower reactor trip. Actual setpoint constants in the equation representing the dashed lines are as given in the COLR. These values are conservative to allow for instrument errors. The design meets the requirements of Criteria 10, 15, 20, and 29, of the 1971 GDC.

DNBR is not a directly measurable quantity; however, the process variables that determine DNB are sensed and evaluated. Small, isolated changes in various process variables may not individually result in violation of a core safety limit; whereas the combined variations, over sufficient time, may cause the overpower or overtemperature safety limit to be exceeded. The design concept of the reactor trip system takes cognizance of this situation by providing reactor trips associated with individual process variables in addition to the overpower/overtemperature safety limit trips. Process variable trips prevent reactor operation whenever a change in the monitored value is such that a core or system safety limit is in danger of being exceeded should operation continue. Basically, the high pressure, low pressure and overpower/overtemperature ΔT trips provide sufficient protection for slow transients, as opposed to such trips as low flow or high flux, which will trip the reactor for rapid changes in flow or flux, respectively, that would result in fuel damage before actuation of the slower responding ΔT trips could be effected.

Therefore, the reactor trip system has been designed to provide protection for fuel cladding and reactor coolant system pressure boundary integrity where:

1. A rapid change in a single variable or factor will quickly result in exceeding a core or a system safety limit
2. A slow change in one or more variables will have an integrated effect which will cause safety limits to be exceeded.

Overall, the reactor trip system offers diverse and comprehensive protection against fuel cladding failure and/or loss of reactor coolant system integrity for Condition II and III accidents. This is demonstrated by Table 7.2-4 which lists the various trips of the reactor trip system, the corresponding technical specification on safety limits and safety system settings and the appropriate accident discussed in the safety analyses in which the trip could be utilized.

The resetting of the reactor trip system instrumentation setpoints as listed in the Technical Specifications will be carried out under prescribed administrative procedures, under the direction of authorized supervision, and with the plant conditions prescribed in Section 3.4.1.1 of the Technical Specifications.

The RTS design meets the requirements of Criterion 21 of the 1971 GDC.

Preoperational testing is performed on reactor trip system components and systems to determine equipment readiness for startup. This testing serves as a further evaluation of the system design.

Analyses of the results of Condition I, II, III, and IV events, including considerations of instrumentation installed to mitigate their consequences, are presented in Chapter 15. The instrumentation installed to mitigate the consequences of load rejection and turbine trip is given in Section 7.4.

7.2.2.2.2 Reactor Coolant Flow Measurement

The elbow taps used on each loop in the primary coolant system are instrument devices that indicate the status of the reactor coolant flow. The basic function of this device is to provide information as to whether or not a reduction in flow has occurred. The correlation between flow and elbow tap signal is given by the following equation:

$$\frac{\Delta P}{\Delta P_o} = \left(\frac{W}{W_o}\right)^2 \qquad (7.2\text{-}3)$$

where ΔPo is the pressure differential at the reference flow Wo, and ΔP is the pressure differential at the corresponding flow, W. The full flow reference point is established during initial plant startup. The low flow trip point is then established by extrapolating along the correlation curve.

The expected absolute accuracy of the channel is within +/- 10 percent of full flow and field results have shown the repeatability of the trip point to be within +/- 1 percent.

7.2.2.2.3 Evaluation of Compliance to Applicable Codes and Standards

The reactor trip system meets the criteria of the general design criteria as indicated. The reactor trip system meets the requirements of Section 4 of IEEE Standard 279-1971, as indicated below:

1. General Functional Requirement The protection system automatically initiates appropriate protective action whenever a condition monitored by the system reaches a preset level. Functional performance requirements are given in Section 7.2.1.1.1. Section 7.2.1.2.4 presents a discussion of limits, margins and levels; Section 7.2.1.2.5 discusses abnormal events; and Section 7.2.1.2.6 presents minimum performance requirements.
2. Single Failure Criterion The protection system is designed to provide two, three, or four instrumentation channels for each protective function and two logic train circuits. These redundant channels and trains are electrically isolated and physically separated. Thus, any single failure within a channel or train does not prevent protective action at the system level when required. Loss of input power, the most likely mode of failure, to a channel or logic train, will result in a signal calling for a trip. This design meets the requirements of Criterion 23 of the 1971 GDC.

To prevent the occurrence of common mode failures, such additional measures as functional diversity, physical separation, and testing as well as administrative control during design, production, installation and operation, are employed, as discussed in WCAP-7706-L and WCAP-7706. The design meets the requirements of Criteria 21 and 22 of the 1971 GDC.

3. Quality of Components and Modules For a discussion on the quality of the components and modules used in the reactor trip system, refer to Chapter 17. The quality assurance applied conforms to Criterion 1 of the 1971 GDC.
4. Equipment Qualification For a discussion of the type tests made to verify the performance requirements, refer to Section 3.11. The test results demonstrate that the design meets the requirements of Criterion 4 of the 1971 GDC.
5. Channel Integrity Protection system channels required to operate in accident conditions maintain necessary functional capability under extremes of conditions relating to environment, energy supply, malfunctions, and accidents. The energy supply for the reactor trip system is described in Section 7.6 and Chapter 8. The environmental variations, throughout which the system will perform are given in Section 3.11.
6. Independence Channel independence is carried throughout the system, extending from the sensor through to the devices actuating the protective function. Physical separation is used to achieve separation of redundant transmitters. Separation of wiring is achieved using separate wireways, cable trays, conduit runs and containment penetrations for each redundant channel. Redundant analog equipment is separated by locating modules in different protection cabinets. Each redundant protection channel set is energized from a separate AC power feed. This design meets the requirements of Criterion 21 of the 1971 GDC.

Two reactor trip breakers are actuated by two separate logic matrices which interrupt power to the control rod drive mechanisms. The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all full-length control rod drive mechanisms, permitting the rods to free fall into the core. See Figure 7.1-1.

The design philosophy is to make maximum use of a wide variety of measurements. The protection system continuously monitors numerous diverse system variables. Generally, two or more diverse protection functions would terminate an accident before intolerable consequences could occur (see Table 15.0-6). This design meets the requirements of Criterion 22 of the 1971 GDC.

7. Control and Protection System Interaction The protection system is designed to be independent of the control system. In certain applications the control signals and other non-protective functions are derived from individual protective channels through isolation amplifiers. The isolation amplifiers are classified as part of the protection system and are located in the analog protective racks. Non-protective functions include those signals used for control, remote process indication, and computer monitoring. The isolation amplifiers are designed such that a short circuit, open circuit, or the application of credible fault voltages from within the cabinets on the isolated output portion of the circuit, i.e., the non-protective side of the circuit, does not affect the input (protective) side of the circuit. The signals obtained through the isolation amplifiers are never returned to the protective racks. This design meets the requirements of Criterion 24 of the 1971 GDC and Paragraph 4.7 of IEEE Standard 279-1971.

The results of applying various malfunction conditions on the output portion of the isolation amplifiers show that no significant disturbance to the isolation amplifier input signal occurred.

8. Derivation of System Inputs To the extent feasible and practical, protection system inputs are derived from signals which are direct measures of the desired variables. Variables monitored for the various reactor trips are listed in Section 7.2.1.2.2.
9. Capability for Sensor Checks The operational availability of each system input sensor during reactor operation is accomplished by cross checking between channels that bear a known relationship to each other and that have read-outs available. Channel checks are discussed in Technical Specification 3/4.3 and Table 4.3-1 of the Technical Specifications.
10. Capability for Testing The reactor trip system is capable of being tested during power operation. Where only parts of the system are tested at any one time, the testing sequence provides the necessary overlap between the parts to assure complete system operation. The testing capabilities are in conformance with Regulatory Guide 1.22 as discussed in Section 7.1.2.5.

The protection system is designed to permit periodic testing of the analog channel portion of the reactor trip system during reactor power operation without initiating a protective action unless a trip condition actually exists. This is because of the coincidence logic required for reactor trip. These tests may be performed at any plant power from cold shutdown to full power. Before starting any of these tests with the plant at power, all redundant reactor trip channels associated with the function to be tested must be in the normal (untripped) mode in order to avoid spurious trips. Setpoints for the Reactor Trip System are specified in Technical Specifications Table 2.2-1.

Analog Channel Tests

Analog channel testing is performed at the analog instrumentation rack set by individually introducing dummy input signals into the instrumentation channels and observing the tripping of the appropriate output bistables. Process analog output to the logic circuitry is interrupted during individual channel test by a test switch which, when thrown, de-energizes the associated logic input and inserts a proving lamp in the bistable output. Interruption of the bistable output to the logic circuitry for any reason (test, maintenance purposes, or removed from service) will cause that portion of the logic to be actuated (partial trip), accompanied by a partial trip alarm and channel status light actuation in the control room. Each channel contains those switches, test points, etc., necessary to test the channel (WCAP-7913; WCAP-8255).

The following periodic tests of the analog channels of the protection circuits are performed:

a. Tavg and ΔT protection channel testing.
b. Pressurizer pressure protection channel testing.
c. Pressurizer water level protection channel testing.
d. Steam generator water level protection channel testing.
e. Reactor coolant low flow, underspeed protection channels.
f. Impulse chamber pressure channel testing.

Nuclear Instrumentation Channel Tests

Prior to testing, the power range channels of the Nuclear Instrumentation System (NIS) may be calibrated on a tripped channel with the channel detector disabled to eliminate live channel interference. Because the power range channel reactor trip logic is two out of four, channel trip bypass is not required. The channel is tripped by removing the control power fuses in the channel under test. This results in a one out of three logic to cause a reactor trip.

To test a power range channel, a TEST-OPERATE switch is provided to require deliberate operator action, operation of which initiates the CHANNEL TEST annunciator in the control room. The channel may be tested with the channel tripped or by restoring the channel to operation. It should be noted that if testing is performed after the channel is restored to operation, a valid trip signal would cause the channel under test to trip at a lower actual reactor power level. In either case, a reactor trip would occur when a second bistable trips. Bistable operation is tested by increasing the test signal to its trip setpoint and verifying bistable relay operation by control board annunciator and trip status lights.

A nuclear instrumentation system channel which can cause a reactor trip through one of two protection logic (source or intermediate range) is provided with a bypass function which prevents the initiation of a reactor trip from that particular channel during the short period that it is undergoing test. These bypasses are annunciated in the control room.

The nuclear instrumentation system is tested periodically in accordance with Table 4.3-1 of the Technical Specifications.

Any deviations noted during the performance of the tests are investigated and corrected in accordance with the established calibration and troubleshooting procedures for the nuclear instrumentation system. Reactor trip setpoints are indicated in the Technical Specifications.

For additional background information on the nuclear instrumentation system, refer to WCAP-8255.

Solid State Logic Testing

The reactor logic trains of the reactor trip system are designed to be capable of complete testing at power. After the individual channel analog testing is complete, the logic matrices are tested from the Train A and Train B logic rack test panels.

This step provides overlap between the analog and logic portions of the test program. During this test, all of the logic inputs are actuated automatically in all combinations of trip and non-trip logic. The reactor trip undervoltage and shunt trip relay coils are pulsed in order to check logic. During logic testing of one train, the other train can initiate any required protective functions. Door limit switches on each door of each train assembly provide remote indication of open solid state protection system doors. Annunciation is also provided in the control room to indicate when a train is in test (train output bypassed) and when a reactor trip breaker is bypassed. Logic testing can be performed in less than 30 minutes.

Logic testing is one of the SSPS surveillances. Refer to Technical Specifications Section 3/4.3.1 for Reactor Trip System surveillance requirements and limiting conditions for operation.

A reactor trip resulting from underspeed of the reactor coolant pumps is provided as discussed in Section 7.2.1 and shown on Figure 7.2-1. The logic for this trip is capable of being tested during power operation. When parts of the trip are being tested, the sequence is such that an overlap is provided between parts so that a complete logic test is provided.

This design complies with the testing requirements of IEEE Standard 279-1971 and IEEE Standard 338-1971 discussed in Section 7.1.2.11.

The permissive and block interlocks associated with the reactor trip system and engineered safety features actuation system are given in Tables 7.2-2 and 7.3-3 and designated protection or P interlocks. As a part of the protection system, these interlocks are designed to meet the testing requirements of IEEE Standard 279-1971 and 338-1971.

Testing of all protection system interlocks is provided by the logic testing and semi-automatic testing capabilities of the solid state protection system. In the solid state protection system, the undervoltage trip attachment and shunt trip auxiliary relay coils (reactor trip) and master relays (engineered safeguards actuation) are pulsed for all combinations of trip or actuation logic with and without the interlock signals. For example, reactor trip on low flow (2 out of 4 loops showing 2 out of 3 low flow) is tested to verify operability of the trip above P-7 and non-trip below P-7 (Figure 7.2-1, Sheet 5). Interlock testing may be performed at power.

Testing of the logic trains of the reactor trip system includes a check of the input relays and a logic matrix check. The following sequence is used to test the system:

a. Check of input relays During testing of the process instrumentation system and nuclear instrumentation system channels, each channel bistable is placed in a trip mode causing one input relay in Train A and one in Train B to de-energize.

A contact of each relay is connected to a universal logic printed circuit card. This card performs both the reactor trip and monitoring functions.

Each reactor trip input relay contact causes a status lamp and an annunciator on the control board to operate. Either the Train A or Train B input relay operation lights the status lamp and annunciator.

Each train contains a multiplexing test switch. At the start of a process or nuclear instrumentation system test, this switch (in either train) is placed in the A + B position. The A + B position alternately allows for information to be transmitted from the two trains to the control board. A steady status lamp and annunciator indicates that input relays in both trains have been de-energized. A flashing lamp means that the input relays in the two trains did not both de-energize. Contact inputs to the logic protection system such as turbine stop valve limit switches operate input relays which are tested by operating the remote contacts as described above and using the same type of indications as those provided for bistable input relays.

Actuation of the input relays provides the overlap between the testing of the logic protection system and the testing of those systems supplying the inputs to the logic protection system. Test indications are status lamps and annunciators on the control board. Inputs to the logic protection system are checked one channel at a time, leaving the other channels in service. For example, a function that trips the reactor when two out of four channels trip becomes a one out of three trip when one channel is placed in the trip mode. Both trains of the logic protection system remain in service during this portion of the test.

b. Check of logic matrices Logic matrices are checked one train at a time. Input relays are not operated during this portion of the test. Reactor trips from the train being tested are inhibited with the use of the input error inhibit switch on the semi-automatic test panel in the train. At the completion of the logic matrix tests, the bistable status lights on the main control board section 4 (3IHA-ANNMB4G) will be checked to ensure the closure of the input error inhibit switch contacts. The tripped condition of the bistable status lights for Power Range P-10 Permissives channel 1 through 4 or Turbine Stop Valves 1 through 4 will be checked depending on the plant thermal power level (above 10% or below 10% respectively) during the test. The logic test scheme uses pulse techniques to check the coincidence logic. All possible trip and non trip combinations are checked. Pulses from the tester are applied to the inputs of the universal logic card at the same terminals that connect to the input relay contacts. Thus there is an overlap between the input relay check and the logic matrix check. Pulses are fed back from the reactor trip breaker undervoltage trip attachment and shunt trip auxiliary relay coils to the tester. The pulses are of such short duration that the reactor trip breaker undervoltage coil armature cannot respond mechanically (Figure 7.1-2).

Test indications that are provided are an annunciator in the control room indicating that reactor trips from the train have been blocked and that the train is being tested, and green and red lamps on the semi-automatic tester indicate a good or bad logic matrix test. Protection capability provided during this portion of the test is from the train not being tested.

The testing capability meets the requirements of Criterion 21 of the 1971 GDC.
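The coincidence behaviour described above (a channel placed in test reads as a partial trip, so a two-out-of-four function becomes one-out-of-three; the semi-automatic tester pulses every trip and non-trip combination through the matrix; the A + B multiplexing position gives a steady or flashing lamp) can be modelled in a few lines. The following is an added illustration written for this page, not the plant's or Westinghouse's logic: the generic m-out-of-n vote, the tester loop and the constructed "stuck input" fault are assumptions; the channel counts and lamp behaviour follow the text.

```python
"""Model of the SSPS coincidence logic and its exhaustive matrix test.

Added illustration only; it is not the FSAR's or Westinghouse's logic. The
channel counts, the partial trip produced by a channel under test and the
steady/flashing lamp in the A + B position follow the text above; the
m-out-of-n voting function and the tester loop are generic assumptions.
"""
from itertools import product


def coincidence_trip(inputs, required):
    """m-out-of-n vote: True (trip) when at least `required` inputs demand a trip.
    An input of True means that channel's input relay is de-energized, so loss
    of power to a channel is read as a trip demand (the fail-safe direction)."""
    return sum(1 for i in inputs if i) >= required


def channel_inputs(bistables, in_test):
    """Inputs seen by one train: a tripped bistable or a channel placed in test
    (output interrupted by the test switch) both de-energize the input relay."""
    return [tripped or ch in in_test for ch, tripped in enumerate(bistables)]


def reactor_trip(bistables, in_test=(), required=2):
    """Reactor trip demand for a 2-out-of-4 function with some channels in test."""
    return coincidence_trip(channel_inputs(bistables, in_test), required)


def effective_logic(n_channels, required, in_test):
    """(trips still needed, live channels): 2/4 with one channel in test is 1/3."""
    return (max(required - len(in_test), 0), n_channels - len(in_test))


def exhaustive_matrix_check(logic, n_inputs, required):
    """Emulate the semi-automatic tester: pulse every trip/non-trip combination
    into the matrix and compare with the intended vote. Returns the failing
    input patterns; an empty list is the 'green lamp' result."""
    failures = []
    for pattern in product((False, True), repeat=n_inputs):
        intended = sum(pattern) >= required
        if bool(logic(pattern)) != intended:
            failures.append(pattern)
    return failures


def ab_status_lamp(train_a_deenergized, train_b_deenergized):
    """Lamp in the A + B multiplexing position: steady when both trains' input
    relays dropped out, flashing when only one did, off otherwise."""
    if train_a_deenergized and train_b_deenergized:
        return "steady"
    if train_a_deenergized or train_b_deenergized:
        return "flashing"
    return "off"


if __name__ == "__main__":
    # Constructed example: channel 0 under test, channel 1 tripped -> 2 of 4 met.
    print("trip with ch0 in test and ch1 tripped:",
          reactor_trip([False, True, False, False], in_test=(0,)))
    print("effective logic with one channel in test:", effective_logic(4, 2, (0,)))
    # Constructed fault: a matrix card that ignores channel 3 fails three patterns.
    print("good matrix failures:",
          exhaustive_matrix_check(lambda p: coincidence_trip(p, 2), 4, 2))
    print("stuck-input failures:",
          exhaustive_matrix_check(lambda p: sum(p[:3]) >= 2, 4, 2))
```

The exhaustive check is the point of the model: a matrix that ignores one input still trips correctly on most patterns, and only enumerating all sixteen combinations exposes the three patterns on which it fails.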

Testing of Reactor Trip Breakers

Normally, reactor trip breakers 52/RTA and 52/RTB are in service, and bypass breakers 52/BYA and 52/BYB are withdrawn (out of service). The following procedure describes the method used for testing the trip breakers:

a. With bypass breaker 52/BYA racked out in the Test position, manually close and trip it to verify its operation.

b. Rack in and close 52/BYA. Manually trip 52/RTA through a protection system logic matrix while at the same time operating the Auto Shunt Trip Block pushbutton on the automatic shunt trip panel. This verifies operation of the undervoltage trip attachment (UVTA) when the breaker trips. After reclosing RTA, trip it again by operation of the Auto Shunt Trip Test pushbutton on the automatic shunt trip panel. This is to verify tripping of the breaker through the shunt trip device.
c. Close 52/RTA.
d. Trip and rack out 52/BYA.
e. Repeat above steps a through d to test reactor trip breaker 52/RTB using bypass breaker 52/BYB.

Auxiliary contacts of the bypass breakers are connected into the alarm system of their respective trains such that if either train is placed in test while the bypass breaker of the other train is closed, both reactor trip breakers and both bypass breakers automatically trip.

Auxiliary contacts of the bypass breakers are also connected in such a way that if an attempt is made to close the bypass breaker in one train while the bypass breaker of the other train is already closed, both bypass breakers automatically trip.

The Train A and Train B alarm systems operate separate annunciators in the control room. The two bypass breakers also operate separate annunciators in the control room. Bypassing of a protection train with either the bypass breaker or with the test switches would result in audible and visual indications.
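The breaker test procedure (steps a through e) and the two bypass breaker interlocks described above can be modelled as a small state machine. This is an added illustration for this page, not the plant's relay wiring. It assumes, beyond the text, that each bypass breaker is wired in parallel with its own train's trip breaker so that it carries rod power while that trip breaker is open under test; the class and function names are invented for the example.

```python
"""Model of the reactor trip breaker / bypass breaker interlocks described above.

Added illustration only, not the plant's relay wiring. Assumption beyond the
text: each bypass breaker (52/BYA, 52/BYB) is in parallel with its train's
trip breaker (52/RTA, 52/RTB), so it carries rod power while that trip breaker
is open during testing.
"""
from dataclasses import dataclass, field


@dataclass
class Train:
    name: str
    rt_closed: bool = True    # 52/RTA or 52/RTB: normally in service (closed)
    by_closed: bool = False   # 52/BYA or 52/BYB: normally withdrawn (open)
    in_test: bool = False     # train output bypassed with the test switches


@dataclass
class TripBreakerSystem:
    a: Train = field(default_factory=lambda: Train("A"))
    b: Train = field(default_factory=lambda: Train("B"))
    annunciators: list = field(default_factory=list)

    def _pair(self, train):
        return (self.a, self.b) if train == "A" else (self.b, self.a)

    def crdm_powered(self):
        """Trip breaker main contacts are in series: power reaches the CRDMs only
        if each position is bridged by its trip breaker or (assumed) bypass breaker."""
        return all(t.rt_closed or t.by_closed for t in (self.a, self.b))

    def _check_test_interlock(self):
        """Either train in test while the other train's bypass breaker is closed
        trips both reactor trip breakers and both bypass breakers."""
        if (self.a.in_test and self.b.by_closed) or (self.b.in_test and self.a.by_closed):
            for t in (self.a, self.b):
                t.rt_closed = False
                t.by_closed = False
            self.annunciators.append("train in test with other bypass closed: all four breakers tripped")

    def close_bypass(self, train):
        """Closing a bypass breaker while the other train's is already closed trips both."""
        me, other = self._pair(train)
        if other.by_closed:
            me.by_closed = False
            other.by_closed = False
            self.annunciators.append("both bypass breakers tripped: other bypass already closed")
            return False
        me.by_closed = True
        self.annunciators.append(f"bypass breaker {train} closed")
        self._check_test_interlock()
        return me.by_closed

    def open_bypass(self, train):
        self._pair(train)[0].by_closed = False

    def set_test(self, train, on):
        me, _ = self._pair(train)
        me.in_test = on
        if on:
            self.annunciators.append(f"train {train} in test")
        self._check_test_interlock()

    def trip_rt(self, train):
        """Trip a reactor trip breaker (via the logic matrix or the shunt trip test)."""
        self._pair(train)[0].rt_closed = False

    def close_rt(self, train):
        self._pair(train)[0].rt_closed = True


def breaker_test_procedure(train):
    """Steps b through d of the trip breaker test for one train. Returns True
    when rod power was held throughout and the normal lineup is restored."""
    s = TripBreakerSystem()
    held = []
    s.close_bypass(train)          # b: rack in and close the bypass breaker
    s.trip_rt(train)               # trip through the logic matrix (UVTA)
    held.append(s.crdm_powered())
    s.close_rt(train)              # reclose the trip breaker
    s.trip_rt(train)               # trip again through the shunt trip test
    held.append(s.crdm_powered())
    s.close_rt(train)              # c: close the trip breaker
    s.open_bypass(train)           # d: trip and rack out the bypass breaker
    normal = s.crdm_powered() and not (s.a.by_closed or s.b.by_closed)
    return all(held) and normal


if __name__ == "__main__":
    print("Train A procedure held rod power:", breaker_test_procedure("A"))
    sys_ = TripBreakerSystem()
    sys_.close_bypass("A")
    sys_.set_test("B", True)       # interlock: all four breakers trip
    print("CRDMs powered after interlock:", sys_.crdm_powered(), sys_.annunciators)
```

Running the two interlock scenarios shows why they exist: with a bypass breaker closed on one train, putting the other train in test would otherwise leave no path that can interrupt rod power, so the model (like the plant) resolves that state by tripping everything rather than by refusing the action silently.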

The complete reactor trip system is normally required to be in service. However, to permit online testing of the various protection channels or to permit continued operation in the event of a subsystem instrumentation channel failure, a technical specification, 3/4.3, defining the minimum number of operable channels has been formulated. This technical specification also defines the required restriction to operation in the event that the channel operability requirements cannot be met.

11. Channel Bypass or Removal from Operation The protection system is designed to permit periodic testing of the analog channel portion of the reactor trip system during reactor power operation without initiating a protective action unless a trip condition actually exists. This is because of the coincidence logic required for reactor trip. Additional information is given in Section 7.2.2.2.
12. Operating Bypass Where operating requirements necessitate automatic or manual bypass of a protective function, the design is such that the bypass is removed automatically whenever permissive conditions are not met (see Table 7.2-2). Devices used to achieve automatic removal of the bypass of a protective function are considered part of the protective system and are designed in accordance with the criteria of this section.

13. Indication of Bypasses Bypass indication is further discussed in Section 7.1.2.5.

Indication is provided in the control room if some part of the system has been administratively bypassed or taken out of service.

14. Access to Means for Bypassing The design provides for administrative control of access to the means for manually bypassing channels or protective functions.
15. Multiple Setpoints For monitoring neutron flux, multiple setpoints are used. When a more restrictive trip setting becomes necessary to provide adequate protection for a particular mode of operation or set of operating conditions, the protective system circuits are designed to provide positive means or administrative control to assure that the more restrictive trip setpoint is used. The devices used to prevent improper use of less restrictive trip settings are considered part of the protective system and are designed in accordance with the criteria of this section.
16. Completion of Protective Action The protection system is so designed that, once initiated, a protective action goes to completion. Return to normal operation requires action by the operator.
17. Manual Initiation Switches are provided on the control board for manual initiation of protective action. Failure in the automatic system does not prevent the manual actuation of the protective functions. Manual actuation relies on the operation of a minimum of equipment.
18. Access The design provides for administrative control of access to all setpoint adjustments, module calibration adjustments, and test points.

19. Identification of Protective Actions Protective channel identification is discussed in Section 7.1.2.3. Indication is discussed in Item 20 below.
20. Information Readout The protective system provides the operator with complete information pertinent to system status and safety. All transmitted signals (flow, pressure, temperature, etc.) which can cause a reactor trip will be either indicated or recorded for every channel, including all neutron flux power range currents (top detector, bottom detector, algebraic difference and average of bottom and top detector currents).

The only transmitted signal that is not indicated or recorded is the reactor coolant pump shaft speed. This speed does not need to be indicated or recorded because it is a parameter that the operator can neither control nor is it credible for the sensor to fail in ways to indicate erroneously high speed.

Any reactor trip will actuate an alarm and an annunciator. Such protective actions are indicated and identified down to the channel level.

Alarms and annunciators are also used to alert the operator of deviations from normal operating conditions so that he may take appropriate corrective action to avoid a reactor trip. Actuation of any rod stop or trip of any reactor trip channel will actuate an alarm.

21. System Repair The system is designed to facilitate the recognition, location, replacement, and repair of malfunctioning components or modules. Refer to the discussion in Item 10 above.

7.2.2.3 Specific Control and Protection Interactions

7.2.2.3.1 Neutron Flux

Four power range neutron flux channels are provided for overpower protection. An isolated auctioneered high signal is derived by auctioneering of the four channels for automatic rod control. If any channel fails in such a way as to produce a low output, that channel is incapable of proper overpower protection but will not cause control rod movement because of the auctioneer.

Two out of four overpower trip logic will ensure an overpower trip if needed even with an independent failure in another channel.

In addition, channel deviation signals in the control system will give an alarm if any neutron flux channel deviates significantly from the average of the flux signals. Also, the control system will respond only to rapid changes in indicated neutron flux; slow changes or drifts are compensated by the temperature control signals. Finally, an overpower signal from any nuclear power range channel will block rod withdrawal. The setpoint for this rod stop is below the reactor trip setpoint.

7.2.2.3.2 Reactor Coolant Temperature

The accuracy of the narrow range resistance temperature detector loop temperature measurements is demonstrated during plant startup tests by comparing temperature measurements from all loop narrow range resistance temperature detectors with one another as well as with the temperature measurements obtained from the wide-range resistance temperature detector located in the hot leg and cold leg piping of each loop. The comparisons are done with the reactor coolant system in an isothermal condition. The linearity of the ΔT measurements obtained from the hot leg and cold leg narrow range loop resistance temperature detectors as a function of plant power is also checked during plant startup tests. The absolute value of ΔT versus plant power is not important, per se, as far as reactor protection is concerned. Reactor trip system setpoints are based upon percentages of the indicated ΔT at nominal full power rather than on absolute values of ΔT. This is done to account for loop differences which are inherent. The percent ΔT scheme is therefore relative, not absolute, and provides better protective action without the expense of accuracy. For this reason, the linearity of the ΔT signals as a function of power is of importance rather than the absolute values of ΔT. As part of the plant startup tests, the narrow range loop resistance temperature detector signals will be compared with the core exit thermocouple signals.

Reactor control is based upon signals derived from protection system channels after isolation by isolation amplifiers such that no feedback effect can perturb the protection channels.

Since control is based on the average temperature of the loop with the highest temperature, the control rods are always moved based upon the most pessimistic temperature measurement with respect to margins to DNB. A spurious low average temperature measurement from any loop temperature control channel will cause no control action; additionally, rod control cannot automatically withdraw rods. A spurious high average temperature measurement will cause rod insertion (safe direction).

Channel deviation signals in the control system will give an alarm if any temperature channel deviates significantly from the auctioneered (highest) value. Turbine runback (power demand reduction) will also occur if any two of the four overtemperature or overpower ΔT channels indicate an adverse condition.
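The control/protection interaction described in Sections 7.2.2.3.1 and 7.2.2.3.2, modelled as an added example (not the plant's control or SSPS code): rod control acts on the auctioneered high of four isolated channels, the one-of-four rod stop sits below the two-of-four trip, and a deviation alarm flags a channel that drifts from the average (flux) or from the auctioneered value (temperature). All readings, setpoints and bands are constructed sample values in percent of span.

```python
"""Added illustration of Sections 7.2.2.3.1 and 7.2.2.3.2: a channel failing
low cannot move rods through the auctioneer, a channel failing high can only
drive rods in the safe direction (insertion) and blocks withdrawal, and a
single failed channel is not enough for the two-of-four trip. Not the plant's
code; all values are constructed."""
from typing import Sequence

ROD_STOP_SP = 103.0    # constructed rod stop setpoint, below the trip setpoint
TRIP_SP = 109.0        # constructed high neutron flux trip setpoint
DEADBAND = 1.0         # constructed rod control deadband
DEVIATION_BAND = 2.0   # constructed channel deviation alarm band


def auctioneer_high(channels: Sequence[float]) -> float:
    """Auctioneered high: the control signal is the highest isolated channel."""
    return max(channels)


def deviation_alarm(channels: Sequence[float], band: float = DEVIATION_BAND,
                    against: str = "average") -> bool:
    """Alarm when any channel deviates from the reference by more than `band`.
    Section 7.2.2.3.1 compares flux channels against the average; Section
    7.2.2.3.2 compares temperature channels against the auctioneered value."""
    ref = sum(channels) / len(channels) if against == "average" else max(channels)
    return any(abs(c - ref) > band for c in channels)


def control_action(channels: Sequence[float], reference: float,
                   deadband: float = DEADBAND) -> str:
    """Rod control demand from the auctioneered channel. Only 'insert' or
    'none' is possible: Section 7.2.2.3.2 states rod control cannot
    automatically withdraw rods, so a spurious low signal causes no action."""
    error = auctioneer_high(channels) - reference
    return "insert" if error > deadband else "none"


def rod_withdrawal_blocked(channels: Sequence[float]) -> bool:
    """Rod stop: any one power range channel above its setpoint blocks withdrawal."""
    return any(c > ROD_STOP_SP for c in channels)


def overpower_trip(channels: Sequence[float]) -> bool:
    """Reactor trip: two-out-of-four power range channels above the trip setpoint."""
    return sum(c > TRIP_SP for c in channels) >= 2


# Constructed channel sets (percent of span) at a 100 percent reference.
HEALTHY = [100.0, 100.2, 99.8, 100.1]
FAILED_LOW = [100.0, 100.2, 0.0, 100.1]            # channel 3 failed low
FAILED_HIGH = [100.0, 100.2, 118.0, 100.1]         # channel 3 failed high
GENUINE_OVERPOWER = [110.0, 110.5, 109.8, 100.0]   # real overpower, one channel lagging


def failure_study(reference: float = 100.0) -> dict:
    """What each channel set does to rod control, the rod stop, the alarm and the trip."""
    out = {}
    for name, ch in [("healthy", HEALTHY), ("failed_low", FAILED_LOW),
                     ("failed_high", FAILED_HIGH), ("overpower", GENUINE_OVERPOWER)]:
        out[name] = {
            "control": control_action(ch, reference),
            "rod_stop": rod_withdrawal_blocked(ch),
            "deviation_alarm": deviation_alarm(ch),
            "trip": overpower_trip(ch),
        }
    return out


if __name__ == "__main__":
    for name, result in failure_study().items():
        print(f"{name:12s} {result}")
```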

7.2.2.3.3 Pressurizer Pressure

The pressurizer pressure protection channel signals are used for high and low pressure protection and as inputs to the overtemperature ΔT trip protection function and power-operated relief valves.

Isolated output signals from these channels are used for pressure control. These are used to control pressurizer spray and heaters. Pressurizer pressure is sensed by fast response pressure transmitters.

A spurious high pressure signal from one channel can cause decreasing pressure by actuation of spray valves. Additional redundancy is provided in the low pressurizer pressure reactor trip and in the logic for safety injection to ensure low pressure protection.

Overpressure protection is based upon the positive surge of the reactor coolant produced as a result of turbine trip under full load, assuming the core continues to produce full power. The self-actuated safety valves are sized on the basis of steam flow from the pressurizer to accommodate this surge at a setpoint of 2500 psia and an accumulation of 3 percent. Note that no credit is taken for the relief capability provided by the power-operated relief valves during this surge.

In addition, operation of any one of the power-operated relief valves can maintain pressure below the high pressure trip point for most transients. The rate of pressure rise achievable with heaters is slow, and ample time and pressure alarms are available to alert the operator of the need for appropriate action.

Redundancy is not compromised by having a shared tap for two of the four pressurizer pressure transmitters (Section 7.2.1.1.2) since the logic for this trip is two out of four. If the shared tap is plugged, the affected channels remain static. If the impulse line bursts, the indicated pressure drops to zero. In either case the fault is easily detectable, and the protective function remains operable.

7.2.2.3.4 Pressurizer Water Level

Three pressurizer water level channels are used for reactor trip. Isolated signals from these channels are used for pressurizer water level control. A failure in the level control system could fill or empty the pressurizer at a rate that allows the operator to mitigate the transient.

The high pressurizer water level trip setpoint provides sufficient margin such that the undesirable condition of discharging liquid coolant through the safety valves is avoided. Even at full power conditions, which would produce the worst thermal expansion rates, a failure of the water level control would not lead to any liquid discharge through the safety valves. This is due to the operators taking manual action and the automatic high pressurizer pressure reactor trip, a function diverse to the high pressurizer water level trip, actuating at a pressure sufficiently below the safety valve setpoint to prevent liquid discharge.

For control failures which tend to empty the pressurizer, ample time and alarms exist to alert the operator of the need for appropriate action. If action is not taken, letdown will isolate on low pressurizer level, reducing RCS outflow. Should low pressurizer pressure occur, safety injection will actuate.

7.2.2.3.5 Steam Generator Water Level

The basic function of the reactor protection circuits associated with low-low steam generator water level is to preserve the steam generator heat sink for removal of long-term residual heat.

Should a complete loss of feedwater occur, the reactor would be tripped on low-low steam generator water level. In addition, redundant auxiliary feedwater pumps are provided to supply feedwater in order to maintain residual heat removal after trip. This reactor trip acts before the steam generators are dry. This reduces the required capacity, increases the time interval before auxiliary feedwater pumps are required, and minimizes the thermal transient on the reactor coolant system and steam generators. Therefore, a low-low steam generator water level reactor trip circuit is provided for each steam generator to ensure that sufficient initial thermal capacity is available in the steam generator at the start of the transient. Two-out-of-four low-low steam generator water level trip logic ensures a reactor trip if needed even if the protection channel used for control fails and a second protection channel experiences a postulated random failure.

A spurious low signal from the feedwater flow channel being used for control would cause an increase in feedwater flow. The mismatch between steam flow and feedwater flow produced by the spurious signal would actuate alarms to alert the operator of the situation in time for manual correction. If the condition continues, a two-out-of-four high-high steam generator water level signal in any loop, independent of the indicated feedwater flow, will cause feedwater isolation and trip the turbine. The turbine trip will result in a subsequent reactor trip if power is above the P-9 setpoint. The high-high steam generator water level trip is an equipment protective trip preventing excessive moisture carryover which could damage the turbine blading.

In addition, a high-high steam generator water level turbine trip and feedwater isolation or a low-low steam generator water level reactor trip may be avoided in the event of a steam or feedwater flow instrument channel failure since the steam generator water level input to the three element steam generator water level controller will attempt to restore water level to its nominal setpoint.

A spurious high steam generator water level signal from the protection channel used for control will tend to close the feedwater valve. A spurious low steam generator water level signal will tend to open the feedwater valve. Before a reactor trip would occur, two-out-of-four channels in a loop would have to indicate a low-low water level. Any slow drift in the water level signal will permit the operator to respond to the level alarms and take corrective action.

Automatic protection is provided in case the spurious high level reduces feedwater flow sufficiently to cause low-low level in the steam generator. Automatic protection is also provided in case the spurious low level signal increases feedwater flow sufficiently to cause high level in the steam generator. A turbine trip and feedwater isolation would occur on two-out-of-four high-high steam generator water level in any loop.

7.2.2.4 Additional Postulated Accidents

Loss of plant instrument air or loss of component cooling water is discussed in Section 7.3.2.

Load rejection and turbine trip are discussed in further detail in Section 7.7.

The control interlocks, called rod stops, that are provided to prevent abnormal power conditions which could result from excessive control rod withdrawal are discussed in Section 7.7.1.4.1 and listed on Table 7.7-1. Excessively high power operation, if allowed to continue, might lead to a safety limit (as given in the Technical Specifications) being reached. Before such a limit is reached, protection will be available from the reactor trip system. Rod block setpoints are reached before reactor trip setpoints to minimize actuation of the reactor trip system. The rod withdrawal stops are not part of the reactor trip system, and are considered to be control functions.

7.2.3 TESTS AND INSPECTIONS

The reactor trip system meets the testing requirements of IEEE Standard 338-1971, as discussed in Section 7.1.2.11. The testability of the system is discussed in Section 7.2.2.2.3. The initial test intervals are specified in the Technical Specifications. Written test procedures and documentation, conforming to the requirements of IEEE Standard 338-1971, will be available for audit by responsible personnel. Periodic testing complies with Regulatory Guide 1.22 as discussed in Sections 7.1.2.5 and 7.2.2.2.3.

7.2.4 REFERENCES FOR SECTION 7.2

7.2-1 Katz, D. N., Solid State Logic Protection System Description, WCAP-7488-L, 1971 (Proprietary) and WCAP-7672, 1971 (Non-proprietary). (Additional background information only.)

7.2-2 Gangloff, W. C. and Loftus, W. D., An Evaluation of Solid State Logic Reactor Protection in Anticipated Transients, WCAP-7706-L, 1971 (Proprietary) and WCAP-7706, 1971 (Non-proprietary).

7.2-3 Reid, J. B., Process Instrumentation for Westinghouse Nuclear Steam Supply Systems, WCAP-7913, 1973. (Additional background information only.)

7.2-4 Lipchak, J. B., Nuclear Instrumentation System, WCAP-8255, 1974. (Additional background information only.)

7.2-5 DNC Letter 07-0450I, Dominion Nuclear Connecticut, Inc., Millstone Power Station Unit 3 Stretch Power Uprate License Amendment Request, Additional Information in Connection with the NRC Audit Held on May 13, 2008 in Rockville, Maryland, dated May 21, 2008.

TABLE 7.2-1 LIST OF REACTOR TRIPS

Reactor Trip | Coincidence Logic | Interlocks | Comments

1. High neutron flux (power range) (high and low settings) | 2-out-of-4 | Manual block of low setting permitted at or above P-10 (high setting has no interlocks) | Automatic reset of low setting below P-10
2. Intermediate range neutron flux | 1-out-of-2 | Manual block permitted at or above P-10 | Automatic reset below P-10
3. Source range neutron flux | 1-out-of-2 | Manual block permitted at or above P-6. Automatic block at or above P-10. | Manual reset permitted below P-10. Automatic reset below P-6.
4. Power range high positive neutron flux rate | 2-out-of-4 | No interlocks | Manual reset
5. Power range high negative neutron flux rate | 2-out-of-4 | No interlocks | Manual reset
6. Overtemperature ΔT | 2-out-of-4 | No interlocks |
7. Overpower ΔT | 2-out-of-4 | No interlocks |
8. Pressurizer low pressure | 2-out-of-4 | Interlocked with P-7 | Blocked below P-7
9. Pressurizer high pressure | 2-out-of-4 | No interlocks |
10. Pressurizer high water level | 2-out-of-3 | Interlocked with P-7 | Blocked below P-7
11. Low reactor coolant flow | 2-out-of-3 in 2-out-of-4 loops | Interlocked with P-7 | Low flow in two loops will cause a reactor trip when at or above P-7. Blocked below P-7.
    (continued) | 2-out-of-3 in any loop | Interlocked with P-8 | Low flow in one loop will cause a reactor trip when at or above P-8. Blocked below P-8.
12. Reactor coolant pump shaft underspeed | 2-out-of-4 | Interlocked with P-7 | Low speed on all pumps permitted below P-7
13. Low-low steam generator water level | 2-out-of-4 in any loop | No interlocks |
14. Safety injection signal | Coincident with actuation of safety injection | No interlocks | See Section 7.3 for Engineered Safety Features actuation conditions
15. Turbine (anticipatory) trip: a) Low trip fluid pressure | 2-out-of-3 | Interlocked with P-9 | Blocked below P-9
    b) Turbine stop valve close | 4-out-of-4 | Interlocked with P-9 | Blocked below P-9
16. Manual | 1-out-of-2 | No interlocks | Reactor trip or SIS
17. SSPS General Warning Alarm | 2-out-of-2 | No interlocks | Both trains simultaneously
18. N-1 Misalignment | N/A | No interlocks | N-1 switches in SSPS misaligned (see Section 7.2.1.2.2, item 12, for details)

TABLE 7.2-2 PROTECTION SYSTEM INTERLOCKS

Designation | Derivation | Function

I. Power Escalation Permissives:

P-6 | Presence of P-6: 1-out-of-2 neutron flux (intermediate range) above setpoint. | Allows manual block of source range reactor trip.
    | Absence of P-6: 2-out-of-2 neutron flux (intermediate range) below setpoint. | Defeats the block of source range reactor trip.

P-10 | Presence of P-10: 2-out-of-4 neutron flux (power range) above setpoint. | Allows manual block of power range (low setpoint) reactor trip. Allows manual block of intermediate range reactor trip and intermediate range rod stops (C-1). Automatically blocks source range reactor trip (back-up for P-6). Input to P-7.
     | Absence of P-10: 3-out-of-4 neutron flux (power range) below setpoint. | Defeats the block of power range (low setpoint) reactor trip. Defeats the block of intermediate range reactor trip and intermediate range rod stops (C-1). Input to P-7. Allows reset of block of source range reactor trip.

II. Blocks of Reactor Trips:

P-7 | Absence of P-7: 3-out-of-4 neutron flux (power range) below setpoint (from P-10) and 2-out-of-2 turbine impulse chamber pressure below setpoint (from P-13). | Blocks reactor trip on: low reactor coolant flow in more than one loop, underspeed, pressurizer low pressure, and pressurizer high level.

P-8 | Absence of P-8: 3-out-of-4 neutron flux (power range) below setpoint. | Blocks reactor trip on low reactor coolant flow in a single loop.

P-9 | Absence of P-9: 3-out-of-4 neutron flux (power range) below setpoint. | Blocks reactor trip on turbine trip.

P-13 | Absence of P-13: 2-out-of-2 turbine impulse chamber pressure below setpoint. | Input to P-7.
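As an added worked example (not the plant's SSPS logic or any code from this report), the Python below derives the P-series permissives exactly as Table 7.2-2 states them and applies the coincidence and interlock logic of Table 7.2-1 for the low reactor coolant flow trip (item 11) and the pressurizer low pressure trip (item 8); it also shows the two-out-of-four claim of Section 7.2.2.3.5, that a trip still occurs with one channel failed non-conservatively and a second random failure. Every setpoint and channel reading is a constructed sample value, not a plant value.

```python
"""Added illustration of Tables 7.2-1 and 7.2-2: permissive derivation and
m-out-of-n coincidence with interlocks. Not the plant's SSPS implementation;
all setpoints and readings below are constructed sample values."""
from dataclasses import dataclass
from typing import List, Sequence

# Constructed setpoints (not plant values). Power range flux in percent of
# full power, intermediate range current in amperes, turbine impulse chamber
# pressure in percent, pressurizer pressure in psia, flow in percent of
# thermal design flow.
P6_SP, P10_SP, P8_SP, P9_SP, P13_SP = 1e-10, 10.0, 48.0, 50.0, 10.0
LOW_FLOW_SP, PZR_LOW_PRESS_SP = 90.0, 1900.0


def bistables(readings: Sequence[float], setpoint: float, above: bool) -> List[bool]:
    """One bistable output per channel: True when that channel votes."""
    return [r > setpoint if above else r < setpoint for r in readings]


def m_of_n(votes: Sequence[bool], m: int) -> bool:
    """Coincidence logic: at least m of the channel outputs are True."""
    return sum(votes) >= m


@dataclass(frozen=True)
class Permissives:
    p6: bool
    p7: bool
    p8: bool
    p9: bool
    p10: bool
    p13: bool


def derive_permissives(ir_flux, pr_flux, turbine_press) -> Permissives:
    """Table 7.2-2. Absence is derived as the table words it; presence is its
    complement (for four channels, 3-of-4 below is the complement of 2-of-4
    above, and for two channels 2-of-2 below is the complement of 1-of-2 above)."""
    p6 = m_of_n(bistables(ir_flux, P6_SP, above=True), 1)            # 1-of-2 IR above
    p10 = m_of_n(bistables(pr_flux, P10_SP, above=True), 2)          # 2-of-4 PR above
    p8 = not m_of_n(bistables(pr_flux, P8_SP, above=False), 3)       # absent: 3-of-4 below
    p9 = not m_of_n(bistables(pr_flux, P9_SP, above=False), 3)       # absent: 3-of-4 below
    p13 = not m_of_n(bistables(turbine_press, P13_SP, above=False), 2)  # absent: 2-of-2 below
    p7 = p10 or p13   # P-7 is absent only when both P-10 and P-13 are absent
    return Permissives(p6, p7, p8, p9, p10, p13)


def low_flow_trip(loop_flows: Sequence[Sequence[float]], perm: Permissives) -> bool:
    """Table 7.2-1 item 11: 2-of-3 low channels mark a loop low; two low loops
    trip at or above P-7, a single low loop trips at or above P-8."""
    low_loops = sum(m_of_n(bistables(loop, LOW_FLOW_SP, above=False), 2)
                    for loop in loop_flows)
    return (perm.p7 and low_loops >= 2) or (perm.p8 and low_loops >= 1)


def pzr_low_pressure_trip(pzr_press: Sequence[float], perm: Permissives) -> bool:
    """Table 7.2-1 item 8: 2-out-of-4 low pressure, blocked below P-7."""
    return perm.p7 and m_of_n(bistables(pzr_press, PZR_LOW_PRESS_SP, above=False), 2)


# Constructed plant states: (intermediate range, power range, turbine impulse pressure).
AT_POWER = derive_permissives([1e-6, 1e-6], [100, 100, 100, 100], [95, 95])
MID_POWER = derive_permissives([1e-6, 1e-6], [30, 30, 30, 30], [30, 30])   # above P-7, below P-8/P-9
STARTUP = derive_permissives([1e-11, 1e-11], [3, 3, 3, 3], [0, 0])         # all permissives absent

# Constructed loop flow readings, 4 loops x 3 channels (percent of thermal design flow).
ONE_LOOP_LOW = [[80, 80, 80], [100, 100, 100], [100, 100, 100], [100, 100, 100]]
TWO_LOOPS_LOW = [[80, 80, 120], [80, 80, 80], [100, 100, 100], [100, 100, 100]]  # one channel failed high

if __name__ == "__main__":
    print("at power  :", AT_POWER)
    print("mid power :", MID_POWER)
    print("startup   :", STARTUP)
    print("one loop low, at power ->", low_flow_trip(ONE_LOOP_LOW, AT_POWER))
    print("one loop low, mid power ->", low_flow_trip(ONE_LOOP_LOW, MID_POWER))
    print("two loops low, startup  ->", low_flow_trip(TWO_LOOPS_LOW, STARTUP))
    # Two channels failed high (non-conservative); the two healthy ones still trip.
    print("pzr low, 2 failed high  ->", pzr_low_pressure_trip([1850, 1850, 2250, 2250], AT_POWER))
```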

TABLE 7.2-3 REACTOR TRIP SYSTEM INSTRUMENTATION

Reactor Trip Signal | Process Measurement Range | Total Allowance (1) | Reactor Trip System Response Time (2)

1. Power range high neutron flux (high and low settings) | 0 to 120 percent of full power | Hi: 6.3% of span; Lo: 8.3% of span | 0.5 second (3)
2. Intermediate range high neutron flux | 8 decades of neutron flux overlapping both source and power ranges (10^-11 to 10^-3 amperes) | (4) | (4)
3. Source range high neutron flux | 6 decades of neutron flux (1 to 10^6 counts/sec) | (4) | (4)
4. Power range high positive neutron flux rate | 0 to +120 percent of full power | 1.08% of span (5) | 0.5 seconds (5)
5. Power range high negative neutron flux rate | 0 to 120 percent of full power | (4) | (4)
6. Overtemperature ΔT | THOT 530 to 650°F; TCOLD 510 to 630°F; TAVG 530 to 630°F; PPZR 1700 to 2500 psia; f(ΔI) -60 to +60% (4); ΔT setpoint 0 to 150% of full power ΔT | 11.3 percent of ΔT span | 11.0 seconds
7. Overpower ΔT | THOT 530 to 650°F; TCOLD 510 to 630°F; TAVG 530 to 630°F; ΔT setpoint 0 to 150% of full power ΔT | 4.9 percent of ΔT span | 11.0 seconds
8. Pressurizer low pressure | 1700 to 2500 psia | 5.0 percent of span | 2.0 seconds
9. Pressurizer high pressure | 1700 to 2500 psia | 5.0 percent of span | 2.0 seconds
10. Pressurizer high water level | Span between level taps (approximately 520 inches) | 11.0 percent of span | 2.0 seconds
11. Low reactor coolant flow | 0 to 120 percent of thermal design flow | 4.2 percent of span | 1.0 seconds
12. Reactor coolant pump shaft underspeed | 960 to 1260 RPM | 1.6 percent of span | 0.6 seconds (6)
13. Low-low steam generator water level | Span between narrow range level taps (approximately 128 inches) | 18.1 percent of span | 2.0 seconds
14. Turbine trip | N/A | N/A | (7)

NOTES:

(1) Refer to Technical Specifications Section B 3/4.3.1 for a discussion of Total Allowance.

(2) Reactor Trip System Response Time is defined by Technical Specification 1.28 as: ...the time interval from when the monitored parameter exceeds its trip setpoint at the channel sensor until loss of stationary gripper coil voltage.

(3) Neutron detectors are exempt from time response testing.

(4) Information not applicable since the trip(s) are not required by safety analysis per FSAR Table 15.0-4.

(5) Credited in generic Westinghouse analysis applicable to MPS-3 (Reference 7.2-5).

(6) RCP speed sensors are exempt from time response testing.

(7) The FSAR Chapter 15 safety analysis does not credit reactor trip due to turbine trip in demonstrating that the acceptance criteria are met. Therefore, time response testing for this function is not required.

TABLE 7.2-4 REACTOR TRIP CORRELATION

Trip (a) | Accident (b) | Tech. Spec. (c)

1. Power range high neutron flux trip (low setpoint) | Tech. Spec. 2.2.1, Table 2.2-1 #2; see Note (d)
   1. Uncontrolled rod cluster control assembly bank withdrawal from a subcritical or low power startup condition (15.4.1)
   2. Spectrum of rod cluster control assembly ejection accidents (15.4.8)
   3. Chemical and volume control system malfunction that results in a decrease in boron concentration in the reactor coolant (15.4.6)
   4. Excessive heat removal due to feedwater system malfunctions (15.1.1 and 15.1.2)

2. Power range high neutron flux trip (high setpoint) | Tech. Spec. 2.2.1, Table 2.2-1 #2; see Note (d)
   1. Uncontrolled rod cluster control assembly bank withdrawal from a subcritical or low power startup condition (15.4.1)
   2. Uncontrolled rod cluster control assembly bank withdrawal at power (15.4.2)
   3. Excessive heat removal due to feedwater system malfunctions (15.1.1 and 15.1.2)
   4. Excessive increase in secondary steam flow (15.1.3)
   5. Inadvertent opening of a steam generator relief or safety valve (15.1.4)
   6. Steam system piping failure (15.1.5)
   7. Spectrum of rod cluster control assembly ejection accidents (15.4.8)
   8. Chemical and volume control system malfunction that results in a decrease in boron concentration in the reactor coolant (15.4.6)

3. Intermediate range high neutron flux trip | Tech. Spec. 2.2.1, Table 2.2-1 #5
   1. Uncontrolled rod cluster control assembly bank withdrawal from a subcritical or low power startup condition (15.4.1)

4. Source range high neutron flux trip | Tech. Spec. 2.2.1, Table 2.2-1 #6
   1. Uncontrolled rod cluster control assembly bank withdrawal from a subcritical or low power startup condition (15.4.1)
   2. Chemical and volume control system malfunction that results in a decrease in boron concentration in the reactor coolant (15.4.6)

5. Power range high positive neutron flux rate trip | Tech. Spec. 2.2.1, Table 2.2-1 #3
   1. Uncontrolled rod cluster control assembly bank withdrawal at power and spectrum of rod cluster control assembly ejection accidents (15.4.2 and 15.4.8)
   2. Uncontrolled rod cluster control assembly bank withdrawal from a subcritical or low power startup condition (15.4.1)

6. Power range high negative neutron flux rate trip | See Note (e)

7. Overtemperature ΔT trip | Tech. Spec. 2.2.1, Table 2.2-1 #7
   1. Uncontrolled rod cluster control assembly bank withdrawal at power (15.4.2)
   2. Chemical and volume control system malfunction that results in a decrease in boron concentration in the reactor coolant (15.4.6)
   3. Loss of external electrical load and/or turbine trip (15.2.2 and 15.2.3)
   4. Excessive heat removal due to feedwater system malfunctions (15.1.1 and 15.1.2)
   5. Excessive increase in secondary steam flow (15.1.3)
   6. Inadvertent opening of a pressurizer safety or relief valve (15.6.1)
   7. Rod cluster control assembly misalignment (15.4.3)
   8. Loss of normal feedwater flow (15.2.7)
   9. Steam generator tube failure (15.6.3)
   10. Feedwater system pipe break (15.2.8)

8. Overpower ΔT trip | Tech. Spec. 2.2.1, Table 2.2-1 #8
   1. Uncontrolled rod cluster control assembly bank withdrawal at power (15.4.2)
   2. Excessive heat removal due to feedwater system malfunctions (15.1.1 and 15.1.2)
   3. Excessive increase in secondary steam flow (15.1.3)
   4. Inadvertent opening of a steam generator relief or safety valve (15.1.4)
   5. Steam system piping failure (15.1.5)
   6. Rod cluster control assembly misalignment (15.4.3)
   7. Loss of external electrical load and/or turbine trip (15.2.2 and 15.2.3)

9. Pressurizer low pressure trip | Tech. Spec. 2.2.1, Table 2.2-1 #9
   1. Inadvertent opening of a pressurizer safety or relief valve (15.6.1)
   2. Loss of coolant accidents resulting from the spectrum of postulated piping breaks within the reactor coolant pressure boundary (15.6.5)
   3. Excessive increase in secondary steam flow (15.1.3)
   4. Steam generator tube failure (15.6.3)
   5. Inadvertent opening of a steam generator relief or safety valve (15.1.4)
   6. Steam system piping failure (15.1.5)
   7. Rod cluster control assembly misalignment (15.4.3)
   8. Inadvertent operation of the ECCS during power operation (15.5.1)

10. Pressurizer high pressure trip | Tech. Spec. 2.2.1, Table 2.2-1 #10
   1. Uncontrolled rod cluster control assembly bank withdrawal at power (15.4.2)
   2. Loss of external electrical load and/or turbine trip (15.2.2 and 15.2.3)
   3. Loss of normal feedwater flow (15.2.7)
   4. Feedwater system pipe break (15.2.8)

11. Pressurizer high water level trip | Tech. Spec. 2.2.1, Table 2.2-1 #11
   1. Uncontrolled rod cluster control assembly bank withdrawal at power (15.4.2)

12. Low reactor coolant flow | Tech. Spec. 2.2.1, Table 2.2-1 #12
   1. Partial loss of forced reactor coolant flow (15.3.1)
   2. Loss of non-emergency AC power to the station auxiliaries (15.2.6)
   3. Complete loss of forced reactor coolant flow (15.3.2)
   4. Reactor coolant pump shaft seizure (locked rotor) (15.3.3)

13. Reactor coolant pump underspeed trip | Tech. Spec. 2.2.1, Table 2.2-1 #15
   1. Complete loss of forced reactor coolant flow (15.3.2)

14. Low-low steam generator water level trip | Tech. Spec. 2.2.1, Table 2.2-1 #13
   1. Loss of normal feedwater (15.2.7)
   2. Loss of non-emergency AC power to the station auxiliaries (15.2.6)
   3. Loss of external electrical load and/or turbine trip (15.2.2 and 15.2.3)
   4. Feedwater system pipe break (15.2.8)
   5. Steam system piping failure (15.1.5)

15. Reactor trip on turbine trip | Tech. Spec. 2.2.1, Table 2.2-1 #16
   1. Excessive heat removal due to feedwater system malfunctions (15.1.1 and 15.1.2)
   2. Loss of non-emergency AC power to the station auxiliaries (15.2.6)

16. Safety injection signal actuation trip | Tech. Spec. 2.2.1, Table 2.2-1 #17
   1. Inadvertent opening of a steam generator relief or safety valve (15.1.4)
   2. Steam system piping failure (15.1.5)
   3. Inadvertent operation of the ECCS (15.5.1)
   4. Feedwater system pipe break (15.2.8)

17. Manual trip | Tech. Spec. 2.2.1, Table 2.2-1 #1
   1. Available for all accidents (Chapter 15)

NOTES:

(a) Trips are listed in order of discussion in Section 7.2.

(b) References refer to accident analysis presented in Chapter 15.

(c) References refer to Technical Specifications presented in Chapter 16.

(d) The power range high neutron flux trip is not required to be OPERABLE in MODES 3, 4 or 5. Administrative controls have been implemented to preclude an uncontrolled rod/bank withdrawal from occurring in these MODES when plant conditions are not bounded by the accident assumptions.

(e) A Technical Specification reference is not required because this trip is not assumed to function in the accident analysis.

FIGURE 7.2-1 (SHEETS 1-19) P&IDS FUNCTIONAL DIAGRAM, REACTOR TRIP SYSTEM/LOOP STOP VALVE INTERLOCKS/PRESSURIZER PRESSURE RELIEF SYSTEM

The figure indicated above represents an engineering controlled drawing that is Incorporated by Reference in the MPS-3 FSAR. Refer to the List of Effective Figures for the related drawing number and the controlled plant drawing for the latest revision.

FIGURE 7.2-2 SETPOINT REDUCTION FUNCTION FOR OVERPOWER AND OVERTEMPERATURE ΔT TRIPS

7.3 ENGINEERED SAFETY FEATURES SYSTEM

In addition to the requirements for a reactor trip for anticipated abnormal transients, the facility is provided with adequate instrumentation and controls to sense accident situations and initiate the operation of necessary engineered safety features. The occurrence of a limiting fault, such as a loss-of-coolant accident or a steam line break, requires a reactor trip plus actuation of one or more of the engineered safety features in order to prevent or mitigate damage to the core and reactor coolant system components and ensure containment integrity.

In order to accomplish these design objectives, the engineered safety features system has proper and timely initiating signals which are to be supplied by the sensors, transmitters, and logic components making up the various instrumentation channels of the engineered safety features actuation system. The engineered safety features actuation system as discussed in Section 7.3 is consistent with Technical Specification Table 3.3-3.

7.3.1 DESCRIPTION

The engineered safety features actuation system (ESFAS) uses selected plant parameters, determines whether or not predetermined safety limits are being exceeded and, if they are, combines the signals into logic matrices sensitive to combinations indicative of Condition III or IV faults. In addition, some engineered safety features such as auxiliary feedwater may be actuated for Condition II faults such as loss of normal feedwater flow. Once the required logic combination is completed, the system sends actuation signals to the appropriate engineered safety features components. The ESFAS meets the requirements of Criteria 13, 20, 27, 28, and 38 of the 1971 General Design Criteria (GDC).

7.3.1.1 System Description

The ESFAS is a functionally defined system described in this section. The equipment which provides the actuation functions identified in Section 7.3.1.1.1 is listed and discussed in this section (WCAP-7913, 1973; WCAP-7488-L, 1971; WCAP-7705, 1976):

1. Process Instrumentation and Control System (WCAP-7913, 1973).
2. Solid State Logic Protection System (WCAP-7488-L, 1971).
3. Engineered Safety Features Test Cabinet (WCAP-7705, 1976).
4. Manual Actuation Circuits.
5. Emergency Generator Load Sequencer, Table 1.7-1, Logic Diagram Package.
6. Control building inlet and containment purge air radiation monitoring channels.

The ESFAS consists of two discrete portions of circuitry: (1) an analog portion consisting of two to four redundant channels per parameter or variable to monitor various plant parameters such as the reactor coolant system and steam system pressures, temperatures and flows and containment pressures; and (2) a digital portion consisting of two redundant logic trains which receive inputs from the analog protection channels and perform the logic needed to actuate the engineered safety features. Each digital train is capable of actuating the engineered safety features (ESF) equipment required. Two channels of pressure switches are provided on the refueling water storage tank (RWST) to perform ESF functions. The intent is that any single failure within the ESFAS does not prevent system action when required.

A description of the emergency generator load sequencer is found in Section 7.3.1.1.5. A description of the applicable channels of the radiation monitoring system is in Section 11.5.2.2.

The redundant concept is applied to both the analog and logic portions of the system. Separation of redundant analog channels begins at the process sensors and is maintained in the field wiring, containment vessel penetrations and analog protection racks terminating at the redundant safeguards logic racks. The design meets the requirements of Criteria 20, 21, 22, 23, and 24 of the 1971 GDC.

The variables are sensed by the analog circuitry as discussed in WCAP-7913 (1973) and in Section 7.2. The outputs from the analog channels are combined into actuation logic as shown on Figure 7.2-1, Sheets 5, 6, 7, and 8. Refer to Technical Specification Table 3.3-3 for ESFAS instrumentation channel requirements.

The interlocks associated with the ESFAS are outlined in Table 7.3-1. These interlocks satisfy the functional requirements discussed in Section 7.1.2.

Manual actuation from the control board of containment isolation Phase A is provided by operation of either one of the redundant momentary containment isolation Phase A controls. The separate trains are thereby linked by mechanical means in a fashion similar to that shown on Figure 7.1-2. Also on the control board is a manual actuation of safety injection by one of the redundant controls and a manual actuation of containment isolation Phase B by either of the two sets of controls.

Manual controls are also provided to switch from the injection to the recirculation phase after a loss-of-coolant accident.

7.3.1.1.1 Function Initiation

The specific functions which rely on the ESFAS for initiation are listed below. In addition, see Table 15.0-6 for the engineered safety features required for specific design basis plant conditions.

For further information about the design of the functions discussed below, see appropriate Logic Diagrams referenced in Table 1.7-1.

1. A reactor trip, provided one has not already been generated by the reactor trip system.


2. Charging pumps, safety injection pumps, residual heat removal pumps, and associated valves which provide emergency makeup water to the cold and hot legs of the reactor coolant system (Table 7.3-3).
3. Those pumps and associated valves which provide core, containment, and other safety-related cooling functions (e.g., service water and component cooling water pumps).
4. Motor-driven and steam-driven auxiliary feedwater pumps and associated valves to provide a heat sink for the removal of decay heat from the reactor.
5. Phase A containment isolation, whose function is to prevent fission product release. (Isolation of all lines not essential to reactor protection.) (Table 7.3-4).
6. Steam line isolation to prevent the continuous, uncontrolled blowdown of more than one steam generator and thereby uncontrolled reactor coolant system cooldown (Table 7.3-5).
7. Main feedwater line isolation, as required, to prevent or mitigate the effect of excessive cooldown (Table 7.3-6).
8. Start the emergency generators to assure backup supply of power to ESF and essential auxiliary supporting systems components.
9. Initiate pressurized filtration for the control room to meet control room occupancy requirements. (Table 7.3-7).
10. Containment depressurization actuation (CDA) which performs the following functions:
a. Initiates containment spray to reduce containment pressure and temperature following a loss-of-coolant accident or a main steam or feedwater line break accident inside of containment (Table 7.3-8).
b. Initiates Phase B containment isolation which isolates the containment following a loss of reactor coolant accident, or a main steam or feedwater line break within containment to limit radioactive releases. (Phase B isolation, together with Phase A isolation, results in isolation of all but emergency core cooling system and containment spray lines penetrating the containment.) (Table 7.3-9).
11. Stripping of electrical loads, blocking of manual starting and time delayed starting, when required, of safety related electrical loads by the Emergency Generator Load Sequencer.

12. Isolation of the containment purge path to limit the release of radioactive material from containment (Mode 1-4 only). Isolation is not credited for a fuel handling accident per Section 15.7.4.
13. Ventilation and filtration fans and associated dampers and valves which provide ventilation for vital building areas and filtration of air discharged from building.

7.3.1.1.2 Analog Circuitry

The process analog sensors and racks for the ESFAS are generically discussed in WCAP-7913 (1973). Discussed in this report are typical parameters to be measured, including pressures, flows, tank and vessel water levels, and temperatures, as well as the measurement and signal transmission considerations. These latter considerations include the transmitters, orifices and flow elements, resistance temperature detectors, as well as automatic calculations, signal conditioning, and location and mounting of the devices.

The sensors monitoring the primary system are located as shown on the piping and instrumentation diagrams in Chapter 5, reactor coolant system. The secondary system sensor locations are shown on the steam and feedwater system piping and instrumentation diagrams given in Chapter 10.

7.3.1.1.3 Digital Circuitry

The ESF logic racks are discussed in detail in WCAP-7488-L (1971). The description includes the considerations and provisions for physical and electrical separation, as well as details of the circuitry. WCAP-7488-L (1971) also covers certain aspects of online test provisions, provisions for test points, considerations for the instrument power source, and considerations for accomplishing physical separation. The outputs from the analog channels are combined into actuation logic as shown on Sheets 5, 6, 7, 8, 13, 14, 15 and 16 on Figure 7.2-1.

To facilitate engineered safety features actuation testing, four cabinets (two per train) are provided which enable operation, to the maximum practical extent, of safety features loads on a group-by-group basis until actuation of all devices has been checked. Final actuation testing is discussed in detail in Section 7.3.2.

The Emergency Generator Load Sequencer uses digital logic which is described in Section 7.3.1.1.5 and shown on the Logic Diagrams referenced in Table 1.7-1. Each channel (one per train) of the radiation monitoring instrumentation associated with the Containment Purge Isolation function provides outputs directly to actuate equipment.

7.3.1.1.4 Final Actuation Circuitry

The outputs of the solid state logic protection system (the slave relays) are energized to actuate, as are most final actuators and actuated devices. These devices are listed as follows:

1. Emergency core cooling system pump and valve actuators. See Chapter 6 for flow diagrams and additional information.
2. Containment isolation (Phase A - T signal isolates all nonessential process lines on receipt of safety injection signal; Phase B - P signal isolates remaining process lines (which do not include safety injection lines) on receipt of 2-out-of-4 hi-3 containment pressure signal). For further information, see Section 6.2.4.
3. Service water pump and valve actuations (Chapter 9).
4. Auxiliary feed pumps start and valve actuators (Chapter 10).
5. Diesel start (Chapter 8).
6. Feedwater isolation valve actuators (Chapter 10).
7. Ventilation isolation valve and damper actuators (Chapter 6).
8. Steam line isolation valve actuators (Chapter 10).
9. Quench spray and recirculation containment pumps and valve actuators (Chapter 6).
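Item 2 above initiates Phase B containment isolation on a 2-out-of-4 hi-3 containment pressure signal, and the slave relays that drive the final devices are energized to actuate. The following Python model is an added example, not part of the FSAR or of the plant's logic, showing why a 2-out-of-4 coincidence tolerates a single channel failure in either direction: one channel stuck high does not produce a spurious actuation, and one channel stuck low does not block a genuine one. The model generalizes to m-of-4 so the 1-of-4 and 4-of-4 alternatives can be compared; the setpoint, the channel readings and the `SlaveRelay` class are constructed for illustration and the plant's actual setpoint is not reproduced here.

```python
from __future__ import annotations

from typing import Dict, Sequence, Tuple

# Constructed illustrative setpoint; the plant's hi-3 setpoint lives in the
# Technical Specifications and is not reproduced here.
HI3_SETPOINT_PSIG = 30.0
CHANNELS = 4


def partial_trips(readings: Sequence[float], setpoint: float = HI3_SETPOINT_PSIG) -> list:
    """Bistable output of each channel: True when its reading is at or above the setpoint."""
    if len(readings) != CHANNELS:
        raise ValueError(f"expected {CHANNELS} channel readings, got {len(readings)}")
    return [r >= setpoint for r in readings]


def m_of_n(readings: Sequence[float], m: int, setpoint: float = HI3_SETPOINT_PSIG) -> bool:
    """General coincidence logic: actuation demand when at least m of the channels trip."""
    return sum(partial_trips(readings, setpoint)) >= m


def two_of_four(readings: Sequence[float], setpoint: float = HI3_SETPOINT_PSIG) -> bool:
    """The 2-out-of-4 coincidence the text uses for the hi-3 containment pressure actuation."""
    return m_of_n(readings, 2, setpoint)


class SlaveRelay:
    """Energize-to-actuate output (constructed model): the device is actuated only
    while the coil is driven. Without a demand, or without power to the logic, it
    is not actuated."""

    def __init__(self) -> None:
        self.energized = False

    def drive(self, demand: bool, logic_power_available: bool = True) -> bool:
        self.energized = bool(demand) and logic_power_available
        return self.energized


def single_failure_survey(true_pressure: float, m: int = 2,
                          setpoint: float = HI3_SETPOINT_PSIG) -> Dict[Tuple[int, str], bool]:
    """Fail one channel at a time, stuck high and then stuck low, and compare the
    m-of-4 result with four healthy channels. Returns the (channel, failure) cases in
    which the single failure changed the outcome; for 2-of-4 this is empty both when
    the true pressure is below the setpoint and when it is above it."""
    healthy = [true_pressure] * CHANNELS
    expected = m_of_n(healthy, m, setpoint)
    changed: Dict[Tuple[int, str], bool] = {}
    for i in range(CHANNELS):
        for label, stuck in (("stuck_high", setpoint * 2), ("stuck_low", 0.0)):
            readings = list(healthy)
            readings[i] = stuck
            got = m_of_n(readings, m, setpoint)
            if got != expected:
                changed[(i, label)] = got
    return changed


if __name__ == "__main__":
    relay = SlaveRelay()
    normal = [12.0, 11.5, 12.3, 11.8]      # constructed readings, below setpoint
    accident = [45.0, 44.0, 46.0, 43.0]    # constructed readings, above setpoint
    print("normal operation, relay energized:", relay.drive(two_of_four(normal)))
    print("accident, relay energized:", relay.drive(two_of_four(accident)))
    for m in (1, 2, 4):
        print(f"{m}-of-4, single failures causing spurious actuation:",
              single_failure_survey(12.0, m))
        print(f"{m}-of-4, single failures blocking actuation:",
              single_failure_survey(45.0, m))
```

Running the survey with m = 1 lists four stuck-high cases (spurious actuation), with m = 4 four stuck-low cases (blocked actuation), and with m = 2 none in either direction, which is the property the single-failure analyses under IEEE 279-1971 Paragraph 4.2 later in this section rely on at the channel level.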

7.3.1.1.5 ESF and Essential Auxiliary Support Systems

Engineered Safety Features System

Systems that comprise the ESF and essential auxiliary supporting systems for Millstone 3 are listed in Table 7.3-10. Their function and operation following ESFAS initiation are summarized in this section. Additional information on these systems can be found in the referenced sections.

Emergency Core Cooling System

The emergency core cooling system (ECCS) is described in Section 6.3 and is shown on Figure 6.3-1. Development of the SIS and CDA is shown on Figure 7.2-1 (Sheet 8 of 19).

The low pressure safety injection system, high pressure safety injection system, charging pumps in the chemical and volume control system, containment recirculation system, and residual heat removal system perform the function of core cooling for both normal plant cooldown and emergency core cooling.

When a safety injection signal (SIS) occurs, the injection mode of operation is automatically initiated. The charging pumps are started and lined up to take suction from the RWST and, when a low RCS pressure condition exists (P-19), discharge to the reactor coolant cold leg.

The component interlocks used in different modes of system operation are described in Section 6.3.2.1.

A. RHS Pump Interlock from Injection to Recirculation

The details of achieving cold leg recirculation following safety injection are given in Section 6.3.2 and in Table 6.3-7. Figure 7.6-3 shows the logic which is used to automatically control RHS pumps.

B. Sequenced Safeguard Signals

A sequenced safeguard signal is generated by the emergency generator load sequencer for the safety injection pump, RHS pump, or charging pump whenever the signals listed with the associated pumps exist.

1. Safety Injection Pump
  • SIS recirculation mode then LOP
  • CDA recirculation mode then LOP
2. Residual Heat Removal Pumps
3. Charging Pumps
  • SIS recirculation mode and then LOP
  • CDA recirculation mode and then LOP

C. Component Controls

1. Residual Heat Removal System Pumps

The RHS pumps have manual controls on the main control board and at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected. A low-low RWST level is directly annunciated in the control room and interlocks with the SI signal to trip the RHR pumps. The pumps are started automatically on receipt of a sequenced safeguard signal. When a safety injection signal exists, the pumps are stopped automatically on low-low RWST level.

Ammeters and indicator lights are located on the main control board and at the switchgear for the RHS pumps. ESF status lights on the main control board indicate when the RHS pumps are running. RHS pump AUTO trip and overcurrent is alarmed in the control room. Bypass and inoperable alarms are provided in accordance with Regulatory Guide 1.47.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

There are two residual heat removal pumps powered from separate emergency buses. No single failure at the system level will prevent operation of at least one residual heat removal system train.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:

One train of the residual heat removal system at a time is taken out of service and periodically tested in accordance with the Technical Specifications.

This testing will consist of manually starting the pump during normal surveillance of the system or the breaker for the pump will be in the test position. Once the pump is running or the breaker is in the test position, the AUTO start and tripping is verified using the emergency generator load sequencer with safety signals generated internally or externally to the sequencer.

d. IEEE Standard 279-1971, Paragraph 4.13:

An RHR pump low pressure safety injection system Train A or Train B bypass annunciator is alarmed in the control room when any of the following conditions exist for Train A or B:

  • Loss of control power to RHS pump.
  • RHS pump circuit breaker racked out.
  • RWST to RHR pump valve not full open.
  • RHR pump to charging pump valve not full closed.
  • ESF ACU breaker open or control power not available.
  • RHR to hot leg isolation valve not full closed.
  • RHR heat exchanger flow control valve not full open.
  • Reactor plant CCW system bypass.
  • RHR to cold leg isolation valve not full open.
e. IEEE Standard 279-1971, Paragraph 4.16:

Once a safety signal is received, the residual heat removal system will go to completion. Deliberate operator action is required to stop the RHR pumps.

The safety signal must be reset and manual controls used.

f. IEEE Standard 279-1971, Paragraph 4.17:

The residual heat removal pumps have manual controls on the main control board and at the switchgear. A REMOTE/LOCAL control transfer switch at the switchgear is alarmed in the control room when LOCAL is selected.

2. Safety Injection Pumps

The safety injection pumps have manual controls on the main control board and at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected. The pumps are started automatically on receipt of a sequenced safeguard signal. Ammeters and indicator lights are located on the main control board and at the switchgear for the safety injection pumps. ESF status lights on the main control board indicate when a safety injection pump is running. Safety injection pump AUTO Trip or overcurrent is alarmed in the control room. Bypass and inoperable alarms are provided in accordance with Regulatory Guide 1.47.

Indicators on the main control board monitor safety injection pump discharge flow.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

There are two safety injection pumps powered from separate emergency buses. No single failure at the system level will prevent safety injection.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

A bypass and inoperable annunciator in the control room is alarmed when any of the following conditions exist for Train A or B:

  • Safety injection pump control switch in pull to lock.
  • SI pump loss of control power or breaker racked out.
  • Bypass push button depressed.
  • RWST to safety injection pump valve not full open and valve circuit breaker open or control power not available.
  • ESF ACU breaker open or control power not available.
  • Safety injection cross connect valve not full open and valve circuit breaker open.
  • Safety injection pump to hot leg valve not full closed and valve circuit breaker open or control power not available.
  • Safety injection pump to cold leg valve not full open and valve circuit breaker open or control power not available.
  • Safety injection pump suction valve not full open and valve circuit breaker open or control power not available.
  • Containment recirculation injection system bypassed.
  • Safety injection pump cooling pump circuit breaker open or control power not available or motor thermal overload.
d. IEEE Standard 279-1971, Paragraph 4.17:

The safety injection pumps have manual controls on the main control board and at the switchgear. A REMOTE/LOCAL control transfer switch at the switchgear is alarmed in the control room when LOCAL is selected.

e. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:

One train at a time is taken out of service and periodically tested in accordance with the Technical Specifications.

This testing will consist of manually starting the pump during normal surveillance of the system or the breaker for the pump will be in the test position. Once the pump is running or the breaker is in the test position, the AUTO start and tripping is verified using the emergency generator load sequencer with safety signals generated internally or externally to the sequencer.

3. Charging Pumps

Normally, one charging pump is running. During a loss-of-coolant accident (LOCA), two charging pumps operate as part of the safety injection system. The third pump is a swing pump with a breaker cubicle on each emergency bus that is normally empty. The swing pump uses the breaker of the pump which is not in service. Mechanical and keylock switches prevent the pump from being placed on Train A and Train B emergency buses at the same time.

On a loss-of-power (LOP) signal the charging pump that is running is not stripped from the emergency bus; therefore, the pump starts immediately when power is restored. The pumps are started automatically on receipt of a sequenced safeguard signal.

Manual controls are provided on the main control board and at the switchgear for the charging pumps. An annunciator is alarmed on the main control board when local control is selected. ESF status lights indicate when a charging pump is running.

Ammeter and indicator lights are located at the switchgear and on the main control board.

Bypass and inoperable alarms are provided in accordance with Regulatory Guide 1.47.

Each charging pump has an auxiliary lube oil pump with a local STOP-AUTO control switch. The auxiliary lube oil pumps start automatically when AUTO is selected on low lube oil pressure, or when the associated charging pump is stopped. The auxiliary lube-oil pump stops automatically when AUTO is selected and lube oil pressure is above a predetermined pressure and the associated charging pump is started.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

There are three charging pumps, 3CHS*P3A, B, and C. The C pump is a swing pump. Normally, two charging pumps (3CHS*P3A and B) have their breakers racked in and one of the two is running. In the event that the A or B pump fails, its breaker is racked out and racked into the C pump cubicle (Train A or B). Mechanical and electrical interlocks prevent the C pump from being connected to two buses at the same time.

Power is supplied to the charging pumps from two separate emergency buses. No single failure at the system level will prevent charging pump safety injection.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

A bypass and inoperable annunciator in the control room is alarmed when any of the following conditions exist for Train A or B:

  • Charging pump A, B, or C control switch in pull to lock or loss of control power or breaker racked out.
  • Charging pump cubicle ventilation system bypassed.

(Auxiliary circuits associated with the inlet and outlet ventilation dampers for the charging pump cubicles do not provide input to bypass annunciator.)

  • Bypass push button depressed for charging pumps safety injection.
  • Charging pump header isolation valve not full open.
  • RWST to charging pump valve circuit breaker open.
  • VCT to charging pump valve circuit breaker open.
  • Charging pumps to reactor cold legs isolation valve circuit breaker open.
  • Charging pump miniflow isolation valve circuit breaker open.
  • Charging pump cooling pump control switch in PULL TO LOCK or circuit breaker open.
  • Containment recirculation injection system bypassed.
d. IEEE Standard 279-1971, Paragraph 4.16:

Once a safety signal is initiated, the charging pumps go to completion.

Deliberate operator action is required to stop a charging pump. The safety signal must be reset and the pump stopped by manual controls.

e. IEEE Standard 279-1971, Paragraph 4.17:

The charging pumps have manual controls on the main control board and at the switchgear. A REMOTE/LOCAL control transfer switch at the switchgear is alarmed in the control room when LOCAL is selected.

f. IEEE Standard 279-1971, Paragraph 4.10:

One charging pump at a time can be taken out of service and periodically tested in accordance with the Technical Specifications.

g. This testing will consist of manually starting the pump during normal surveillance of the system or the breaker for the pump will be in the test position. Once the pump is running or the breaker is in the test position, the AUTO start and tripping is verified using the emergency generator load sequencer with safety signals generated internally or externally to the sequencer.
4. Refueling Water Storage Tank to Charging Pump Valve

Redundant RWST to charging pump valves have manual controls and indicator lights on the main control board and at the auxiliary shutdown panel. REMOTE/LOCAL transfer switches are on the transfer switch panels. An annunciator is alarmed in the control room when LOCAL control is selected. ESF status lights indicate when the valves are open. Open and closed valve positions are monitored by the plant computer. The valves open automatically on receipt of an SIS or when the volume control tank level is low-low.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The RWST to charging pump valves are redundant and powered from separate emergency buses. No single failure at the system level will prevent charging pump safety injection.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

The charging pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Circuit breaker for valve open.
  • Loss of control power to valve.
  • Valve motor thermal overload.
d. IEEE Standard 279-1971, Paragraph 4.16:

Once an SIS is initiated, the RWST to charging pump valves go to the fully open position. Deliberate operator action is required to close the valves.

The SIS must be reset and the valves closed by manual controls.

e. IEEE Standard 279-1971, Paragraph 4.17:

The RWST to charging pump valves have manual controls on the main control board and at the auxiliary shutdown panel. The REMOTE/LOCAL control transfer switches on the transfer switch panels are alarmed in the control room whenever LOCAL is selected.

f. IEEE Standard 279-1971, Paragraph 4.10:

The RWST valves are periodically tested in accordance with the Technical Specifications. Refer to Sections 7.3.1.2 and 7.3.2 for testing of engineered safety actuation system.

5. Volume Control Tank Outlet Isolation Valves

Redundant volume control tank (VCT) outlet isolation valves have manual controls and indicator lights on the main control board and on the auxiliary shutdown panel. REMOTE/LOCAL transfer switches are on the transfer switch panel. An annunciator is alarmed in the control room when LOCAL control is selected. ESF status lights indicate when the valves are closed. An annunciator is alarmed in the control room when a VCT outlet isolation valve is closed. Open and closed valve positions are monitored by the plant computer. The valves close automatically on receipt of an SIS or VCT low-low level signal, provided the associated RWST to charging pump valve is open.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The VCT outlet isolation valves are redundant and powered from separate emergency buses. No single failure at the system level will prevent VCT outlet isolation.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

A charging pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Circuit breaker for valve open.
  • Loss of control power to valve.
  • Valve motor thermal overload.
d. IEEE Standard 279-1971, Paragraph 4.16:

Once an SIS or VCT low-low level signal is received, the VCT outlet isolation valves go fully closed. The SIS must be reset and the VCT low-low level signal cleared and the valves opened by manual controls.

e. IEEE Standard 279-1971, Paragraph 4.17:

The VCT outlet isolation valves have manual controls on the main control board and at the auxiliary shutdown panel. The REMOTE/LOCAL control transfer switches on the transfer switch panels are alarmed in the control room whenever LOCAL is selected.

f. IEEE Standard 279-1971, Paragraph 4.10:

The VCT isolation valves are periodically tested in accordance with the Technical Specifications. Refer to Sections 7.3.1.2 and 7.3.2 for testing of engineered safety actuation system.

6. Charging Pump to Reactor Cold Leg Isolation Valves

Redundant charging pump to reactor cold leg isolation valves have manual controls and indicator lights on the main control board. Open and closed valve positions are monitored by the plant computer. ESF status lights indicate when the valves are open. An annunciator is alarmed in the control room when an isolation valve is open. The valves open automatically on receipt of an SIS in conjunction with the cold leg injection permissive (P-19).

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The charging pump to reactor cold leg isolation valves are redundant and powered from separate emergency buses. No single failure at the system level will prevent charging pump safety injection.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

The charging pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Circuit breaker for valve open.
  • Loss of control power to valve.
  • Valve motor thermal overload.
d. IEEE Standard 279-1971, Paragraph 4.16:

Once an SIS is initiated and the cold leg injection permissive (P-19) is enabled, the charging pump to cold leg isolation valves go to fully open.

Deliberate operator action is required to close the valves. The SIS must be reset and the valves closed by manual controls.

e. IEEE Standard 279-1971, Paragraph 4.17:

The charging pump to cold leg isolation valves have manual controls on the main control board.

f. IEEE Standard 279-1971, Paragraph 4.10:

The charging pumps to reactor cold leg isolation valves are periodically tested in accordance with the Technical Specifications. Refer to Sections 7.3.1.2 and 7.3.2 for testing of engineered safety actuation system.

7. Charging Pump to Reactor Coolant System Isolation Valves

Redundant charging pump to reactor coolant system isolation valves (normal charging flow path) have manual controls and indicator lights on the main control board. Open and closed valve positions are monitored by the plant computer. ESF status lights indicate when the valves are closed. The valves close automatically on receipt of an SIS.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The charging pump to reactor coolant system isolation valves are redundant and powered from separate emergency buses. No single failure at the system level will prevent isolation of normal charging to reactor coolant system.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

The charging pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Circuit breaker for valve open.
  • Loss of control power to valve.
  • Valve motor thermal overload.
d. IEEE Standard 279-1971, Paragraph 4.16:

Once an SIS is initiated, the charging pump to reactor coolant isolation valves go to the fully closed position. Deliberate operator action is required to open the valves. The SIS must be reset and the valves opened by manual controls.

e. IEEE Standard 279-1971, Paragraph 4.17:

The charging pump to reactor coolant isolation valves have manual controls on the main control board and at the auxiliary shutdown panel.

The REMOTE/LOCAL control transfer switches on the transfer switch panels are alarmed in the control room whenever LOCAL is selected.

f. IEEE Standard 279-1971, Paragraph 4.10:

The charging pump to reactor coolant system isolation valves are periodically tested in accordance with the Technical Specifications. Refer to Sections 7.3.1.2 and 7.3.2 for testing of engineered safety actuation system.
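Items 4 through 7 together describe one train of the charging pump flow-path realignment on a safety injection signal: the RWST suction valve opens on SIS or VCT low-low level, the VCT outlet valve closes on the same signals but only if the associated RWST valve is open, the cold leg injection valve opens on SIS together with the P-19 permissive, the normal charging path closes on SIS, and each valve then "goes to completion" until the signal is reset and manual control is used. The Python model below is an added example, not the FSAR's or the plant's logic, that implements exactly those four demand rules with the seal-in behaviour, and exercises the permissive's purpose by letting an RWST valve fail to respond (a constructed `stuck` fault). The normal valve lineup, the valve names and the representation of SIS, VCT low-low and P-19 as booleans are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Signals:
    """Actuation signals named in items 4 to 7. SIS stays present until it is reset;
    the other two follow the process condition they represent."""
    sis: bool = False          # safety injection signal
    vct_low_low: bool = False  # volume control tank low-low level
    p19: bool = False          # cold leg injection permissive (low RCS pressure)


@dataclass
class Valve:
    name: str
    is_open: bool
    stuck: bool = False        # constructed fault: valve does not respond to an ESF demand


class ChargingPathLogic:
    """One train (A or B) of the charging pump flow-path valves. Demand values:
    True = drive open, False = drive closed, None = no ESF demand on the valve."""

    def __init__(self, train: str) -> None:
        self.train = train
        # Normal lineup constructed for the example: suction from the VCT, normal
        # charging path open, RWST suction and cold leg injection path closed.
        self.rwst_to_cp = Valve(f"RWST to charging pump {train}", is_open=False)
        self.vct_outlet = Valve(f"VCT outlet isolation {train}", is_open=True)
        self.cp_to_cold_leg = Valve(f"charging pump to cold leg {train}", is_open=False)
        self.normal_charging = Valve(f"charging pump to RCS (normal charging) {train}", is_open=True)

    def valves(self):
        return (self.rwst_to_cp, self.vct_outlet, self.cp_to_cold_leg, self.normal_charging)

    def demands(self, s: Signals) -> Dict[str, Optional[bool]]:
        """ESF demand on each valve as the text states it. The VCT outlet permissive uses
        the RWST valve's actual position, so the VCT suction is never isolated while
        the RWST suction is still closed."""
        suction_swap = s.sis or s.vct_low_low
        return {
            self.rwst_to_cp.name: True if suction_swap else None,
            self.vct_outlet.name: False if (suction_swap and self.rwst_to_cp.is_open) else None,
            self.cp_to_cold_leg.name: True if (s.sis and s.p19) else None,
            self.normal_charging.name: False if s.sis else None,
        }

    def _drive(self, v: Valve, demand: Optional[bool]) -> None:
        if demand is not None and not v.stuck:
            v.is_open = demand

    def apply(self, s: Signals) -> Dict[str, bool]:
        """Drive the valves on the current signals. The RWST valve is driven first and the
        demands re-evaluated so the VCT outlet permissive sees its resulting position."""
        self._drive(self.rwst_to_cp, self.demands(s)[self.rwst_to_cp.name])
        d = self.demands(s)
        for v in (self.vct_outlet, self.cp_to_cold_leg, self.normal_charging):
            self._drive(v, d[v.name])
        return {v.name: v.is_open for v in self.valves()}

    def manual(self, v: Valve, want_open: bool, s: Signals) -> bool:
        """Main control board control. A valve under an active ESF demand cannot be moved
        against that demand (it goes to completion); the signal must be reset first.
        Returns True when the operator action took effect."""
        demand = self.demands(s)[v.name]
        if demand is not None and demand != want_open:
            return False
        v.is_open = want_open
        return True


if __name__ == "__main__":
    train_a = ChargingPathLogic("A")
    s = Signals(sis=True)                      # SIS present, RCS pressure still above P-19
    print("SIS without P-19:", train_a.apply(s))
    s.p19 = True                               # RCS pressure falls, permissive enabled
    print("SIS with P-19:", train_a.apply(s))
    print("operator closes RWST valve with SIS present:", train_a.manual(train_a.rwst_to_cp, False, s))
    s.sis = False                              # SIS reset
    print("same action after SIS reset:", train_a.manual(train_a.rwst_to_cp, False, s))
```

The ordering in `apply` is what makes the VCT outlet rule a real permissive rather than a second copy of the RWST rule: if the RWST valve is marked `stuck` and does not open, the VCT outlet valve keeps its open position and the charging pumps keep a suction source.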

8. Charging Pump Miniflow Isolation Valves (Train B)

The miniflow isolation valve for each charging pump has manual controls and indicator lights on the main control board and at the auxiliary shutdown panel.

REMOTE/LOCAL control transfer switches are on a transfer switch panel. An annunciator is alarmed in the control room when LOCAL control is selected. An annunciator is alarmed in the control room when a valve is closed. ESF status lights indicate when a valve is closed. Open and closed positions are monitored by the plant computer. The valves close automatically on receipt of an SIS.

9. Charging Pump Miniflow Isolation Valve (Train A)

The charging pump combined miniflow isolation valve has manual control and indicator lights on the main control board. An annunciator alarms in the control room when the valve is closed. An ESF status light indicates when the valve is closed. The valve is closed automatically on receipt of an SIS.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

There are three Train B miniflow isolation valves and one combined Train A miniflow isolation valve. The Train A and Train B valves are powered from separate emergency buses. No single failure at the system level will prevent charging pump miniflow isolation.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

The charging pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Circuit breaker for valve open.
  • Loss of control power to valve.
  • Valve motor thermal overload.
d. IEEE Standard 279-1971, Paragraph 4.16:

Once an SIS is initiated, the charging pump to miniflow isolation valves go to the fully closed position. Deliberate operator action is required to open the valves. The SIS must be reset and the valves opened by manual controls.

e. IEEE Standard 279-1971, Paragraph 4.17:

The Train B charging pump miniflow isolation valves have manual controls on the main control board and at the auxiliary shutdown panel.

The REMOTE/LOCAL control transfer switches on the transfer switch panels are alarmed in the control room whenever LOCAL is selected.

f. IEEE Standard 279-1971, Paragraph 4.10:

The charging pump miniflow isolation valves are periodically tested in accordance with the Technical Specifications. Refer to Sections 7.3.1.2 and 7.3.2 for testing of engineered safety actuation system.

10. Accumulator Isolation Valves

Two accumulator isolation valves are powered from the Train A emergency bus; the other two are powered from the Train B emergency bus. Each valve has manual controls and indicator lights on the main control board and at the auxiliary shutdown panel. An annunciator is alarmed in the control room when LOCAL control is selected. ESF status lights indicate when a valve is closed. An annunciator is alarmed in the control room when a valve is closed. Open and closed positions are monitored by the plant computer. Signals from the ESFAS are provided to the valve(s) upon initiation of SIS or high pressurizer pressure (pressure above the P-11 setpoint). These signals would open the valves if they were closed and energized, but since the valves are locked open during normal operation with their power removed, the signals perform no actual function.

(See Section 6.3.2.2.6).

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The Train A and B accumulator isolation valves are powered from separate emergency buses.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

The accumulator tank low pressure safety injection bypass annunciator is alarmed in the control room whenever an accumulator isolation valve is not fully open.

d. IEEE Standard 279-1971, Paragraph 4.16:

Once an SIS is initiated, the accumulator isolation valves would go to the fully open position if power were available and if the valves were closed.

Since these valves are locked open during normal operation with their power removed, the signal performs no actual function. (See Section 6.3.2.2.6). Deliberate operator action is required to close a valve. The SIS must be reset, power must be restored and the valves closed by manual controls.

e. IEEE Standard 279-1971, Paragraph 4.17:

The accumulator isolation valves have manual controls on the main control board and at the auxiliary shutdown panel. The REMOTE/LOCAL control transfer switches on the transfer switch panels are alarmed in the control room whenever LOCAL is selected.

f. IEEE Standard 279-1971, Paragraph 4.10:

The accumulator isolation valves are periodically tested in accordance with the Technical Specifications. Refer to Sections 7.3.1.2 and 7.3.2 for testing of the engineered safety features actuation system.

Containment Depressurization System

The containment depressurization systems design is described in Section 6.2.2, and the flow diagrams are shown on Figures 6.2-37 and 6.2-38. The containment depressurization systems consist of the quench spray system and the containment recirculation spray system.

The containment depressurization systems operate only subsequent to a design basis accident (DBA). During normal unit operation, the motor-operated valves in the containment recirculation pump suction lines and discharge headers are open. To ensure proper position of these valves, the CDA signal actuates the valves to open and to override a possible close-test position. The motor-operated isolation valves in the quench spray system are closed during normal unit operation. The isolation valves in the quench spray discharge headers open upon receipt of a CDA signal. The solenoid pilot air-operated valves in the suction line from the RWST to the refueling water recirculation pumps close on a safety injection signal (SIS), thus isolating the nonsafety related portion of the suction piping downstream of the second isolation valve.

The quench spray pumps are started automatically on receipt of a CDA signal. On receipt of a CDA signal combined with a LOP signal, the quench spray pumps are sequenced on by the emergency generator load sequencer. The quench spray pumps are stopped automatically on receipt of a RWST empty signal.

The containment recirculation pumps are sequenced on automatically on receipt of a RWST Low-Low Level signal coincident with a CDA signal.

A. Containment Recirculation System Instrumentation

The following instrumentation is provided in the control room to monitor the system performance.

1. Redundant level indicators for the containment sump. One level channel is recorded.
2. Containment recirculation pump discharge pressure indicators.
3. Containment recirculation pump seal head tank low level alarm which detects seal water leakage or seal failure.
4. Containment recirculation cooler recirculation water outlet temperature.
5. Redundant containment sump temperature indicators.
6. Containment recirculation cooler service water outlet flow indicators.
7. Containment recirculation pump flow indicators.
8. Containment recirculation pump low discharge pressure annunciators interlocked with pump running signal.

A pressure transmitter in the common test line from the RWST and a pressure transmitter in the discharge line of each containment recirculation pump are utilized by the plant computer to verify performance of the containment recirculation pumps.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The containment recirculation system is divided into two separate, redundant mechanical and electrical trains. This provides redundancy to prevent a failure of an active or passive component from impairing the system capability to supply water for the containment depressurization system.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

The containment recirculation system bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A and B):

  • Containment recirculation pump loss of control power or breaker racked out.
  • Containment recirculation pump control switch in pull to lock.
  • Containment recirculation pump area air conditioning unit - loss of control power or circuit breaker open.
  • Service water valve to reactor plant component cooling water heat exchanger not fully closed and circuit breaker open or loss of control power.
  • Service water valve to containment recirculation coolers not fully open and loss of control power or circuit breaker open.
  • Service water outlet valve for containment recirculation coolers not fully open.
  • Service water valve to turbine plant component cooling heat exchangers not fully closed and loss of power or circuit breaker open.
  • Service water valves to reactor plant component cooling heat exchangers safeguards test cabinet switch in PUSH TO TEST (Block Test Equip.).
  • Service water inlet valves for containment recirculation coolers safeguards test cabinet switch in PUSH TO TEST (Block Test Equip.).

  • Service water valves to turbine plant component cooling water heat exchangers safeguards test cabinet switch in PUSH TO TEST (Block Test Equip.).
  • Recirculation spray header isolation valve not fully open and loss of power or circuit breaker open.
  • Cross-connect valve to low pressure safety injection system not fully closed.
  • Recirculation spray pump suction valve not fully open and loss of power or circuit breaker open.
  • Manual bypass push button depressed.

d. IEEE Standard 279-1971, Paragraph 4.16:

Once a CDA signal coincident with an RWST Low-Low signal is received, the containment recirculation pumps are started automatically. Deliberate operator action is required to stop the pumps.

e. IEEE Standard 279-1971, Paragraph 4.10:

The containment recirculation system is periodically tested in accordance with the Technical Specifications.

f. IEEE Standard 279-1971, Paragraph 4.17:

Controls and indicators are provided in the control room for manual operation of the containment recirculation system. REMOTE/LOCAL control selector switches are provided for the containment recirculation pumps outside the control room at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected.

Switchover from the injection to recirculation phase for the recirculation system is described in Section 6.3. Logic for the RWST signals is found in Section 6.3.5.4.

B. Quench Spray System Instrumentation

The following instrumentation is provided in the control room to monitor the quench spray system.

1. Quench spray pump discharge flow indicators and low flow annunciators.
2. RWST (level indication and level alarms).

3. Temperature indicators are provided on the main control board for the RWST, the refueling water recirculation pump suction, and the refueling water coolers outlet.

High and low RWST temperature is alarmed on the main control board.

4. The refueling water recirculation pumps and the associated coolers operate only during normal unit operation. One refueling water recirculation pump is normally in AUTO and starts on a predetermined RWST high temperature signal. The second pump can be placed in service manually. Both pumps are stopped by a low temperature signal - RWST temperature or refueling water recirculation pump suction line temperature. The objective of the instrumentation associated with the refueling water recirculation pumps is to maintain the temperature of the refueling water within design limits.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The quench spray system is divided into two separate, redundant mechanical and electrical trains. This dual-train concept provides redundancy so that a failure of an active or passive component at the system level does not prevent the supply of water for the containment depressurization system.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

The quench spray pump bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A and B):

  • Quench spray pump in pull to lock.
  • Quench spray header isolation valve loss of control power or circuit breaker open.
  • Quench spray pump loss of control power or breaker racked out.
  • Quench spray pump area air conditioning unit loss of control power or circuit breaker open.
  • Manual bypass push button depressed.

d. IEEE Standard 279-1971, Paragraph 4.16:

Quench spray pump operation is automatically initiated on receipt of a Sequenced Safeguard Signal which is initiated by a CDA signal. The pumps stop automatically on receipt of an 'RWST Empty' signal. Deliberate operator action is required to stop the pumps prior to receipt of this signal.
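The start, latch and stop behaviour of the quench spray and containment recirculation pumps described above (CDA start, sequencing under LOP, automatic stop only on RWST empty, and deliberate operator action otherwise) is modelled below as a small state machine. This is an added illustration, not plant code or the licensee's logic; the class names, the `sequencer_permissive` input and the event strings are assumptions made for the example, and the point it shows is that once a train has started, clearing the CDA signal does not stop it.

```python
"""Latched actuation model for one quench spray (QS) / recirculation spray (RS) train.
Added example, not Millstone plant code; all names are assumptions."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class DepressurizationInputs:
    """ESF signals seen by one train (constructed names, not plant tags)."""
    cda: bool = False                  # containment depressurization actuation
    lop: bool = False                  # loss of power on the emergency bus
    rwst_lolo: bool = False            # RWST Low-Low level
    rwst_empty: bool = False           # RWST empty
    sequencer_permissive: bool = True  # assumed: load sequencer has reached this block


@dataclass
class DepressurizationTrain:
    """Pump run states for one train; they latch once set (action goes to completion)."""
    qs_running: bool = False
    rs_running: bool = False
    events: List[str] = field(default_factory=list)

    def step(self, inp: DepressurizationInputs,
             operator_stop_qs: bool = False,
             operator_stop_rs: bool = False) -> Tuple[bool, bool]:
        """Apply one scan of inputs and return (qs_running, rs_running)."""
        # With LOP present the pumps are brought on by the emergency generator
        # load sequencer rather than immediately on the actuation signal.
        sequencer_ok = inp.sequencer_permissive if inp.lop else True

        # Quench spray: start on CDA; stop automatically only on RWST empty,
        # otherwise only by deliberate operator action. A cleared CDA does not stop it.
        if not self.qs_running and inp.cda and sequencer_ok:
            self.qs_running = True
            self.events.append("QS pumps started on CDA")
        elif self.qs_running and inp.rwst_empty:
            self.qs_running = False
            self.events.append("QS pumps stopped on RWST empty")
        elif self.qs_running and operator_stop_qs:
            self.qs_running = False
            self.events.append("QS pumps stopped by operator")

        # Recirculation spray: start on CDA coincident with RWST Low-Low;
        # there is no automatic stop, only deliberate operator action.
        if not self.rs_running and inp.cda and inp.rwst_lolo and sequencer_ok:
            self.rs_running = True
            self.events.append("RS pumps started on CDA + RWST Low-Low")
        elif self.rs_running and operator_stop_rs:
            self.rs_running = False
            self.events.append("RS pumps stopped by operator")

        return self.qs_running, self.rs_running


if __name__ == "__main__":
    # Constructed scenario: CDA, then CDA clears, then RWST Low-Low, then RWST empty.
    train = DepressurizationTrain()
    for inputs in (DepressurizationInputs(cda=True),
                   DepressurizationInputs(),
                   DepressurizationInputs(cda=True, rwst_lolo=True),
                   DepressurizationInputs(rwst_empty=True)):
        print(train.step(inputs))
    print(train.events)
```

The second scan in the demo, with every signal cleared, leaves the quench spray pumps running; this is the "goes to completion" property of Paragraph 4.16 and is the reason the RWST empty stop and the operator stop are the only paths that clear the latch.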

e. IEEE Standard 279-1971, Paragraph 4.17:

Controls and indicators are provided in the control room for manual operation of the quench spray system. REMOTE/LOCAL control selector switches are provided for the quench spray pumps outside the control room at the switchgear.

An annunciator is alarmed in the control room when LOCAL control is selected.

f. IEEE Standard 279-1971, Paragraph 4.10:

The quench spray pumps are periodically tested in accordance with the Technical Specifications.

The testing and calibration of the level switches used for the detection of the RWST level is accomplished by taking one logic Train (A or B) out of service for a short duration.

The testing of the RWST level switches used for tripping the quench spray pumps will be used as an example. The switches may be tested in either of two ways:

  • In the first method, the circuit breakers in the train under test are racked to the TEST position and left in TRIP. The level switches for the train are then isolated from the RWST at the isolation valve in the safeguard building. A pressure test signal is injected to simulate level in the RWST above the reset point of the switch. The breaker is then closed and the test pressure is slowly decreased until the trip point is reached. Breaker indicating lights, annunciators, and computer points in the control room are verified to indicate the breaker tripped/empty condition and that the quench spray pump discharge valve goes shut.
  • In the second method, the quench spray pump for the train in test is manually started. Test pressure is then varied and indications are verified as stated above.

Verification that the test pressure connections have been removed and manifold valves have been reopened is accomplished by the use of alarms, valve position lights, and administrative procedures.

Testing and inspections of the containment heat removal and depressurization systems are described in Section 6.2.2.4.

Containment Isolation System

The initiation signals for the containment isolation system are a part of the engineered safety features actuation system. Penetration types and containment isolation valve arrangements are described in detail in Section 6.2.4.

The safety function of the containment isolation system is to isolate automatically appropriate lines penetrating the containment structure in order to limit the uncontrolled release of radioactive materials to the environment, following an accident.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

Containment isolation valves are located inside and outside of the containment structure, ensuring containment integrity. The containment isolation system provides two barriers between the atmosphere outside the containment structure and 1) the atmosphere inside the containment structure, 2) the reactor coolant system, and 3) the systems connected to Items 1 or 2 as a result of or subsequent to a DBA signal provided by safety injection, containment isolation Phase A (CIA), containment isolation Phase B (CIB), feedwater isolation (FWI), or steam line isolation (SLI).

These signals open or close containment structure penetrations for ESF systems which function to mitigate the consequences of an accident.

Containment isolation valves are actuated by electrically powered solenoid valves, by solenoid-operated air pilot valves or by motor operators. Valves controlled by electrically powered solenoid valves or solenoid-operated air pilot valves are designed to fail in the closed position upon loss of power or instrument air.

Operators for motor-operated valves are designed for fast closure so as to ensure containment isolation in the shortest possible time. Motor-operated valves fail in the as is position. Torque and limit switches ensure proper valve setting.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

A containment isolation Phase A bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Reactor coolant pump seal water return valve - loss of power or circuit breaker open or motor thermal overload.

  • Reactor coolant pump seal water return valve safeguard test cabinet switch in PUSH TO TEST (Block Test Equip.).
  • Loss of AC power to auxiliary relay control circuit.
  • Manual bypass push button depressed.
  • Containment atmosphere monitoring discharge isolation valve - loss of power or circuit breaker open, or thermal overload (Train B only).

A containment isolation Phase B bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Reactor plant component cooling isolation valves - loss of power or circuit breaker open or motor thermal overload.
  • Manual bypass push button depressed.

d. IEEE Standard 279-1971, Paragraph 4.16:

Any automatic containment isolation action, once initiated, will go to completion.

The return to normal operating conditions requires deliberate operator action.

Consistent with IE Bulletin 80-06 which allows actions other than modification or design change to ensure safety related equipment remains in its emergency mode upon reset of an ESF signal, procedural steps are prescribed to ensure the main steam pressure relieving valves remain closed upon SLI reset.

e. IEEE Standard 279-1971, Paragraph 4.17:

The operator has the means for manual initiation of the containment isolation system independent of automatic actuation. Manual controls and visual indication for the containment isolation valves are described in Sections 7.5 and 6.2.4.

f. IEEE Standard 279-1971, Paragraph 4.10:

Containment isolation valves are tested to ensure they are capable of closing by operating manual switches in the control room and by observing the position lights. Periodic testing during normal operation is performed on all containment isolation valves except those where the test would interrupt or upset normal operation. Testing of these valves is performed during refueling shutdowns.

Refer to Section 6.2.4.4 for testing and inspection procedures of containment isolation valves in various systems. Table 6.2-65 lists design, operating, and functional parameters of all containment isolation valves.

The design bases for the controls of the containment isolation system are:

1. Physical and electrical separation between controls of the redundant containment isolation valves is provided to prevent electrical faults or physical damage to one of the containment isolation valve controls from affecting the controls of the redundant valve.
2. The controls of the containment isolation system are designed to withstand seismic loads and to operate in adverse environmental conditions in accordance with requirements described in Sections 3.10 and 3.11, respectively.

Status lights monitoring the status of containment isolation valves enable the operator, during emergency conditions, to make sure all isolation valves are in the required position, or to take corrective action if necessary.

Combustible Gas Control System in Containment (HCS)

The combustible gas control system is described in Section 6.2.5 and its piping and instrumentation diagram is shown on Figure 6.2-36.

The hydrogen recombiner system, though currently installed, is not used to provide any mitigating function. The hydrogen recombiner system, associated controls, alarms (including Regulatory Guide 1.47 bypass alarms) and ventilation dampers have been isolated awaiting abandonment. The system discussion describes the system as originally installed and operated.

Each of the redundant trains in the hydrogen recombiner system is completely instrumented to ensure the system performs its function following any single failure. Because the hydrogen recombiner is connected to safety related electrical busses, the hydrogen recombiners are safety-related.

A hydrogen analyzer is permanently installed in each train to provide the capability of analyzing the hydrogen content in the gas being drawn from the containment atmosphere.

Once the hydrogen burn-off process has started, a temperature controller maintains the recombiner chamber temperature at approximately 1,300°F. Flow, temperature, and pressure indication is provided at each hydrogen recombiner blower discharge. Temperature indication is provided at the discharge of each electric preheater and a pressure indicator is provided at the discharge of each hydrogen recombiner.

Each set of instrumentation and controls requiring electric power is supplied from an independent source. 120 VAC power is supplied from the 120 VAC vital buses and 125 VDC power from the 125 VDC buses.

Analysis

a. Deleted:

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

A DBA hydrogen recombiner system bypassed annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Recombiner building inlet and outlet ventilation damper loss of control power.

(Auxiliary power circuits associated with the inlet and outlet ventilation dampers do not provide input to bypass annunciator.)

  • Manual bypass push button depressed.

d. IEEE Standard 279-1971, Paragraph 4.16:

The DBA hydrogen recombiner system is manually initiated and monitored locally in the hydrogen recombiner building. After the initial heatup of the system, the system operates automatically with common alarms located in the control room to alert the operator of a malfunction.

e. IEEE Standard 279-1971, Paragraph 4.17:

The DBA hydrogen recombiner system operating parameters are monitored, indicated, and controlled locally. In addition, recombiner bypassed and common trouble alarms are annunciated in the control room. Indicators and a recorder (Channel A only) for hydrogen gas concentration are located on the main control boards. The system bypass push button and loss of control power to the system cubicle ventilation dampers are monitored by the plant computer.

f. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:

The hydrogen analyzer is tested, by injecting sample gases, to verify zero and span calibration.

Supplementary Leak Collection and Release System

The supplementary leak collection and release system (SLCRS) is described in Section 6.2.3; its flow diagram is shown on Figure 9.4-2.

The SLCRS consists of two exhaust fans, each supplied from a separate emergency bus, two filter banks, and the associated ductwork and dampers.

The SLCRS, in conjunction with the Auxiliary Building Ventilation System exhausts, creates and maintains a partial vacuum of greater than or equal to 0.4 inches water gauge at the 24 foot 6 inch elevation within 120 seconds upon receipt of an SIS or when manually started.

Following a LOCA, the SIS signal 1) opens the SLCRS Train A and B filter bank inlet and 2) starts the SLCRS Train A and B exhaust fans. High differential pressure across the roughing filter, high efficiency particulate air (HEPA) filter, carbon absorber, and HEPA filter of each filter bank is alarmed in the control room.

The filtered exhaust is monitored for radiation (Section 11.5) prior to discharge to atmosphere via the Millstone 1 stack.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The supplementary leak collection and release system is divided into two separate, redundant mechanical and electrical trains. This dual train concept provides sufficient redundancy to prevent a single failure from impairing the system capability to maintain a negative pressure of greater than or equal to 0.4 inch water gauge at the 24 foot 6 inch elevation within 120 seconds.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

The SLCRS bypassed annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • SLCRS fan control switch in pull to lock position.
  • SLCRS fan loss of power or circuit breaker open.
  • Manual bypass push button depressed.
  • Reactor plant component cooling pump cubicle ventilation system bypass.
  • Auxiliary Building filter system exhaust fan control switch in pull to lock, or circuit breakers open, or loss of control power.
  • Auxiliary Building filter system exhaust fan damper circuit breaker open, or loss of control power.

d. IEEE Standard 279-1971, Paragraph 4.16:

Once an SIS is received, the SLCRS exhausts, creates, and maintains a partial vacuum of greater than or equal to 0.4 inch water gauge at the 24 foot 6 inch elevation within 120 seconds. Deliberate operator action is required to release the SLCRS from maintaining this vacuum.

e. IEEE Standard 279-1971, Paragraph 4.10:

The SLCRS is periodically tested in accordance with the Technical Specifications.

Fans, air operated dampers, and controls for the supplementary leak collection system are tested by automatically starting on a simulated SIS signal and allowing them to reach operating speed with all dampers in the operating position before being shut down.

Auxiliary Feedwater System

The auxiliary feedwater system, except for ESFAS initiation signals, is described in Section 10.4.9. The safety related portions of the auxiliary feedwater system are shown on Figure 10.4-6.

One turbine-driven auxiliary feedwater pump and two motor-driven pumps are provided. Each motor-driven pump has half the capacity of the turbine-driven pump. Power is supplied to the motor-driven pumps from separate emergency buses. Steam supply to the turbine-driven pump is shown on Figure 10.3-1. A branch line from three main steam lines (A,B,D) is connected into a common header to supply steam to the turbine. A normally closed air-operated valve is installed in each branch line (A,B,D). Each air-operated valve is controlled by two solenoid-operated valves connected in series in the air supply line. The solenoid-operated valves are supplied power from separate emergency 125 VDC buses. Loss of DC power to either solenoid-operated valve vents air to open the associated air-operated valve. A motor-operated stop check valve is installed in each line. These valves are normally in the open position. Power for each of the motor-operated stop check valves is supplied from an emergency bus.

During normal operation, the operability of all valves in the auxiliary feedwater system is verified by remote manual action. The three air-operated valves are exercised similarly by isolating the steam supply to the turbine-driven auxiliary feedwater pump by closing the motor-operated stop check valves in the steam lines.

In the auxiliary feedwater system, the motor-driven pumps are started automatically by the following signals: (These signals also close the blowdown isolation and sample line valves for all steam generators.)

  • Safety injection or containment depressurization (from the Emergency Generator Load sequencer).

  • Two out of four (2/4) low-low level in any steam generator (from solid state protection system).
  • Emergency bus loss of power (LOP signal).

The motor-driven pumps are also started manually.

Starting the turbine-driven pump is initiated automatically by:

  • Two out of four (2/4) low-low level in two or more steam generators (from solid state protection system).
  • Emergency DC bus loss of power (not actually an initiation signal but, rather, a failure mode of the solenoid valves for the turbine-driven auxiliary feedwater pump steam supply valves).

The turbine-driven pump is also started manually.

Indication and controls required for the auxiliary feedwater system in the event of inaccessibility of the control room are provided on the auxiliary shutdown panel described in Section 7.4.

Instrumentation required for post-accident monitoring is described in Section 7.5. The solenoid-operated modulating valves in the auxiliary feedwater supply line to each steam generator are manually-operated from the main control board or from the auxiliary shutdown panel.

The motor-operated valves in the auxiliary feedwater lines from the motor-driven auxiliary feedwater pumps discharge are manually operated from the main control board or from the auxiliary shutdown panel. The valves associated with any one auxiliary feedwater line are powered from different emergency buses. The valves are normally open so that loss of power to one emergency bus does not prevent the isolation or control of auxiliary feedwater to a steam generator. An air-operated valve is provided for each motor-driven steam generator auxiliary feedwater pump, and a hand control valve is provided for the turbine-driven auxiliary feedwater pump between the pump suction and the condensate storage tank to allow pump suction to be taken from the tank. The condensate storage tank suction valves for the motor-driven pumps can be operated from the main control board or from the auxiliary shutdown panel, or close automatically on receipt of an SIS, CDA, auxiliary feedwater pump AUTO start (any steam generator 2/4 low-low level), AMSAC, or LOP signal. The condensate storage tank suction valve for the turbine-driven auxiliary feedwater pump is administratively locked closed. These valves are normally closed, and the air-operated valves fail closed on loss of control air or electric power.

Steam generator auxiliary feedwater pump suction and discharge pressure is indicated in the control room and monitored by the plant computer. Flow in each steam generator auxiliary feedwater supply line is indicated by flow indicators in the control room and on the auxiliary shutdown panel. (Indicators for steam generators 1A and 1D are provided with umbilical type connections to isolate the normal source device and connect an alternate source device to facilitate safe shutdown from shutdown locations following a fire as described in Section 6.2.11 of the Fire Protection Evaluation Report.)

The correct operation of the auxiliary feedwater system is verified in conjunction with the steam generator auxiliary feedwater pump test described in Section 10.4.9.4. The steam generator auxiliary feedwater pumps are operated during this test. Testing of actuated devices and associated control is performed periodically to ensure reliability and performance.

Redundant demineralized water storage tank (DWST) level transmitters with redundant level indicators are provided on the main control board and on the auxiliary shutdown panel. Level is recorded for one channel and the other channel provides high, low, and low-low level annunciation on the main control board.

The DWST temperature is maintained above a minimum temperature automatically by a demineralized water storage tank electric heater and circulating pump. Low temperature is alarmed on the main control board.

Bypass indication is provided in the control room and is isolated such that it does not degrade the protection function of the auxiliary feedwater system.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

There are two motor-driven auxiliary feedwater pumps with power supplied from separate emergency buses. The motor-driven pumps each supply auxiliary feedwater to two steam generators.

A turbine-driven auxiliary feedwater pump supplies auxiliary feedwater to all four steam generators. The turbine is supplied steam from three separate steam generators (3RCS*SG1A, B, or D). Each steam supply line to the auxiliary feed pump turbine has an air-operated valve normally closed and a motor-operated valve normally open. Each air-operated valve has two solenoid valves, each supplied power from separate emergency DC buses. Loss of power to either solenoid valve vents air from the associated air-operated valve and causes it to open. Two of the normally open motor-operated valves are powered from the Train A emergency bus and the other is powered from the Train B emergency bus. No single failure at the system level will prevent the auxiliary feedwater pumps from supplying auxiliary feedwater to the steam generators.

Each auxiliary feedwater line from a motor-driven pump has a normally open solenoid valve that fails open and a motor-operated valve normally open that fails as is on loss of power. The valves are powered from separate emergency buses; the motor-operated valve is powered from the opposite electrical train as the motor-driven pump. No single failure prevents the control of auxiliary feedwater flow from a motor-driven pump to a steam generator.

Each auxiliary feedwater line from the turbine-driven pump has two normally open solenoid valves that fail open. The valves are powered from separate emergency buses. No single failure will prevent the control of auxiliary feedwater flow to a steam generator.

Each auxiliary feedwater line to a steam generator has a Train A and a Train B feedwater flow transmitter that is powered from separate power supplies. One auxiliary feedwater flow transmitter has an associated main control room indicator and the other displays on plant computer. Two Train A and two Train B auxiliary feedwater flow indicators, one for each steam generator, are on the main control board and on the auxiliary shutdown panel. No single failure will prevent at least two auxiliary feedwater flow indicators from indicating at the main control board and at the auxiliary shutdown panels. There is a Train A and Train B steam generator level indicator for each steam generator on the main control board and at the auxiliary shutdown panel that can be used as backup indication for the flow indicators.

There are two trains of DWST level indicators on the main control board and at the auxiliary shutdown panel. The Train A level is recorded on the main control board.

The trains are powered from separate buses. No single failure will prevent DWST level indication on the main control board or at the auxiliary shutdown panel.

No single failure at the system level will prevent auxiliary feedwater from being supplied to the steam generators.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

The motor-driven auxiliary feedwater system bypass (Train A) annunciator is alarmed in the control room whenever any of the following conditions exist:

  • Either feed pump motor loss of control power or breaker racked out.
  • Either pump motor control switch in pull to lock position.

  • Manual bypass push button depressed.

The auxiliary turbine-driven feed pump bypass (Train B) annunciator is alarmed in the control room whenever any of the following conditions exist:

  • 3MSS*MOV17A, B, or D not fully open.
  • Manual bypass push button depressed.

d. IEEE Standard 279-1971, Paragraph 4.16:

Once an auxiliary feedwater pump start signal is received, the auxiliary feedwater pumps go to completion and run. Deliberate operator action must be taken to stop an auxiliary feedwater pump. The AUTO start signal must be cleared and the pumps stopped by manual controls. An exception is that the motor-driven pumps are stopped automatically by low lube oil pressure, and electrical protection trips; the Train A motor-driven pump is isolated from AUTO start and sequencer signals when in LOCAL control to facilitate safe shutdown from a remote shutdown location following a fire as described in Section 6.2.11 of the Fire Protection Evaluation Report. The turbine-driven auxiliary feedwater pump is stopped automatically by overspeed protection.
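The auxiliary feedwater actuation rules stated in this subsection (the motor-driven and turbine-driven pump start signals, the 2/4 low-low steam generator level coincidence, the fail-open behaviour of the turbine steam supply valves on loss of either DC bus, the condensate storage tank suction valve closure signals, and the isolation of the Train A motor-driven pump from AUTO start while in LOCAL control) are gathered below into one executable model. This is an added example written for this page, not plant code or the licensee's ESFAS logic; the `PlantSignals` field names, the per-channel list layout and the `evaluate` output keys are assumptions made for the example. It generalises the text slightly by evaluating all four steam generators from their individual channel states rather than from a single summary signal.

```python
"""Model of the auxiliary feedwater (AFW) actuation logic described in this section.
Added example, not Millstone plant code; all names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

STEAM_GENERATORS = ("A", "B", "C", "D")


def _all_channels_normal() -> Dict[str, List[bool]]:
    # Four protection channels per steam generator; True = channel tripped on low-low level.
    return {sg: [False, False, False, False] for sg in STEAM_GENERATORS}


@dataclass
class PlantSignals:
    """Inputs to the AFW actuation logic (constructed field names, not plant tags)."""
    sis: bool = False                # safety injection signal
    cda: bool = False                # containment depressurization actuation
    lop: bool = False                # emergency AC bus loss of power
    amsac: bool = False              # AMSAC actuation signal
    train_a_mdp_local: bool = False  # Train A motor-driven pump selected to LOCAL control
    dc_bus_lost: Dict[str, bool] = field(default_factory=lambda: {"A": False, "B": False})
    sg_lolo_channels: Dict[str, List[bool]] = field(default_factory=_all_channels_normal)


def two_of_four(channels: List[bool]) -> bool:
    """2/4 coincidence: at least two of the four channels must be tripped."""
    if len(channels) != 4:
        raise ValueError("expected exactly four protection channels")
    return sum(1 for tripped in channels if tripped) >= 2


def steam_generators_at_lolo(sig: PlantSignals) -> Set[str]:
    """Steam generators whose level channels satisfy 2/4 low-low coincidence."""
    return {sg for sg, ch in sig.sg_lolo_channels.items() if two_of_four(ch)}


def any_sg_lolo(sig: PlantSignals) -> bool:
    return bool(steam_generators_at_lolo(sig))


def motor_driven_pump_auto_start(sig: PlantSignals) -> Dict[str, bool]:
    """Motor-driven pumps start on SIS or CDA (via the load sequencer), any SG 2/4
    low-low level, or LOP. The Train A pump ignores AUTO start while in LOCAL control."""
    demand = sig.sis or sig.cda or any_sg_lolo(sig) or sig.lop
    return {"A": demand and not sig.train_a_mdp_local, "B": demand}


def blowdown_and_sample_valves_close(sig: PlantSignals) -> bool:
    """The same signals that start the motor-driven pumps isolate SG blowdown and sample lines."""
    return sig.sis or sig.cda or any_sg_lolo(sig) or sig.lop


def turbine_driven_pump_auto_start(sig: PlantSignals) -> bool:
    """Turbine-driven pump starts on 2/4 low-low level in two or more steam generators."""
    return len(steam_generators_at_lolo(sig)) >= 2


def turbine_steam_supply_valves_open(sig: PlantSignals) -> bool:
    """Steam supply AOVs open on a real start demand, and also whenever either emergency
    DC bus is lost, because the series solenoids vent air (fail-open, not an initiation signal)."""
    return turbine_driven_pump_auto_start(sig) or any(sig.dc_bus_lost.values())


def cst_suction_valves_close(sig: PlantSignals) -> bool:
    """Condensate storage tank suction valves for the motor-driven pumps close on
    SIS, CDA, AFW AUTO start (any SG 2/4 low-low), AMSAC, or LOP."""
    return sig.sis or sig.cda or any_sg_lolo(sig) or sig.amsac or sig.lop


def evaluate(sig: PlantSignals) -> Dict[str, object]:
    """All actuation outputs for one set of inputs, for display or assertion."""
    return {
        "mdp_start": motor_driven_pump_auto_start(sig),
        "tdp_start": turbine_driven_pump_auto_start(sig),
        "tdp_steam_valves_open": turbine_steam_supply_valves_open(sig),
        "blowdown_isolated": blowdown_and_sample_valves_close(sig),
        "cst_suction_closed": cst_suction_valves_close(sig),
    }


if __name__ == "__main__":
    # Constructed scenario: SG B reaches 2/4 low-low level, nothing else abnormal.
    demo = PlantSignals()
    demo.sg_lolo_channels["B"] = [True, False, True, False]
    for name, value in evaluate(demo).items():
        print(f"{name}: {value}")
```

Two points from the text are visible in the outputs: a single steam generator at low-low level starts both motor-driven pumps and closes the CST suction valves but does not start the turbine-driven pump, and a lost DC bus opens the turbine steam supply valves even with no level trip present, which is why the page lists it as a failure mode rather than an initiation signal.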

e. IEEE Standard 279-1971, Paragraph 4.17:

The motor-driven auxiliary feedwater pumps have manual controls on the main control board and at the switchgear. REMOTE/LOCAL control transfer switches at the switchgear are alarmed in the control room when LOCAL is selected.

The turbine-driven auxiliary feedwater pump steam supply valves have manual controls on the main control board and at the auxiliary shutdown panel. REMOTE/LOCAL control transfer switches on the transfer switch panels are alarmed in the control room when LOCAL is selected.

The turbine-driven auxiliary feedwater pump speed changer has manual controls on the main control board and local to the pump. REMOTE/LOCAL control transfer switch on the local control panel is alarmed in the control room when remote is selected.

The auxiliary feedwater control and isolation valves have manual controls on the main control board and at the shutdown panels. REMOTE/LOCAL control transfer switches on the transfer switch panels are alarmed in the control room when LOCAL is selected.

f. IEEE Standard 279-1971, Paragraph 4.10:

One motor-driven auxiliary feedwater pump at a time is taken out of service and periodically tested in accordance with the Technical Specifications.

This testing will consist of manually starting the pump during normal surveillance of the system or the breaker for the pump will be in the test position. Once the pump is running or the breaker is in the test position, the AUTO start and tripping is verified using the emergency generator load sequencer with safety signals generated internally or externally to the sequencer.

Refer to Section 10.4.9.4 for testing of turbine-driven auxiliary feedwater pump.

The auxiliary feedwater control and isolation valves are periodically tested in accordance with the Technical Specifications. The valves are operated manually with controls on the main control board and at the auxiliary shutdown panel.

The steam supply valves for the turbine-driven pump are periodically tested in accordance with the Technical Specifications.

g. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:

The DWST level transmitters and auxiliary feedwater flow transmitters are periodically tested in accordance with the Technical Specifications.

ESF Filtration System

The ESF filtration system consists of the auxiliary building filter system (ABFS), which is described in Section 9.4.3; its flow diagram is shown on Figure 9.4-2.

The ABFS consists of two ABFS exhaust fans, each supplied from a separate emergency bus, two main filter banks, and the associated ductwork and dampers.

The following areas are exhausted by the ABFS:

  • Waste disposal building
  • Auxiliary building
  • Containment purge air system
  • Charging pump and component cooling water pump area

Exhaust from the areas can be directed through the auxiliary building filters or bypassed to atmosphere. Both paths of exhaust are provided with redundant air-operated dampers with solenoid pilot valves, with the exception of the filter inlet from the charging pump and component cooling water pump area. The redundant dampers are in series and fail closed on loss of power or air.

The filter inlet dampers from the charging pump and component cooling water area are in parallel; one is fixed full open and the other fixed closed. Normally, the exhaust from the areas is bypassed to the atmosphere. However, the exhaust from any or all of the areas can be manually directed through the filters. On receipt of a SIS, LOP, or CDA signal, the normal exhaust dampers from the charging pump and component cooling water pump area close automatically. All other inlet dampers and filter bypass-to-atmosphere dampers are closed on receipt of a SIS, LOP, or CDA signal, or by manual operation; the Train A filter inlet and exhaust fan discharge dampers then open and the Train A filter exhaust fan starts. Train B is then on standby. The safeguard signal is initiated by a SIS or CDA signal. During a LOP, the exhaust fans are sequenced in accordance with the emergency generator load sequence. The standby filter train is started automatically on a high plenum pressure signal from the operating train.

During refueling and in the event of high radiation from one of the areas exhausted by the ABFS, the exhaust flows are manually diverted to the auxiliary building filter bank.

The fuel building filter banks are normally bypassed by the unfiltered exhaust fan. During refueling and in the event of high radiation, the fuel building exhaust is manually diverted to the fuel building filter bank. Either Train A or Train B is operated with the other train in standby.

The auxiliary building and fuel building filter banks have manual controls located on the main heating and ventilation panel in the control room and at the switchgear. REMOTE/LOCAL control selector switches are provided at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected.

High differential pressure across the prefilter, carbon absorber, and/or HEPA filter of each filter bank is alarmed in the control room.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

There are two redundant ESF filtration Trains (A and B). The equipment in Train A is supplied from one emergency bus and Train B equipment is supplied from a separate emergency bus. No single failure at the system level will prevent the ESF filtration system from filtering the air system during an accident.

b. IEEE Standard 279-1971, Paragraph 4.4:


Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

A charging pump high pressure safety injection system bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Auxiliary building filter system fan in pull to lock position.
  • Auxiliary building filter system fan loss of control power or breaker racked out.
  • Auxiliary building filter system fan outlet damper loss of power or circuit breaker open.
d. IEEE Standard 279-1971, Paragraph 4.16:

Once initiated by a safety signal, the ESF filtration system will go to completion.

Return to normal operation requires deliberate operator action by resetting safety signals and using manual controls.

e. IEEE Standard 279-1971, Paragraph 4.17:

The auxiliary building and fuel building filter banks have manual controls located on the main heating and ventilation panel in the control room and at the switchgear. REMOTE/LOCAL control selector switches are provided at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected.

f. IEEE Standard 279-1971, Paragraph 4.10:

The ESF filtration system is periodically tested in accordance with the Technical Specifications.

Essential Auxiliary Support Systems

Auxiliary support systems that are required to function upon initiation of ESFAS are listed in Table 7.3-10. A summary description of these systems is provided in this section. Additional details can be found in the referenced sections.

Service Water System

The service water system is described in Section 9.2.1 and its flow diagram is shown on Figure 9.2-1. For the purpose of instrumentation and control application, a recapitulation of the system design follows.


Two service water headers, each supplied by two service water pumps, are provided. The power for the two-train design is supplied from two separate emergency buses as shown on Figure 8.1-1.

Either of the two redundant service water system trains has the capability to supply sufficient quantities of cooling water to the required equipment for safe shutdown. For the emergency mode of operation, the supply lines to the nonsafety related equipment are isolated by automatic closure of isolation valves. A LOP, CDA, or service water low header pressure signal automatically closes isolation valves in the supply line to the turbine plant component cooling heat exchangers. A LOP or CDA signal automatically closes isolation valves in the supply lines to the circulating water pumps lube water. In addition to those closed on a LOP or CDA signal, the CDA signal automatically closes the isolation valves in the supply lines to the reactor plant component cooling heat exchangers and automatically opens supply valves to the containment recirculation coolers. A LOP, SIS, or CDA signal causes automatic opening of the air-operated valves in the outlet lines from the diesel engine coolers. A LOP signal starts service water booster pumps that supply the MCC and rod control area air-conditioning units.

Continuous radiation monitoring is provided in the service water discharge headers (Section 11.5). Following a DBA, continuous radiation monitoring (Section 11.5) is provided in the discharge of each train of containment recirculation coolers. Each containment recirculation cooler has a remotely operated valve in its supply and discharge line. On a high radiation alarm, the operator can isolate the affected containment recirculation cooler train.

Control switches and indicating lights for the service water pump motors are provided on the main control board and at the switchgear. REMOTE/LOCAL control selector switches and LEAD/FOLLOW pump selector switches are located at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected. One service water pump in each train is started manually. The standby pump is started automatically by a pressure switch detecting low discharge pressure in the associated header. The action of these pressure switches is blocked by a LOP signal.

The service water pumps are operated in the following manner under the indicated accident conditions:

1. LOCA with off site power available. All pumps that are operating prior to the accident continue to operate.
2. LOCA coincident with loss of off site power. Two pumps, one on each emergency bus, start automatically in accordance with the emergency generator loading sequence. Should one of the two service water pumps fail to start, the redundant pump on the same emergency bus starts automatically after a time delay.
3. Loss of offsite power. Two pumps, one on each emergency bus, start automatically in accordance with the emergency generator loading sequence. Should one of the two service water pumps fail to start, the redundant pump on the same emergency bus starts automatically after a time delay.


The service water system is also a cooling source for the control building chilled water system.

Power and slave valves in the chiller condenser outlet line and a temperature element/controller in the booster pump discharge line provide temperature control for the chilled water system condenser by means of a controlled bypass from the slave valve to the booster pump suction.

The control building chilled water system service water booster pumps are interlocked to start and stop with the associated control building chilled water pump. Pressure in the service water headers is indicated in the control room. For reliability purposes, correct operation of the pressure measuring loop in the service water header is verified by valving the pressure transmitter out of service and applying a simulated signal. Similarly, the header low pressure annunciation is also verified during normal operation. These tests verify correct operation of the loops and of the indications provided in the control room.

Service water discharge flow indicators and high/low flow annunciators are provided on the main control board for the containment recirculation coolers and reactor plant component cooling heat exchangers. High/low service water outlet flow annunciators are provided on the main control board for the diesel engine jacket water coolers. Correct operation of flow measuring loops is verified by valving the flow transmitter or switch out of service and applying a simulated signal.

The operability of the service water system controls and indications common for both normal and emergency mode of operation is verified by their normal use. Instrumentation provided for the containment recirculation coolers is tested in conjunction with the containment recirculation system test.

Bypass indication is provided in the control room for the service water system.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

There are two redundant service water trains (A and B) and there are two service water pumps in each train. Normally one pump in each train is running with the other in standby. The pumps in Train A are supplied from one emergency bus and Train B pumps are supplied from a separate emergency bus. No single failure at the system level will prevent the service water pumps from supplying service water.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

A bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):


  • Service water pump loss of control power or breaker racked out or control switch in pull to lock and the other pump in the same train with loss of control power or breaker racked out or control switch in pull to lock.
  • Service water pump area air conditioning unit circuit breaker open or loss of control power.
  • Service water pump area air conditioning unit control switch in pull to lock.
  • Manual bypass push button depressed.
d. IEEE Standard 279-1971, Paragraph 4.16:

Once a safety signal is initiated, the lead service water pump in each Train (A and B) will start. In the event that the lead pump does not start, the follow pump will start one-half second later. To stop a running service water pump requires deliberate operator action; the safety signals must be reset and manual controls used to stop the pump.

e. IEEE Standard 279-1971, Paragraph 4.17:

The service water pumps have manual controls located on the main control board and at the switchgear. REMOTE/LOCAL control selector switches at the switchgear are alarmed in the control room when LOCAL control is selected.

f. IEEE Standard 279-1971, Paragraph 4.10:

The service water system is periodically tested in accordance with the Technical Specifications.

This testing will consist of manually starting the pump during normal surveillance of the system or the breaker for the pump will be in the test position. Once the pump is running or the breaker is in the test position, the AUTO start and tripping is verified using the emergency generator load sequencer with safety signals generated internally or externally to the sequencer.

Reactor Plant Component Cooling Water System

The reactor plant component cooling water system design is described in Section 9.2.2.1 and the flow diagram is shown on Figure 9.2-2.

Manual controls and indicating lights for the reactor plant component cooling water pumps are provided in the control room and at the switchgear. REMOTE/LOCAL control selector switches are provided at the switchgear; an annunciator is alarmed in the control room when LOCAL control is selected. Normally, two pumps are operating with the third pump on stand-by in Train B. Three pump motor breakers are supplied for four breaker cubicles, two for each train. The pumps for Trains A and B are normally racked into their respective cubicles, with the third pump breaker racked into its Train B cubicle. The third pump may be operated on Train A by first racking its breaker out of Train B and then racking it into the Train A cubicle. An electrical interlock prevents simultaneous operation of two pumps on the same train. A keylock switch is provided which allows the third pump to operate on one train or the other, but not on both at once.

Motor overcurrent and auto trip are alarmed in the control room. Status lights and bypass indication are provided in the control room. Power to Trains A and B reactor plant component cooling water pump motors is supplied from separate emergency buses.

The reactor plant component cooling pumps are started automatically by an SIS or LOP signal.

The pumps are sequenced on by the emergency generator load sequencer when an LOP signal exists.

Redundant level switches located on the surge tank for the reactor plant component cooling water system are set to detect a sudden drop in reactor plant component cooling water system surge tank level, which would result from a rupture of nonsafety-related system piping. These level switches automatically close isolation valves, thus isolating the system's safety-related portions from the nonsafety-related portions.

All supply lines to reactor plant component cooling water users, both safety related and nonsafety related, are provided with flow indicators and high flow alarms in the control room. Flow is totaled by the plant computer. Remote temperature indicators are provided in the suction lines of each reactor plant component cooling pump. Each compartment of the reactor plant component cooling water surge tank is provided with a level sensing instrument. The makeup to the surge tank is automatically controlled by level in the compartment. The level in each compartment is indicated, and low and high level extremes are alarmed in the control room.

A radiation monitor is utilized to monitor Train A or Train B outlet from the reactor plant component cooling water heat exchangers. Indication and alarm are provided locally; and indication, recording, and alarm are provided in the control room (Section 11.5).

The containment isolation valves in the reactor plant component cooling water lines serving the equipment inside the containment structure are closed automatically on receipt of a CIB signal.

Trains A and B cross-connect valves inside the containment are closed automatically on receipt of an SIS or surge tank low level signal.

Following a LOP or CIA signal, the cooling water source for the nonsafety-related components inside the containment structure is automatically transferred from the chilled water system to the reactor plant component cooling water system.

ESF status lights are provided in the control room for the reactor plant component cooling water system valves that receive a safety signal. Reactor plant component cooling water system bypass alarms are provided on the main control board.


Analysis of Reactor Plant Component Cooling Water System

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The reactor plant component cooling water system is divided into two separate, redundant mechanical and electrical trains. The system can be cross-connected; the cross-connect valves are closed automatically by an SIS or a surge tank low-level signal. The cross-connect valves are air-operated and fail closed on loss of air or loss of power to the associated solenoid valve. No single failure at the system level will prevent the system from supplying reactor plant component cooling water for at least one train.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

A reactor plant component cooling system bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Reactor plant component cooling pump (A or B) control switch in pull to lock or circuit breaker racked out or loss of control power and reactor plant component cooling pump (C) control switch in pull to lock or circuit breaker racked out or loss of control power.
  • Containment isolation valve not fully open.
  • Reactor plant component cooling heat exchanger service water supply valve not fully open.
  • Manual bypass push button depressed.
  • Reactor plant component cooling pump area vent system bypass.
d. IEEE Standard 279-1971, Paragraph 4.16:

Once an SIS is received, the reactor plant component cooling pumps are started automatically. When a LOP exists, the pumps are automatically started by the emergency generator load sequencer. Deliberate operator action must be taken to stop a pump. The SIS and LOP must be reset and manual control used to stop a pump.


The containment air recirculation cooling coil supply and return valves are opened automatically by a LOP or CIA signal. The LOP and CIA must be reset to close the valves manually. The valves close automatically on reactor plant component cooling water surge tank low-level. The surge tank low-level signal must be cleared and the CLOSE/AUTO push button depressed before the valves can be opened automatically or manually.

The nonsafety header supply and return isolation valves close automatically on receipt of a CIA or reactor plant component cooling surge tank low-level signal.

The CIA must be reset and the surge tank low-level signal cleared and manual controls used to open the valves.

The reactor plant component cooling cross-connect valves close automatically on receipt of a SIS or reactor plant component cooling surge tank low-level signal.

The SIS must be reset and the surge tank low-level signal cleared and manual controls used to open the valves.

The containment isolation valves close automatically on receipt of a CIB signal.

The CIB signal must be reset and manual controls used to open the valves.

The reactor plant component cooling heat exchanger service water supply valves close automatically on receipt of a CDA signal. The CDA signal must be reset and manual controls used to open the valves.

e. IEEE Standard 279-1971, Paragraph 4.10:

The reactor plant component cooling system is periodically tested in accordance with the Technical Specifications.

f. IEEE Standard 279-1971, Paragraph 4.17:

Controls and indicators are provided in the control room for manual operation of the reactor plant component cooling water system. REMOTE/LOCAL control selector switches are provided for the reactor plant component cooling water pumps outside the control room at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected.

Chilled Water

Description of instrumentation and controls is provided in Section 9.4.1.5.

Electrical

Description of the onsite electrical system is found in FSAR Sections 8.1.4, 8.1.5, and 8.3.


Emergency Generator Load Sequencer

The emergency generator loading sequencer (EGLS) is a solid-state digital system which provides relay contact outputs to shed loads, block manual starts, and sequentially load the plant emergency AC buses during emergency conditions. The system is composed of two cabinets, one each for Train A and Train B. The primary purpose of the EGLS is to automatically control the loading of the emergency AC buses when a loss of offsite power has occurred and the buses are being re-energized by the emergency diesel generator.

The EGLS accepts bus undervoltage (BUV), safety injection (SIS), containment depressurization actuation (CDA), recirculation (RECIRC), auxiliary reserve breaker (AR BKR) status, and diesel generator breaker (DG BKR) status input signals in the form of contact closures and will provide a predetermined sequence of outputs.

The EGLS has seven operating modes. Five of these modes are for plant emergency conditions which involve a loss of off site power. The other two are for plant emergency conditions which do not involve a loss of off site power. The modes, in terms of which EGLS inputs are activated, are as follows.

1. SIS only
2. CDA only or SIS and CDA
3. LOP only
4. SIS and LOP
5. CDA and LOP or SIS and CDA and LOP
6. SIS, RECIRC, and LOP
7. CDA or SIS and CDA, RECIRC, and LOP

The modes are prioritized such that a CDA mode will always take precedence over a SIS mode when both inputs are present and such that a LOP mode will always take precedence over a non-LOP mode.

In each of the LOP operating modes, the EGLS first recognizes a loss of power on the plant safety buses and immediately generates LOP and manual start block (MSB) output signals to plant safety equipment. These signals effectively strip the bus, block closing of the DG BKR for a time period sufficient to strip the bus, and temporarily inhibit the operator from restarting any loads.

This allows the diesel generator time to start, achieve proper voltage and frequency and, via the DG BKR, be connected to the plant safety bus without incurring adverse loading conditions.

Upon receiving a signal confirming that the DG BKR has closed, the EGLS will begin generating time sequenced safeguard signals (SSS) and manual trip block (MTB) signals to plant equipment.

The SSS and MTB signals, once initiated, are maintained until the EGLS is reset or a change in operating mode occurs. The EGLS automatically terminates individual LOP signals associated with the loads being started and terminates the remaining LOP signals and MSB signals automatically, 40 seconds after the DG BKR has closed. Should a SIS or CDA input occur without a LOP, the appropriate SSS and MTB signals are generated immediately without time sequencing, and the LOP and MSB outputs remain reset. Start signals to the containment recirculation pumps are delayed during a CDA only sequence, even if there is no LOP signal.

The MTB signal inhibits the operator from retripping loads once they have been automatically started.

LOP outputs also are generated for plant equipment which does not have an associated EGLS SSS output signal. In some cases, the LOP outputs are terminated at the end of the 40-second period.

In other cases, the LOP outputs are not terminated until the EGLS is manually reset. In some of the cases, the LOP outputs are also generated by a SIS only or CDA only input.

Initiation of the RECIRC and LOP operating modes differs from the other LOP operating modes in that, during recirculation, the SIS or CDA input must have occurred and been reset prior to the loss of power. Otherwise, even though the RECIRC input is present, the EGLS responds in a SIS and LOP or CDA and LOP operating mode. Internal memories, which must be manually reset, retain the information necessary to allow the EGLS to differentiate between RECIRC and non-RECIRC operating modes.

Station LOP and sequencer LOP memories, which also must be manually reset, are used to retain information concerning the initial loss of power and re-energization of the bus by the diesel generator. Two memories are employed to prevent the EGLS from responding to transient voltage dips appearing on the bus during loading. Normally, the EGLS would not respond to a second loss of power if both memories had not been reset, but circuitry in the EGLS provides a subsequent LOP detection window between the sequencer LOP reset and station LOP reset during which the EGLS will respond to a second or subsequent LOP occurring during reset procedures.
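The mode precedence (CDA over SIS, LOP over non-LOP) and the RECIRC memory rule described above, modeled as an added Python example; this is a constructed illustration, not the EGLS design, and the two per-signal latches and the grouping of immediate outputs are assumptions drawn only from the description.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    """The seven EGLS operating modes listed in the text, plus no demand."""
    NONE = 0
    SIS_ONLY = 1
    CDA_ONLY = 2          # CDA only, or SIS and CDA
    LOP_ONLY = 3
    SIS_LOP = 4
    CDA_LOP = 5           # CDA and LOP, or SIS and CDA and LOP
    SIS_RECIRC_LOP = 6
    CDA_RECIRC_LOP = 7


@dataclass(frozen=True)
class Inputs:
    """Contact-closure inputs as seen by the sequencer (True = closed)."""
    sis: bool = False
    cda: bool = False
    lop: bool = False      # bus undervoltage on this train's safety bus
    recirc: bool = False


class EGLSModel:
    def __init__(self) -> None:
        # Manually reset internal memories recording that a SIS or CDA has
        # occurred; they let RECIRC and non-RECIRC LOP modes be told apart.
        # Assumption: one latch per signal (constructed for this model).
        self.sis_memory = False
        self.cda_memory = False

    def manual_reset_memories(self) -> None:
        self.sis_memory = False
        self.cda_memory = False

    def select_mode(self, i: Inputs) -> Mode:
        # Latch a safety signal the moment it is seen.
        self.sis_memory = self.sis_memory or i.sis
        self.cda_memory = self.cda_memory or i.cda

        if not i.lop:
            # Non-LOP modes: CDA takes precedence over SIS.
            if i.cda:
                return Mode.CDA_ONLY
            if i.sis:
                return Mode.SIS_ONLY
            return Mode.NONE

        # Any LOP mode takes precedence over a non-LOP mode.  A safety signal
        # still present at the loss of power forces the non-RECIRC LOP mode
        # even if the RECIRC contact is closed.
        if i.cda:
            return Mode.CDA_LOP
        if i.sis:
            return Mode.SIS_LOP
        # RECIRC modes: the signal occurred earlier and was reset before LOP.
        if i.recirc and self.cda_memory:
            return Mode.CDA_RECIRC_LOP
        if i.recirc and self.sis_memory:
            return Mode.SIS_RECIRC_LOP
        return Mode.LOP_ONLY


def immediate_outputs(mode: Mode) -> frozenset:
    """Output groups asserted on mode entry: LOP modes strip the bus with LOP
    and MSB and defer the time-sequenced SSS/MTB until the DG breaker closes;
    SIS-only and CDA-only issue SSS and MTB at once with LOP/MSB left reset."""
    if mode is Mode.NONE:
        return frozenset()
    if mode in (Mode.SIS_ONLY, Mode.CDA_ONLY):
        return frozenset({"SSS", "MTB"})
    return frozenset({"LOP", "MSB"})
```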

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The emergency generator load sequencers are divided into two separate, redundant mechanical and electrical trains. No single failure at the system level will prevent the system from sequentially loading the plant safety buses during emergency conditions.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

An emergency generator load sequencer bypass annunciator will alarm in the control room whenever any of the following conditions exist (Train A or B):


  • System is in manual Test 2.
  • Control power not available.
  • Manual bypass push button depressed.
d. IEEE Standard 279-1971, Paragraph 4.10:

The emergency generator load sequencer is tested periodically in accordance with the Technical Specifications.

The following is a description of the various test modes that will be used to verify the operability of the EGLS.

Auto Test

The auto test circuit (ATC) is an EGLS subsystem that is contained within the sequencer panel.

The ATC is designed to run continuously and has approximately 50 separate test states. Each test state is 10 milliseconds in duration, with actual testing being performed during the last 1 millisecond of each test state. An exception to this is three test states where the test state timer is interrupted long enough to verify the operability of the normal frequency clocks.

The ATC verifies two basic types of EGLS responses. First, that no outputs occur when no auto test inputs (ATIs) are applied. Second, that the proper outputs occur when ATIs are applied.

Each odd numbered test state is used to verify that the proper output patterns occur when various combinations of ATIs are injected into the front end (input buffers) of the sequencer logic.

Conversely, each even numbered test state verifies that no outputs occur when no ATIs are applied. The even test states also verify that the EGLS was reset following the last odd numbered test.

For each test, the ATC makes the assumption that the sequencer will fail. At the start of each test, a delayed EGLS fault signal is generated. This, in effect, leaves the sequencer with approximately 1 millisecond in which to properly respond in order to reset the fault delay timer. A successful fault delay reset will allow the ATC to begin the next test state. If a fault is detected, the ATC stops testing the EGLS and provides main board annunciation. The ATC display on the EGLS front panel indicates the specific test state where the fault occurred.

The input and output relays are never actuated by the ATC and, hence, are not verified as operable by the ATC. The input relays will be tested for system operability during the EGLS integrated tests. These tests will be performed during refueling outages as specified in the Surveillance Frequency Control Program. The loads which are actuated by output relays will be tested during the EGLS integrated tests. In addition, if a real plant input is received by the EGLS requiring action, the ATC is automatically faulted to prevent it from interfering with EGLS operation.


In summation, the ATC verifies, on a continuing basis, all critical logic paths in which a failure would prevent the EGLS from performing its complete safety function. The ATC may be used to extend the technical specifications actuation logic test requirements per Technical Specifications, Table 4.3-2.
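The ATC's assume-fail test cycle described above (odd states inject ATIs and expect an output pattern, even states prove the logic reset, and a delayed fault is cleared only by a timely correct response), as an added Python model; the test-state patterns and the stand-in sequencer logic are constructed for illustration and are not the EGLS tables.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple

CHECK_WINDOW_MS = 1.0   # testing happens in the last 1 ms of each 10 ms state

Outputs = FrozenSet[str]
# Logic under test: given the injected auto test inputs (ATIs), returns the
# auto test outputs produced and how long (ms) it took to produce them.
SequencerLogic = Callable[[FrozenSet[str]], Tuple[Outputs, float]]


@dataclass(frozen=True)
class TestState:
    number: int
    atis: FrozenSet[str]   # inputs injected at the logic front end (buffers)
    expected: Outputs      # exactly these outputs must appear, no others


@dataclass(frozen=True)
class AtcResult:
    faulted: bool
    fault_state: Optional[int]   # the state shown on the front-panel display
    reason: str


def build_test_states(patterns) -> List[TestState]:
    """Odd states inject an ATI pattern and expect its output pattern; the even
    state after each injects nothing and expects nothing, which also proves the
    sequencer reset after the preceding odd-numbered test."""
    states: List[TestState] = []
    for k, (atis, expected) in enumerate(patterns):
        states.append(TestState(2 * k + 1, frozenset(atis), frozenset(expected)))
        states.append(TestState(2 * k + 2, frozenset(), frozenset()))
    return states


def run_auto_test(logic: SequencerLogic, states: List[TestState],
                  real_plant_input: bool = False) -> AtcResult:
    """One pass through the test states.  A delayed fault is armed at the start
    of every state; only a correct response inside the check window resets it,
    so a silent or late sequencer is reported as faulted, not as passing."""
    if real_plant_input:
        # A real input requiring action faults the ATC so it cannot interfere.
        return AtcResult(True, None, "real plant input present; ATC faulted")
    for st in states:
        outputs, response_ms = logic(st.atis)
        if response_ms > CHECK_WINDOW_MS:
            return AtcResult(True, st.number,
                             "fault delay timer expired before the logic responded")
        if outputs != st.expected:
            return AtcResult(True, st.number,
                             f"outputs {sorted(outputs)} != expected {sorted(st.expected)}")
    return AtcResult(False, None, "all test states passed")


def healthy_logic(atis: FrozenSet[str]) -> Tuple[Outputs, float]:
    """Constructed stand-in for the sequencer front-end logic (not the EGLS)."""
    out = set()
    if "LOP" in atis:
        out.update({"LOP", "MSB"})
    if "SIS" in atis or "CDA" in atis:
        out.add("SSS")
    return frozenset(out), 0.4


class NoResetLogic:
    """Failure mode: outputs from the previous state stay latched, so the
    even-numbered 'no outputs' state is what catches the failure to reset."""
    def __init__(self) -> None:
        self.latched: Outputs = frozenset()

    def __call__(self, atis: FrozenSet[str]) -> Tuple[Outputs, float]:
        out, t = healthy_logic(atis)
        out = out | self.latched
        self.latched = out
        return out, t


def slow_logic(atis: FrozenSet[str]) -> Tuple[Outputs, float]:
    """Failure mode: the right pattern, but after the 1 ms check window."""
    out, _ = healthy_logic(atis)
    return out, 1.5


# Constructed test-state patterns; the real ATC cycles through about 50 states.
TEST_STATES = build_test_states([
    ({"LOP"}, {"LOP", "MSB"}),
    ({"SIS"}, {"SSS"}),
    ({"CDA", "LOP"}, {"LOP", "MSB", "SSS"}),
])
```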

Auto Test Test

An auto test test panel is supplied with the EGLS system as test equipment that will be used on a quarterly basis to verify the operability of the ATC.

The auto test test panel has the ability to simulate an EGLS failure for ATC operational verification (the ability of the ATC to identify a failure). This is accomplished by creating auto test outputs (ATOs) when they should not occur or by inhibiting ATOs when they should occur.

Every auto test fault circuit can be verified using the auto test test panel.

Manual Test Features

Mode 1

The manual test features provide a means to simulate EGLS inputs and verify response to those inputs. When initiated, Manual Test 1 inhibits all sequencer outputs except MSBs. Each individual load, however, may be selectively unblocked using its associated TEST/INHIBIT switch; i.e., placing the switch into the TEST position. This allows the option of testing the EGLS logic including sequence times or additionally testing selected output relay(s) by actually starting the loads. The latter provides the means to satisfy the requirement of periodically testing safety-related loads.

The inputs to the EGLS are provided by front panel push buttons for LOP, SIS, CDA, and RECIRC. These inputs can be applied at any time and in any order during a test to obtain any mode of operation desired. A DG breaker push button is not provided; rather, a simulated DG breaker closure is automatically generated approximately 10 seconds after the LOP push button is pressed.

Testing the EGLS using Manual Test 1 does not remove the sequencer from service. If at any time during testing a real input is received, the EGLS resets itself to normal operation responding to the input signal regardless of the TEST/INHIBIT switch positions.

Mode 2

Manual Test 2 is identical to Manual Test 1 except that the EGLS is not reset when a real input signal is received. Rather, the EGLS responds to the input condition taking into account the individual load TEST/INHIBIT switches. Manual Test 2 provides the ability to perform integrated systems testing, inhibiting loads that are not desirable to operate.


EGLS Actuation Timer Test

This test will be performed each refueling to verify system operation by actuating the input relays and monitoring the output logic indicating lights for proper response. A calibrated timer and a video camera will be used to record the proper response of all inputs and outputs and the response time for each output logic signal actuated relative to the beginning of the test. The tests that will be included within the EGLS actuation timer test are listed below.

  • LOP
  • CDA RECIRC only
  • SIS and LOP
  • SIS followed by CDA
  • CDA and LOP
  • LOP followed by CDA
  • SIS RECIRC and LOP
  • LOP followed by SIS
  • CDA RECIRC and LOP
  • LOP followed by SIS RECIRC
  • SIS only
  • LOP followed by CDA RECIRC
  • CDA only
  • SIS and DG breaker without LOP
  • SIS RECIRC only
  • SIS followed by LOP
  • SIS and Reserve Breaker
  • CDA followed by LOP
  • CDA and Reserve Breaker
  • MSB Verification in Manual Test Mode 1, LOP only
  • CDA followed by LOP prior to RSS Pumps Start Test
  • LOP followed by subsequent LOP during Reset Test

Emergency Generator Fuel Oil System

The emergency generator fuel oil system design and operation are described in Section 9.5.4 and its piping and instrumentation diagram is shown on Figure 9.5-2.

Level controls and indicators are tested in conjunction with the diesel engine test described in Section 8.3. The frequency of this test is given in the Technical Specifications.

Emergency Diesel Engine Cooling Water System

The emergency diesel engine cooling water system is described in Section 9.5.5 and its piping and instrumentation flow diagram is shown on Figure 9.5-3.

The instrumentation requirements for the emergency diesel engine cooling water system are described in Section 9.5.5.5.

Emergency Generator Starting Air System

The emergency generator starting air system is described in Section 9.5.6 and its piping and instrumentation diagram is shown on Figure 9.5-3.

The instrumentation requirements for the emergency generator starting air system are described in Section 9.5.6.5.


Emergency Diesel Engine Lubrication System

The emergency diesel engine lubrication system is described in Section 9.5.7 and its piping and instrumentation diagram is shown on Figure 9.5-3.

The instrumentation requirements for the emergency diesel engine lubrication system are described in Section 9.5.7.5.

Emergency Generator Combustion Air Intake and Exhaust System

The emergency generator combustion air intake and exhaust system is described in Section 9.5.8 and its piping and instrumentation diagram is shown on Figure 9.5-3.

The instrumentation requirements for the emergency diesel engine combustion air intake and exhaust system are described in Section 9.5.8.5.

Analysis

Note: This analysis addresses all of the preceding emergency generator auxiliary systems.

a. IEEE Standard 279-1971, Paragraph 4.2:

The emergency generator fuel oil system is divided into two separate, redundant mechanical and electrical trains. This dual-train concept provides sufficient redundancy to prevent a single failure from impairing the system's capability to supply fuel oil to at least one of the diesel engines.

Each emergency generator has the following associated systems: emergency diesel generator engine cooling water system, starting air system, engine lubrication system, and combustion air intake and exhaust system. The electrical equipment for these associated systems is supplied from separate emergency buses. Non-safety-related electrical equipment associated with the above systems is either disconnected from the emergency buses automatically by a SIS, CDA, or LOP signal or connected to the emergency buses through two Class 1E circuit breakers in series, to prevent degrading the emergency buses. This equipment is not required for emergency generator operation. Each emergency generator and its associated systems are completely independent and separate from the other, with the exception of the fuel oil system. The ability to cross-connect the A and B train fuel oil storage tanks is described in Section 9.5.4.3. No single failure at the system level can prevent the emergency generators from providing power to at least one emergency bus.


b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11. The following electrical equipment does not perform an active safety function. The equipment is only required to maintain mechanical integrity:

  • Emergency generator standby jacket coolant pump and heater.
  • Prelube oil filter pump and heater.
  • Rocker arm prelube oil pump.
c. IEEE Standard 279-1971, Paragraph 4.13:

An emergency diesel generator system bypass annunciator is alarmed in the control room whenever any of the following conditions exist:

  • Emergency generator breaker racked out or loss of control power.
  • Emergency generator air compressor loss of control power or motor thermal overload.
  • Emergency generator crankcase vacuum pump loss of control power or motor thermal overload.
  • Emergency generator auxiliary fuel oil pump loss of control power or motor thermal overload.
  • Remote voltage switch in MANUAL.
  • Local voltage mode switch in MANUAL.
  • Manual bypass push button depressed.
d. IEEE Standard 279-1971, Paragraph 4.16:

Once a LOP, SIS, or CDA signal is received, the emergency generator will attempt to start. If engine speed does not reach a specified RPM within 7 seconds, the start signal is blocked and a diesel not ready for AUTO start annunciator will alarm in the control room and at the emergency generator local panel. An emergency diesel reset push button in the control room or at the emergency generator panel must be depressed and the engine will attempt to start again. Once started, deliberate operator action must be taken to stop the emergency generator.


e. IEEE Standard 279-1971, Paragraph 4.10:

SIS, CDA, or LOP signals cause the emergency generator load sequencer to strip certain non-essential emergency generator auxiliary equipment and actuate the starting air system. These functions are periodically verified consistent with Technical Specification requirements.

f. IEEE Standard 279-1971, Paragraph 4.17:

Manual controls and indication are on the main control board and at the emergency generator panels for manual operation of the emergency generators.

Air-Conditioning, Heating, Cooling, and Ventilation Systems

The safety-related (QA Category I) air-conditioning, heating, cooling, and ventilation systems are listed in Table 3.2-1.

The system designs, flow diagrams, and instrumentation applications are given in Section 9.4.

The design bases for the control and instrumentation of the safety-related air-conditioning, heating, cooling, and ventilation systems adhere to the following:

1. Automatic operation during normal and accident conditions.
2. Manual controls and indication of the status of all components in the control room.
3. Automatic controls as well as manual controls of redundant components are independent and electrically and physically separated.
4. Failure of an operating component and/or start of the redundant component is annunciated in the control room.
5. Redundant motors and motor-operated dampers have power supplied from separate emergency buses. Each redundant air-operated damper, with solenoid pilot valve, has power supplied from a separate DC bus. The dampers are designed to fail in the position of greater safety on loss of air and/or power supply.

The safety objective of the instrumentation and control for the safety-related air conditioning, heating, cooling, and ventilation systems is to maintain the temperatures of the areas they serve within the required design limits during normal and accident conditions. The control room and the instrument rack and computer rooms are automatically supplied air in the pressurized filtration mode of operation upon receipt of a control building isolation (CBI) signal. A CBI signal is generated whenever either of the following conditions exists:

  • Control Building inlet radiation high.
  • Containment pressure hi-1, 2 out of 3 (2/3) channels hi.


A differential pressure indicator with a scale range of zero to 0.50 inches of water (in. WC) is provided in the control room to enable the operator to verify that the control room pressure is being maintained slightly above atmospheric pressure following an accident.

Where high efficiency particulate air (HEPA) filters or carbon adsorbers are provided in the system, differential pressure alarms alert the operator to excessive differential pressure across the filter or adsorber and indicate that changeover to the standby train should be made.

Control Building Isolation

The control building isolation (CBI) logic receives automatic signals from one radiation monitor per train located in the intake ventilation to the control building. A containment hi-1 pressure signal (2/3 logic) is also utilized as an input to the CBI logic.

A CBI signal (Train A or B) can be manually initiated from CBI push buttons on the main control board or from the main heating and ventilation panel in the control room. A CBI is also initiated by a manual SIS initiation.

The CBI logic relays are located in auxiliary relay panels AR4 (Train A) and AR5 (Train B). The panels are in the instrument rack room. The output relays have test push buttons in the auxiliary relay panels. The CBI K1 relays are interlocked with the controls for the Control Building Emergency Ventilating Fan 1A inlet damper and the chilled water pump. The CBI K2 relays are interlocked with the Control Building Emergency Ventilating Fan 1B inlet damper. This arrangement allows for testing the emergency ventilation system and chilled water pumps for each Train (A or B). The logic relays are energized to initiate the pressurized filtration mode of operation of the Control Building Emergency Ventilation System. CBI RESET push buttons (Train A and B) are on the main control board.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.1:

A CBI signal is automatically initiated on receipt of a high radiation signal or a containment pressure hi-1 signal.


b. IEEE Standard 279-1971, Paragraph 4.2:

The CBI has redundant and separate trains supplied from separate safety-related 120 V AC and separate 125 V DC buses. No single failure will prevent a CBI at the system level.

c. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

d. IEEE Standard 279-1971, Paragraph 4.8:

The radiation monitors and containment pressure transmitters all derive signals that are direct measures of the variable being monitored.

e. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:

Testing of the automatic CBI signals from the radiation monitor and containment hi-1 pressure signal (2/3 logic) will be performed by testing each signal for each train.

The inlet ventilation radiation monitors will be calibrated on a refueling basis using solid point calibration sources and a fixed geometry.

On a quarterly basis, an analog channel operational test, which verifies the alarm set point, is performed.

The individual signals shall automatically initiate the pressurized filtration mode of operation of the Control Building Emergency Ventilation System.

Testing the containment hi-1 pressure (2/3 logic) will be accomplished in accordance with Section 7.3.2.2.5.

f. IEEE Standard 279-1971, Paragraph 4.13:

Bypass and inoperative alarms on the main control board for CBI Train A and B are in accordance with Regulatory Guide 1.47. A CBI bypass annunciator is alarmed on the main control board whenever any of the following conditions exist:

  • CBI bypass push button depressed.
  • Loss of control power to CBI logic relays.
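
As an added example (not the plant's relay logic or drawings), the following Python model combines the CBI description above with the bypass annunciator conditions in paragraph f: a per-train radiation monitor, 2-out-of-3 containment pressure hi-1 voting, per-train manual push buttons, manual SIS as a common initiator, energize-to-initiate logic relays that seal in until a manual reset, and the two bypass annunciator conditions. The three-channel count follows from the 2/3 logic; the assumption that the bypass push button blocks its own train, and every name in the code, are the author's.

```python
"""Model of the control building isolation (CBI) initiation logic described above.

Added illustration, not the plant's relay logic. From the text: one
inlet-ventilation radiation monitor per train, containment pressure hi-1 on
2-out-of-3 coincidence, per-train manual CBI push buttons, manual SIS as an
initiator, energize-to-initiate logic relays, seal-in until a manual reset,
and the two bypass annunciator conditions. Assumed: three pressure channels,
that the bypass push button blocks its train, and all names used here.
"""
from dataclasses import dataclass


@dataclass
class CBITrain:
    name: str
    rad_high: bool = False         # this train's control building inlet radiation monitor
    manual_cbi: bool = False       # CBI push button, main control board or H&V panel
    bypass_pb: bool = False        # CBI bypass push button depressed (assumed to block the train)
    control_power: bool = True     # control power to the CBI logic relays
    relay_energized: bool = False  # logic relay state; energize to initiate


def vote_2oo3(channels):
    """Containment pressure hi-1 coincidence: at least 2 of the 3 channels tripped."""
    if len(channels) != 3:
        raise ValueError("hi-1 pressure voting expects exactly three channels")
    return sum(bool(c) for c in channels) >= 2


class CBILogic:
    def __init__(self):
        self.trains = {"A": CBITrain("A"), "B": CBITrain("B")}
        self.pressure_hi1 = [False, False, False]  # three protection channels (assumed count)
        self.manual_sis = False                     # manual SIS also initiates CBI

    def evaluate(self):
        """Update each train's logic relay and return {train: energized}.

        The relay is energize-to-initiate and seals in: once picked up it stays
        picked up after the initiating condition clears, until reset() is used.
        A train with no control power cannot pick up and drops out if it was in.
        """
        common = vote_2oo3(self.pressure_hi1) or self.manual_sis
        for tr in self.trains.values():
            if not tr.control_power:
                tr.relay_energized = False
                continue
            demand = common or tr.rad_high or tr.manual_cbi
            if demand and not tr.bypass_pb:
                tr.relay_energized = True
        return {n: t.relay_energized for n, t in self.trains.items()}

    def reset(self, train):
        """CBI RESET push button for one train: the deliberate operator action
        needed to return that train to normal after a CBI has gone to completion."""
        self.trains[train].relay_energized = False

    def bypass_annunciator(self, train):
        """Conditions that light the CBI bypass annunciator for one train (Reg. Guide 1.47)."""
        tr = self.trains[train]
        reasons = []
        if tr.bypass_pb:
            reasons.append("CBI bypass push button depressed")
        if not tr.control_power:
            reasons.append("loss of control power to CBI logic relays")
        return reasons


def _pressure_demand(logic):
    """Constructed demand: all three containment pressure channels tripped."""
    logic.pressure_hi1 = [True, True, True]


def single_failure_survey(demand=_pressure_demand):
    """Inject one postulated failure at a time and report whether a common demand
    still produces a CBI on at least one train (the IEEE 279 paragraph 4.2 claim)."""
    def lose_power(train):
        return lambda l: setattr(l.trains[train], "control_power", False)

    def bypass(train):
        return lambda l: setattr(l.trains[train], "bypass_pb", True)

    def channel_stuck(i):
        def inject(l):
            l.pressure_hi1[i] = False
        return inject

    failures = {
        "train A control power lost": lose_power("A"),
        "train B control power lost": lose_power("B"),
        "train A bypassed": bypass("A"),
        "pressure channel 1 stuck untripped": channel_stuck(0),
    }
    results = {}
    for name, inject in failures.items():
        logic = CBILogic()
        demand(logic)
        inject(logic)
        results[name] = any(logic.evaluate().values())
    return results


if __name__ == "__main__":
    for failure, ok in single_failure_survey().items():
        print(f"{failure:36s} CBI still initiated: {ok}")
```

The single_failure_survey function puts one postulated failure at a time against a common demand. With energize-to-initiate relays, a train that loses control power simply cannot pick up, so the claim that no single failure prevents a CBI at the system level rests on the other train, and on the loss of control power being annunciated so that the degraded state is visible to the operator.
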
g. IEEE Standard 279-1971, Paragraph 4.16:

A CBI initiated on the system level will go to completion. The CBI signal can be reset manually on the main control board.

After a CBI has gone to completion, deliberate operator action is required to return to normal operation. The CBI signal must be manually reset. The emergency ventilation system must be manually stopped, and the control building ventilation realigned for normal operation.

h. IEEE Standard 279-1971, Paragraph 4.17:

A CBI signal can be initiated manually with push buttons on the main heating and ventilation panel and on the main control board. A manual SIS signal also initiates a CBI signal. No single failure within the manual, automatic, or common portions of the CBI system will prevent a CBI initiation.

i. IEEE Standard 279-1971, Paragraph 4.18:

The CBI radiation monitor set points are administratively controlled. The set point cannot be changed at the monitor until a permissive has been granted by a key at the radiation monitoring panel in the control room. The permissive key is administratively controlled.

j. IEEE Standard 279-1971, Paragraph 4.19:

High radiation is alarmed on the main control board and on the radiation monitoring system workstations in the control room. An ESF status light on the main control board indicates when a CBI signal exists. Containment pressure hi-1 is alarmed on the main control board by any channel. Indicator lights on the main control board show each channel that is alarmed, and each channel is monitored for high pressure by the plant computer.

Charging Pumps Cooling System

The charging pumps cooling system is a supporting system for the charging pumps and is required to operate during normal unit operation and following a LOCA and/or loss-of-power. The system design and description are given in Section 9.2.2.4 and its flow diagram is shown on Figure 9.2-5.

Control switches and indicator lights for the charging pump cooling pumps are provided on the main control board and on the auxiliary shutdown panel. REMOTE/LOCAL control selector switches are located on the transfer switch panels in the vicinity of the auxiliary shutdown panel.

An annunciator is alarmed in the control room when local control is selected. For normal unit operation, one of the two pumps is required to operate. This pump is started manually and the other pump is placed on standby. The pump in standby is automatically started on low pressure by a pressure switch in the pumps discharge header.

Following a loss of power and/or on receipt of an SIS signal, the redundant isolation valves in the charging pumps cooling pumps discharge header crossover and in the charging pumps coolers outlet crossover automatically close, thus providing the two independent flow paths required during these modes of operation. Each charging pumps cooling pump motor is powered from a separate emergency bus, and the motors start automatically on loss of power and/or on an SIS. The air-solenoid, pilot-operated isolation valves are supplied from separate DC buses and fail closed on loss of air and/or loss of power.

The charging pumps cooling surge tank is divided into two compartments with each compartment serving one charging pumps cooling pump, thus providing redundancy in the fluid system design.

Instrumentation is provided to monitor and control water level in each compartment of the surge tank at all times. The reactor plant component cooling water system automatically provides normal makeup to each surge tank compartment.

ESF status lights are provided on the main control board to indicate charging pumps cooling pump and crossover valve status.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The charging pumps cooling system is normally cross-connected at the discharge and suction of the cooling pumps. On receipt of a SIS or LOP signal, the cross-connect valves are closed automatically to separate Train A from Train B. There are four normally open, air-operated, cross-connected valves that fail closed on loss of air or loss of power to the solenoid valves. Solenoid valves control air to the cross-connect valves; two are powered from the Train A emergency DC bus and two are powered from the Train B emergency DC bus.

A temperature control valve for each charging pump cooler is controlled by a temperature indicating controller and a safety-related solenoid valve powered from an emergency DC bus. The temperature control valve opens to the heat exchanger on loss of air, loss of power to the solenoid valve, or when the charging pump cooler outlet temperature is greater than a predetermined set point. The solenoid valves are powered from separate buses.

The charging pumps cooling pumps are powered from separate emergency buses.

Normally, one pump is running and the other on standby. On receipt of an SIS or LOP signal, both pumps are started automatically.

No single failure at the system level can prevent cooling water from being supplied to at least one charging pump.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.


c. IEEE Standard 279-1971, Paragraph 4.13:

A charging pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Charging pumps cooling control switch in pull to lock position.
  • Charging pumps cooling pump loss of control power.
  • Charging pumps cooling pump motor thermal overload.
d. IEEE Standard 279-1971, Paragraph 4.16:

Once an SIS or LOP signal is received, the charging pumps cooling pumps are started and the cross-connect valves are closed. Deliberate operator action must be taken to open the valves or stop a pump. The SIS and LOP signals must be reset and manual control used by the operator.

e. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:

The charging pumps cooling system is periodically tested in accordance with the Technical Specifications.

f. IEEE Standard 279-1971, Paragraph 4.17:

Controls and indicators are provided in the control room for manual operation of the charging pumps cooling system. REMOTE/LOCAL control selector switches are provided at the transfer switch panels outside the control room, and manual controls and indication are on the auxiliary shutdown panels. An annunciator is alarmed in the control room when local control is selected.

Safety Injection Pumps Cooling System

The safety injection pumps cooling system is a supporting system for the safety injection pumps and is required to operate only following a LOCA.

The system design and description are given in Section 9.2.2.5, and the flow diagram is shown on Figure 9.2-4. The power supply for each train of the two-train system is from a separate emergency bus.

The starting of the safety injection pumps cooling pumps is interlocked with the starting of the safety injection pumps; i.e., when a safety injection pump is started for testing purposes or due to a SIS, its associated cooling pump is started automatically. The safety injection cooling pumps surge tank is divided into two compartments, with each compartment serving a separate pump, thus providing redundancy in the fluid system design. Instrumentation is provided to monitor and maintain water level in each compartment of the surge tank. The component cooling water system automatically provides normal makeup to each surge tank compartment.

ESF status lights are provided on the main control board to indicate status of the safety injection pumps cooling pumps.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The safety injection pumps cooling system is divided into two mechanical and electrical trains. The safety injection pumps cooling pumps are powered from separate emergency buses. No single failure at the system level can prevent the safety injection pumps cooling system from supplying cooling water to at least one safety injection pump.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

A safety injection pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Safety injection pump cooling pump circuit breaker open.
  • Safety injection pump cooling pump loss of control power.
  • Safety injection pump cooling pump motor thermal overload.
d. IEEE Standard 279-1971, Paragraph 4.16:

Once a safety injection pump is started, the cooling pump starts automatically.

Deliberate operator action must be taken to stop a cooling pump. The associated safety injection pumps must be stopped and manual controls used to stop the cooling pump.

e. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:

The safety injection pumps cooling system is periodically tested in accordance with the Technical Specifications.

f. IEEE Standard 279-1971, Paragraph 4.17:

Controls and indicators are provided in the control room for manual operation of the safety injection pumps cooling system.

7.3.1.2 Design Bases Information

The functional diagrams presented on Figure 7.2-1, Sheets 5, 6, 7, 8, 13, 14, 15 and 16 provide a graphic outline of the functional logic associated with requirements for the ESFAS. Requirements for the ESF system are given in Chapters 6, 10, 11 and 15. Given below is the design bases information required in IEEE Standard 279-1971.

7.3.1.2.1 Generating Station Conditions

The following is a summary of those generating station conditions requiring protective action by the ESFAS.

1. Primary System:
a. Loss-of-coolant accident (LOCA).
b. Steam generator tube failure.
c. Dropped fuel assembly.
2. Secondary System:
a. Inadvertent opening of a steam generator relief or safety valve.
b. Steam system piping failure.
c. Loss of feedwater events including feedwater system pipe break.
3. Conditions Requiring Control Building Isolation:
a. High control building inlet ventilation radiation.
b. High containment pressure.

7.3.1.2.2 Generating Station Variables

The following list summarizes the generating station variables required to be monitored for the automatic initiation of engineered safety features during each condition identified in the preceding section. Post-accident monitoring requirements are given in Table 7.5-1.

1. Primary System Accidents:
a. Pressurizer pressure.


b. Containment pressure (not required for steam generator tube failure).
c. Containment purge air radiation.
2. Secondary System Accidents:
a. Pressurizer pressure.
b. Steam line pressures and pressure rate.
c. Containment pressure.
d. Steam generator water level.
e. Reactor coolant temperature.
f. Loss of Emergency Bus Power (LOP).
3. Control Building Isolation:
a. Control building inlet radiation high.
b. Containment pressure hi-1.

7.3.1.2.3 Spatially Dependent Variables

The only variable sensed by the ESFAS which has significant spatial dependence is reactor coolant hot leg temperature. Its spatial dependence is discussed in Section 7.2.1.2.3.

7.3.1.2.4 Limits, Margins, and Set points

Prudent operational limits, available margins, and set points before onset of unsafe conditions requiring protective action are discussed in Chapter 15 and the technical specifications.

7.3.1.2.5 Abnormal Events

The malfunctions, accidents, or other unusual events which could physically damage protection system components or could cause environmental changes are as follows.

1. Loss-of-coolant accident (Chapter 15)
2. Secondary system accidents (Chapter 15)
3. Earthquakes (Chapters 2 and 3)
4. Fire (Section 9.5.1)


5. Explosion (hydrogen buildup inside containment) (Section 15.4)
6. Missiles (Section 3.5)
7. Flood (Chapters 2 and 3)
8. LOP (Chapter 8)
9. Wind and tornadoes (Section 3.3)

7.3.1.2.6 Minimum Performance Requirements

Minimum performance requirements are as follows.

1. Response times

Required engineered safety features response time is defined in Section 7.1.2.1.9.

Maximum allowable ESFAS time delays are tabulated in Technical Requirements Manual Table 3.3.2-1. See Section 7.1.2.11 for a discussion of periodic response time verification capabilities.

2. ESFAS channel uncertainties and trip setpoints

The method for determining ESFAS setpoints is discussed in Section 7.1.2.1.9.

The ESFAS setpoints, allowable values for use in surveillance testing and instrumentation channel uncertainty components are tabulated in Technical Specifications Table 3.3-4.

3. Instrumentation ranges

ESFAS instrumentation ranges are tabulated in Table 7.3-2. Range selection for ESFAS instrumentation encompasses the expected range of the process variable being monitored, for normal power operation and accident conditions, for which generating an ESFAS actuation signal is required.

7.3.1.3 Final System Drawings

The schematic diagrams for the systems discussed in this section are listed in Section 1.7 and are submitted in support of this application.

7.3.2 ANALYSIS

Failure mode and effects analyses have been performed on ESF systems equipment within the Westinghouse scope of supply (WCAP-8584, Rev. 1). The Millstone ESF systems, although not identical, have been designed to equivalent safety design criteria. The system designs within the BOP scope meet the interface criteria in Appendixes B and C of WCAP-8584, Rev. 1.

Analyses of the instrumentation and control systems used to initiate the operation of the ESF systems and their essential auxiliary supporting systems have been made. For balance-of-plant safety systems, the assurance that safety-related instrumentation and control fulfill their functions (assuming a single failure) is achieved by the use of redundant channels, trains, components, and power supplies with the appropriate separation provided between them. Detailed documentation in the form of the failure modes and effects analysis or fault tree analyses (based on actual wiring diagrams and components of the plant) are presented in a separate report described in Section 7.3.2.1. The analyses were made to assure that each system satisfies the applicable design criteria and performs as intended during all plant operations and accident conditions for which its function is required.

The ESF and essential supporting systems are designed so that a loss of plant instrument air, the loss of cooling water to vital equipment, a plant load rejection, or a turbine trip does not prevent the completion of the safety function under postulated accidents and failures. Evaluation of the individual and combined capabilities of the ESF and supporting systems can be found in Chapters 6, 8, 9, 10 and 15.

7.3.2.1 Failure Modes and Effects Analysis

The systematic, organized, analytical procedure for identifying the possible modes of failure and evaluating their consequences is called a failure modes and effects analysis (FMEA). Its purpose is to demonstrate and verify how the General Design Criteria (GDC) and IEEE Standard 279-1971 requirements are satisfied. FMEAs performed on the Class 1E electric power and instrumentation and control portions of the safety-related auxiliary supporting systems also determine whether they meet the single failure criterion.

The FMEA is produced in the form of a computerized tabulation that identifies the component, its failure mode, the method of failure detection, and its effect on the safety-related system. This tabulation is derived from the fault tree analysis (FTA). Figure 7.3-1 shows a typical page from a FMEA.

The FTA is a technique by which failures that can contribute to an undesired event are systematically and deductively organized from a top event down to subordinate events. It is pictorially represented by rectangular blocks connected via flow lines to logic gates, all placed together in a tree-shaped configuration.

The FTA identifies all failure modes that are significant to the failure of the safety-related system, the failure paths from the failed items up through the fault tree to a single top failure event and any single failures that may result in the failure of the system to perform its intended safety function. It also provides a visual display of how the system can malfunction. See Figure 7.3-2 for an example of a computer-plotted fault tree diagram.

When the event blocks and logic gates have been assigned unique computer-readable codes, the FTA can be processed and printed out in a standard format as an auditable permanent record tabulation, called the FMEA. The FMEAs for the systems listed in Table 7.3-10 are in a report titled Failure Modes and Effects Analysis, submitted as part of the documentation provided in Section 1.7.4.
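To show the FTA-to-FMEA step in working form, here is an added Python example (not the plant's FMEA report or the program that produced Figures 7.3-1 and 7.3-2). It builds a small fault tree for the charging pumps cooling system as described earlier in this section, reduces it to minimal cut sets, flags any order-1 cut set as a single failure, and produces FMEA-style rows (component failure, detection method, effect). The basic event names, the detection methods and the what-if tree with an undivided surge tank are the author's assumptions, not the plant design.

```python
"""Fault tree to FMEA tabulation, the FTA/FMEA step described above.

Added illustration, not the plant's FMEA report or the tooling that produced
it. The tree is a simplified model of the charging pumps cooling system as
this section describes it: two cooling pumps on separate emergency buses and
a surge tank split into two compartments. The basic event names, the detection
methods and the cut-set algorithm are the author's assumptions; the second
tree is a what-if (an undivided surge tank) that is not the plant design.
"""

# A node is either a basic event (str) or a gate: ("AND", [children]) / ("OR", [children]).


def basic_events(node):
    """All basic events under a node."""
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(c) for c in node[1]))


def minimise(sets):
    """Keep only cut sets that contain no other cut set (the minimal ones)."""
    result = set()
    for s in sorted(sets, key=len):
        if not any(m <= s for m in result):
            result.add(s)
    return result


def cut_sets(node):
    """Minimal cut sets of a node: each is a frozenset of basic events that,
    all failed together, is sufficient to cause the node's event."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":            # any child alone suffices
        combined = set().union(*child_sets)
    elif gate == "AND":         # one cut set from every child is needed
        combined = {frozenset()}
        for cs in child_sets:
            combined = {a | b for a in combined for b in cs}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimise(combined)


def single_failures(tree):
    """Basic events that alone cause the top event (order-1 cut sets)."""
    return sorted(next(iter(cs)) for cs in cut_sets(tree) if len(cs) == 1)


def train_loss(train):
    """Loss of cooling flow from one train (sub-tree with assumed basic events)."""
    return ("OR", [f"pump {train} fails to start",
                   f"emergency bus {train} lost",
                   f"pump {train} control power lost"])


# Top event: no cooling water to any charging pump. As designed, both trains must fail.
TREE_AS_DESIGNED = ("AND", [train_loss("A"), train_loss("B")])

# What-if: one undivided surge tank feeding both pumps (not the plant design).
TREE_SHARED_TANK = ("OR", ["surge tank drained", TREE_AS_DESIGNED])

# Assumed detection methods, drawn from the indications this section lists.
DETECTION = {
    "pump A fails to start": "ESF status light on main control board",
    "pump B fails to start": "ESF status light on main control board",
    "pump A control power lost": "charging pump HPSI bypass annunciator",
    "pump B control power lost": "charging pump HPSI bypass annunciator",
    "emergency bus A lost": "bus undervoltage alarm (assumed)",
    "emergency bus B lost": "bus undervoltage alarm (assumed)",
    "surge tank drained": "surge tank level instrumentation",
}


def fmea_table(tree):
    """(component failure, detection method, effect on the safety function) per basic
    event: the columns the FMEA tabulation described above carries."""
    singles = set(single_failures(tree))
    rows = []
    for ev in sorted(basic_events(tree)):
        effect = ("loss of safety function (single failure)" if ev in singles
                  else "loss of one train; redundant train still available")
        rows.append((ev, DETECTION.get(ev, "not identified"), effect))
    return rows


if __name__ == "__main__":
    for name, tree in (("as designed", TREE_AS_DESIGNED), ("shared surge tank", TREE_SHARED_TANK)):
        print(f"{name}: {len(cut_sets(tree))} minimal cut sets, "
              f"single failures: {single_failures(tree)}")
        for row in fmea_table(tree):
            print("   ", " | ".join(row))
```

Under the two-train tree every minimal cut set has two events, so no single failure reaches the top event; adding one shared component produces an order-1 cut set immediately, which is the design reason the surge tank is split into two compartments.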

7.3.2.2 Compliance with Standards and Design Criteria

Discussion of the GDC is provided in various sections of Chapter 7 where a particular GDC is applicable. Applicable GDCs include Criteria 13, 20, 21, 22, 23, 24, 25, 27, 28, 35, 37, 38, 40, 43, and 46 of the 1971 GDC. Compliance with certain IEEE Standards is presented in Sections 7.1.2.7, 7.1.2.9, 7.1.2.10, and 7.1.2.11. Compliance with Regulatory Guide 1.22 is discussed in Section 7.1.2.5. The discussion given below shows that the ESFAS complies with IEEE Standard 279-1971 (Institute of Electrical and Electronics Engineers, Inc. 1971).

7.3.2.2.1 Single Failure Criteria

The discussion presented in Section 7.2.2.2.3 is applicable to the ESFAS with the following exception.

In the ESFAS, a loss of instrument power causes the specific bistable or trip actuating device that lost power to go to its actuated position, with the exception of the containment pressure Hi-3 function, which actuates containment spray. The power supply for the protection systems is discussed in Section 7.6 and in Chapter 8. For containment spray, the final bistables are energized to trip in order to avoid spurious actuation; in addition, manual containment spray requires simultaneous actuation of two manual controls. This is considered acceptable because the containment pressure Hi-3 signal provides automatic initiation of the system via the protection channels.

Moreover, two sets (two switches per set) of containment spray manual initiation switches are provided to meet the requirements of IEEE Standard 279-1971. It is also possible for all ESF equipment (valves, pumps, etc.) to be individually manually actuated from the control board.

Hence, a third mode of containment spray initiation is available. The design meets the requirements of Criteria 21 and 23 of the 1971 GDC.

7.3.2.2.2 Equipment Qualification

Equipment qualifications are discussed in Sections 3.10 and 3.11.

7.3.2.2.3 Channel Independence

The discussion presented in Section 7.2.2.2.3 is applicable. The ESF slave relay outputs from the solid state logic protection cabinets are redundant, and the actuation signals associated with each train are energized up to and including the final actuators by the separate ac power supplies which power the logic trains.

7.3.2.2.4 Control and Protection System Interaction

The discussions presented in Section 7.2.2.2.3 are applicable.

7.3.2.2.5 Capability for Sensor Checks and Equipment Test Calibration

The discussions of system testability in Section 7.2.2.2.3 are applicable to the sensor, analog circuitry, and logic trains of the ESFAS.

The following discussions cover those areas in which the testing provisions differ from those for the reactor trip system.

Testing of Engineered Safety Features Actuation Systems

The ESFASs are tested to provide assurance that the systems operate as designed and are available to function properly in the unlikely event of an accident. The testing program meets the requirements of Criteria 21, 37, 40, 43 and 46 of the 1971 GDC and Regulatory Guide 1.22 as discussed in Section 7.1.2.8. The tests described in Section 7.3.2.2.3 and further discussed in Section 6.3.4 meet the requirements on testing of the ECCS as stated in GDC 37, except for the operation of those components that would cause an actual safety injection. The test, as described, demonstrates the performance of the full operational sequence that brings the system into operation, the transfer between normal and emergency power sources, and the operation of associated cooling water systems. After the safety injection and residual heat removal pumps are started and operated, their performance is verified in a separate test discussed in Section 6.3.4.

When the pump tests are considered in conjunction with the ECCS test, the requirements of GDC 37 on testing of the ECCS are met as closely as possible without causing an actual safety injection.

The system design, as described in Sections 6.3.4, 7.2.2.2.3, and 7.3.2.2.3, provides complete periodic testability during reactor operation of all logic and components associated with the ECCS. This design meets the requirements of Regulatory Guide 1.22 as discussed in the above sections. The program is as follows:

1. Prior to initial plant operations, ESF system tests are conducted.
2. Subsequent to initial startup, ESF system tests are conducted during regularly scheduled refueling outages, at the frequency specified in the Surveillance Frequency Control Program.
3. During on-line operation of the reactor, all of the ESF analog and logic circuitry can be fully tested. In addition, essentially all of the ESF final actuators can be fully tested. The remaining few final actuators, whose operation is not compatible with on-line plant operation, can be checked by means of continuity testing or other means.
4. During normal operation, the operability of testable final actuation devices of the ESF systems can be tested by manual initiation from the control room or, as indicated in 3 above, by actuation of the solid state protection system slave relays from the ESF test cabinets.

Performance Test Acceptability Standard for the Safety Injection Signal and for the Automatic Signal for Containment Depressurization Actuation Generation

During reactor operation, the basis for ESFAS acceptability will be the successful completion of the overlapping tests performed on the initiating system and the ESFAS (Figure 7.3-3). Checks of process indications verify operability of the sensors. Analog checks and tests verify the operability of the analog circuitry from the input of these circuits through to and including the logic input relays, except for the input relays associated with the containment spray function, which are tested during the solid state logic testing. Solid state logic testing also checks the digital signal path from and including the logic input relay contacts through the logic matrices and master relays, and performs continuity tests on the coils of the output slave relays; final actuator testing operates the output slave relays and verifies operability of those devices which require safeguards actuation and which can be tested without causing plant upset. A continuity check and/or other measures are performed on the actuators of the untestable devices. Operation of the final devices is confirmed by control board indication and visual observation that the appropriate pump breakers close and that the automatic valves have completed their travel.

The basis for acceptability for the ESF interlocks will be control board indication of proper receipt of the signal upon introducing the required input at the appropriate set point.

Equipment which makes up the ESFAS is qualified for its required application. Equipment not qualified for the life of the plant is periodically replaced or maintained consistent with equipment qualification program requirements.

Frequency of Performance of Engineered Safety Features Actuation Tests

During reactor operation, complete system testing (excluding sensors or those devices whose operation would cause plant upset) is performed periodically as specified in the Technical Specifications. Testing, including the sensors, is also performed during scheduled plant shutdown for refueling.

Engineered Safety Features Actuation Test Description

The following sections describe the testing circuitry and procedures for the online portion of the testing program. The guidelines used in developing the circuitry and procedures are:

1. The test procedures must not involve the potential for damage to any plant equipment.
2. The test procedures must minimize the potential for accidental tripping.
3. The provisions for online testing must minimize complication of engineered safety features actuation circuits so that their reliability is not degraded.

Description of Initiation Circuitry

Several systems, as listed in Section 7.3.1.1.1, comprise the total engineered safety features system, the majority of which may be initiated by different process conditions and be reset independently of each other.

The remaining functions are initiated by a common signal (safety injection) which in turn may be generated by different process conditions.

In addition, operation of all other vital auxiliary support systems, such as auxiliary feedwater, component cooling, and service water, is initiated by the safety injection signal.

The output of each of the initiation circuits consists of a master relay which drives slave relays for contact multiplication as required. The logic, master, and slave relays are mounted in the solid state logic protection cabinets designated Train A and Train B, respectively, for the redundant counterparts. The master and slave relay circuits operate various pump and fan circuit breakers or starters, motor-operated valve contactors, solenoid-operated valves, emergency generator starting, etc.

Analog Testing

Analog testing methods are identical to those used for reactor trip circuitry and are described in Section 7.2.2.2.3.

An exception to this is containment spray, which is energized to actuate on 2-out-of-4 coincidence and reverts to 2-out-of-3 when one channel is in test.

Periodic tests of the following ESFAS instrumentation channels are performed:

a. Steam generator water level protection channels*
b. Steam pressure protection channels
c. Containment pressure protection channels
d. Pressurizer pressure protection channels*
e. TAVG protection channels*
f. Containment purge air radiation protection channels
g. Control building inlet radiation protection channels
h. Emergency AC bus undervoltage relays

Solid State Logic Testing

Except for containment spray channels, solid state logic testing is the same as that discussed in Section 7.2.2.2.3. During logic testing of one train, the other train can initiate the required engineered safety features function. For additional details, see WCAP-7488-L (1971).

Actuator Testing

At this point, testing of the initiation circuits through operation of the master relay and its contacts to the coils of the slave relays has been accomplished. The ESFAS logic slave relays in the SSPS output cabinets are subjected to coil continuity tests by the output relay tester in the SSPS cabinets. Slave relays (K601, K602, etc.) do not operate because of the reduced voltage applied to their coils by the mode selector switch (TEST/OPERATE). A multiple position master relay selector switch chooses different master relays and corresponding slave relays to which the coil continuity test is applied. The master relay selector switch is returned to OFF before the mode selector switch is placed back in the OPERATE mode. However, failure to do so will not result in defeat of the protective function. The ESFAS slave relays are activated during testing by the online test cabinet so that overlap testing is maintained.

The ESFAS final actuation device or actuated equipment testing is performed from the engineered safeguards test cabinets. These cabinets are located near the solid state logic protection system equipment. There is one test cabinet provided for each of the two protection Trains A and B. Each cabinet contains the individual test switches necessary to actuate the slave relays. To prevent accidental actuation, test switches are of the type that must be rotated and then depressed to operate the slave relays. Assignments of contacts of the slave relays for actuation of various final devices or actuators have been made such that groups of devices or actuated equipment can be operated individually during plant operation without causing plant upset or equipment damage. In the unlikely event that an SIS is initiated during the test of a final device, the device actuated by the test will already be in its safeguards position.

During this last procedure, close communication between the main control room operator and the operator at the test panel is maintained. Prior to the energizing of a slave relay, the operator in the main control room assures that plant conditions will permit operation of the equipment that will be actuated by the relay. After the tester has energized the slave relay, the main control room operator observes that all equipment has operated as indicated by appropriate indicating lamps, monitor lamps and annunciators on the control board, and records all operations. He then resets all devices and prepares for operation of the next slave relay actuated equipment.

By means of the procedure outlined above, all ESF devices actuated by ESFAS initiation circuits, with the exceptions noted in Section 7.1.2.5 under the discussion of Regulatory Guide 1.22, are operated by the automatic circuitry.

Actuator Blocking and Continuity Test Circuits

Devices that cannot be actuated during plant operation (discussed in Section 7.1.2.5) fall into two categories. These devices either have been assigned to slave relays for which additional test circuitry has been provided to individually block actuation of a final device upon operation of the associated slave relay during testing, or they were originally intended to be tested during normal plant operation but were later removed from the on-line testing program. In the latter case, these devices have been assigned slave relays without the special test circuitry; therefore, during the performance of online slave relay testing, other measures are taken (i.e., jumpers, removal of motor overloads, etc.) to prevent selected equipment from actuating. For devices which have been assigned to slave relays with the additional test circuitry, operation of these slave relays, including contact operations, and continuity of the electrical circuits associated with the final device controls are checked in lieu of actual operation. The circuits provide for monitoring of the slave relay contacts, the device control circuit cabling, control voltage, and the device actuation solenoids. Interlocking prevents blocking the output from more than one output relay in a protection train at a time. Interlocking between trains is also provided to prevent continuity testing of both trains simultaneously, so that the redundant device associated with the protection train not under test remains available if protective action is required. If an accident occurs during testing, the automatic actuation circuitry will override testing as noted above. One exception to this is that if the accident occurs while testing a slave relay whose output must be blocked, those few final actuation devices associated with this slave relay will not be overridden; however, the redundant devices in the other train would be operational and would perform the required safety function. Actuation devices which cannot be tested at full power so as not to damage equipment or upset plant operation are identified in Section 7.1.2.5.

For those components which cannot be actuated online and have been assigned slave relays with the special test circuitry, the continuity test circuits are verified by test lights on the safeguards test cabinets.

Devices 9-13 identified within Subsection 7.1.2.5 are blocked by administrative controls. If an accident occurs while testing, the redundant equipment in the other train would be operational and would perform the required safety function.

The typical schemes for blocking operation of selected protection function actuator circuits are shown on Figure 7.3-4 as details A and B. The schemes operate as explained below and are duplicated for each safeguards train.

Detail A shows the circuit for contact closure for protection function actuation. Under normal plant operation and equipment not under test, the test lamps DS* for the various circuits will be energized. Typical circuit path will be through the normally closed test relay contact K8* and through test lamp connections 1 to 3. Coils X1 and X2 will be capable of being energized for protection function actuation upon closure of solid state logic output relay contacts K*. Coil X1 or X2 is typical for a breaker closing auxiliary coil, motor starter master coil, coil of a solenoid valve, auxiliary relay, etc. When the contacts K8* are opened to block energizing of coil X1 and X2, the white lamp is de-energized, and the slave relay K* may be energized to perform continuity testing. To verify operability of the blocking in both blocking and restoring normal service, open the blocking relay contact in series with lamp connections - the test lamp should be de-energized; close the block relay contact in series with the lamp connections - the test lamp should now be energized, which verifies that the circuit is now in its normal, i.e., operable condition.

Detail B shows the circuit for contact opening for protection function actuation. Under normal plant operation and equipment not under test, the white test lamps DS* for the various circuits will be energized, and the green test lamp DS* will be de-energized. Typical circuit path for white lamp DS* will be through the normally closed solid state logic output relay contact K* and through test lamp connections 1 to 3. Coils Y1 and Y2 will be capable of being de-energized for protection function actuation upon opening of solid state logic output relay contacts K*. Coil Y2 is typical for a solenoid valve coil, auxiliary relay, etc. When the contacts K8* are closed to block de-energizing of coils Y1 and Y2, the green test lamp is energized and the slave relay K* may be energized to verify operation (opening of its contacts). To verify operability of the blocking relay in both blocking and restoring normal service, close the blocking relay contact to the green lamp - the green test lamp should now be energized also; open this blocking relay contact - the green test lamp should be de-energized, which verifies that the circuit is now in its normal, i.e., operable position.

Time Required for Testing

Analog testing can be performed at a rate of several channels per hour. Logic testing of Trains A and B can be performed in less than 30 minutes each. Testing of actuated components (including those which can only be partially tested) will be a function of control room operator availability. It requires several shifts to accomplish these tests. During this procedure, automatic actuation circuitry will override testing, except for those few devices associated with a single slave relay whose outputs must be blocked, and then only while blocked. Continuity testing associated with a blocked slave relay takes several minutes. During this time, the redundant devices in the other train would be functional.

Summary of Online Testing Capabilities

The procedures described provide capability for checking completely from the process signal to the logic cabinets and from there to the individual pump and fan circuit breakers or starters, valve contactors, pilot solenoid valves, etc., including all field cabling actually used in the circuitry called upon to operate for an accident condition. For those few devices whose operation could adversely affect plant or equipment operation, the same procedure provides for checking from the process signal to the logic rack. To check the final actuation device, a continuity test of the individual control circuits is performed, or other measures are taken such as installation of jumpers, removal of thermal overloads, etc.

The procedures require testing at various locations:

1. Analog testing and verification of bistable set point are accomplished at process analog racks. Verification of bistable relay operation is done at the main control room status lights.
2. Logic testing through operation of the master relays and low voltage application to slave relays is done at the logic rack test panel.
3. Testing of pumps, fans, and valves is done at a test panel located in the vicinity of the logic racks in combination with the control room operator.
4. Continuity testing for those circuits assigned to devices that cannot be operated is done at the same test panel mentioned in 3 above.

The reactor coolant pump essential service isolation valves consist of the isolation valves for the component cooling water return and the seal water return header.

The main reason for not testing these valves periodically is that the reactor coolant pumps may be damaged. Although pump damage from this type of test would not result in a situation which endangers the health and safety of the public, it could result in unnecessary shutdown of the reactor for an extended period of time while the reactor coolant pump or certain of its parts could be replaced.

Testing During Shutdown

ECCS tests will be performed periodically in accordance with the Technical Specifications with the reactor coolant system isolated from the ECCS by closing the appropriate valve. A test SIS will then be applied to initiate operation of active components (pumps and valves) of the ECCS.

This is in compliance with Criterion 37 of the 1971 GDC.

Containment spray system tests will be performed periodically. The pump tests will be performed with the isolation valves in the spray supply lines at the containment blocked closed, and the valves will be tested periodically with the pumps shut down.

System Performance Monitoring

ESFAS performance is monitored to ensure that the reliability of the system remains within established performance criteria. Performance criteria are established for various aspects of ESFAS operation. A record is maintained of the functional failures which might cause one of the redundant channels or trains to be unable to perform its safety function. Appropriate corrective action is required if the system fails to meet its established performance criteria. System performance monitoring is performed for the following ESFAS equipment:

1. Process instrumentation and control system.
2. Solid state protection system.
3. Engineered safety features test cabinets.
4. Analog sensor and digital contact inputs.
5. Emergency generator load sequencer.
6. Control building inlet and containment area radiation monitors.

The balance of the requirements listed in Institute of Electrical and Electronics Engineers, Inc. (1976) (Paragraphs 4.11 through 4.22) are discussed in Section 7.2.2.2.1. Paragraph 4.20 receives special attention in Section 7.5.

7.3.2.2.6 Manual Resets and Blocking Features

The manual reset feature associated with containment spray actuation is provided in the design of the solid state protection system for two basic purposes. First, the feature permits the operator to start an interruption procedure of automatic containment spray in the event of false initiation of an actuate signal. Second, although spray system performance is automatic, the reset feature enables the operator to start a manual takeover of the system to handle unexpected events which can be better dealt with by operator appraisal of changing conditions following an accident.

Manual control of the spray system does not occur, once actuation has begun, by just resetting the associated logic devices alone. Components will seal in (latch) so that removal of the actuate signal, in itself, will neither cancel nor prevent completion of protective action or provide the operator with manual override of the automatic system by this single action. In order to take complete control of the system to interrupt its automatic performance, the operator must deliberately unlatch relays which have sealed in the initial actuate signals in the associated motor control center, in addition to tripping the pump motor circuit breakers, if stopping the pumps is desirable or necessary.

The manual reset feature associated with containment spray, therefore, does not perform a bypass function. It is merely the first of several manual operations required to take control from the automatic system or interrupt its completion should such an action be considered necessary.

In the event that the operator anticipates system actuation, erroneously concludes that it is undesirable or unnecessary, and imposes a standing reset condition in one train (by operating and holding the corresponding reset switch at the time the initiate signal is transmitted), the other train will automatically carry the protective action to completion. In the event that the reset condition is imposed simultaneously in both trains at the time the initiate signals are generated, the automatic sequential completion of system action is interrupted and control has been taken by the operator.

Manual takeover will be maintained, even though the reset switches are released, if the original initiate signal exists. Should the initiate signal then clear and return again, automatic system actuation will repeat. No procedures or training direct the operator to manually interrupt automatic actuation of the containment spray system using the containment spray manual reset switch.

Note also that any time delays imposed on the system action are applied after the initiating signals are latched. Delay of actuate signals for fluid system lineup, load sequencing, etc., does not provide the operator time to interrupt automatic completion with manual reset alone, as would be the case if the time delay were imposed prior to sealing in of the initial actuate signal.

The manual block features associated with pressurizer and steam line SISs provide the operator with the means to block initiation of safety injection and steam line isolation during plant startup and shutdown. These block features meet the requirements of Paragraph 4.12 of IEEE Standard 279-1971 in that automatic removal of the block occurs when plant conditions require the protection system to be functional.

7.3.2.2.7 Manual Initiation of Protective Actions (Regulatory Guide 1.62)

There are four individual main steam isolation trip valve momentary control switches (one per loop) mounted on the control board. Each switch, when actuated, isolates one of the main steam lines. In addition, there are two system level switches. Operating either switch actuates all four main steam line isolation and bypass valves at the system level.

Manual initiation of switchover to recirculation is in compliance with Section 4.17 of IEEE Standard 279-1971 with the following comment.

Manual initiation of either one of two redundant safety injection actuation switches mounted on the main control board provides for actuation of the components required for reactor protection and mitigation of adverse consequences of the postulated accident. Manual safety injection actuation will initiate delayed actuation of sequenced-start emergency electrical loads if a LOP signal is also present. The safety injection mode is completed when the residual heat removal (RHR) pumps automatically stop on receipt of a low-low RWST level signal. Refer to Section 6.3 for a discussion of the manual switchover from injection mode to cold leg recirculation mode. Manual operation of other components, or manual verification of proper position as part of emergency procedures, is neither precluded by nor otherwise in conflict with the compliance of the semi-automatic switchover circuits with Paragraph 4.17 of IEEE Standard 279-1971 described above.

No exception to the requirements of IEEE Standard 279-1971 has been taken in the manual initiation circuit of safety injection. Although Paragraph 4.17 of IEEE Standard 279-1971 requires that a single failure within common portions of the protective system shall not defeat the protective action by manual or automatic means, the standard does not specifically preclude the sharing of initiation circuitry logic between automatic and manual functions. It is true that the manual safety injection initiation functions associated with one actuation train (e.g., Train A) share portions of the automatic initiation circuitry logic of the same logic train; however, a single failure in shared functions does not defeat the protective action of the redundant actuation train (e.g., Train B). A single failure in shared functions therefore does not defeat the protective action of the safety function. It is further noted that the sharing of the logic by manual and automatic initiation is consistent with the system level action requirements of IEEE Standard 279-1971, Paragraph 4.17, and consistent with the minimization of complexity.

7.3.2.3 Further Considerations

7.3.2.3.1 Instrument Air and Component Cooling

In addition to the considerations given above, a loss of instrument air or loss of component cooling water to vital equipment has been considered. Neither the loss of instrument air nor the loss of component cooling water (assuming no other accident conditions) can cause safety limits as given in the Technical Specifications to be exceeded. Likewise, loss of either one of the two will not adversely affect the core or the reactor coolant system, nor will it prevent an orderly shutdown (to hot standby) if this is necessary. Furthermore, all pneumatically operated valves and controls will assume a preferred operating position upon loss of instrument air. It is also noted that, for conservatism during the accident analysis (Chapter 15), credit is not taken for the instrument air systems nor for any control system benefit.

The design does not provide any circuitry which will directly trip the reactor coolant pumps on a loss of component cooling water. Normally, indication in the control room is provided whenever component cooling water is lost to the reactor coolant pumps. The reactor coolant pumps can run about 20 minutes after a loss of component cooling water. This provides adequate time for the operator to correct the problem or trip the plant if necessary.

7.3.2.4 Summary

The effectiveness of the ESFAS is evaluated in Chapter 15, based on the ability of the system to contain the effects of Condition II, III and IV faults, including loss-of-coolant and steam break accidents. The ESFAS parameters of time response, channel uncertainty and range are based upon the component performance specifications which are provided by the manufacturer and/or verified by test for each component. ESFAS setpoints are determined by the safety limits assumed in the accident analyses as documented in Chapter 15 as well as appropriate allowances to account for process measurement accuracy, drift, calibration, environmental effects and other uncertainties.

The ESFAS must detect Condition II, III and IV faults and generate signals which actuate the ESF. The system must sense the accident condition and generate the signal actuating the protection function reliably and within a time determined by, and consistent with, the accident analyses in Chapter 15.

Much longer times are typically associated with the actuation of the mechanical and fluid system equipment associated with engineered safety features than for the generation of actuation signals.

This includes the time required for switching, bringing pumps and other equipment to speed and the time required for them to take load.

The Technical Specifications establish the requirements for ESFAS operability. However, the redundancy of system components is such that the system operability assumed for the safety analyses can still be met with certain instrumentation channels out of service. Channels that are out of service are to be placed in the tripped mode or bypass mode in the case of HI-3 containment pressure.
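The two ways an out-of-service channel can be handled (placed in trip, or bypassed as for HI-3 containment pressure) change the effective coincidence logic in different ways; the "reverts to 2-out-of-3" behaviour described under Analog Testing is the bypass case. The following Python model is an added example, not code from this FSAR or from the protection system vendor; channel names, setpoint values and the 2-out-of-4 arrangement of the de-energize-to-trip function are constructed assumptions.

```python
# Added example (not from the MPS-3 FSAR): m-out-of-n coincidence voting with
# out-of-service channels, to show how a bypassed channel (HI-3 containment
# pressure, energize-to-actuate) turns 2/4 into 2/3, while a channel placed in
# the tripped condition turns 2/4 into 1/3.
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Mode(Enum):
    NORMAL = "normal"      # in service: votes according to its process value
    TRIPPED = "tripped"    # out of service, forced to trip: always supplies a vote
    BYPASSED = "bypassed"  # out of service, removed from the vote entirely


@dataclass
class Channel:
    name: str        # constructed tag, e.g. "PT-1"
    value: float     # process value in the channel's engineering units
    mode: Mode = Mode.NORMAL


@dataclass
class Coincidence:
    """An m-out-of-n voting function on one process variable."""
    needed: int                 # m: votes required to actuate
    setpoint: float             # constructed illustrative setpoint
    trip_high: bool = True      # True: vote when value >= setpoint (e.g. pressure high)
    channels: List[Channel] = field(default_factory=list)

    def votes(self) -> int:
        n = 0
        for ch in self.channels:
            if ch.mode is Mode.TRIPPED:
                n += 1
            elif ch.mode is Mode.NORMAL:
                beyond = ch.value >= self.setpoint if self.trip_high else ch.value <= self.setpoint
                n += int(beyond)
            # BYPASSED channels contribute nothing
        return n

    def actuated(self) -> bool:
        return self.votes() >= self.needed

    def effective_logic(self) -> Tuple[int, int]:
        """(m, n) that the remaining in-service channels must satisfy.

        A tripped channel already supplies one vote, so m drops by one;
        a bypassed channel neither votes nor counts toward n."""
        tripped = sum(ch.mode is Mode.TRIPPED for ch in self.channels)
        in_service = sum(ch.mode is Mode.NORMAL for ch in self.channels)
        return max(self.needed - tripped, 0), in_service

    def single_failure_ok(self) -> Tuple[bool, bool]:
        """(protection preserved, spurious actuation resisted) under one channel failure.

        Protection is preserved if one in-service channel failing to trip still
        leaves enough voting channels; spurious actuation is resisted if a single
        channel tripping on its own cannot actuate the function."""
        m, n = self.effective_logic()
        return m <= n - 1, m >= 2


def hi3_spray_one_channel_in_test() -> Coincidence:
    """Containment spray HI-3 pressure, 2/4 energize-to-actuate, PT-3 bypassed for test."""
    return Coincidence(needed=2, setpoint=45.0, trip_high=True, channels=[
        Channel("PT-1", 14.7), Channel("PT-2", 14.7),
        Channel("PT-3", 14.7, Mode.BYPASSED), Channel("PT-4", 14.7)])


def low_pressure_one_channel_tripped() -> Coincidence:
    """A constructed 2/4 de-energize-to-trip low-pressure function with PT-b placed in trip."""
    return Coincidence(needed=2, setpoint=1850.0, trip_high=False, channels=[
        Channel("PT-a", 2235.0), Channel("PT-b", 2235.0, Mode.TRIPPED),
        Channel("PT-c", 2235.0), Channel("PT-d", 2235.0)])


if __name__ == "__main__":
    for label, fn in (("HI-3, one bypassed", hi3_spray_one_channel_in_test),
                      ("low pressure, one tripped", low_pressure_one_channel_tripped)):
        c = fn()
        m, n = c.effective_logic()
        protect, no_spurious = c.single_failure_ok()
        print(f"{label}: effective {m}/{n}, protection on single failure={protect}, "
              f"single spurious channel cannot actuate={no_spurious}")
```

Running the block shows the bypass case keeping a genuine 2/3 vote, while the tripped case preserves protection but lets a single spurious channel actuate the function, which is why bypass rather than trip is used where a spurious actuation is itself undesirable.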

7.3.2.4.1 Loss-of-Coolant Protection

By analysis of LOCAs and in system tests, it has been verified that, except for very small coolant system breaks which can be protected against by the charging pumps followed by an orderly shutdown, the effects of various LOCAs are reliably detected by the low pressurizer pressure signal, which will ensure the ECCS is actuated in time to prevent or limit core damage.

For large coolant system breaks, the passive accumulators inject first because of the rapid pressure drop. This protects the reactor during the unavoidable delay associated with actuating the active ECCS phase and provides the high flow rate necessary to begin refilling the reactor vessel.

High containment pressure also actuates the ECCS. Therefore, emergency core cooling actuation can be brought about by sensing this other direct consequence of a primary system break; that is, the ESFAS detects the discharge and flashing of the coolant into the containment.

Containment spray provides emergency cooling and pressure control of containment and also limits fission product release upon sensing elevated containment pressure (hi-3) to mitigate the effects of a LOCA.

ESF response times are periodically confirmed including the times associated with the generation of actuation signals by the ESFAS, sequencing time delays and the time for actuated equipment to operate. The response times confirmed are those specified in the Technical Requirements Manual.

In general, ESFAS actuation signal time delays are short compared to sequencing time delays and the time required for actuated equipment to operate.

The analyses in Chapter 15 show that the diverse methods of detecting the accident condition and the time for generation of the signals by the protection systems are adequate to provide reliable and timely protection against the effects of loss-of-coolant.

7.3.2.4.2 Steam Line Break Protection

The ECCS is also actuated in order to protect against a steam line break. The response time for sensing low steam line pressure and generating the safety injection and steam line isolation actuation signals is short compared to sequencing time delays and the time required for actuated equipment to operate. Analysis of steam break accidents assuming this delay for signal generation shows that the ECCS is actuated for a steam line break in time to limit or prevent further core damage for steam line break cases. There is a reactor trip, but the core reactivity is further reduced by the highly borated water injected by the ECCS.

Additional protection against the effects of steam line break is provided by feedwater isolation which occurs upon actuation of the emergency core cooling system. Feedwater line isolation is initiated in order to prevent excessive cooldown of the reactor vessel and thus protect the reactor coolant system boundary and reduce reactivity addition to the core to limit the potential for core damage. It also limits mass/energy release to the containment to reduce the pressure and temperature transients in containment.

Additional protection against a steam break accident is provided by closure of all steam line isolation valves in order to prevent uncontrolled blowdown of all steam generators. The ESF response time for steam line isolation which includes closing of the fast acting steam line isolation valves is less than or equal to 11.8 seconds. ESF response times are provided in the Technical Requirements Manual Table 3.3.2-1.

In addition to actuating the ESF, a steam line break accident also generates a signal resulting in a reactor trip on overpower or following ECCS actuation. The core reactivity is further reduced by the highly borated water injected by the ECCS.

The analyses in Chapter 15 show that the diverse methods of detecting the accident condition and the time for generation of the signals by the protection systems are adequate to provide reliable and timely protection against the effects of steam line break accidents.

7.3.3 REFERENCES FOR SECTION 7.3

7.3-1 IEEE Standard 279-1971, The Institute of Electrical and Electronics Engineers, Inc., IEEE Standard: Criteria for Protection System for Nuclear Power Generating Stations.

7.3-2 WCAP-7913, 1973, Reid, J. B., Process Instrumentation for Westinghouse Nuclear Steam Supply System (4 Loop Plant using WCID 7300 Series Process Instrumentation).

7.3-3 WCAP-7488-L (Proprietary) and WCAP-7672 (Non-proprietary), 1971.

7.3-4 WCAP-7705, Revision 2 (Information only; i.e., not a generic topical WCAP), 1976, Swogger, J. W., Testing of Engineered Safety Features Actuation System.

7.3-74 Rev. 30

TABLE 7.3-1 INTERLOCKS FOR ENGINEERED SAFETY FEATURES ACTUATION SYSTEM

Designation | Input | Function Performed
P-4 | Reactor trip | Actuates turbine trip. Closes main and bypass feedwater valves on Tavg below setpoint. Prevents opening of main and bypass feedwater valves which were closed by safety injection or High-High steam generator water level. Allows manual block of the automatic reactuation of safety injection. Transfers steam dump control from the load rejection controller to the plant trip controller.
P-4 | Reactor not tripped | Defeats the block preventing automatic reactuation of safety injection.
P-11 | 2/3 Pressurizer pressure below setpoint | Allows manual block of safety injection actuation on low pressurizer pressure signal. Allows manual block of safety injection actuation and steam line isolation on low compensated steam line pressure signal, and allows steam line isolation on high steam line negative pressure rate.
P-11 | 2/3 Pressurizer pressure above setpoint | Defeats manual block of safety injection actuation on low pressurizer pressure. Defeats manual block of safety injection and steam line isolation on low steam line pressure and defeats steam line isolation on high steam line negative pressure rate. Provides open signal to accumulator isolation valves.
P-12 | 2/4 Tavg below setpoint | Blocks steam dump. Allows manual bypass of steam dump block for the cooldown valves only.
P-12 | 3/4 Tavg above setpoint | Defeats the manual bypass of steam dump block.
P-14 | 2/4 Steam generator water level above setpoint on any steam generator | Closes all feedwater control valves and isolation valves. Trips all main feedwater pumps, which closes the pump discharge valves. Actuates turbine trip.
P-19 | 2/4 Pressurizer pressure below setpoint | Allows charging pump safety injection to RCS cold leg.
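The permissive and manual-block rows of Table 7.3-1 describe a small but safety-critical state machine: an operator block of an actuation signal is honoured only while the permissive coincidence (for example 2/3 pressurizer pressure channels below setpoint for P-11) exists, and the block is removed automatically, without operator action, once the opposite coincidence (2/3 above setpoint for P-11, 3/4 for P-12) appears. The Python below is an added example that models that logic generically for P-11, P-12 and P-19 and also covers Note 3 of Table 7.3-3 (cold leg injection valves open on SI coincident with P-19); it is not the plant's SSPS logic or any vendor code, and every setpoint, channel count and channel reading in it is a constructed placeholder rather than a Technical Specification value.

```python
"""Permissive, interlock and manual-block logic of Table 7.3-1 as pure functions.

Added example: this is not the plant's SSPS logic nor any vendor code, and the
setpoints and channel readings below are constructed placeholders, not the
Millstone 3 Technical Specification values.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


def coincidence(states: Sequence[bool], required: int) -> bool:
    """m-out-of-n voting: True when at least `required` channels are tripped."""
    return sum(1 for s in states if s) >= required


@dataclass(frozen=True)
class Permissive:
    """An m/n permissive on one process variable that is 'present' when enough
    channels read below the setpoint (P-11: 2/3 pressurizer pressure, P-12: 2/4
    Tavg, P-19: 2/4 pressurizer pressure). `defeat_required` is how many channels
    must read above the setpoint to defeat (automatically remove) a manual block
    taken under the permissive: 2/3 for P-11, 3/4 for P-12; P-19 has no block."""
    name: str
    setpoint: float
    present_required: int
    defeat_required: Optional[int] = None

    def present(self, readings: Sequence[float]) -> bool:
        return coincidence([r < self.setpoint for r in readings], self.present_required)

    def defeated(self, readings: Sequence[float]) -> bool:
        if self.defeat_required is None:
            return False
        return coincidence([r > self.setpoint for r in readings], self.defeat_required)


@dataclass
class ManualBlock:
    """Operator block of an actuation signal (e.g. SI on low pressurizer pressure
    under P-11). The block is accepted only while the permissive is present and is
    dropped automatically once the defeat coincidence appears, so a block request
    issued at power has no effect regardless of where it comes from."""
    permissive: Permissive
    active: bool = False

    def request(self, readings: Sequence[float]) -> bool:
        if self.permissive.present(readings):
            self.active = True
        return self.active

    def update(self, readings: Sequence[float]) -> bool:
        if self.permissive.defeated(readings):
            self.active = False
        return self.active


# Constructed placeholder setpoints and channel counts (psia for pressure, deg F for Tavg).
P11 = Permissive("P-11", setpoint=1900.0, present_required=2, defeat_required=2)  # 3 channels
P12 = Permissive("P-12", setpoint=553.0, present_required=2, defeat_required=3)   # 4 channels
P19 = Permissive("P-19", setpoint=1400.0, present_required=2)                      # 4 channels


def cold_leg_injection_valves_open(si_present: bool, pzr_pressures: Sequence[float]) -> bool:
    """Table 7.3-3, Note 3: 3SIH*MV8801A/B open on SI coincident with P-19."""
    return si_present and P19.present(pzr_pressures)


def p11_cooldown_scenario() -> List[Tuple[str, bool]]:
    """Walk a P-11 manual block through a cooldown and a re-pressurization.

    Returns the block state after each step: the block cannot be taken at power
    and is removed without operator action once 2/3 channels are back above
    the setpoint, while a single high channel does not cause a spurious defeat."""
    block = ManualBlock(P11)
    trace = []
    at_power = [2235.0, 2240.0, 2230.0]          # all channels above setpoint: request refused
    trace.append(("request at power", block.request(at_power)))
    cooling = [1850.0, 1880.0, 1950.0]           # 2/3 below setpoint: P-11 present, block accepted
    trace.append(("request during cooldown", block.request(cooling)))
    one_high = [1850.0, 2000.0, 1880.0]          # only 1/3 above: no defeat, block retained
    trace.append(("single channel above", block.update(one_high)))
    repressurized = [1950.0, 2000.0, 1880.0]     # 2/3 above setpoint: block removed automatically
    trace.append(("2/3 above setpoint", block.update(repressurized)))
    return trace


if __name__ == "__main__":
    for step, active in p11_cooldown_scenario():
        print(f"{step:28s} block active = {active}")
```

The design point worth checking in any such model is that the two coincidences are complementary: with three channels, 2/3 below and 2/3 above the same setpoint cannot both hold, so a block can never be both granted and defeated by the same readings, and the defeat path needs no operator input at all.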

TABLE 7.3-2 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM INSTRUMENTATION

ESF Actuation Signal | Process Measurement Range
1. Pressurizer low pressure | 1700 to 2500 psia
2. Reactor coolant average temperature | THOT 530 to 650 °F; TCOLD 510 to 630 °F; TAVG 530 to 630 °F
3. Steam line low pressure | 0 to 1300 psig
4. Steam line negative pressure rate | 0 to 1300 psig
5. Steam generator low-low water level | Span between narrow range level taps (approximately 128 inches)
6. Steam generator high-high water level | Span between narrow range level taps (approximately 128 inches)
7. Containment high pressure | 0 to 60 psia
8. Control building inlet radiation | 10^-6 to 10^-1 Ci/cc
9. Containment purge exhaust and supply valves radiation monitors * | 10^-2 to 10^5 R/hr

* Radiation monitors are not credited in Section 15.7.4 for post-accident mitigation of a fuel handling accident.


TABLE 7.3-3 SAFETY INJECTION SIGNAL

BOP/NSSS | Train A Equip Mark No. | Accident Condition | Function | Train B Equip Mark No. | Accident Condition
NSSS | 3CHS*LCV112B | Closed | VCT outlet isol | 3CHS*LCV112C | Closed
NSSS | 3CHS*LCV112D | Open | RWST to charging pump | 3CHS*LCV112E | Open
NSSS | 3CHS*MV8105 | Closed | Charging pump to reactor clnt sys isol | 3CHS*MV8106 | Closed
NSSS | 3CHS*MV8110 | Closed | Charging pump mini-flow isol | 3CHS*MV8111A, B, C | Closed
NSSS | 3CHS*MV8511A | Open | Charging pump alternate mini-flow control valve | 3CHS*MV8511B | Open
NSSS | 3SIH*MV8801A | Note 3 | Charging pump to reactor cold leg isol | 3SIH*MV8801B | Note 3
NSSS | 3SIL*MV8808C | Open | Accumulator isolation | 3SIL*MV8808D | Open
NSSS | 3SIL*MV8808A | Open | Accumulator isolation | 3SIL*MV8808B | Open
BOP | 3HVR*AOD85 | Closed | Electrical tunnel area EXH dampers | 3HVR*AOD86 | Closed
BOP | 3HVR*FN12A | On | SLCR exhaust fan | 3HVR*FN12B | On
BOP | 3GWS*AOD78A | Closed | Gaseous wastes to Unit 1 stack isolation vv | 3GWS*AOD78B | Closed
BOP | 3QSS*AOV27 | Closed | Refueling water recirc pump suct isol | 3QSS*AOV28 | Closed
BOP | 3RPS*PNLESCA | Note 1 | Emergency gen load sequencer | 3RPS*PNLESCB | Note 1
BOP | 3HVV*FN1D | Stopped | Main steam vlv bldg ventilation | 3HVV*FN1C | Stopped
 | 3HVV*AOD50A2 | Closed | | 3HVV*AOD50B2 | Closed
 | 3HVV*AOD50B1 | Closed | | 3HVV*AOD50A1 | Closed
 | 3HVV*MOD50D | Closed | | 3HVV*MOD50C | Closed
 | 3HVV*MOD51A | Closed | | 3HVV*MOD51B | Closed
 | 3HVV*MOD51D | Closed | | 3HVV*MOD51C | Closed
BOP | 3CCP*AOV179A | Closed | Component cooling water cross connect | 3CCP*AOV179B | Closed
BOP | 3CCP*AOV180A | Closed | Component cooling water cross connect | 3CCP*AOV180B | Closed
BOP | 3HVQ*AOD41A, 40A, 41C, 43A, 42A, 43C, 42C, 40C | Closed | ESF bldg ventilation | 3HVQ*AOD41B, 40B, 41D, 43B, 42B, 43D, 42D, 40D | Closed
 | 3HVQ-FN1 | Stopped | | 3HVQ-FN1 | Stopped
BOP | 3HVR*AOD33B | Closed | Aux bldg heating and ventilating | 3HVR*AOD35B | Closed
 | 3HVR*AOD33A | Closed | | 3HVR*AOD35A | Closed
 | 3HVR-HVU2A | Stopped | | 3HVR-HVU2A | Stopped
 | 3HVR-HVU2B | Stopped | | 3HVR-HVU2B | Stopped
BOP | 3HVR*AOD174A | Closed | Ctmt purge inlet dampers | 3HVR*AOD55A | Closed
 | 3HVR*AOD174B | | | 3HVR*AOD55B |
BOP | 3FWA*AOV23A | Closed | Aux feedwater alternate suction valve | 3FWA*AOV23B | Closed
BOP | 3FWA*AOV61A | Open | DWST to aux feed-pump suction valve | 3FWA*AOV61B | Open
BOP | 3FWA*AOV62A | Closed | Aux feed-pump discharge crossover valve | 3FWA*AOV62B | Closed
BOP

Note 2: An SI signal also initiates Feedwater Isolation (Table 7.3-6), Containment Isolation Phase A (Table 7.3-4) and, on a manual SI signal only, Control Building Isolation (Table 7.3-7). Refer to FSAR Figures 7.2-1, Sheets 8, 13 and 14 for interaction among these ESFAS functions.

Note 3: 3SIH*MV8801A and B will open on SI coincident with a cold leg injection permissive (P-19).

The items listed in this table receive the specified ESFAS signal directly from SSPS slave relays. Equipment receiving a subsequent actuation signal (e.g., from auxiliary relays) as a result of the ESFAS signal is not included in the table.

* The Main Turbine and Feedwater Pumps listed receive their trip signals from SSPS slave relay K620A(B) through isolation relay K620X.


TABLE 7.3-4 CONTAINMENT ISOLATION PHASE A

BOP/NSSS | Train A Equip Mark No. | Accident Condition | Function | Train B Equip Mark No. | Accident Condition
NSSS | 3CHS*CV8160 | Closed | Letdown line isolation | 3CHS*CV8152 | Closed
NSSS | 3SIL*CV8968 | Closed | Accum nitrogen line isol | 3SIL*CV8880 | Closed
NSSS | 3SIL*CV8890A | Closed | RHR pp/cold leg test line | |
NSSS | 3SIL*CV8825 | Closed | SI pp/hot leg test line | |
NSSS | 3SIL*CV8890B | Closed | RHR pump cold leg test line | |
NSSS | 3SIH*CV8871 | Closed | Test line header isolation | 3SIH*CV8964 | Closed
NSSS | 3SIH*CV8881 | Closed | SI pp hot leg test line isol | |
NSSS | 3SIH*CV8823 | Closed | SI pp/cold leg test line isol | |
NSSS | | | Accum fill line isolation | 3SIH*CV8888 | Closed
NSSS | 3SIH*CV8824 | Closed | SI pp/hot leg test line isol | |
NSSS | 3SIH*CV8843 | Closed | Charging pp test line isolation | |
NSSS | 3CHS*MV8112 | Closed | RCP seal water isolation | 3CHS*MV8100 | Closed
NSSS | 3SSR*CV8026 | Closed | PZR rel tank gas space sample isolation | 3SSR*CV8025 | Closed
BOP | 3SSR*CTV20 | Closed | Pressurizer vapor space sample isolation | 3SSR*CTV21 | Closed
BOP | 3SSR*CTV26 | Closed | Reactor coolant hot leg sample isolation | 3SSR*CTV27 | Closed
BOP | 3SSR*CTV32 | Closed | Safety injection accumulator sample isol | 3SSR*CTV33 | Closed
BOP | 3SSR*CTV29 | Closed | Reactor coolant cold leg sample isolation | 3SSR*CTV30 | Closed
BOP | 3IAS*PV15 | Closed | Containment instrument air supply isolation | 3IAS*MOV72 | Closed
BOP | 3CCP*AOV10A | Closed | Reac plnt comp cooling nonsafety header sup and return isol | 3CCP*AOV10B | Closed
 | 3CCP*AOV19A | Closed | | 3CCP*AOV19B | Closed
BOP | 3CCP*MOV222 | Open | Reac plant comp cooling x-conn to chilled wtr | 3CCP*MOV226 | Open
 | 3CCP*MOV223 | Open | | 3CCP*MOV227 | Open
BOP | 3CCP*MOV224 | Open | Reac plant comp cooling x-conn to chilled wtr | 3CCP*MOV228 | Open
 | 3CCP*MOV225 | Open | | 3CCP*MOV229 | Open
BOP | 3CCP*AOV194B | Closed | React plant comp cooling nonsafety header sup and return isol | 3CCP*AOV194A | Closed
 | 3CCP*AOV197B | Closed | | 3CCP*AOV197A | Closed
BOP | 3CDS-AOV45C | Closed | Containment air recirc coil chill wtr isol | 3CDS-AOV45B | Closed
 | 3CDS-AOV46C | Closed | | 3CDS-AOV46B | Closed
BOP | 3CDS*CTV39B | Closed | Chilled water containment isolation | 3CDS*CTV40B | Closed
 | 3CDS*CTV38A | Closed | | 3CDS*CTV91A | Closed
BOP | 3CDS*CTV38B | Closed | Chilled water containment isolation | 3CDS*CTV91B | Closed
 | 3CDS*CTV39A | Closed | | 3CDS*CTV40A | Closed
BOP | 3GSN*CTV105 | Closed | Pressurizer relief tank nitrogen sply isol | 3GSN*CV8033 | Closed
NSSS | 3PGS*CV8046 | Closed | Pressurizer relief tank water sply isol | 3PGS*CV8028 | Closed
BOP | 3DAS*CTV24 | Closed | Reactor plant aerated drains isol | 3DAS*CTV25 | Closed
BOP | 3CVS*CTV20A | Closed | Containment vacuum system isol | 3CVS*CTV21A | Closed
 | 3CVS*CTV20B | Closed | | 3CVS*CTV21B | Closed
BOP | 3CMS*CTV20 | Closed | Containment atmosphere monitoring sys isol | 3CMS*CTV21 | Closed
 | 3CMS*CTV23 | Closed | | 3CMS*MOV24 | Closed
BOP | 3VRS*CTV20 | Closed | Reactor plant gaseous vents isolation | 3VRS*CTV21 | Closed
BOP | 3DGS*CTV24 | Closed | Reactor plant gaseous drains isolation | DGS*CTV25 | Closed
BOP | 3FPW*CTV48 | Closed | Containment fire protection water isolation | 3FPW*CTV49 | Closed
BOP | 3SSP*CTV7 | Closed | Post-Accident Sample Valve | |
BOP | 3SSP*CTV8 | Closed | Post-Accident Sample Return | |

TABLE 7.3-5 STEAM LINE ISOLATION

BOP/NSSS | Train A Equip Mark No. | Accident Condition | Function | Train B Equip Mark No. | Accident Condition
BOP | 3MSS*HV28A | Closed | Main steam isolation bypass | 3MSS*HV28A | Closed
BOP | 3MSS*HV28B | Closed | Main steam isolation bypass | 3MSS*HV28B | Closed
BOP | 3MSS*HV28C | Closed | Main steam isolation bypass | 3MSS*HV28C | Closed
BOP | 3MSS*HV28D | Closed | Main steam isolation bypass | 3MSS*HV28D | Closed
BOP | 3MSS*CTV27A | Closed | Main steam isolation | 3MSS*CTV27A | Closed
BOP | 3MSS*CTV27B | Closed | Main steam isolation | 3MSS*CTV27B | Closed
BOP | 3MSS*CTV27C | Closed | Main steam isolation | 3MSS*CTV27C | Closed
BOP | 3MSS*CTV27D | Closed | Main steam isolation | 3MSS*CTV27D | Closed
BOP | 3DTM*AOV29A | Closed | Main steam line drain valve | 3DTM*AOV61A | Closed
BOP | 3DTM*AOV29B | Closed | Main steam line drain valve | 3DTM*AOV61B | Closed
BOP | 3DTM*AOV29C | Closed | Main steam line drain valve | 3DTM*AOV61C | Closed
BOP | 3DTM*AOV29D | Closed | Main steam line drain valve | 3DTM*AOV61D | Closed
BOP | 3DTM*AOV63A | Closed | Main steam line drain valve | 3DTM*AOV64A | Closed
BOP | 3DTM*AOV63B | Closed | Main steam line drain valve | 3DTM*AOV64B | Closed
BOP | 3DTM*AOV63D | Closed | Main steam line drain valve | 3DTM*AOV64D | Closed
BOP | 3MSS*PV20B | Closed | Steam Generator atmospheric relief valve | 3MSS*PV20A | Closed
 | 3MSS*PV20D | Closed | | 3MSS*PV20C | Closed

The items listed in this table receive the specified ESFAS signal directly from SSPS slave relays. Equipment receiving a subsequent actuation signal (e.g., from auxiliary relays) as a result of the ESFAS signal is not included in the table.

TABLE 7.3-6 FEEDWATER ISOLATION

BOP/NSSS | Train A Equip Mark No. | Accident Condition | Function | Train B Equip Mark No. | Accident Condition
BOP | 3FWS*FCV510 | Closed | Main fdwtr flow control vv loop 1 | |
BOP | 3FWS*FCV520 | Closed | Main fdwtr flow control vv loop 2 | |
BOP | 3FWS*FCV530 | Closed | Main fdwtr flow control vv loop 3 | |
BOP | 3FWS*FCV540 | Closed | Main fdwtr flow control vv loop 4 | |
BOP | | | Main fdwtr isolation vv loop 1 | 3FWS*CTV41A | Closed
BOP | | | Main fdwtr isolation vv loop 2 | 3FWS*CTV41B | Closed
BOP | | | Main fdwtr isolation vv loop 3 | 3FWS*CTV41C | Closed
BOP | | | Main fdwtr isolation vv loop 4 | 3FWS*CTV41D | Closed
BOP | 3FWS*LV550 | Closed | Fdwtr cont vv bypass loop 1 | |
BOP | 3FWS*LV560 | Closed | Fdwtr cont vv bypass loop 2 | |
BOP | 3FWS*LV570 | Closed | Fdwtr cont vv bypass loop 3 | |
BOP | 3FWS*LV580 | Closed | Fdwtr cont vv bypass loop 4 | |
BOP | 3SGF*AOV24A | Closed | Stm gen chem feed pp isol vv | 3SGF*AOV24B | Closed
BOP | 3SGF*AOV24C | Closed | Stm gen chem feed isol vv | 3SGF*AOV24D | Closed
BOP

NOTES:

The items listed in this table receive the specified ESFAS signal directly from SSPS slave relays. Equipment receiving a subsequent actuation signal (e.g., from auxiliary relays) as a result of the ESFAS signal is not included in the table.

TABLE 7.3-7 CONTROL BUILDING ISOLATION

BOP/NSSS | Train A Equip Mark No. | Accident Condition | Function | Train B Equip Mark No. | Accident Condition
BOP | 3HVC*AOD27A | Closed | Control bldg ventilation makeup air damper | 3HVC*AOD27B | Closed
BOP | 3HVC*AOV20 | Closed | Control room vent outlet air isol valve | 3HVC*AOV21 | Closed
BOP | 3HVC*AOV25 | Open | Control room vent inlet air isol valve | 3HVC*AOV26 | Open
BOP | 3HVC*AOV22 | Closed | Control room purge outlet air isol valve | 3HVC*AOV23 | Closed
BOP | 3HVK*P1A | 1 pump run and 1 pump standby (a) | Control bldg chilled water pump | 3HVK*P1B | 1 pump run and 1 standby (a)
BOP | 3HVC*MOD33A | Open | Control building emergency ventilation fan inlet damper | 3HVC*MOD33B | Open
BOP | 3HVC*AOD119A | Open | Control building emergency ventilation filter air return damper | 3HVC*AOD119B | Open
BOP | 3HWS-MOD29 (b) | Closed | TSC Vent. Exhst. Air Damper | 3HWS-MOD29 (b) | Closed
BOP | 3HWS-MOD31 (b) | Open | TSC Vent. Recirc. Damper | 3HWS-MOD31 (b) | Open
BOP | 3HWS-MOD30 (c) | Closed | TSC Vent. Outdoor Air Damper | 3HWS-MOD30 (c) | Closed
BOP | 3HWS-MOD33 (b) | Closed | TSC Vent. Outdoor Air Damper | 3HWS-MOD33 (b) | Closed

(a) Normal operation - one pump running, one pump in standby. Control Building Isolation signal prevents manual stop. In normal operation, the chilled water pumps are not affected by a CBI signal.

(b) Damper is operated on both A and B Train Signals.

(c) Damper is operated on both A and B Train Signals. Loop also includes a time delay to open damper if there is sufficient flow.

The items listed in this table receive the specified ESFAS signal directly from SSPS slave relays. Equipment receiving a subsequent actuation signal (e.g., from auxiliary relays) as a result of the ESFAS signal is not included in the table.

TABLE 7.3-8 CONTAINMENT DEPRESSURIZATION ACTUATION

BOP/NSSS | Train A Equip Mark No. | Accident Condition | Function | Train B Equip Mark No. | Accident Condition
BOP | 3SWP*MOV54A | Open | Containment recirc clr supply | 3SWP*MOV54B | Open
BOP | 3SWP*MOV54C | Open | Containment recirc clr supply | 3SWP*MOV54D | Open
BOP | 3RSS*MOV20A | Open | Containment recirc wtr spray hdr isol | 3RSS*MOV20B | Open
BOP | 3RSS*MOV20C | Open | Containment recirc wtr spray hdr isol | 3RSS*MOV20D | Open
BOP | 3SWP*MOV50A | Closed | Reactor plant comp clg hx supply valve | 3SWP*MOV50B | Closed
BOP | 3SWP*MOV71A | Closed | Turbine plant component clg hx inlet | 3SWP*MOV71B | Closed
BOP | 3RSS*MOV23A | Open | Containment recirc pump suct valve | 3RSS*MOV23B | Open
BOP | 3RSS*MOV23C | Open | Containment recirc pump suct valve | 3RSS*MOV23D | Open
BOP | 3QSS*MOV34A | Open | Quench spray header isol valve | 3QSS*MOV34B | Open
BOP | 3SWP*MOV115A | Closed | Circ wtr pp brg lube wtr supply valve | 3SWP*MOV115B | Closed
BOP | 3WTC*AOV25A | Closed | Service wtr feed to chlorination system | 3WTC*AOV25B | Closed
BOP | 3RPS*PNLESCA | | Emergency generator load sequencer | 3RPS*PNLESCB |
BOP | 3FWA*AOV23A | Closed | Aux feedwater alternate suction valve | 3FWA*AOV23B | Closed
BOP | 3FWA*AOV61A | Open | DWST to aux feedpump suction valve | 3FWA*AOV61B | Open
BOP | 3FWA*AOV62A | Closed | Aux feedpump discharge crossover valve | 3FWA*AOV62B | Closed

Note 1: Equipment receiving an actuation signal from the EGLS is not listed in this table. Refer to drawing LSK-24-9.4.

Note 2: A CDA signal also initiates Containment Isolation Phase B (Table 7.3-9). Refer to FSAR Figure 7.2-1, Sheet 8 for interaction between these ESFAS functions.

The items listed in this table receive the specified ESFAS signal directly from SSPS slave relays. Equipment receiving a subsequent actuation signal (e.g., from auxiliary relays) as a result of the ESFAS signal is not included in the table.

TABLE 7.3-9 CONTAINMENT ISOLATION PHASE B

BOP/NSSS | Train A Equip Mark No. | Accident Condition | Function | Train B Equip Mark No. | Accident Condition
BOP | 3CCP*MOV45A | Closed | RPCCW Cont Isol valve | 3CCP*MOV45B | Closed
BOP | 3CCP*MOV48A | Closed | RPCCW Cont Isol valve | 3CCP*MOV49A | Closed
BOP | 3CCP*MOV49B | Closed | RPCCW Cont Isol valve | 3CCP*MOV48B | Closed

The items listed in this table receive the specified ESFAS signal directly from SSPS slave relays. Equipment receiving a subsequent actuation signal (e.g., from auxiliary relays) as a result of the ESFAS signal is not included in the table.

TABLE 7.3-10 INSTRUMENTATION AND CONTROL SYSTEMS FOR ENGINEERED SAFETY FEATURES AND ESSENTIAL AUXILIARY SUPPORTING SYSTEMS

System | FSAR Section Reference

A. Engineered Safety Features Systems

1. Emergency core cooling system (ECCS) 6.3
2. Containment depressurization system 6.2.2
a. Quench spray system
b. Containment recirculation system
3. Containment isolation system: 6.2.4
a. Main steam isolation 10.3
b. Feedwater isolation 10.4.7
4. Hydrogen recombiner system 6.2.5
5. Supplementary leak collection and release system 6.2.3
6. Auxiliary feedwater system 10.4.9
7. ESF filtration system
a. Control room emergency ventilation system 9.4.1
b. Charging pump, component cooling water pump and heat exchanger ventilation system (part of auxiliary building filter system) 9.4.5

B. Essential Auxiliary Support System

1. Service water system (heat removal portion) 9.2.1
2. Reactor plant component cooling water system 9.2.2
3. Chilled water system (control building only) 9.4.1
4. Electrical system Chapter 8
5. Emergency generator fuel oil system 9.5.4
6. Emergency diesel engine cooling water system 9.5.5
7. Emergency generator starting air system 9.5.6
8. Emergency diesel engine lubrication system 9.5.7
9. Emergency generator combustion air intake and exhaust system 9.5.8
10. Air conditioning, heating, cooling, and ventilation systems
a. Diesel room ventilation 9.4.6
b. Battery room cooling 9.4.1
c. Switchgear area HVAC 9.4.1
d. ESF building ventilation 9.4.5
11. Charging and safety pumps cooling systems 9.2.2

FIGURE 7.3-1 FAILURE MODES AND EFFECTS ANALYSIS QUENCH SPRAY SYSTEM (figure not reproduced in text)

FIGURE 7.3-2 FAULT TREE DIAGRAM QUENCH SPRAY SYSTEM (figure not reproduced in text)

FIGURE 7.3-3 TYPICAL ESF TEST CIRCUITS (figure not reproduced in text)

FIGURE 7.3-4 ENGINEERED SAFEGUARDS TEST CABINET (figure not reproduced in text)

7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN

The functions necessary for safe shutdown are available from instrumentation channels that are associated with the major systems in both the primary and secondary systems of the nuclear steam supply system (NSSS). These channels are normally aligned to serve a variety of operational functions, including startup and shutdown as well as protective functions.

However, prescribed procedures for securing and maintaining the plant in a safe condition can be instituted by appropriate alignment of selected systems in the NSSS. The discussion of these systems together with the applicable codes, criteria and guidelines is found in other sections of the Safety Analysis Report. In addition, the alignment of shutdown functions associated with the engineered safety features (ESF) which are invoked under postulated limiting fault situations is discussed in Chapter 6 and Section 7.3.

Two kinds of shutdown conditions, both capable of being achieved with or without offsite power, are addressed in this section: hot standby and cold shutdown. Hot standby is a stable condition of the reactor achieved shortly after a programmed or emergency shutdown of the plant. Cold shutdown is a stable condition of the plant achieved after the residual heat removal process has brought the primary coolant temperature below 200°F. The systems required to achieve and maintain cold shutdown are described in Section 5.4.7, RHS heat removal system.

For either case of safe shutdown, i.e., hot standby or cold shutdown, the reactivity control systems maintain a subcritical condition of the core. The plant technical specifications explicitly define both hot standby and cold shutdown conditions.

As a minimum, the electrically powered equipment that must be aligned for achieving and maintaining safety grade cold shutdown without offsite power, with an event initiated by a single random failure and with limited operator action outside the control room, is:

1. Emergency Class IE electrical power supply
2. Auxiliary feedwater system
3. Residual heat removal (and isolation) system
4. Borated water inventory supply to centrifugal charging pump suction via the gravity feed system
5. Redundant discharge system from and including centrifugal charging pump system supplying RCS and RCP seals
6. Pressure relief system for RCS
7. Accumulator isolation or venting.
8. Decay heat removal using steam generator PORVs and bypass
9. Reactor head vent letdown system
10. Reactor protection system

The instrumentation and functions which are required to be aligned for maintaining hot standby are:

1. Prevent the reactor from achieving criticality in violation of the technical specifications
2. Provide an adequate heat sink such that design and safety limits are not exceeded
3. Pressurizer pressure control
4. Reactor coolant system inventory control

7.4.1 DESCRIPTION

The hot standby systems are identified in the following lists together with the associated instrumentation and controls systems. The identification of the monitoring indicators (Section 7.4.1.1) and controls (Section 7.4.1.2) are those necessary for maintaining a hot standby.

The equipment and services for a cold shutdown are identified in Section 7.4.1.4. Instrumentation and controls provided outside the control room for safe shutdown are listed in Table 7.4-1. Loss of the auxiliary shutdown panel (ASP) and normal automatic systems are not assumed coincident with evacuation. For applicable drawings, see Section 1.7.

7.4.1.1 Monitoring Indicators

The characteristics of these indicators, which are provided outside as well as inside the control room, are described in Section 7.5. The necessary indicators are as follows:

1. Water level indicator for each steam generator
2. Pressure indicator for each steam generator
3. Pressurizer water level indicator
4. Pressurizer pressure indicator
5. Reactor trip breaker indication
6. Auxiliary feedwater flow rate
7. Loop hot leg temperature
8. Loop cold leg temperature
9. DWST level
10. Emergency bus voltmeters
11. Boric acid tank level

7.4.1.2 Controls

7.4.1.2.1 General Considerations

1. The turbine is tripped. (Note that this can be accomplished at the turbine as well as in the control room.)
2. The reactor is tripped. (Note that this can be accomplished at the reactor trip switchgear as well as in the control room.)
3. Safety related manual controls for hot standby shutdown are located inside as well as outside the main control room. These controls are provided with REMOTE/LOCAL selector switches located outside the main control room. An annunciator is alarmed in the main control room and the indicator lights in the main control room are turned off when LOCAL CONTROL is selected.

7.4.1.2.2 Pumps and Fans

1. Auxiliary feedwater pumps

In the event of a main feedwater pump stoppage due to a loss of electrical power, the auxiliary feedwater pumps start automatically or can be started manually. START/STOP controls located outside as well as inside the control room are provided.

2. Charging pumps

START/STOP motor controls for these pumps are located outside, as well as inside the control room.

3. Service water pumps

These pumps start automatically following a loss of normal electrical power. START/STOP motor controls are located outside as well as inside the control room.

4. Component cooling water pumps

These pumps, energized from the emergency generator, start automatically following a loss of normal electrical power. START/STOP controls are located outside as well as inside the control room.

5. Control room ventilation units including the control room air inlet dampers

The control room ventilation units are started and stopped by the associated control building chilled water pumps. The chilled water pumps have LOCAL/REMOTE switches. Normally, one air-conditioning train is operating with the other train on standby. Upon a loss of power, one train starts automatically with the second on standby. The control room ventilation isolation valves are automatically opened (if closed) on receipt of a control building isolation (CBI) signal. The isolation valves can also be operated manually from within the control room.

7.4.1.2.3 Emergency Generators

These units start automatically following a loss of normal AC power. However, manual controls for diesel startup are provided locally at the emergency generator (as well as within the control room). For a description of Class IE power supplies, refer to Section 8.3.

7.4.1.2.4 Valves and Heaters

1. Charging flow control

Flow control valves fail open. Subsequent control can be maintained by the use of solenoid valves described in Section 5.4.7 controlled manually from both inside and outside the control room.

2. Letdown valves

Letdown can be established through the RCS head vent, if normal letdown is unavailable, by manual control from both inside and outside the control room (Section 5.4.15).

3. Auxiliary feedwater control valves

Manual controls for these valves are located on the ASP. Transfer switches for these valves are located on the Transfer Switch Panel. These controls duplicate functions that are inside the control room.

4. Steam generator safety valves

5. Pressurizer heater control

ON/OFF control selector switches are provided for two backup heater groups on the ASP. The heater groups are connected to separate buses, such that each can be connected to separate emergency generators in the event of loss of outside power.

The controls are grouped with the charging flow controls and duplicate functions available in the control room.

7.4.1.3 Control Room Evacuation

It is noted that the instrumentation and controls listed in Sections 7.4.1.1 and 7.4.1.2 which are used to achieve and maintain a safe shutdown are available in the event that an evacuation of the control room is required. These controls and instrumentation channels, together with the equipment identified in Section 7.4.1.4, identify the potential capability for cold shutdown of the reactor subsequent to a control room evacuation through the use of suitable procedures. The control room evacuation shall not occur simultaneously or coincident with an abnormal operating condition (ANS Condition II, III, or IV), except the loss of offsite power which would be coincident. The auxiliary shutdown panel and the equipment used to maintain remote shutdown fulfill the single failure criterion.

7.4.1.4 Equipment and Systems Necessary for Cold Shutdown

1. Auxiliary feedwater pumps (Section 10.4.9)
2. Boration capability (Section 9.3.4). In the event the boric acid transfer pump is not available, the gravity feed will be utilized.
3. Charging pumps (Section 9.3.4)
4. Service water pumps (Section 9.2.1)
5. Control room ventilation (Section 9.4.1)
6. Component cooling pumps (Section 9.2.2.1)
7. Residual heat removal pumps (Section 5.4.7)
8. Certain motor control center and switchgear (Section 8.3.1)
9. Controlled steam release (Sections 7.7 and 10.4.4)
10. Nuclear instrumentation system (NIS) (source range or intermediate range) (Section 7.2). For a more complete description of the NIS, refer to WCAP 8255.
11. Reactor coolant inventory control (charging and letdown) (Section 9.3.4 and Section 5.4.15)
12. Pressurizer pressure control including opening control for pressurizer relief valves and heater control (Sections 5.4.10 and 7.6)
13. Accumulator piping and valving for isolation and venting (Section 6.3)

In addition, the pressurizer pressure and steam line pressure safety injection trip signals must be blocked and the accumulator isolation valves closed.

Controls are provided to block the steamline low pressure and pressurizer low pressure signals. These controls prevent an SIS provided that the pressure within the pressurizer is less than a predetermined design level.

Instrumentation and controls provided outside the control room for cold shutdown are listed in Table 7.4-1.

7.4.1.5 Other Considerations

1. Additional shutdown air compressors are powered from Class IE buses and are provided to increase availability of normal controls and minimize operator actions.
2. Other equipment supplied from Class IE buses to minimize impact on nonsafety equipment in containment include:
a. Containment recirculation coolers
b. CRDM air cooling fans
3. Loss of instrument air does not prevent the operation of the minimum systems necessary for hot standby or cold shutdown described in Section 7.4.1.

7.4.2 ANALYSIS

Hot shutdown is a stable plant condition, automatically reached following a reactor trip from power. The plant design features also permit the achievement of cold shutdown as referred to in Section 7.4.1.2 and described in Section 5.4.7. In the unlikely event that access to the control room is restricted, the plant can be safely kept at a hot standby by the use of the monitoring indicators and the controls listed in Sections 7.4.1.1 and 7.4.1.2, and described in Section 7.4.1.3, until the control room can be re-entered.

Cold shutdown conditions can be achieved from outside the control room through the use of suitable procedures and by virtue of local control of the equipment listed in Section 7.4.1.2, in conjunction with the instrumentation and controls provided on the auxiliary shutdown panel (ASP) (Table 7.4-1). The layout of the ASP is provided in the ESK series drawings, listed in Section 1.7.

The design basis for the ASP is as follows:

1. The design of the system to provide redundant safety grade capability to achieve and maintain a safe shutdown condition from location(s) remote from the control room is as follows.

Panels and associated equipment used in control room evacuation are located at elevation 4 feet 6 inches in the control building. Also located at elevation 4 feet 6 inches is the emergency switchgear for each train, along with two transfer switch panels (TSP) and the ASP.

Controls which are located outside the control room are listed in Table 7.4-1. Most pumps have their controls located at their respective emergency switchgear.

Two rooms are provided to separate the redundant emergency switchgear and the transfer switch panels. The ASP panel is located in the purple switchgear room (Train B) and the two trains (A and B) of the ASP are separated by a non-train panel.

2. All controls and instrumentation required for the reactor hot and cold shutdown from ASP are decoupled from those normally used in the main control room in order to ensure that the control room evacuation event does not defeat the operation of equipment and controls necessary for remote shutdown in case of failure of equipment in the main control room.
3. The ASP is provided with a communication network to important plant locations which include locations of equipment required for reactor shutdown. The control room and cable spreading room can be isolated from the system by controls at the ASP.
4. The following design criteria are applicable to the instrumentation and control devices located on the ASP:

ANSI C37.90-1978
IEEE 279-1971
IEEE 308-1974
IEEE 323-1974
IEEE 344-1975
IEEE 338-1971
IEEE 379-1972
IEEE 384-1974
IEEE 420-1974
NUREG-0588, Dec. 1979
RG 1.75, Feb. 1974

5. Redundant instrumentation and controls (Trains A and B) are provided on the auxiliary shutdown panel and are listed in Table 7.4-1.
6. There are no cases in which transfer from the main control room to the auxiliary shutdown panel requires a jumper or equipment to be received.
7. The design is such that transfer of equipment from the main control room to the alternate shutdown area will not change the status of the equipment.
8. Loss of offsite power will not negate shutdown capability from the remote shutdown area.
9. The design is such that access to the remote shutdown stations at the ASP, the TSPs and the 4 kV switchgear requires keys for operation of equipment. Access to these areas is under administrative control.

Each cabinet located at the remote shutdown area (TSPs, ASP) has door limit switches mounted on the front and rear doors which annunciate in the main control room whenever personnel gain access to the equipment. Also, each transfer switch mounted on the TSPs is annunciated in the main control room whenever local control of assigned equipment has been taken over.

10. The ASP is located such that it can be safely occupied during a remote shutdown event. Ventilation temperature control is provided to allow continuous occupancy.
11. The design requirements for compliance with Appendix R, 10 CFR 50, are explained in the Millstone 3 Fire Protection Evaluation Report.

The controls available on the ASP provide the capability of achieving and maintaining a safe shutdown when the main control room is inaccessible. The controls necessary for immediate operator action to establish a stable plant condition are available on the ASP or in adjacent emergency switchgear rooms. The controls provide a means of sustaining the capability for boration, letdown, residual heat removal, natural circulation, continuing reactor coolant pump seal injection and thermal barrier cooling water flow, and depressurization. The instrumentation and control functions discussed above, which must be aligned to maintain safe shutdown of the reactor, are the minimum set of instrumentation and control functions required.

Proper operation of other nonsafety related systems allows a more normal shutdown to be made and maintained by preventing a transient (Section 7.7).

In considering more restrictive conditions than those discussed in Section 7.4, certain accidents and transients are postulated in the Chapter 15.0 safety analyses which take credit for safe shutdown when the protection system's reactor trip terminates the transients and the engineered safety features system mitigates the consequences of the accident. In these transients, in general, no credit is taken for the control system operation should such operation mitigate the consequences of a transient. Should such operation not mitigate the consequences of a transient, no penalties are taken in the analyses for incorrect control system actions over and above the incorrect action of the control system whose equipment failure was assumed to have initiated the transient. These analyses in Chapter 15.0 show that safety is not adversely affected when such transients include the following:

1. Inadvertent boron dilution
2. Loss of normal feedwater
3. Loss of external electrical load and/or turbine trip
4. Loss of AC power to the station auxiliaries

The results of the analysis which determined the applicability of the nuclear steam supply system safe shutdown systems to the NRC General Design Criteria, IEEE Standard 279-1971, applicable NRC Regulatory Guides and other industry standards are presented in Table 7.1-1. The functions considered and listed below include both safety-related and nonsafety-related equipment.

1. Reactor trip system
2. Engineered safety features actuation system
3. Safety related display instrumentation for post-accident monitoring
4. Main control board
5. Auxiliary shutdown station
6. Residual heat removal
7. Instrument power supply
8. Control systems

TABLE 7.4-1 INSTRUMENTS AND CONTROLS OUTSIDE CONTROL ROOM FOR COLD SHUTDOWN

Safety-Related Instruments on ASP
Columns: Description (range): ASP Section 1, Electrical Train A (Orange) / ASP Section 3, Electrical Train B (Purple)

RHR Heat Exchanger Outlet Cooling Flow (0-800 gpm x 10): 3CCP*FI67A2 / 3CCP*FI67B2
Boric Acid Tank 5A Level (0-240 gal x 100): 3CHS*LI102A / 3CHS*LI104A
Boric Acid Tank 5B Level (0-240 gal x 100): 3CHS*LI105A / 3CHS*LI106A
Stm Gen 1 Level (0-100%): 3FWS*LI501A / 3FWS*LI519A
Stm Gen 2 Level (0-100%): 3FWS*LI529A / 3FWS*LI502A
Stm Gen 3 Level (0-100%): 3FWS*LI503A / 3FWS*LI537A
Stm Gen 4 Level (0-100%): 3FWS*LI548A / 3FWS*LI504A
RCS Pressure (0-300 psia x 10): 3RCS*PI405B / 3RCS*PI403B
Demin Water Storage Tank Level (18,520-352,435 gal): 3FWA*LI20A2 / 3FWA*LI20B2
Stm Gen 1 Aux Fdwtr Flow (0-350 gpm): 3FWA*FI51A2 / Note 1
Stm Gen 2 Aux Fdwtr Flow (0-350 gpm): Note 1 / 3FWA*FI33B2
Stm Gen 3 Aux Fdwtr Flow (0-350 gpm): Note 1 / 3FWA*FI33C2
Stm Gen 4 Aux Fdwtr Flow (0-350 gpm): 3FWA*FI51D2 / Note 1
Refueling Water Storage Tank Level (0-1.2 gal x 10^6): 3QSS*LI930A / 3QSS*LI931A
RC Loop 1 Hot Leg Temp (0-700°F): 3RCS*TI413C / Note 2
RC Loop 2 Hot Leg Temp (0-700°F): 3RCS*TI423C / Note 2
RC Loop 3 Hot Leg Temp (0-700°F): 3RCS*TI433C / Note 2
RC Loop 4 Hot Leg Temp (0-700°F): 3RCS*TI443C / Note 2
RC Loop 1 Cold Leg Temp (0-700°F): Note 2 / 3RCS*TI413D
RC Loop 2 Cold Leg Temp (0-700°F): Note 2 / 3RCS*TI423D
RC Loop 3 Cold Leg Temp (0-700°F): Note 2 / 3RCS*TI433D
RC Loop 4 Cold Leg Temp (0-700°F): Note 2 / 3RCS*TI443D
Pressurizer Level (0-100%): 3RCS*LI459C / RCS*LI460C
Pressurizer Pressure (170-250 psia x 10): 3RCS*PI455B / 3RCS*PI456B
Stm Gen 1 Pressure (0-1300 psig): 3MSS*PI514B / 3MSS*PI515B
Stm Gen 2 Pressure (0-1300 psig): 3MSS*PI524B / 3MSS*PI525B
Stm Gen 3 Pressure (0-1300 psig): 3MSS*PI534B / 3MSS*PI535B
Stm Gen 4 Pressure (0-1300 psig): 3MSS*PI544B / 3MSS*PI545B
Emer 4.16 kV Bus 34C Train A (0-5250V): VM2-3ENS*SWG-A / Note 3
Emer 4.16 kV Bus 34D Train B (0-5250V): Note 3 / VM2-3ENS*SWG-B
Containment Pressure (0-60 psia): 3LMS*PI937A / 3LMS*PI936A

Safety-Related Equipment with Controls on ASP
Columns: Description: Train A (Orange) / Train B (Purple)

Aux Fdwtr Control Valve (Throttling): 3FWA*HV31A / 3FWA*HV31B
Aux Fdwtr Control Valve (Throttling): 3FWA*HV31D / 3FWA*HV31C
Aux Fdwtr Control Valve (Throttling): 3FWA*HV32A / 3FWA*HV32B
Aux Fdwtr Control Valve (Throttling): 3FWA*HV32D / 3FWA*HV32C
Aux Fdwtr Control Valve (Throttling): 3FWA*HV36B / 3FWA*HV36A
Aux Fdwtr Control Valve (Throttling): 3FWA*HV36C / 3FWA*HV36D
Aux Fdwtr Isolation Valve: 3FWA*MOV35B / 3FWA*MOV35A
Aux Fdwtr Isolation Valve: 3FWA*MOV35C / 3FWA*MOV35D
Aux Fdwtr Pump Alt Suction Valve: 3FWA*AOV23A / 3FWA*AOV23B
Turbine Driven Aux Fdwtr Pump Stm Supply Valve: 3MSS*AOV31A / 3MSS*AOV31B
Turbine Driven Aux Fdwtr Pump Stm Supply Valve: Note 4 / 3MSS*AOV31D
Main Stm Pressure Relieving Valve Isol Valve: 3MSS*MOV18A / 3MSS*MOV18B
Main Stm Pressure Relieving Valve Isol Valve: 3MSS*MOV18C / 3MSS*MOV18D
Main Stm Pressure Relieving Valve Bypass Valve: 3MSS*MOV74B / 3MSS*MOV74A
Main Stm Pressure Relieving Valve Bypass Valve: 3MSS*MOV74D / 3MSS*MOV74C
Pressurizer Power Relief Valve: 3RCS*PCV455A / 3RCS*PCV456
Pressurizer Relief Isol Valve: 3RCS*MV8000A / 3RCS*MV8000B
Pressurizer Aux Spray Valve: 3RCS*AV8145 / Note 5
Reactor Vessel Head Vent Isol Valve: 3RCS*SV8095A / 3RCS*SV8095B
Reactor Vessel Head Vent Isol Valve: 3RCS*SV8096A / 3RCS*SV8096B
Reactor Vessel to Excess Letdown Valve: 3RCS*MV8098 / Note 6
Reactor Vessel to Pressurizer Relief Tank Letdown Valve: 3RCS*HCV442A / 3RCS*HCV442B
Pressurizer Level Control Valve: 3RCS*LCV459 / Note 7
Pressurizer Level Control Valve: 3RCS*LCV460 / Note 7
Letdown Orifice Isol Valve: 3CHS*AV8149A / Note 8
Letdown Orifice Isol Valve: 3CHS*AV8149B / Note 8
Letdown Orifice Isol Valve: 3CHS*AV8149C / Note 8
Letdown to VCT/GWS Divert Valve: 3CHS*LCV112A / Note 9
Vol Control Tank Outlet Isol Valve: 3CHS*LCV112B / 3CHS*LCV112C
RWST to Charging Pump Suction Valve: 3CHS*LCV112D / 3CHS*LCV112E
Charging System to RCS Isol Valve: 3CHS*AV8147 / 3CHS*AV8146
Boric Acid Gravity Feed Valve: 3CHS*MV8507A / 3CHS*MV8507B
Charging Header Isol Valve: 3CHS*MV8438A / 3CHS*MV8438B
Charging Header Isol Valve: 3CHS*MV8438C / Note 10
Charging Pump A Recirc Valve: Note 11 / 3CHS*MV8111A
Charging Pump B Recirc Valve: Note 11 / 3CHS*MV8111B
Charging Pump C Recirc Valve: Note 11 / 3CHS*MV8111C
LPSI to Charging Pumps Suction Valve: 3CHS*MV8468A / 3CHS*MV8468B
Charging Header Flow Control Valve: 3CHS*HCV190A / 3CHS*HCV190B
Charging Header Isol Bypass Valve: 3CHS*MV8116 / Note 12
Charging Pump to RCS Isol Valve: 3CHS*MV8105 / 3CHS*MV8106
Charging Pump Miniflow Control Valve: 3CHS*MV8511A / 3CHS*MV8511B
RHS Heat Exchanger Component Cooling Water Outlet Valve: 3CCP*FV66A / 3CCP*FV66B
RHS to Cold Leg Isol Valve: 3SIL*MV8809A / 3SIL*MV8809B
RWST to RHR Pump Suction Valve: 3SIL*MV8812A / 3SIL*MV8812B
Safety Injection Accumulator Tank Isol Valve: 3SIL*MV8808A / 3SIL*MV8808B
Safety Injection Accumulator Tank Isol Valve: 3SIL*MV8808C / 3SIL*MV8808D
Safety Injection Accumulator Tank 1 Nitrogen Supply: 3SIL*SV8875A / 3SIL*SV8875E
Safety Injection Accumulator Tank 2 Nitrogen Supply: 3SIL*SV8875B / 3SIL*SV8875F
Safety Injection Accumulator Tank 3 Nitrogen Supply: 3SIL*SV8875C / 3SIL*SV8875G
Safety Injection Accumulator Tank 4 Nitrogen Supply: 3SIL*SV8875D / 3SIL*SV8875H
Safety Injection Accumulator Vent Control: 3SIL*HCV943A / 3SIL*HCV943B
RHS Inlet Isol Valve: 3RHS*MV8701A (Note 13) / 3RHS*MV8701B
RHS Inlet Isol Valve: 3RHS*MV8701C / 3RHS*MV8702B
RHS Inlet Isol Valve: RHS*MV8702A / 3RHS*MV8702C
Charging Pump Cooling Pump: 3CCE*P1A / 3CCE*P1B
Pressurizer Heater Backup: 3RCS*H1A (Group A) / 3RCS*H1B (Group B)
Cold Shutdown Air Compressor: 3IAS-C2A / 3IAS-C2B
Air Conditioning Unit for SI, QS, and RHR Pump Area: 3HVQ*ACUS1A / 3HVQ*ACUS1B

Safety-Related Miscellaneous Controls
Main Stm Line Safety Injection Block/Reset: Train A / Train B
Pressurizer Pressure Safety Injection Block/Reset: Train A / Train B
Sequencer LOP Reset: Train A / Train B
Sequencer LOP Reset Light: Train A / Train B
Sequencer Manual Start Block Light: Train A / Train B
RCS Cold Overpressure Mitigating Arm/Block: Train A / Train B

NonSafety-Related Instruments on ASP Section 2/Non-Train
Columns: Description (range): Mark No.

Reserve Instrument Air Header Pressure (0-150 psig): 3IAS-PI73B
NIS-Source Range Count Rate (10^0 - 10^6 CPS): 3NMS-NI31C
NIS-Source Range Count Rate (10^0 - 10^6 CPS): 3NMS-NI32C
RHR Heat Exchanger A Outlet Temp (50-400°F): 3RHS-TI604
NIS-Intermediate Range Neutron Flux (10 10-3 AMPS): 3NMI-NI35C
NIS-Intermediate Range Neutron Flux (10 10-3 AMPS): 3NMI-NI36C
Condensate Storage Tank Level (0-300 x 10^3 GAL): 3CNS-LI15A
Volume Control Tank Level (0-100%): 3CHS-LI112A
Letdown Flow (0-200 gpm): 3CHS-FI132A
Regenerative Heat Exchanger Outlet Temp (100-600°F): 3CHS-TI126A
RHR Heat Exchanger B Outlet Temp (50-400°F): 3RHS-TI605
RCP 1 Seal Water Flow (0-15 gpm): 3CHS-FI145C
RCP 2 Seal Water Flow (0-15 gpm): 3CHS-FI144C
RCP 3 Seal Water Flow (0-15 gpm): 3CHS-FI143C
RCP 4 Seal Water Flow (0-15 gpm): 3CHS-FI142C

Equipment with Nonsafety-Related Controls ASP Section 2/Non-Train
Columns: Description: Mark No.

Excess Letdown Flow Control Valve: 3CHS*HCV123
RHR Letdown Flow Control Valve: 3CHS*HCV128
Charging Flow Control Valve: 3CHS*FCV121
Low Pressure Letdown Control Valve: 3CHS*PCV131
RCP Seal Water Supply Control Valve: 3CHS*HCV182
RHR Heat Exchanger A Outlet Flow Control: 3RHS*HCV606
RHR Heat Exchanger A Bypass Control: 3RHS*FCV618
RHR Heat Exchanger A Component Cooling Flow Control: 3CCP*FV66A
RHR Heat Exchanger B Component Cooling Flow Control: 3CCP*FV66B
RHR Heat Exchanger B Outlet Flow Control: 3RHS*HCV607
RHR Heat Exchanger B Bypass Flow Control: 3RHS*FCV619
Main Stm Pressure Relieving Valve: 3MSS*PV20A
Main Stm Pressure Relieving Valve: 3MSS*PV20B
Main Stm Pressure Relieving Valve: 3MSS*PV20C
Main Stm Pressure Relieving Valve: 3MSS*PV20D

Miscellaneous Controls ASP Section 2/Non-Train
White Indicator Light (Steam Line Safety Injection Blocked, Train A)
White Indicator Light (Steam Line Safety Injection Blocked, Train B)
White Indicator Light (Pressurizer Safety Injection Blocked, Train A)
White Indicator Light (Pressurizer Safety Injection Blocked, Train B)

Safety-Related Controls on 4160V Emergency Switchgear
Motor-Driven Aux Fdwtr Pumps: 3FWA*P1A, Train A; 3FWA*P1B, Train B
Charging Pumps: 3CHS*P3A, Train A; 3CHS*P3B, Train B; 3CHS*P3C, Swing Pump
Service Water Pumps: 3SWP*P1A, Train A; 3SWP*P1C, Train A; 3SWP*P1B, Train B; 3SWP*P1D, Train B
Reactor Plant Component Cooling Pumps: 3CCP*P1A, Train A; 3CCP*P1B, Train B; 3CCP*P1C, Swing Pump
Control Building Chilled Water Pumps: 3HVK*P1A, Train A; 3HVK*P1B, Train B
RHR Pumps: 3RHS*P1A, Train A; 3RHS*P1B, Train B

Local, Manual Valve Control
Adjustable travel limiters (to be used during safety grade cold shutdown with single failure loss of one train of RHS and loss of all instrument air): 3RHS*FCV618, Train A; 3RHS*FCV619, Train B

NOTES:

1 There is one auxiliary feedwater flow indicator per steam generator on the ASP - two are Train A and two are Train B.

2 The RC loop hot leg temperature indicators are Train A; the cold leg temperature indicators are Train B.

3 There is one emergency bus volt meter for each emergency bus (Trains A and B) on the ASP.

4 There are three steam supply valves for the turbine-driven auxiliary feedwater pump - one is Train A and two are Train B.

5 The pressurizer auxiliary spray valve is Train A only.

6 There is no Train B reactor vessel to the excess letdown valve.

7 3RCS*LCV459 and 460 are in series; both are Train A letdown valves.

8 The three letdown orifice isolation valves are all Train A.

9 3CHS*LCV112A is Train A; 3CHS*AOV71, upstream of 3CHS*LCV112A, is non-train and can be controlled from the main board or gaseous waste panel.

10 3CHS*MV8438C is Train A only; it is the charging header cross connect valve.

11 3CHS*MV8111A, B, and C - charging pump recirculation valves are all Train B.

3CHS*MV8110 is the Train A common recirculation valve and can be operated from the main control board; it is normally OPEN.

12 The charging header isolation bypass valve is Train A only.

13 3RHS*MV8701A is not interlocked with RCS pressure low from ASP control.

14 In the event of a loss of Control Room and transfer of operations to the ASP, Local-Remote switches outside the Control Room are used to transfer certain control functions.

Control power to operate valves 3RHS*HCV 606 & 607 and 3RHS*FCV 618 & 619 (energize solenoid operated valves on pneumatic tubing) will be shifted via the local-remote switch that transfers control of valves 3SIL*MV8809 A & B to the ASP.

7.5 SAFETY RELATED DISPLAY INSTRUMENTATION

7.5.1 DESCRIPTION

An analysis was conducted to identify the appropriate variables and establish appropriate design bases and qualification criterion for instrumentation employed by the operator for monitoring conditions in the reactor coolant system, the secondary heat removal system and the containment, including engineered safety functions and other systems normally employed for attaining a safe shutdown condition.

The instrumentation is used by the operators to monitor Millstone 3 throughout all operating conditions, including anticipated operational occurrences and accidents and post accident conditions. Table 7.5-1 provides a listing of the variables identified to meet the intent of Regulatory Guide 1.97 Revision 2. The table includes the following information for each variable identified:

1. Sensor and Main Board Instrument Component Identification Tag Numbers.
2. Recommended Range and Regulatory Guide 1.97 Design Category, versus Actual Range and Design Category.
3. Designed Redundancy.
4. Type of Power Supply.
5. Display Methodology (Variable, Trend, and/or Safety Parameter Display System (SPDS) or Offsite Facilities Information System (OFIS) availability).
6. Regulatory Guide 1.97 Revision 2, Type and Category (as defined in Specification SP-M3-IC-022).
7. Environmental Qualification (as defined in Specification SP-M3-IC-022).
8. Seismic Qualification (as defined in Specification SP-M3-IC-022).
9. Quality Assurance Qualification (as defined in Specification SP-M3-IC-022).

To assist in understanding the process for identifying the variables in Table 7.5-1, Specification SP-M3-IC-022, The Millstone 3 Design Basis to Respond to Regulatory Guide 1.97, Revision 2, describes:

1. Plant conditions under which the instrumentation must be operable
2. Selection criteria (Type A, B, C, D, or E)
3. Qualification criteria (Category 1, 2, or 3)
4. Design criteria (number of channels, power requirements, servicing requirements, etc.)
5. Processing display criteria (accessibility, historical record, etc.)

The title of this section originates from Regulatory Guide 1.70. Although this section is titled Safety Related Display Instrumentation, not all the instruments discussed in this section are safety related.

7.5.1.1 Safety Parameter Display System

The purpose of the Safety Parameter Display System (SPDS) is to provide a concise display of critical plant variables to control room operators to aid them in rapidly and reliably determining the safety status of the plant. SPDS is designed to assist the operator in implementing the functional restoration guidelines in the Emergency Operations Procedures (EOPs) by providing computer-driven displays that show the current state of the plant's critical safety functions used by the guidelines. Details of the SPDS design are provided in Specification SP-EE-149A.

The means of displaying the variables identified in Table 7.5-1 as part of the Safety Parameter Display System and the Emergency Response Facilities (EOF/TSC) are discussed in Specification SP-M3-IC-022.

7.5.1.2 Emergency Response Facilities

The Emergency Response Facilities are discussed in Section 13.3 of the FSAR as part of the Millstone Nuclear Power Station Emergency Plan.

7.5.2 ANALYSIS

Analyses for compliance with the requirements of this section are addressed in Table 7.5-1.

Further information is provided in Specification SP-M3-IC-022 The Millstone 3 Design Basis to Respond to Regulatory Guide 1.97, Revision 2.

7.5.3 COMPLIANCE WITH OTHER REGULATORY REQUIREMENTS

1. Compliance with Regulatory Guide 1.47 for bypassed and inoperable status design philosophy is described below.
a. An indicator of bypass is provided for each protection system. Bypass includes any deliberate action which renders a protection system inoperable.
b. The indicator is at the system level, not the channel or component level. (Quench spray is a system. A quench spray pump is a component.) There is a separate indicator for each train.


c. The indicator is operated automatically only by actions which meet all these criteria:
  • The action is deliberate. (Component failure may be indicated by component failure indicators but should not operate the system bypass indicator. It is not the intent of the indicator to show operator errors or component failures.)
  • The action is expected to occur more often than once a year. This more often than once a year criterion should be interpreted liberally. If an accessible, permanently installed electrical control device will bypass a safety system, assume that it will be used more than once a year. Devices within the containment are not accessible.

  • The action is expected when the protection system must be operable. (Bypass of source range flux trip during normal power operation should not, for example, be indicated on the system bypass indicator. It may be indicated on a channel or component status indicator.)
  • The action renders the system inoperable, not merely potentially inoperable. (If, for example, redundant, parallel, 100 percent valves are provided for the discharge line of a spray pump, the system bypass indicator should not be actuated by the closing of only one of those valves. Valve closing may be indicated on a component status indicator. If both valves have been deliberately moved from the Open position, the system bypass indicator should be operated. If, on the other hand, each valve carried only 50 percent flow, the system would be inoperable if either was not open. That inoperability should be indicated at the system level. Also, if a system is put in the Trip mode during test, there should be no operation of the system bypass indicator. Such a test may be indicated on a channel status indicator. If a channel is put into bypass mode for test and sufficient redundant channels remain capable of operating the protection system and not more than one channel at a time is expected to be tested, the channel bypass should not be indicated at the system level. If an actuation signal will override the bypass, the system bypass indicator should not be operated.)
  • Some deliberate action has taken place in the protection system or a necessary supporting system. (For example, if the cooling water inlet valve for a recirculation spray heat exchanger is deliberately closed, the system bypass indicator for the recirculation spray system should be operated.)

d. The bypass indicators are separate from other plant indicators and grouped in a logical fashion.
e. A capability is provided to operate each bypass indicator manually. This lets the operator provide bypass indication for an event that renders a safety system inoperable but does not automatically operate the system bypass indicator.
f. There is not any capability to defeat an automatic operation of a bypass indicator. (Audible alarms may be silenced.)
g. The bypass indicators are accompanied by audible alarm.
h. No immediate operator action is required as a result of any system bypass indication.
i. The indication system is mechanically and electrically isolated from the safety system to avoid degradation of the safety system. No fault in the indicator system can impair the ability of the safety system to perform its safety-related function. The bypass indicators are not considered safety-related; i.e., they need not be designed to safety system criteria such as IEEE-279.
j. In accordance with IEEE-279, Paragraph 4.20, the operator must be able to determine why a system level bypass is indicated. This information is provided by the plant computer.
k. Inoperative indicators are provided for the Service Water, Emergency Diesel Generator, Control Building Chilled Water, Reactor Plant Component Cooling Water, and Vital Battery systems. These support systems are unique. They are important enough to warrant bypass indicators, but these indicators are differentiated from non-support system bypass indicators by color.
l. System design meets the recommendations of Branch Technical Position ICSB-21 as follows:
  • Each safety system has a Train A (orange) and Train B (purple) bypass indicator. The indicators are grouped together by train on the main control board. Support systems have white bypass indicators and are arranged together with the associated train of bypass indicators.


  • Millstone 3 has no shared safety systems.
  • Means by which the operator can cancel erroneous bypassed indications are not provided.
  • The bypass indication system does not perform functions essential to safety. No operator action is required based solely on the bypass indication.
  • The indication system has no effect on plant safety systems.
  • The bypass indicating and annunciating function can be tested during normal plant operation.
2. Compliance with Regulatory Guide 1.75 for separation criteria is described in Section 1.8 and Specification SP-M3-IC-022.
3. Compliance with Regulatory Guide 1.105 for instrument spans and setpoints is described in Section 1.8 and Specification SP-M3-IC-022 and referenced in Section 7.1.
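The Regulatory Guide 1.47 criteria in item 1 above (system-level rather than component-level indication, the 100 percent versus 50 percent valve distinction, no indication when an actuation signal overrides the bypass, the manual capability of item e, and the non-defeatable automatic indication of item f) amount to a small decision rule that can be written down and checked. The Python below is an added illustration written for this edit; it is not the Millstone plant computer, the bypass indication system, or any vendor code. The component names, the "capacity" fraction (how much of the system function one path can carry), and the scenarios are constructed assumptions; the fraction also lets the same rule cover the channel-bypass-for-test case, which the text treats only in prose.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Component:
    """One path that contributes to a protection system's function (constructed model).

    capacity: fraction of the function this path carries on its own, e.g. 1.0 for
              each of two parallel 100 percent valves, 0.5 for a 50 percent valve,
              0.5 for one channel of a two-out-of-four trip logic (assumed values).
    """
    name: str
    capacity: float
    deliberate_bypass: bool = False    # taken out of service by a deliberate action
    failed: bool = False               # component failure: component status indicator only
    actuation_overrides: bool = False  # an actuation signal would restore this path

    def in_service(self) -> bool:
        return not (self.deliberate_bypass or self.failed)


@dataclass
class TrainBypassIndicator:
    """System-level bypass indicator for one train (A/orange or B/purple)."""
    train: str
    components: List[Component]
    manual: bool = False             # criterion e: operator sets the indicator by hand
    alarm_silenced: bool = False     # criterion f: the audible alarm may be silenced

    def component_indications(self) -> List[str]:
        """Component-level status: every path out of service, whatever the cause."""
        return [c.name for c in self.components if not c.in_service()]

    def auto_indicated(self) -> bool:
        """Criterion c: operate only when a deliberate action leaves the system inoperable."""
        # A bypass that an actuation signal would override is only a potential loss,
        # so that path still counts toward the available capacity.
        remaining = sum(c.capacity for c in self.components
                        if c.in_service() or c.actuation_overrides)
        if remaining >= 1.0:
            return False  # still operable: component indicators only
        # Inoperable: indicate only if a deliberate action contributed,
        # never for component failures alone (those are not operator actions).
        return any(c.deliberate_bypass and not c.actuation_overrides
                   for c in self.components)

    def lit(self) -> bool:
        """Criterion f: automatic indication cannot be defeated; manual indication adds to it."""
        return self.auto_indicated() or self.manual

    def audible(self) -> bool:
        """Criterion g: the indicator is accompanied by an audible alarm unless silenced."""
        return self.lit() and not self.alarm_silenced


if __name__ == "__main__":
    # Constructed scenarios; the names are placeholders, not plant tag numbers.
    one_closed = TrainBypassIndicator("A", [
        Component("spray-pump-discharge-valve-1", 1.0, deliberate_bypass=True),
        Component("spray-pump-discharge-valve-2", 1.0),
    ])
    both_closed = TrainBypassIndicator("A", [
        Component("spray-pump-discharge-valve-1", 1.0, deliberate_bypass=True),
        Component("spray-pump-discharge-valve-2", 1.0, deliberate_bypass=True),
    ])
    for label, ind in (("one 100% valve closed", one_closed),
                       ("both 100% valves closed", both_closed)):
        print(f"{label}: system indicator={'ON' if ind.lit() else 'off'}, "
              f"component indications={ind.component_indications()}")
```

Two design points follow directly from the criteria: `lit()` is an OR of the automatic and manual inputs, so no operator input can clear an automatic indication (item f), and component failures alone never drive the system-level light, which is exactly the gap the manual capability of item e exists to cover.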


APPENDIX 7.5A MILLSTONE UNIT 3 DEVIATIONS TO REGULATORY GUIDE 1.97 REVISION 2

APPENDIX 7.5A Table of Contents (Deviation Number - Variable - Page)

Deviation Number 1 - RCS Pressure (Wide Range) - 1
Deviation Number 2 - RCS Wide Range T-Hot - 2
Deviation Number 3 - RCS Wide Range T-Cold - 3
Deviation Number 4 - Steam Generator Level (Wide Range) - 4
Deviation Number 5 - Deleted - 5
Deviation Number 6 - Steamline Pressure - 6
Deviation Number 7 - RCS Subcooling - 7
Deviation Number 8 - Containment Hydrogen Concentration - 8
Deviation Number 9 - Reactor Coolant Level - 9
Deviation Number 10 - Containment Isolation Valve Status - 10
Deviation Number 11 - RHR-Heat Exchanger Discharge Temperature - 11
Deviation Number 12 - Accumulator Tank Pressure - 12
Deviation Number 13 - Accumulator Level - 13
Deviation Number 14 - Pressurizer Heater Breaker Position - 14
Deviation Number 15 - Containment Sump Water Temperature - 15
Deviation Number 16 - Containment Sump Level (NR) - 16
Deviation Number 17 - VCT Level - 17
Deviation Number 18 - High Level Liquid Radwaste Tank Level - 18
Deviation Number 19 - Condenser Air Ejector - 19
Deviation Number 20 - Reactor Coolant System Soluble Boron Concentration - 20
Deviation Number 21 - Heat removal by the Containment Fan Heat Removal System - 21
Deviation Number 22 - Radioactive Gas Holdup Tank Pressure - 22
Deviation Number 23 - Radiation Exposure Rate (inside building or areas which are in direct contact with primary containment where penetrations and hatches are located) - 23
Deviation Number 24 - Radiation Exposure Rate (inside buildings or areas where access is required to service equipment important to safety) - 24
Deviation Number 25 - Deleted by FSARCR 05-MP3-006 - 25
Deviation Number 26 - Pressurizer Relief Tank Level, Pressure, and Temperature - 26
Deviation Number 27 - Hydrogen Recombiner Cubicle Ventilation Monitor - 27
Deviation Number 28 - This Deviation deleted per FSARCR 01-MP3-33. - 28
Deviation Number 29 - Flow rate to Millstone Stack (SLCRS) - 29
Deviation Number 30 - Flow out Ventilation Vent - 30
Deviation Number 31 - Deleted - 31
Deviation Number 32 - Valve Status - 32
Deviation Number 33 - Main Steam Isolation and Bypass Valve Status - 34
Deviation Number 34 - Steam Generator Safety Valve Status - 36

APPENDIX 7.5A MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS

Deviation Number 1
Variable Name: RCS Pressure (Wide Range)
AMI Table Item Number: A1, B5, B15, C5, D4, D18
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Actual range is 3000 PSIA, versus a recommended range of 3000 PSIG.

Justification: The actual range of 0-3000 PSIA, which is approximately -14.7 to 2985.3 PSIG, is adequate to monitor the Reactor Coolant System pressure. In addition, RCS pressure (Extended Range, 15-3500 PSIA), which is also a Regulatory Guide 1.97 variable, envelopes the recommended range as described above.

Deviation Number 2
Variable Name: RCS Wide Range T-Hot
AMI Table Item Number: A2, B2, B13
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance:

1. Actual range is 0-700°F, versus a recommended range of 50-750°F.
2. Main board indicators are not redundant as recommended for Category 1 variables.

Justification: Both the range and redundancy deviations have been accepted per SSER 4, Appendix L, 3.3.2.

Deviation Number 3
Variable Name: RCS Wide Range T-Cold
AMI Table Item Number: A3, B3, B14
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance:

1. Actual range is 0-700°F, versus a recommended range of 50-750°F.
2. Main board indicators are not redundant as recommended for Category 1 variables.

Justification: Both the range and redundancy deviations have been accepted per SSER 4, Appendix L, 3.3.2.

Deviation Number 4
Variable Name: Steam Generator Level (Wide Range)
AMI Table Item Number: A4, B7, B10, B18, D27
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Main board indicators are not redundant as recommended for Category 1 variables.

Justification: Wide Range Steam Generator Level and Auxiliary Feedwater Flow are considered diverse redundant instrumentation. Although loss of one division of power supply would result in loss of indication of both flow and wide range level for two of the four steam generators, the design has been determined acceptable in accordance with the intent of Regulatory Guide 1.97, since only one steam generator is required for safe shutdown and Narrow Range Steam Generator Level instruments provide adequate backup information. Refer to NRC Inspection Report 50-423/90-12; August 14, 1990.

Deviation Number 5
Variable Name: Deleted
AMI Table Item Number: Deleted
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Deleted
Justification: Deleted

Deviation Number 6
Variable Name: Steamline Pressure
AMI Table Item Number: A8, B19, D23
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Actual range is 0 to 1300 PSIG, versus a recommended range of atmospheric pressure to 20% above the lowest safety valve setting. The lowest safety valve setting is 1185 PSIG.

Justification: This range deviation has been accepted per SSER 4, Appendix L, 3.3.14.

MPS3 UFSAR APPENDIX 7.5A MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS Deviation Number 7 Variable Name AMI Table Item Number RCS Subcooling A15, B16 Deviation From Regulatory Guide 1.97 Rev. 2 Guidance This variable is designed as a Category 2, versus a recommended Category 1 design.

Justification: The Inadequate Core Cooling Monitor (ICCM) is designed and installed as a Class 1E System. However, its primary means of display in the Main Control Room is the Safety Parameter Display System (SPDS), which is a Non-Class 1E system. This design satisfies the requirements of NUREG-0737, Item II.F.2. The design category deviation has been accepted per SSER 4, Appendix L, 3.3.4 and SSER 5, 4.4.8.


Deviation Number 8
Variable Name: Containment Hydrogen Concentration
AMI Table Item Number: C12
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Actual range is 0-10% (capable of operating from 11.76 PSIA to maximum design pressure), versus a recommended range of 0-10% (capable of operating from 10 PSIA to maximum design pressure).

Justification: This range deviation has been accepted per SSER 4, Appendix L, 3.3.7.


Deviation Number 9
Variable Name: Reactor Coolant Level
AMI Table Item Number: B11
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance

1. Actual range of Plenum Level: 0 to 100% and Head Level: 63 to 100%, versus a recommended range of Bottom of Core to Top of Vessel.
2. This variable is designed as a Category 2, versus a recommended Category 1 design.

Justification

1. The actual range is consistent with the recommended range in Regulatory Guide 1.97 Rev. 3 of Top of Vessel to Top of Core. This range deviation has been accepted per SSER 4, Appendix L, 3.3.3.
2. The Inadequate Core Cooling Monitor (ICCM) processes the reactor coolant level information for display. The ICCM is designed and installed as a Class 1E System. However, its primary means of display in the Main Control Room is the Safety Parameter Display System (SPDS), which is a Non-Class 1E system. This design satisfies the requirements of NUREG-0737, Item II.F.2. The design category deviation has been accepted per SSER 4, Appendix L, 3.3.3 and SSER 5, 4.4.8.


Deviation Number 10
Variable Name: Containment Isolation Valve Status
AMI Table Item Number: C16
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance

1. Containment Isolation Valves are qualified to the recommended Category 1 requirements with the exception of redundancy of the associated main board valve indicators. Therefore, this variable will be considered a Category 2 variable.
2. Containment Isolation Valve 3CVS*MOV25 is not supplied with highly reliable power as recommended for Category 2 variables.

Justification

1. Type C variables which indicate the actual breach of a fission product barrier have been designated as preferred backup information and are qualified to Category 2 criteria. The deviation regarding redundancy of main board indicators has been accepted per SSER 4, Appendix L, 3.3.5.
2. Containment Isolation Valve 3CVS*MOV25 is locked closed. This valve does not perform a containment isolation function during a Design Basis Accident and should not be considered a Regulatory Guide 1.97 variable.


Deviation Number 11
Variable Name: RHR Heat Exchanger Discharge Temperature
AMI Table Item Number: D1
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Actual range is 50-400°F, versus a recommended range of 32-350°F.

Justification: This range deviation has been accepted per SSER 4, Appendix L, 3.3.8.


Deviation Number 12
Variable Name: Accumulator Tank Pressure
AMI Table Item Number: D10
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Actual range is 0-700 PSIA, versus a recommended range of 0-750 PSIG.

Justification: This range deviation has been accepted per SSER 4, Appendix L, 3.3.10. However, the acceptance was based on a designed range of 0-700 PSIG, while the actual range is 0-700 PSIA, which is approximately -14.7 to 685.3 PSIG. The existing range is adequate to monitor expected accumulator tank pressures.


Deviation Number 13
Variable Name: Accumulator Level
AMI Table Item Number: D13
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: This variable is designed as a Category 3, versus a recommended Category 2 design.

Justification: The NRC has accepted the design category deviation per NRC letter to John F. Opeka, dated April 9, 1992, Docket Number 50-423. Refer to SSER 4, Appendix L, 3.3.9.


Deviation Number 14
Variable Name: Pressurizer Heater Breaker Position
AMI Table Item Number: D16
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Pressurizer Heater Breaker Position is monitored, versus a recommended measurement of electric current.

Justification: This deviation was accepted per SSER 4, Appendix L, 3.3.13.


Deviation Number 15
Variable Name: Containment Sump Water Temperature
AMI Table Item Number: D37
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: This variable is designed as a Category 3, versus a recommended Category 2 design.

Justification: Approval of the installation of containment sump temperature as a Category 3 variable was granted by the NRC with the issue of Amendment 42 to Operating License NPF-49 in response to the NNECO request of August 14, 1989, which deleted license condition 2.C (6).


Deviation Number 16
Variable Name: Containment Sump Level (NR)
AMI Table Item Number: D38
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: This variable is designed as a Category 3, versus a recommended Category 2 design.

Justification: This deviation was explicitly described in the Response to NRC question 420.6. The NRC approved the response to question 420.6 as part of SSER 4. The response to 420.6 states that two Class 1E qualified wide range and one unqualified narrow range sump water level channels are used to monitor the Containment Water Level. The narrow and wide range channels overlap.


Deviation Number 17
Variable Name: VCT Level
AMI Table Item Number: D44
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Only the cylindrical portion of the tank is measured for level, versus a recommended measurement of Top to Bottom.

Justification: This deviation was accepted per SSER 4, Appendix L, 3.3.19.


Deviation Number 18
Variable Name: High Level Liquid Radwaste Tank Level
AMI Table Item Number: D63
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Indication via dial, digital, CRT, or strip chart recorder of tank level is not provided in the Main Control Room as recommended for Category 3 variables.

Justification: Only a common trouble alarm is available in the Main Control Room. Variable indication and high/low level alarms are provided locally. This deviation has been accepted per SSER 4, Appendix L, 3.3.21.

Deviation Number 19
Variable Name: Condenser Air Ejector
AMI Table Item Number: C9
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Actual range is 1.5×10^-5 to 10^0 µCi/cc, versus a recommended range of 10^-6 to 10^-2 µCi/cc.

Justification: The low range, or sensitivity, of this monitor depends on the radionuclide mix and on the monitor background radiation. Both of these parameters are variable, and therefore so is the monitor's sensitivity. The ability to detect RCS leakage of a given size into the steam generator secondary side is also highly dependent on the reactor coolant activity, which is also highly variable. Even with low coolant activity, these monitors meet the intent of Regulatory Guide 1.97 Rev. 2, in that any major RCS leakage, including a tube rupture, would be easily detected and alarmed by the Condenser Air Ejector Monitor.


Deviation Number 20
Variable Name: Reactor Coolant System Soluble Boron Concentration
AMI Table Item Number: Not Listed
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Regulatory Guide 1.97 Rev. 2 recommends Category 3 instrumentation with a range of 0 to 6000 parts per million for this variable.

Justification: Category 1 Neutron Flux monitoring will adequately perform this function. This is being addressed by the NRC as part of their review of NUREG-0737, Item II.B.3, as described in SSER 4, Appendix L, 3.3.1.

Deviation Number 21
Variable Name: Heat Removal by the Containment Fan Heat Removal System
AMI Table Item Number: Not Listed
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Regulatory Guide 1.97 Rev. 2 recommends plant specific instrumentation for this variable.

Justification: The containment air coolers are not used in an accident or post-accident condition, and therefore this is not considered a Regulatory Guide 1.97 variable. This has been accepted per SSER 4, Appendix L, 3.3.16.


Deviation Number 22
Variable Name: Radioactive Gas Holdup Tank Pressure
AMI Table Item Number: Not Listed
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Regulatory Guide 1.97 Rev. 2 recommends instrumentation for this variable.

Justification: Millstone 3 does not have radioactive gas holdup tanks and therefore will not provide instrumentation for this variable. This has been accepted per SSER 4, Appendix L, 3.3.22.


Deviation Number 23
Variable Name: Radiation Exposure Rate (inside buildings or areas which are in direct contact with primary containment where penetrations and hatches are located)
AMI Table Item Number: Not Listed
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Regulatory Guide 1.97 Rev. 2 recommends monitoring radiation exposure rates inside buildings or areas, e.g., auxiliary building, reactor shield building annulus, fuel handling building, which are in direct contact with primary containment where penetrations and hatches are located, for the purpose of monitoring the containment structure for an indication of breach. This variable is listed under type C variables.

Justification: The utility is providing area radiation monitors, some of which happen to satisfy this requirement. The monitors are listed in FSAR Table 12.3-2. The utility declines to list these monitors in any accident plans and does not consider them to be safety related, nor Regulatory Guide 1.97 variables, for the following reasons. Regulatory Guide 1.97 Rev. 2 requires the monitors for indication of breach of containment. Breach of containment is best indicated by the effluent monitors and field test results. The proposed area monitors would be essentially useless for this purpose. During a serious accident, typical streaming and shine dose rates from the containment would be approximately 100 R/hr in these areas. Add to this the direct dose rates from any piping sources (e.g., RHR piping could be reading 10^6 R/hr) and it is obvious that the accident levels in these areas would preclude any determination of airborne leakage. Even if containment breach could be detected, these monitors would not be used for a quantitative estimate of release rates.

Refer to response to NRC question 420.6, note 29.


Deviation Number 24
Variable Name: Radiation Exposure Rate (inside buildings or areas where access is required to service equipment important to safety)
AMI Table Item Number: Not Listed
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Regulatory Guide 1.97 Rev. 2 recommends monitoring radiation exposure rates inside buildings or areas where access is required to service equipment important to safety, for the purpose of detection of significant releases, release assessment, and long-term surveillance. This variable is listed under type E variables.

Justification: The utility is providing area radiation monitors, some of which happen to satisfy this requirement. These monitors are listed in FSAR Table 12.3-2. The utility declines to list these monitors in any accident plans and does not consider them safety related, nor Regulatory Guide 1.97 variables, for the following reason. Regulatory Guide 1.97 states that these areas should have monitors with a range of 10^-1 R/hr to 10^4 R/hr. This range is too high because dose rates above 10^2 R/hr will preclude personnel access to the area. At Millstone Unit 3, any radiation areas that need personnel access will be surveyed by radiation protection teams using portable survey instruments to obtain a more accurate radiation picture than would be obtained with a single permanently mounted high range area monitor. Also, the high range area monitors would not be used for any post-accident dose assessments nor corrective actions. Refer to response to NRC Question 420.6, Note 67.


Deviation Number 25
Deleted by FSARCR 05-MP3-006.

Deviation Number 26
Variable Name: Pressurizer Relief Tank Level, Pressure, and Temperature
AMI Table Item Number: Not Listed
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Regulatory Guide 1.97 Rev. 2 recommends instrumentation to monitor Quench Tank Level, Pressure, and Temperature. Millstone Unit 3 does not list these instruments as accident monitoring variables.

Justification: Instrumentation that meets the requirements of Regulatory Guide 1.97 Rev. 2 is provided for the above variables. However, the utility does not consider these instruments to be post-accident monitoring instrumentation. This deviation was accepted by the NRC as part of the response to NRC question 420.6.


Deviation Number 27
Variable Name: Hydrogen Recombiner Cubicle Ventilation Monitor
AMI Table Item Number: C10, E10
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Actual range is 10^-6 to 10^0 µCi/cc, versus a recommended range of 10^-6 to 10^2 µCi/cc.

Justification: This variable is not considered a release point, but is used to actuate closure of the hydrogen recombiner cubicle. Because this is not a release point, instrumentation in conformance to Regulatory Guide 1.97 Rev. 2 is not needed. This has been accepted per SSER 4, Appendix L, 3.3.24.


Deviation Number 28
This Deviation deleted per FSARCR 01-MP3-33.


Deviation Number 29
Variable Name: Flow Rate to Millstone Stack (SLCRS)
AMI Table Item Number: E3
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: SLCRS accident monitoring instrumentation flow rate range is 150 to 12,150 Standard Cubic Feet per Minute (SCFM), versus a recommended flow rate range of 0 to 110% vent design flow.

Justification: Regulatory Guide 1.97 recommends instrumentation for this variable with a range of 0 to 110 percent of design flow rate. The SLCRS design maximum flow rate is 10,800 SCFM. The flow rate corresponding to 110 percent of the SLCRS design flow is 11,880 SCFM. The flow rate of the low end of the indication range, 150 SCFM, corresponds to 1.4 percent of the SLCRS design flow.

The actual SLCRS flow range is approximately 200 SCFM to 10,800 SCFM. Actual minimum flow during SLCRS accident operation is 7600 SCFM and maximum flow is 10,800 SCFM.

Therefore, the accident monitoring instrumentation flow range of 150 to 12,150 SCFM is conservative and bounding. This range exceeds the 110 percent requirement of the Regulatory Guide for flow rate to the Millstone Stack. The minimum flow rate indication of 150 SCFM bounds the minimum system flow rate of 200 SCFM, although it deviates slightly from the Regulatory Guide 1.97 requirement of 0 percent flow rate. Based on the minor nature of the deviation, and the fact that the indication provided fully bounds the expected system flow rates, this deviation is considered insignificant.


Deviation Number 30
Variable Name: Flow out Ventilation Vent
AMI Table Item Number: E2
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Flow out Ventilation Vent instrumentation flow rate range is 30,000 to 280,000 Standard Cubic Feet per Minute (SCFM), versus a recommended flow rate range of 0 to 110% vent design flow.

Justification: Regulatory Guide 1.97 recommends instrumentation for this variable with a range of 0 to 110 percent of design flow rate. The Ventilation Vent maximum flow rate is 232,000 SCFM. The flow rate corresponding to 110 percent of the Ventilation Vent maximum flow is therefore 255,200 SCFM. The measurement flow rate at the low end of the indication range, 30,000 SCFM, corresponds to 13 percent of the Ventilation Vent maximum flow.

The actual SLCRS flow range is approximately 17,000 SCFM to 232,000 SCFM. Therefore, the Ventilation Vent flow instrument's measurement range is conservative and bounding at the high end but will not measure down to the minimum flow rate that is possible. This minimum flow rate would result when a loss of power (LOP) occurs during cold weather conditions, i.e., when the charging pump cubicle dampers have been manually throttled. This system alignment isolates all but the ventilation from the Charging Pump Cubicles and, with the dampers partially closed in their winter mode, will result in approximately 17,000 SCFM. Otherwise, the expected minimum system flow will be above the instrument's minimum flow value of 30,000 SCFM. The flow instrument provides input to the Ventilation Vent radiation monitor computer to support a calculation of the amount of radioactivity released from the Ventilation Vent for the purpose of offsite dose estimates. Should a LOCA occur during this condition of flow rates below the instrument's measurement capability, the flow instrument will default to its minimum signal value, which will result in a conservative (larger) estimate of activity release. While less than desirable, this will result in conservative decisions with respect to Emergency Plan actions resulting from the dose assessment calculations.

Based upon this conservative result the deviation is determined to be acceptable.


Deviation Number 31
Deleted.

Deviation Number 32
Variable Name / AMI Table Item Number:
- Main Steam Isolation and Bypass Valve Status: B21
- Steam Generator Atmospheric Valve Status: D20
- Main Steam Isolation and Bypass Valve Status: D21
- MFW Control and Bypass Valve Status: D24
- MFW Isolation Valve Status: D25
- Steam Generator Blowdown Isolation Valve Status: D29

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Limit switches providing valve position indication are not qualified for long term post accident monitoring following a Main Steam Line Break (MSLB) inside the Main Steam Valve Building (MSVB).

Justification: Under the worst case MSLB scenario in the MSVB, the NAMCo limit switches monitoring safety related valve position may fail to provide the Regulatory Guide 1.97 required position indication, because the limit switch temperature can exceed the qualification temperature during long term post accident periods (Reference 2). The NAMCo limit switches for the subject components are listed in EQRs 109-0-7, 109-8-2 and 109-3-1. As described in Reference 3, the MSVB NAMCo limit switches subjected to the temperature rise for this bounding scenario perform one of the following functions:

1. Valve position indication via lights on the Main Control Board and/or local electrical distribution equipment, plant process computer valve position input, and valve position annunciation. Failure of these limit switches will simply result in loss, or ambiguity, of those position signals. Many of these are credited for Regulatory Guide 1.97 post accident monitoring, primarily for containment isolation verification. Because this environmental condition is from a MSLB in the MSVB, containment isolation is not a required function, and loss of these indications will not be significant nor impact any safety function. For the other valve position indications, which are related to feedwater and/or steam line isolation, the closure of the valve will be recorded in the plant process computer history file once the valve has reached its safety position, which will occur prior to reaching the NAMCo qualification temperature. Subsequent indirect indication of maintaining valve closure will be evident through monitoring of steam generator level indications. These are indications only, and any environmental failure of these limit switches cannot result in a repositioning of these valves from their safety position.

2. Air Operated Valve (AOV) control seal-in circuits which hold the AOV's solenoid valve energized after the momentary push button opens the AOV. These limit switch contacts are normally open in their de-energized state, i.e., the limit switch internal spring opposes contact closure. Once the valves move to their fail safe position, closed, there is no credible failure mechanism on the part of these limit switches that could cause a re-actuation of the solenoid and subsequent opening of the AOV.
3. The Feedwater Isolation Valves' (FWIVs') limit switches perform no function in the FWIVs' safety action to close upon receipt of a Feedwater Isolation signal, nor can their failure prevent the FWIVs' safety action to close. Additionally, any failure of the limit switches will not cause the FWIVs to open once they have moved to their fail safe closed position.

Therefore, should any of the subject MSVB NAMCo limit switches fail as a result of being exposed to the bounding worst case MSLB postulated above, they will not prevent any safety functions from occurring, nor will their failure result in any unacceptable consequences.

References

1. Calculation 07-ENG-04255M3, Rev. 00, Impact of SPU on MSVH Temperature & Pressure Transient due to Steam Line Break.

2. 08-SPUP-04379M3, Rev. 0, Thermal Lag Analysis for NAMCO Limit Switches Exposed to a HELB in the MSVB under SPU conditions.
3. Letter to NRC Serial Number 08-0248A RAI response to Stretch Power Uprate LAR dated May 15, 2008.


Deviation Number 33
Variable Name: Main Steam Isolation and Bypass Valve Status
AMI Table Item Number: B21, D21
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: Position sensor coils of the main steam isolation valves (MSIVs) are not qualified for long term post accident monitoring following a Main Steam Line Break (MSLB) inside the Main Steam Valve Building (MSVB).

Justification: MSIV (3MSS*CTV27A-D) valve position status is provided via position sensor coils in the valve bodies. The position sensor coils provide confirmation of steam line isolation through valve position indication, following a MSLB. The MSVB environment resulting from the worst case MSLB in the MSVB will result in the Sulzer position sensor coils exceeding their qualification temperature during this event with possible loss of position indication. In a letter to the NRC (Reference 1), it was stated that alternately, steam generator level indication, which does not see the MSVB harsh environment, can be used to establish that isolation has occurred. This is further reinforced by Supplement 5 of the Millstone 3 SER (Reference 2), which states:

In addition, the licensee stated that all Millstone 3 equipment which is required to function to mitigate the consequences of a main steam line break accident is qualified to function at the maximum compartment temperature of 325°F at steam line isolation. The licensee also stated that the equipment will remain in its safe position regardless of the fact that it will be exposed to temperatures above the qualification temperature. The staff reviewed all information provided by the licensee and found it acceptable.

Therefore, position indication is not necessary following a Main Steam Line Break inside the Main Steam Valve Building, since alternate methods are available for monitoring.

References

1. Letter from J.F. Opeka (NU) to NRC, Millstone Nuclear Power Station, Unit Number 3, Evaluation of Environmental Effects of Main Steam Line Break (MSLB) Outside Containment, Docket Number 50-423, B11944, dated January 7, 1986.
2. NUREG-1031, Supplement Number 5, Safety Evaluation Report related to the Operation of Millstone Nuclear Power Station, Unit Number 3, Docket Number 50-423, January 1986.


Deviation Number 34
Variable Name: Steam Generator Safety Valve Status
AMI Table Item Number: D22
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance: The flow elements (3SVV-FE28A-D, 3SVV-FE29A-D, 3SVV-FE30A-D, 3SVV-FE31A-D, and 3SVV-32A-D) which sense flow through the main steam safety relief valves (3MSS*RV22A-D, *RV23A-D, *RV24A-D, *RV25A-D, *RV26A-D) are not qualified for long term monitoring of flow / no flow indication following a Main Steam Line Break (MSLB) inside the Main Steam Valve Building (MSVB).

Justification: EQR 191-1-2 currently states that the function of the flow elements is to sense flow through the main steam safety relief valves (3MSS*RV22A-D, *RV23A-D, *RV24A-D, *RV25A-D, *RV26A-D), and to provide flow / no flow indication to the plant control room in order to verify whether the safety valves are open or closed. The safety function of the flow elements is to provide information on main steam safety valve position, but they are not required for long term post accident monitoring following an MSLB in the MSVB, since there are other means to detect a safety valve lift. A letter from J. F. Opeka (NU) to NRC, Millstone Nuclear Power Station, Unit Number 3, Evaluation of Environmental Effects of Main Steam Line Break (MSLB) Outside Containment, Docket Number 50-423, B11944, dated January 7, 1986, states that following a steam line break, the steam generator level indication, which is located inside containment, will be available to identify the faulted loop. The letter further states:

For the intact loops, indication that the steam generators are isolated and level is maintained and heat removal is being accomplished can be obtained from steam generator level, auxiliary feedwater flow and reactor coolant system temperature, none of which are affected by the MSLB environment. Safety valve lift can be detected using main steam flow indication located inside containment or visual indication from the yard, and successful heat removal can be monitored by observing steam generator level, auxiliary feedwater flow and reactor coolant system temperature, as stated above. Containment isolation indication in the main steam valve building is for the MSIV position indication. Isolation can be established via the main steam line pressure transmitters, which will be operable at the time of MSIV closure. Alternatively, steam generator level indication, which does not see the harsh environment, can be used to establish that isolation has occurred.

This is further reinforced by Supplement 5 of the Millstone 3 SER, NUREG-1031, Supplement Number 5, Safety Evaluation Report related to the Operation of Millstone Nuclear Power Station, Unit Number 3, Docket Number 50-423, January 1986, which states:

In addition, the licensee stated that all Millstone 3 equipment which is required to function to mitigate the consequences of a main steam line break accident is qualified to function at the maximum compartment temperature of 325°F at steam line isolation. The licensee also stated that the equipment will remain in its safe position regardless of the fact that it will be exposed to temperatures above the qualification temperature. The staff reviewed all the information provided by the licensee and found it acceptable.

Therefore, the Steam Generator safety valve flow elements will not be required to be qualified for long term post accident monitoring following a MSLB inside the MSVB. Alternately, safety valve lift can be detected using main steam flow indication located inside containment or visual indication from the yard, and successful heat removal can be monitored by observing steam generator level, auxiliary feedwater flow and reactor coolant system temperature. This deviation to the Regulatory Guide 1.97 Program, specific to a MSLB in the MSVB, has no adverse impact on any other structures, systems, or components important to safety.

References

1. Letter from J.F. Opeka (NU) to NRC, Millstone Nuclear Power Station, Unit Number 3, Evaluation of Environmental Effects of Main Steam Line Break (MSLB) Outside Containment, Docket Number 50-423, B11944, dated January 7, 1986.
2. NUREG-1031, Supplement No. 5, Safety Evaluation Report related to the Operation of Millstone Nuclear Power Station, Unit Number 3, Docket Number 50-423, January 1986.

7.5A-37 Rev. 30

[Table 7.5-1, Accident Monitoring Instrumentation List (main table): the table body is not recoverable from this extraction. Per the table notes, each entry lists the monitored variable and sensor, its instrument range, redundancy, power supply (Vital, Vital UPS or Non-Vital UPS), main board instrument and recorder tag numbers, computer point, Reg. Guide 1.97 Rev. 2 design category, and EEQ/seismic/QA qualification. The notes to the table follow.]

and Circuit Breaker position status information is provided for valves and pumps respectively.

R. For design Category 2 and 3 instrumentation this column is marked N/A since there are no specific provisions for redundancy of Reg. Guide 1.97 Rev. 2 Cate An instrumentation channel pertains to the signal from the sensor (listed under the Variable/Sensor column) to, at a minimum, the Main Board Instrument (listed un column. The power supplies listed in this table are defined as follows:

which is, at a minimum, backed by the Emergency Diesel Generators.

Panel which is backed by the Emergency Diesel Generators and Class 1E Batteries.

l which is neither backed by the Emergency Diesel Generators nor Class 1E Batteries.

Panel which is, at a minimum, backed by Non-Class 1E Batteries.

efined above, are considered highly reliable power sources.

the TSC/EOF Computer column, display will be via CRTs driven by either OFIS or SPDS.

for this instrumentation as determined by Specification SP-M3-IC-022.

rogram Specification SP-EE-353 Millstone Unit 3 Environmental Qualification Master List. The listed sensor and instrument loop up to and including an isolation ument are determined as part of the EEQ program. For design Category 3 instrumentation, N/A is entered since there are no specific provisions for environmental

MPS3 UFSAR TABLE 7.5-1 Accident Monitoring Instrumentation List, Attachment 1

Variable No./Name / Sensor ID      EEQ  Seismic  QA   Power Supply

D3/RHR Valve Status
  3RHS*FCV610                      Yes  Yes      Yes  Vital
  3RHS*FCV611                      Yes  Yes      Yes  Vital
  3RHS*HCV606                      No   No       No   Non-Vital UPS
  3RHS*HCV607                      No   No       No   Non-Vital UPS
  3RHS*MV8701A                     Yes  Yes      Yes  Vital
  3RHS*MV8701B                     Yes  Yes      Yes  Vital
  3RHS*MV8701C                     Yes  Yes      Yes  Vital
  3RHS*MV8702A                     Yes  Yes      Yes  Vital
  3RHS*MV8702B                     Yes  Yes      Yes  Vital
  3RHS*MV8702C                     Yes  Yes      Yes  Vital
  3RHS*MV8716A                     Yes  Yes      Yes  Vital
  3RHS*MV8716B                     Yes  Yes      Yes  Vital

D31/AFW Valve Status
  3FWA*HV31A                       Yes  Yes      Yes  Vital UPS
  3FWA*HV31B                       Yes  Yes      Yes  Vital UPS
  3FWA*HV31C                       Yes  Yes      Yes  Vital UPS
  3FWA*HV31D                       Yes  Yes      Yes  Vital UPS
  3FWA*HV32A                       No   Yes      Yes  Vital UPS
  3FWA*HV32B                       No   Yes      Yes  Vital UPS
  3FWA*HV32C                       No   Yes      Yes  Vital UPS
  3FWA*HV32D                       No   Yes      Yes  Vital UPS
  3FWA*HV36A                       Yes  Yes      Yes  Vital UPS
  3FWA*HV36B                       Yes  Yes      Yes  Vital UPS
  3FWA*HV36C                       Yes  Yes      Yes  Vital UPS
  3FWA*HV36D                       Yes  Yes      Yes  Vital UPS
  3FWA*AOV23A                      Yes  Yes      Yes  Vital UPS
  3FWA*AOV23B                      Yes  Yes      Yes  Vital UPS
  3FWA*AOV61A                      Yes  Yes      Yes  Vital UPS
  3FWA*AOV61B                      Yes  Yes      Yes  Vital UPS
  3FWA*AOV62A                      No   Yes      Yes  Vital UPS
  3FWA*AOV62B                      No   Yes      Yes  Vital UPS
  3FWA*MOV35A                      Yes  Yes      Yes  Vital
  3FWA*MOV35B                      Yes  Yes      Yes  Vital
  3FWA*MOV35C                      Yes  Yes      Yes  Vital
  3FWA*MOV35D                      Yes  Yes      Yes  Vital
  3MSS*MOV17A                      No   Yes      Yes  Vital
  3MSS*MOV17B                      No   Yes      Yes  Vital
  3MSS*MOV17D                      No   Yes      Yes  Vital
  3MSS*MOV74A                      Yes  Yes      Yes  Vital
  3MSS*MOV74B                      Yes  Yes      Yes  Vital
  3MSS*MOV74C                      Yes  Yes      Yes  Vital
  3MSS*MOV74D                      Yes  Yes      Yes  Vital

D46/CVCS Valve Status
  3CHS*AOV64                       No   No       No   Non-Vital UPS
  3CHS*AOV68                       No   No       No   Non-Vital UPS
  3CHS*AOV71                       No   No       No   Non-Vital UPS
  3CHS*AV002A                      No   No       No   Non-Vital UPS
  3CHS*AV002B                      No   No       No   Non-Vital UPS
  3CHS*AV7010A                     No   No       No   Non-Vital UPS
  3CHS*AV7010B                     No   No       No   Non-Vital UPS
  3CHS*AV7010C                     No   No       No   Non-Vital UPS
  3CHS*AV7010D                     No   No       No   Non-Vital UPS
  3CHS*AV7010E                     No   No       No   Non-Vital UPS
  3CHS*AV7022                      No   No       No   Non-Vital UPS
  3CHS*AV7040                      No   No       No   Non-Vital UPS
  3CHS*AV7041                      No   No       No   Non-Vital UPS
  3CHS*AV7045                      No   No       No   Non-Vital UPS
  3CHS*AV7046                      No   No       No   Non-Vital UPS
  3CHS*AV7054                      No   No       No   Non-Vital UPS
  3CHS*AV7057                      No   No       No   Non-Vital UPS
  3CHS*AV8101                      No   No       No   Non-Vital UPS
  3CHS*AV8141A                     No   No       No   Non-Vital UPS
  3CHS*AV8141B                     No   No       No   Non-Vital UPS
  3CHS*AV8141C                     No   No       No   Non-Vital UPS
  3CHS*AV8141D                     No   No       No   Non-Vital UPS
  3CHS*AV8143                      Yes  Yes      Yes  Vital UPS
  3CHS*AV8146                      No   Yes      Yes  Vital UPS
  3CHS*AV8147                      No   Yes      Yes  Vital UPS
  3CHS*AV8149A                     No   Yes      Yes  Vital UPS
  3CHS*AV8149B                     No   Yes      Yes  Vital UPS
  3CHS*AV8149C                     No   Yes      Yes  Vital UPS
  3CHS*CV8152                      Yes  Yes      Yes  Vital UPS
  3CHS*CV8160                      Yes  Yes      Yes  Vital UPS
  3CHS*FCV110A                     Yes  Yes      Yes  Vital UPS
  3CHS*FCV110B                     Yes  Yes      Yes  Vital UPS
  3CHS*FCV111A                     Yes  Yes      Yes  Vital UPS
  3CHS*FCV111B                     Yes  Yes      Yes  Vital UPS
  3CHS*FCV110A                     Yes  Yes      Yes  Vital UPS
  3CHS*FCV110B                     Yes  Yes      Yes  Vital UPS
  3CHS*FCV111A                     Yes  Yes      Yes  Vital UPS
  3CHS*FCV111B                     Yes  Yes      Yes  Vital UPS
  3CHS*FCV121                      No   No       No   Non-Vital UPS
  3CHS*HCV128                      No   No       No   Non-Vital UPS
  3CHS*HCV182                      No   No       No   Non-Vital UPS
  3CHS*HCV190A                     Yes  Yes      Yes  Vital UPS
  3CHS*HCV190B                     Yes  Yes      Yes  Vital UPS
  3CHS*HCV387                      No   No       No   Non-Vital UPS
  3CHS*LCV112A                     Yes  Yes      Yes  Vital UPS
  3CHS*LCV112B                     Yes  Yes      Yes  Vital
  3CHS*LCV112C                     Yes  Yes      Yes  Vital
  3CHS*LCV112D                     Yes  Yes      Yes  Vital
  3CHS*LCV112E                     Yes  Yes      Yes  Vital
  3CHS*MV8100                      Yes  Yes      Yes  Vital
  3CHS*MV8104                      Yes  Yes      Yes  Vital
  3CHS*MV8105                      Yes  Yes      Yes  Vital
  3CHS*MV8106                      Yes  Yes      Yes  Vital
  3CHS*MV8109A                     Yes  Yes      Yes  Vital
  3CHS*MV8109B                     Yes  Yes      Yes  Vital
  3CHS*MV8109C                     Yes  Yes      Yes  Vital
  3CHS*MV8109D                     Yes  Yes      Yes  Vital
  3CHS*MV8110                      Yes  Yes      Yes  Vital
  3CHS*MV8111A                     Yes  Yes      Yes  Vital
  3CHS*MV8111B                     Yes  Yes      Yes  Vital
  3CHS*MV8111C                     Yes  Yes      Yes  Vital
  3CHS*MV8112                      Yes  Yes      Yes  Vital
  3CHS*MV8116                      Yes  Yes      Yes  Vital
  3CHS*MV8438A                     Yes  Yes      Yes  Vital
  3CHS*MV8438B                     Yes  Yes      Yes  Vital
  3CHS*MV8438C                     Yes  Yes      Yes  Vital
  3CHS*MV8468A                     Yes  Yes      Yes  Vital
  3CHS*MV8468B                     Yes  Yes      Yes  Vital
  3CHS*MV8507A                     Yes  Yes      Yes  Vital
  3CHS*MV8507B                     Yes  Yes      Yes  Vital
  3CHS*MV8511A                     Yes  Yes      Yes  Vital
  3CHS*MV8511B                     Yes  Yes      Yes  Vital
  3CHS*MV8512A                     Yes  Yes      Yes  Vital
  3CHS*MV8512B                     Yes  Yes      Yes  Vital
  3CHS*PCV131                      No   No       No   Non-Vital UPS
  3CHS*SOV390A                     No   Yes      Yes  Non-Vital UPS
  3CHS*SOV390B                     No   Yes      Yes  Non-Vital UPS
  3CHS*TCV129                      Yes  Yes      Yes  Vital UPS
  3CHS*TCV381A                     No   No       No   Non-Vital UPS
  3CHS*TCV381B                     No   No       No   Non-Vital UPS
  3CHS*TCV386                      No   No       No   Non-Vital UPS
  3RCS*AV8036A                     No   No       No   Non-Vital UPS
  3RCS*AV8036B                     No   No       No   Non-Vital UPS
  3RCS*AV8036C                     No   No       No   Non-Vital UPS
  3RCS*AV8036D                     No   No       No   Non-Vital UPS
  3RCS*AV8037A                     No   No       No   Non-Vital UPS
  3RCS*AV8037B                     No   No       No   Non-Vital UPS
  3RCS*AV8037C                     No   No       No   Non-Vital UPS
  3RCS*AV8037D                     No   No       No   Non-Vital UPS
  3RCS*AV8153                      Yes  Yes      Yes  Vital UPS
  3RCS*LCV459                      No   Yes      Yes  Vital UPS
  3RCS*LCV460                      Yes  Yes      Yes  Vital UPS
  3RCS*MV8098                      No   Yes      Yes  Vital

D52/HVAC Damper Positions
  3HVC*AOV20                       No   Yes      Yes  Vital UPS
  3HVC*AOV21                       No   Yes      Yes  Vital UPS
  3HVC*AOV22                       No   Yes      Yes  Vital UPS
  3HVC*AOV23                       No   Yes      Yes  Vital UPS
  3HVC*AOV25                       No   Yes      Yes  Vital UPS
  3HVC*AOV26                       No   Yes      Yes  Vital UPS
  3HVC*AOD27A                      No   Yes      Yes  Vital UPS
  3HVC*AOD27B                      No   Yes      Yes  Vital UPS
  3HVC*MOD33A                      No   Yes      Yes  Vital
  3HVC*MOD33B                      No   Yes      Yes  Vital
  3HVC*AOD119B                     No   Yes      Yes  Vital UPS
  3HVC*AOD119A                     No   Yes      Yes  Vital UPS
  3HVP*MOD20A                      No   Yes      Yes  Vital
  3HVP*MOD20B                      No   Yes      Yes  Vital
  3HVP*MOD20C                      No   Yes      Yes  Vital
  3HVP*MOD20D                      No   Yes      Yes  Vital
  3HVP*MOD23A                      No   Yes      Yes  Vital
  3HVP*MOD23B                      No   Yes      Yes  Vital
  3HVP*MOD26A                      No   Yes      Yes  Vital
  3HVP*MOD26B                      No   Yes      Yes  Vital
  3HVQ*AOD40A                      Yes  Yes      Yes  Vital UPS
  3HVQ*AOD40B                      Yes  Yes      Yes  Vital UPS
  3HVQ*AOD40C                      No   Yes      Yes  Vital UPS
  3HVQ*AOD40D                      No   Yes      Yes  Vital UPS
  3HVQ*AOD41A                      No   Yes      Yes  Vital UPS
  3HVQ*AOD41B                      Yes  Yes      Yes  Vital UPS
  3HVQ*AOD41C                      No   Yes      Yes  Vital UPS
  3HVQ*AOD41D                      No   Yes      Yes  Vital UPS
  3HVQ*AOD42A                      No   Yes      Yes  Vital UPS
  3HVQ*AOD42B                      Yes  Yes      Yes  Vital UPS
  3HVQ*AOD42C                      No   Yes      Yes  Vital UPS
  3HVQ*AOD42D                      No   Yes      Yes  Vital UPS
  3HVQ*AOD43A                      No   Yes      Yes  Vital UPS
  3HVQ*AOD43B                      Yes  Yes      Yes  Vital UPS
  3HVQ*AOD43C                      Yes  Yes      Yes  Vital UPS
  3HVQ*AOD43D                      No   Yes      Yes  Vital UPS
  3HVQ*MOD26A1                     No   Yes      Yes  Vital
  3HVQ*MOD26B1                     No   Yes      Yes  Vital
  3HVQ*MOD26C1                     No   Yes      Yes  Vital
  3HVQ*MOD26A2                     No   Yes      Yes  Vital
  3HVQ*MOD26B2                     No   Yes      Yes  Vital
  3HVQ*MOD26C2                     No   Yes      Yes  Vital
  3HVR*AOD20A                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD20B                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD29A                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD29B                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD32A                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD32B                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD33A                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD33B                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD35A                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD35B                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD39A                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD39B                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD40A                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD40B                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD42A                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD42B                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD43A                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD43B                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD44A                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD44B                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD55A                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD55B                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD65A                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD65B                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD66A                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD66B                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD80A                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD80B                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD81A                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD81B                      Yes  Yes      Yes  Vital UPS
  3HVR*AOD85                       Yes  Yes      Yes  Vital UPS
  3HVR*AOD86                       Yes  Yes      Yes  Vital UPS
  3HVR*AOD95A                      Yes  Yes      Yes  Vital
  3HVR*AOD95B                      Yes  Yes      Yes  Vital
  3HVR*AOD174A                     Yes  Yes      Yes  Vital UPS
  3HVR*AOD174B                     Yes  Yes      Yes  Vital UPS
  3HVR*AOD184                      Yes  Yes      Yes  Vital UPS
  3HVR*MOD28A                      Yes  Yes      Yes  Vital
  3HVR*MOD28B                      Yes  Yes      Yes  Vital
  3HVR*MOD49A                      Yes  Yes      Yes  Vital
  3HVR*MOD49B                      Yes  Yes      Yes  Vital
  3HVR*MOD49C1                     Yes  Yes      Yes  Vital
  3HVR*MOD49C2                     Yes  Yes      Yes  Vital
  3HVR*MOD50A                      Yes  Yes      Yes  Vital
  3HVR*MOD50B                      Yes  Yes      Yes  Vital
  3HVR*MOD50C1                     Yes  Yes      Yes  Vital
  3HVR*MOD50C2                     Yes  Yes      Yes  Vital
  3HVR*MOD72A                      Yes  Yes      Yes  Vital
  3HVR*MOD72B                      Yes  Yes      Yes  Vital
  3HVV*MOD50C                      No   Yes      Yes  Vital
  3HVV*MOD50D                      No   Yes      Yes  Vital
  3HVV*AOD50A1                     No   Yes      Yes  Vital UPS
  3HVV*AOD50B1                     No   Yes      Yes  Vital UPS
  3HVV*AOD50A2                     No   Yes      Yes  Vital UPS
  3HVV*AOD50B2                     No   Yes      Yes  Vital UPS
  3HVV*MOD51A                      Yes  Yes      Yes  Vital
  3HVV*MOD51B                      Yes  Yes      Yes  Vital
  3HVV*MOD51C                      Yes  Yes      Yes  Vital
  3HVV*MOD51D                      Yes  Yes      Yes  Vital
  3HVY*AOD23A                      No   Yes      Yes  Vital
  3HVY*AOD23B                      No   Yes      Yes  Vital
  3HVZ*MOD20A                      No   Yes      Yes  Vital
  3HVZ*MOD20B                      Yes  Yes      Yes  Vital
  3HVZ*MOD21A                      No   Yes      Yes  Vital
  3HVZ*MOD21B                      No   Yes      Yes  Vital

D61/SI Valve Alignment
  3SIH*MV8801A                     Yes  Yes      Yes  Vital
  3SIH*MV8801B                     Yes  Yes      Yes  Vital
  3SIH*MV8802A                     Yes  Yes      Yes  Vital
  3SIH*MV8802B                     Yes  Yes      Yes  Vital
  3SIH*MV8806                      Yes  Yes      Yes  Vital
  3SIH*MV8807A                     Yes  Yes      Yes  Vital
  3SIH*MV8807B                     Yes  Yes      Yes  Vital
  3SIH*MV8813                      Yes  Yes      Yes  Vital
  3SIH*MV8814                      Yes  Yes      Yes  Vital
  3SIH*MV8821A                     Yes  Yes      Yes  Vital
  3SIH*MV8821B                     Yes  Yes      Yes  Vital
  3SIH*MV8835                      Yes  Yes      Yes  Vital
  3SIL*MV8840                      Yes  Yes      Yes  Vital
  3SIH*MV8920                      Yes  Yes      Yes  Vital
  3SIH*MV8923A                     Yes  Yes      Yes  Vital
  3SIH*MV8923B                     Yes  Yes      Yes  Vital
  3SIH*MV8924                      Yes  Yes      Yes  Vital
  3SIH*CV8823                      Yes  Yes      Yes  Vital
  3SIH*CV8824                      Yes  Yes      Yes  Vital
  3SIH*CV8843                      Yes  Yes      Yes  Vital
  3SIH*CV8871                      Yes  Yes      Yes  Vital
  3SIH*CV8964                      Yes  Yes      Yes  Vital
  3SIH*CV8881                      Yes  Yes      Yes  Vital
  3SIH*CV8888                      Yes  Yes      Yes  Vital
  3SIL*MV8804A                     Yes  Yes      Yes  Vital
  3SIL*MV8804B                     Yes  Yes      Yes  Vital
  3SIL*MV8809A                     Yes  Yes      Yes  Vital
  3SIL*MV8809B                     Yes  Yes      Yes  Vital
  3SIL*MV8812A                     Yes  Yes      Yes  Vital
  3SIL*MV8812B                     Yes  Yes      Yes  Vital
  3SIL*CV8825                      Yes  Yes      Yes  Vital UPS
  3SIL*CV8890A                     Yes  Yes      Yes
  3SIL*CV8890B                     Yes  Yes      Yes
  3SIL*SV8875A                     Yes  Yes      Yes
  3SIL*SV8875B                     Yes  Yes      Yes
  3SIL*SV8875C                     Yes  Yes      Yes
  3SIL*SV8875D                     Yes  Yes      Yes
  3SIL*SV8875E                     Yes  Yes      Yes
  3SIL*SV8875F                     Yes  Yes      Yes
  3SIL*SV8875G                     Yes  Yes      Yes
  3SIL*SV8875H                     Yes  Yes      Yes
  3SIL*CV8880                      Yes  Yes      Yes
  3SIL*CV8968                      Yes  Yes      Yes
  3SIL*HCV943A                     Yes  Yes      Yes
  3SIL*HCV943B                     Yes  Yes      Yes
  3SIL*MV8808A                     Yes  Yes      Yes
  3SIL*MV8808B                     Yes  Yes      Yes
  3SIL*MV8808C                     Yes  Yes      Yes
  3SIL*MV8808D                     Yes  Yes      Yes

7.6 ALL OTHER SYSTEMS REQUIRED FOR SAFETY

7.6.1 INSTRUMENTATION AND CONTROL POWER SUPPLY SYSTEM

The instrumentation and control power supply system is described in Section 8.3.

7.6.2 RESIDUAL HEAT REMOVAL ISOLATION VALVES

7.6.2.1 Description

The residual heat removal system (RHS) isolation valves are normally closed and are only opened for residual heat removal after system pressure is reduced to approximately 375 psig.

The RHS valves are provided with red (OPEN) and green (CLOSED) position indicating lights located at the keylock control switch for each valve. These lights are powered by valve control power and actuated by valve motor operator limit switches.

There are three motor-operated valves in series in each of the two RHS pump suction lines from the reactor coolant system (RCS) hot legs. Two valves in series located close to the containment walls, one inside containment and one outside containment, are provided with interlocks. The interlock features provided for the isolation valves are similar for both trains and are shown on Figure 7.6-1.

Each of the two valves is interlocked so that it cannot be opened unless the RCS pressure is below approximately 412.5 psia. This interlock prevents the valve from being opened when the RCS pressure plus the RHS pump pressure would be above the RHS system design pressure. The interlocks for each train are independent. If the valve remains open and RCS pressure increases to 440 psig, an alarm will sound requiring operator action.

If the plant is in Mode 1, 2, or 3, the operator is required to close all three suction valves. If the plant is in Mode 4, 5, or 6, and the RCS pressure increases to 750 psig, the operator is required to close the motor-operated valve closest to the pump.

It should be noted that these valves can also be controlled from the Auxiliary Shutdown Panel (ASP). Valve 8701A has no RCS-low-pressure interlock on opening, so that one train of RHR cooling can be provided when the control room is inaccessible. Valve 8701B is interlocked with RCS low pressure for opening from the ASP, but can be opened manually if necessary because it is located outside of containment.

The first valve in each train is located in the ESF building closest to the RHS pump and is closed and deenergized at the MCC during power operation. The alarm will function with the valve deenergized.

The third valve in each train is located inside the containment and is closed and deenergized at the MCC during power operation. No interlocks are provided.
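The interlock, alarm and operator-action rules of this subsection, expressed as checkable logic. This is an added illustration written for this page, not the plant's own I&C logic: the thresholds are the ones stated above, the psia-to-psig offset of 14.7 psi is an assumption, and the train is modelled as two interlocked valves plus the pump-side valve.

```python
"""Interlock and alarm logic for one train of RHS suction isolation valves, following
Section 7.6.2.1.  Constructed illustration for this page, not the plant's own I&C logic."""
from dataclasses import dataclass
from typing import Optional

OPEN_PERMISSIVE_PSIA = 412.5   # an interlocked valve may be opened only below this RCS pressure
ALARM_PSIG = 440.0             # alarm when an interlocked valve is open at or above this pressure
MODE_4_6_CLOSE_PSIG = 750.0    # Modes 4-6: close the valve closest to the pump at this pressure
ATM_PSI = 14.7                 # assumed psia-to-psig offset (the section mixes psia and psig)


@dataclass(frozen=True)
class TrainState:
    """Snapshot of one RHS train as seen by the interlock logic."""
    rcs_pressure_psia: float
    mode: int                            # plant operating Mode, 1 through 6
    interlocked_open: tuple[bool, bool]  # the two interlocked valves near the containment wall
    pump_side_open: bool                 # the first valve, closest to the RHS pump


def psig(p_psia: float) -> float:
    """Convert absolute pressure to gauge pressure (assumed 14.7 psi offset)."""
    return p_psia - ATM_PSI


def open_permissive(p_psia: float) -> bool:
    """Opening permissive for either interlocked valve: RCS pressure below 412.5 psia."""
    return p_psia < OPEN_PERMISSIVE_PSIA


def evaluate(state: TrainState) -> dict:
    """Alarm state and required operator action for the train, per Section 7.6.2.1."""
    if not 1 <= state.mode <= 6:
        raise ValueError(f"invalid plant mode: {state.mode}")
    p = psig(state.rcs_pressure_psia)
    # Alarm: an interlocked valve remains open while RCS pressure reaches 440 psig.
    alarm = any(state.interlocked_open) and p >= ALARM_PSIG
    action: Optional[str] = None
    if alarm and state.mode <= 3:
        # Modes 1-3: the alarm requires closing all three suction valves.
        action = "close all three suction valves"
    elif state.mode >= 4 and state.pump_side_open and p >= MODE_4_6_CLOSE_PSIG:
        # Modes 4-6: at 750 psig close the motor-operated valve closest to the pump.
        action = "close the motor-operated valve closest to the pump"
    return {"rcs_pressure_psig": round(p, 1), "alarm": alarm, "required_action": action}
```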

7.6.2.2 Analysis

Based on the scope definitions presented in IEEE Standard 279-1971 and 338-1971, these criteria do not apply to the RHS isolation valve interlocks; however, in order to meet NRC requirements and because of the possible severity of the consequences of loss of function, the requirements of IEEE Standard 279-1971 will be applied with the following comments:

1. For the purpose of applying IEEE Standard 279-1971 to this circuit, the protection system shall consist of the two valves in series in each line and all components of their interlocking and closure circuits.
2. IEEE Standard 279-1971, Paragraph 4.10: The above-mentioned pressure interlock signals and logic will be tested on line to the maximum extent possible without adversely affecting safety. This test will include the analog signal through to the train signal which activates the slave relay (the slave relay provides the final output signal to the valve control circuit). This is done in the best interests of safety since an actual actuation to permit opening the valve could potentially leave only one remaining valve to isolate the low-pressure RHS from the RCS.
3. IEEE Standard 279-1971, Paragraph 4.15: This requirement does not apply, as the setpoints are independent of mode of operation and are not changed.

Environmental qualification of the valves and wiring is discussed in Section 3.11.

7.6.3 REFUELING INTERLOCKS

Electrical interlocks (i.e., proximity/limit switches), as discussed in Section 9.1.4, are provided for minimizing the possibility of damage to the fuel during fuel handling operations.

7.6.4 ACCUMULATOR MOTOR-OPERATED VALVES

The design of the interconnection of these signals to the accumulator isolation valves meets the following criteria established in previous NRC positions on this matter:

1. Automatic opening of the accumulator valves when (a) the primary coolant system pressure exceeds a preselected value specified in the Technical Specifications or (b) a safety injection signal has been initiated. Both signals shall be provided to the valves.
2. Utilization of a safety injection signal (SIS) to automatically remove (override) and bypass features that are provided to allow an isolation valve to be closed for short periods of time when the reactor coolant system is at pressure in accordance with the provisions of the Technical Specifications. As a result of the confirmatory SIS, isolation of an accumulator with the reactor at pressure is acceptable.

The control circuit for these valves is shown on Figure 7.6-2. The valves and control circuits are further discussed in Sections 6.3.2.2.6 and 6.3.5.5.

The safety injection system accumulator discharge isolation valves are motor operated, normally open valves which are controlled from the main control board.

These valves are interlocked such that:

1. Signals from the ESFAS are provided to the valve(s) upon initiation of SIS. These signals would open the valves if they were closed and energized, but since the valves are locked open during normal operation with their power removed, the signals perform no actual function. (See Section 6.3.2.2.6).
2. Signals from the ESFAS are provided to the valve(s) upon receipt of high pressurizer pressure (pressure above the P-11 setpoint). These signals would open the valves if they were closed and energized, but since the valves are locked open during normal operation with their power removed, the signals perform no actual function. (See Section 6.3.2.2.6).
3. They cannot be closed as long as a SIS is present.

The four main control board position switches for these valves provide a spring return to auto from the OPEN position and a maintained closed position.

These normally open motor-operated valves have alarms, indicating a malpositioning (with regard to their ECCS function during the injection phase). The alarms sound in the main control room.

An alarm sounds for any accumulator isolation valve under the following conditions when the RCS pressure is above the SI unblocking pressure:

1. Valve motor-operator limit switch indicates valve not open
2. Valve stem limit switch indicates valve not open. The alarm on this switch repeats itself at given intervals.

Bypass and inoperable alarms are in accordance with Regulatory Guide 1.47.

7.6.5 REACTOR COOLANT SYSTEM LOOP ISOLATION VALVE INTERLOCKS

Startup of an isolated reactor coolant loop is prevented by strict administrative controls until the plant is in Mode 5 or 6 with all conditions of Technical Specification 3/4.4.1.6 satisfied.

The interlocks allow opening of the cold leg loop stop valves (refer to Valve 2 on Figure 7.6-4) whenever:

1. The hot leg isolation valve (Valve 1 on Figure 7.6-4) is opened, and
2. The reactor coolant system temperature is less than a preset amount (170°F), and
3. The cold leg temperature is within 20°F of the highest cold leg temperature in other loops, and the hot leg temperature is within 20°F of the highest hot leg temperature in other loops.

For the logic functions of these interlocks, refer to Figure 7.2-1, Sheets 17, 18, and 19.
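The three open-permissive conditions for the cold leg loop stop valve, as checkable logic that reports every unsatisfied condition rather than just the first. This is an added illustration written for this page, not the plant's own interlock logic: "within 20°F of the highest" is read as an absolute difference of at most 20°F, and a loop with no other-loop temperatures to compare against is assumed to get no permissive.

```python
"""Open permissive for a cold leg loop stop valve (Valve 2 on Figure 7.6-4), following the
conditions in Section 7.6.5.  Constructed illustration for this page, not plant logic."""

MAX_RCS_TEMP_F = 170.0   # RCS temperature must be below this preset value
MATCH_BAND_F = 20.0      # loop temperatures must be within this band of the other loops' highest


def cold_leg_stop_valve_permissive(
    hot_leg_valve_open: bool,
    rcs_temp_f: float,
    loop_cold_f: float,
    loop_hot_f: float,
    other_cold_f: list[float],
    other_hot_f: list[float],
) -> tuple[bool, list[str]]:
    """Return (permissive, blocking_reasons) for opening the cold leg stop valve.

    other_cold_f / other_hot_f hold the cold and hot leg temperatures of the loops
    that are not isolated.  Every condition is evaluated so all blocks are reported.
    """
    blocks: list[str] = []
    # Condition 1: the hot leg isolation valve (Valve 1) must already be open.
    if not hot_leg_valve_open:
        blocks.append("hot leg isolation valve (Valve 1) is not open")
    # Condition 2: RCS temperature below the preset 170°F.
    if rcs_temp_f >= MAX_RCS_TEMP_F:
        blocks.append(f"RCS temperature {rcs_temp_f:.1f}F is not below {MAX_RCS_TEMP_F:.0f}F")
    # Condition 3: isolated-loop temperatures within 20°F of the highest in the other loops.
    if not other_cold_f or not other_hot_f:
        # Assumed fail-safe handling: with no reference loop there is nothing to compare.
        blocks.append("no other-loop temperatures available for comparison")
    else:
        ref_cold = max(other_cold_f)
        ref_hot = max(other_hot_f)
        if abs(loop_cold_f - ref_cold) > MATCH_BAND_F:
            blocks.append(
                f"cold leg temperature {loop_cold_f:.1f}F is more than "
                f"{MATCH_BAND_F:.0f}F from highest other-loop cold leg {ref_cold:.1f}F"
            )
        if abs(loop_hot_f - ref_hot) > MATCH_BAND_F:
            blocks.append(
                f"hot leg temperature {loop_hot_f:.1f}F is more than "
                f"{MATCH_BAND_F:.0f}F from highest other-loop hot leg {ref_hot:.1f}F"
            )
    return (not blocks, blocks)
```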

7.6.6 FUEL POOL COOLING AND PURIFICATION SYSTEM

7.6.6.1 Description

The fuel pool cooling and purification system design is described in Section 9.1.3, and the flow diagram is shown on Figure 9.1-6.

Fuel pool cooling pump motor controls are located on the main control board and at the switchgear. REMOTE/LOCAL control selector switches are provided at the switchgear. An annunciator is alarmed on the main control board when local control is selected.

The following parameters are indicated on the fuel pool cooling panel:

1. Fuel pool water level
2. Fuel pool demineralizer total flow
3. Fuel pool water temperature
4. Fuel pool coolers outlet temperature
5. Fuel pool cooling return flow
6. Fuel pool cooling pumps discharge pressure
7. Fuel pool purification return flow
8. Fuel pool demineralizer flow

The following parameters are provided with first out annunciators on the fuel pool panel:

1. Fuel pool water level low
2. Fuel pool water level high
3. Fuel pool water temperature high
4. Fuel pool coolers outlet temperature high
5. Fuel pool cooling return flow low
6. Fuel pool purification flow low
7. Fuel pool prefilter 3A differential pressure high
8. Fuel pool prefilter 3B differential pressure high
9. Fuel pool demineralizer differential pressure high
10. Fuel pool post filter differential pressure high
11. Fuel pool coarse filter differential pressure high
12. Fuel pool cooler cooling water outlet flow low
13. Fuel pool purification pump 2A auto trip
14. Fuel pool purification pump 2B auto trip

A fuel pool cooling system trouble annunciator located on the main control board is alarmed whenever an alarm is received on the fuel pool panel.

Redundant pressure switches are utilized to energize low level indicator lights on the main control board. Temperature is indicated on the main control board by redundant temperature indicators.

Fuel pool level low, fuel pool level high, fuel pool cooling pumps auto trip, and fuel pool temperature high are alarmed on the main control board.

Continuous wide range level indication is provided from the top of the fuel racks to the normal 13-11 operating level of the spent fuel pool by the Spent Fuel Pool Wide Range Level Displays within the Auxiliary Building.

To protect personnel from high radiation doses which could occur due to fuel pool water level lower than normal, or during the refueling process, continuous radiation monitoring above the fuel pool is provided. For a detailed description of the radiation monitor provided above the fuel pool, see Chapter 11, Section 11.5.2.

7.6.6.2 Analysis of Fuel Pool Cooling and Purification System

1. IEEE Standard 279-1971, Paragraph 4.2: For a discussion of system instrumentation redundancy and single failure criteria, refer to FSAR Sections 3.1 and 9.1.3.

2. IEEE Standard 279-1971, Paragraph 4.4: For a discussion of the type tests made to verify the performance requirements, refer to Section 3.11.
3. Design Bases: For the fuel pool cooling and purification system design bases, refer to Section 9.1.3.1.
4. IEEE Standard 279-1971, Paragraph 4.6: Instrumentation for the fuel pool cooling and purification system has no multiple instrument channels. The instrument trains (A and B) for this system meet the requirements of General Design Criteria 44 (Section 3.1.2.44).
5. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10: Calibration of the level switches, alarms, and indicators is verified periodically by removing the device in service and testing with test apparatus compatible with the specific equipment being tested and injecting simulated signals. Inspections and testing requirements are discussed in Section 9.1.3.4.
6. IEEE Standard 279-1971, Paragraph 4.13: Bypass and inoperable alarms are in accordance with Regulatory Guide 1.47.

7.6.7 CONTAINMENT LEAKAGE MONITORING SYSTEM (CONTAINMENT ATMOSPHERE PRESSURE AND TEMPERATURE MONITORING INSTRUMENTATION)

7.6.7.1 Description

The containment leakage monitoring system design is shown on Figure 6.2-53.

With the exceptions described below, components mounted between the containment structure and the outer containment isolation valves, including the valves themselves and the two containment air temperature detectors located inside the containment structure, are safety related.

The remainder of the containment leakage monitoring system components inside and outside the containment structure are not safety related.

Four safety related containment pressure transmitters (two extended range and two narrow range) are installed in two of the four containment penetration lines (PT935 and PT936). The extended range containment pressure transmitters transmit the containment pressure signal to the plant computer, and to dual channel indicators in the control room and one channel is recorded. The narrow range containment pressure transmitters transmit the containment pressure signal to dual channel indicators in the control room. The dual channel indicators and recorder in the control room are safety related.

Additional safety related containment atmosphere pressure transmitters are installed in each of the four containment penetration lines (PT-934 through 937). The transmitter output signals are used to form logic matrices which generate the containment pressure Hi-1, Hi-2, and Hi-3 signals for the engineered safety features actuation system. These transmitters are also utilized to provide four channels of containment pressure indication in the control room and two channels on the auxiliary shutdown panels. Two channels are recorded in the control room. Each transmitter may be verified and calibrated by valving the transmitter out of service and applying a simulated signal.

A motor-operated valve is installed in each containment open pressure tap line between the containment and the transmitter connections. This valve is normally open and fails in the AS IS position on loss of power. An inadvertent closed position of these valves is alarmed and a bypass annunciator is alarmed in the control room. The motor-operated valves are remote manually controlled from the control room. Two safety related temperature measuring channels are provided to monitor the containment atmosphere temperature. This temperature is indicated in the control room and one channel is recorded.

7.6.7.2 Analysis

1. IEEE Standard 279-1971, Paragraph 4.2: Redundant channels and trains for pressure and redundant trains of temperature indication supplied from separate power sources preclude a single random failure from preventing a protective action or indication at the system level.
2. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10: Each pressure transmitter associated with Hi-1, Hi-2, and Hi-3 containment pressure may be tested and calibrated by valving the transmitter out of service and applying a simulated signal.

Temperature transmitters and indicators may be tested and calibrated periodically with a compatible test apparatus.

3. IEEE Standard 279-1971, Paragraph 4.13: Bypass and inoperable alarms are in accordance with Regulatory Guide 1.47.
4. Design Bases: For design bases information and a further discussion of compliance with IEEE Standard 279-1971 for engineered safety features, refer to Sections 7.3.1.2 and 7.3.2.
5. IEEE Standard 279-1971, Paragraph 4.4: For a discussion of the type tests made to verify the performance requirements, refer to Section 3.11.
6. IEEE Standard 279-1971, Paragraph 4.5: For a discussion of channel independence applicable to Hi-1, Hi-2, and Hi-3 containment pressure, refer to Section 7.3.2.2.3.

7.6.8 INTERLOCKS FOR RCS PRESSURE CONTROL DURING LOW-TEMPERATURE OPERATION

7.6.8.1 Description

The basic function of the RCS pressure control during low-temperature operation is discussed in Subsection 5.2.2. As noted in Subsection 5.2.2, this pressure control includes automatic actuation logic for two pressurizer power operated relief valves (PORV). The function of this actuation logic is to continuously monitor RCS temperature and pressure conditions with actuation logic armed by operator action by means of an ARM/BLOCK main control board (MCB) switch which is placed in the BLOCK position when the plant is at operating pressure. The monitored system temperature signals are processed to generate the reference pressure limit which is compared to the actual monitored RCS pressure. This comparison provides an actuation signal to an actuation device which, if manually armed, causes the PORV to automatically open if necessary to prevent pressure conditions from exceeding allowable limits. See Figure 7.2-1, Sheets 18 and 19, for the logic diagram showing the basic elements used to process the generating station variables for this low-temperature RCS overpressurization preventive interlock. These two sheets present the logic diagram for the pressurizer pressure relief system for Trains A and B that is part of the safety grade cold shutdown system.

The wide range temperature signals are used as input to generate the reference pressure limit program, considering the plant's allowable pressure and temperature limits. This reference pressure is then compared to the actual RCS pressure monitored by the wide range pressure channel. The error signal derived from the difference between the reference pressure and the measured pressure first annunciates a main board alarm whenever the measured pressure approaches, within a predetermined amount, the reference pressure. On a further increase in measured pressure, the error signal generates an annunciated actuation signal. Channel and train independence between protection sets and between Trains A and B is maintained from sensors to the PORVs.

Upon receipt of the actuation signal, the actuation device automatically causes the PORV to open.

Upon sufficient RCS inventory letdown, the operating RCS pressure decreases, clearing the actuation signal. Removal of this signal from the actuation device causes the PORV to close.

7.6.8.2 Analysis of Interlock

The logic functions and actuation signals shown on Figure 7.2-1, Sheets 18 and 19, are implemented in NSSS protection equipment. For the criteria for which the protection system was designed, and which apply equally well to the interlocks, which are part of this protection system, see Sections 7.2 and 7.3. The primary purpose of these interlocks is automatic transient mitigation. These interlocks do not perform a primary protective function, but rather provide automatic overpressure protection at low temperature as backup to operator action. However, to assure a well engineered design and improved operability, the instrumentation and control portions of the interlocks for RCS pressure control during low temperature operation will satisfy the applicable sections of US NRC Branch Technical Position RSB 5-2 that address instrumentation and control, and IEEE Standard 279-1971, which will be applied with the following comments:

1. For the purpose of applying IEEE Standard 279-1971 to this circuit, the following definitions will be used:
a. Safety Grade System - The block valve and the power operated relief valve (PORV) in series in each of the redundant lines and all components of the interlocks for RCS pressure control during low temperature operation. The I&C equipment for one redundant line is defined as the Train A system; the I&C equipment for the other redundant line is defined as the Train B system.
b. Protective Action - The automatic control of RCS pressure during low-temperature operation to prevent the actual pressure from exceeding the calculated reference pressure limit. This protective action can be satisfied by either train of the redundant system, the Train A system or the Train B system.
2. IEEE Standard 279-1971, Paragraph 4.2: Any single random failure within the Train A system or the Train B system will not prevent protective action at the system level when required.
3. (Deleted)
4. IEEE Standard 279-1971, Paragraph 4.12: The protective action is manually blocked by operator action of the MCB ARM/BLOCK switch, which places it in the BLOCK position when the plant is at temperatures greater than the range of concern for RCS low temperature operation.

The annunciator initiated by the low temperature auctioneered circuit will alarm to warn the operator that the ARM/BLOCK switch should be placed in the ARM position. A condition in which the system should be armed but is not will thus be indicated to the operator when this annunciator is initiated while the switch is positioned in the maintained BLOCK position. In addition, if the system is armed and the PORV block valve is not fully open, this condition is also annunciated.
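The interlock logic of Section 7.6.8 as a small behavioural model, added here as an example and not taken from the FSAR or the plant's protection equipment. The reference-pressure program, the approach margin, the arming temperature and the annunciator names are constructed placeholders, not plant setpoints.

```python
"""Model of one train of the RCS low-temperature overpressure interlock: a
reference pressure limit derived from wide-range temperature, an approach
alarm, an actuation signal that opens the PORV only when the train is armed,
and the ARM/BLOCK and block-valve annunciators (constructed example)."""
from dataclasses import dataclass, field

# Constructed reference-pressure program: (wide-range temperature, pressure
# limit) breakpoints, linearly interpolated.  Placeholder values, not plant data.
REF_PROGRAM = [(70.0, 400.0), (200.0, 600.0), (350.0, 1200.0)]
APPROACH_MARGIN = 50.0    # "within a predetermined amount" (placeholder)
ARM_TEMPERATURE = 350.0   # top of the low-temperature range of concern (placeholder)


def reference_pressure(t_wide_range):
    """Reference pressure limit generated from the wide-range temperature signal."""
    (t_lo, p_lo), (t_hi, p_hi) = REF_PROGRAM[0], REF_PROGRAM[-1]
    if t_wide_range <= t_lo:
        return p_lo
    if t_wide_range >= t_hi:
        return p_hi
    for (t0, p0), (t1, p1) in zip(REF_PROGRAM, REF_PROGRAM[1:]):
        if t0 <= t_wide_range <= t1:
            return p0 + (p1 - p0) * (t_wide_range - t0) / (t1 - t0)
    raise AssertionError("unreachable: breakpoints are monotonic")


@dataclass
class Train:
    """I&C state of one redundant train (Train A or Train B)."""
    armed: bool = False                 # MCB ARM/BLOCK switch in ARM
    block_valve_full_open: bool = True  # series PORV block valve position
    porv_open: bool = False             # demand from the actuation device
    annunciators: list = field(default_factory=list)


def evaluate(train, t_wide_range, p_wide_range):
    """One pass of the interlock: returns the annunciators raised and updates the
    PORV demand.  The PORV opens only if the train is armed and measured
    pressure reaches the reference pressure; it closes once the signal clears."""
    p_ref = reference_pressure(t_wide_range)
    raised = []
    # Low-temperature auctioneered circuit: warn that the switch should be in ARM.
    if t_wide_range <= ARM_TEMPERATURE and not train.armed:
        raised.append("ARM/BLOCK SWITCH SHOULD BE ARMED")
    # Main board alarm when measured pressure approaches the reference pressure.
    if p_ref - APPROACH_MARGIN <= p_wide_range < p_ref:
        raised.append("APPROACHING REFERENCE PRESSURE")
    actuation = p_wide_range >= p_ref
    if actuation:
        raised.append("LTOP ACTUATION")
    train.porv_open = train.armed and actuation
    # Armed with the block valve not fully open is also annunciated.
    if train.armed and not train.block_valve_full_open:
        raised.append("ARMED / PORV BLOCK VALVE NOT FULL OPEN")
    train.annunciators = raised
    return raised
```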

7.6.8.3 Pressurizer Pressure Relief System

The pressurizer low pressure interlocks shown on Figure 7.2-1, Sheet 6, together with pressurizer pressure control shown on Figure 7.2-1, Sheet 11, and the interlocks for the pressurizer block valves, 8000 A and B, shown on Figure 7.2-1, Sheets 18 and 19, are referred to as the pressurizer pressure relief system.

The pressurizer pressure relief (PPR) system provides the following:

1. Capability for RCS overpressure mitigation during cold shutdown, heatup, and cooldown operations to minimize the potential for impairing reactor vessel integrity when operating at or near the vessel ductility limits
2. Capability for RCS depressurization following Condition II, III, and IV events and for safety grade cold shutdown
3. An interlock that, with the RCS cold overpressure protection system armed and the PORV block valves in auto control, opens the PORV block valves
4. A safety related pressure relief function which opens the pressurizer PORVs when two out of four protection channels sense high pressurizer pressure. To avoid spurious PORV opening, the actuation bistables are energized to open the PORVs.

Coincidence logic and PORV actuation is performed by the Solid State Protection System (SSPS). One PORV is controlled by the A train of SSPS while the other PORV is controlled by the B train. The PORVs close after pressurizer pressure has been reduced by a predetermined value. Refer to FSAR Figure 7.2-1 sheets 6, 18 and 19 for additional details.

Interlocks from the PPR system control the opening and closing of the pressurizer PORVs and the PORV block valves. These interlocks provide the following functions:

1. Pressurizer pressure control
2. RCS pressure control during low-temperature operation
3. RCS pressure control to achieve and maintain safety grade cold shutdown and to heat up using equipment that is required for safety

The interlock functions that provide pressurizer pressure control are derived from process parameters as shown on Figure 7.2-1, Sheets 6, 11, 18, and 19. The functions shown on Figure 7.2-1, Sheets 18 and 19, include those needed for the PORV block valves as well as the pressurizer PORVs to meet both interlock logic and manual operation requirements where manual operation can be either at the main control board or on the local shutdown panel.

7.6.9 HEAT TRACING OF SAFETY-RELATED SYSTEMS

Safety-related systems requiring heat tracing are heated by circuits powered from two independent control panels, 3HTS-PNLF1 and 3HTS-PNLF2. The transformers for each panel are powered by the purple and orange safety trains, respectively. The power from the panels is nonsafety grade. The safety grade power is protected from the nonsafety service by the transformers, which are safety grade isolation transformers, or isolated by two Class 1E breakers in series.

The primary and secondary panels, 3HTS-PNLF1 and 3HTS-PNLF2, respectively, are both energized and provide heat tracing to certain safety related systems upon receipt of individually generated low ambient temperature signals. A temperature sensor on the piping provides an alarm at the primary panel, 3HTS-PNLF1, if it senses a temperature below its setpoint. This also causes an alarm to sound on the main control board identifying trouble at the primary panel. Should the temperature of the piping continue to drop, a second temperature sensor on the piping provides an alarm at the secondary panel, 3HTS-PNLF2, which in turn, provides an additional alarm on the main control board.

7.6.10 SHUTDOWN MARGIN MONITOR

7.6.10.1 Description

The safety related shutdown margin monitor is an instrument that measures the count rate from the neutron monitoring instruments and identifies any statistically significant increase that would indicate a loss of reactor shutdown margin.

The monitor's input signal is obtained as a pulse output from the existing neutron-flux monitoring system. This design minimizes unwanted background counts from electromagnetic pickup or from alpha, beta, or gamma flux at the detector.

The shutdown monitors have been designed with bipolar discrete components and complementary metal oxide semiconductor (CMOS) microprocessors and integrated circuitry for high reliability and long life.

The shutdown margin monitors are designed with 20 memory registers that are updated every 30 counts (detected neutrons) or once a second, whichever is longer. These registers are used to provide an average count rate over a period of time in order to reduce noise spikes and unnecessary alarms. This averaging process causes a time delay in the instrument's response while monitoring the reactor core at very low count rates, such as following long shutdowns or refueling operations. The time delay of the monitor increases as the instrument's count rate decreases. Minimum count rates for operability have been established and proceduralized to account for this time delay.

The shutdown margin monitor will alarm when the monitored count rate increases above the baseline count rate by a pre-set factor (Alarm Ratio). The Alarm Ratio can range from 1.25 to 4 times the baseline count rate. The monitor continually lowers its baseline count rate as the count rate decays with time. This renormalization is required to properly monitor the core for statistically significant neutron flux increases.

7.6.10.2 Function

The shutdown margin monitors provide the reactor operator adequate warning if an unintentional loss of shutdown margin occurs. The monitors observe the count rate from the existing neutron flux instrumentation at the reactor core for a statistically significant increase. The monitor will alarm once the monitored count rate has increased by a factor of 1.25 to 4, depending on the instrument's setpoint. The shutdown margin monitors are set to alarm once the baseline count rate has increased by a factor listed in the Core Operating Limits Report (COLR) and the Technical Requirements Manual (TRM). The setpoint ensures that the operator will be provided with at least 15 minutes response time to mitigate the boron dilution event.

Section 15.4.6 of the FSAR describes the event of a possible unplanned moderator dilution that could result in an unwanted increase in reactivity and a decrease in shutdown margin. Such an event could be detected by measuring the boron concentration in the moderator. However, the shutdown margin is monitored directly by measuring the neutron flux at the reactor core. The operator will be alerted to any reduction in shutdown margin whether from an unplanned boron dilution or from another cause.

Any increase in reactivity or decrease in shutdown margin due to a boron dilution event results in an increase in neutron flux in the reactor core due to an increase in subcritical multiplication. By monitoring the neutron flux at the reactor core during a shutdown, a loss of shutdown margin will be identified. The shutdown margin monitors are required to be operable in MODES 3, 4 and 5. With both monitors inoperable, mode changes are allowed up to MODE 3 as long as the action statement in the technical specification is completed.

7.6.11 REFERENCES FOR SECTION 7.6

7.6-1 IEEE Standard 279-1971. IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations. The Institute of Electrical and Electronics Engineers, Inc.

7.6-2 IEEE Standard 338-1971. IEEE Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems. The Institute of Electrical and Electronics Engineers, Inc.

FIGURE 7.6-1 LOGIC DIAGRAM FOR RHS ISOLATION VALVES (figure and its notes not reproduced in this text)

FIGURE 7.6-2 FUNCTIONAL BLOCK DIAGRAM OF ACCUMULATOR ISOLATION VALVES (figure not reproduced in this text)

FIGURE 7.6-3 AUTOMATIC RHS AND QSS PUMP SHUTOFF (figure not reproduced in this text)

FIGURE 7.6-4 REACTOR COOLANT SYSTEM LOOP WITH LOOP STOP VALVES (figure not reproduced in this text)

7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY

The general design objectives of the plant control systems are:

1. To establish and maintain power equilibrium between primary and secondary system during steady state operation
2. To constrain operational transients so as to preclude unit trip and re-establish steady state unit operation
3. To provide the reactor operator with monitoring instrumentation that indicates all required input and output control parameters of the systems and provides the operator the capability of assuming manual control of the system

7.7.1 DESCRIPTION

The plant control systems described in this section perform the following functions:

1. Reactor Control System
a. Enables the nuclear plant to accept a step load decrease of 10 percent and a ramp decrease of 5 percent per minute within the load range of 15 percent to 100 percent without reactor trip, steam dump, or pressurizer relief actuation, subject to possible xenon limitations. The reactor control system will not withdraw control rods for step and ramp load increases. The operators will take the appropriate actions in response to alarms and maintain control of the plant.
b. Maintains reactor coolant average temperature Tavg within prescribed limits by creating the bank demand signals for moving groups of full length rod cluster control assemblies during normal operation and operational transients. The Tavg control also supplies a signal to pressurizer water level control and steam dump control.
2. Rod Control System - Provides for reactor power modulation by manual and automatic control of full length control rod banks in a preselected sequence and for manual operation of individual banks.
3. Systems for Monitoring and Indicating
a. Provide alarms to alert the operator if the required core reactivity shutdown margin is not available, due to excessive control rod insertion.
b. Display control rod position.


c. Provide alarms to alert the operator in the event of control rod deviation exceeding a preset limit.
4. Plant Control System Interlocks
a. Prevent further withdrawal of the control banks when signal limits are approached that predict the approach of a DNBR limit or kW/ft limit.
b. Inhibit automatic turbine load change as required by the nuclear steam supply system.
5. Pressurizer Pressure Control - Maintains or restores the pressurizer pressure to a value which is well within reactor trip and relief and safety valve actuation setpoint limits following normal operational transients that induce pressure changes by control (manual or automatic) of the pressurizer heaters and spray valves.
6. Pressurizer Water Level Control - Establishes, maintains, and restores pressurizer water level within specified limits as a function of the average coolant temperature. Changes in level are caused by coolant density changes induced by loading, operational, and unloading transients.

Level changes are produced by means of charging flow control (manual or automatic) as well as by manual selection of letdown orifices. Maintaining coolant level in the pressurizer within prescribed limits by actuating the charging and letdown system thus provides control of the reactor coolant water inventory.

7. Steam Generator Water Level Control
a. Establishes and maintains the steam generator water level to within predetermined physical limits during normal operating transients.
b. The steam generator water level control system also restores the steam generator water level to within predetermined limits at unit trip conditions.

It regulates the feedwater flow rate such that under operational transients the heat sink for the reactor coolant system does not decrease below a minimum. Steam generator water inventory control is manual or automatic through the use of feedwater control valves.

8. Steam Dump Control
a. Permits the nuclear plant to accept a sudden loss of load without incurring reactor trip. Steam is dumped to the condenser and/or the atmosphere as necessary to accommodate excess power generation in the reactor during turbine load reduction transients.


b. Ensures that stored energy and residual heat are removed following a reactor trip to bring the plant to equilibrium no load conditions without actuation of the steam generator safety valves.
c. Maintains the plant at no load conditions and permits a manually controlled cooldown of the plant.
9. Incore Instrumentation - Provides information on the neutron flux distribution and on the core outlet temperatures at selected core locations.

7.7.1.1 Reactor Control System

The reactor control system enables the nuclear plant to follow load decreases automatically including the acceptance of step load decreases of 10 percent and ramp decreases of 5 percent per minute within the load range of 15 percent to 100 percent without reactor trip, steam dump, or pressure relief (subject to possible xenon limitations). The system is also capable of restoring coolant average temperature to within the programmed temperature deadband following a change in load. Manual control rod operation is required for response to load increases and may be performed at any time.

The reactor control system controls the reactor coolant average temperature by regulation of control rod bank position. The reactor coolant loop average temperatures are determined from hot leg and cold leg measurements in each reactor coolant loop. There is an average coolant temperature (Tavg) computed for each loop, where:

Tavg = (Thot + Tcold)/2 (7.7-1)

The error between the programmed reference temperature (based on turbine impulse chamber pressure) and the highest of the Tavg measured temperatures (which is processed through a lead-lag compensation unit) from each of the reactor coolant loops constitutes the primary control signal as shown in general on Figure 7.7-1 and in more detail on the functional diagrams shown on Figure 7.2-1, Sheet 9. The system is capable of restoring coolant average temperature to the programmed value following a decrease in load. The programmed coolant temperature increases linearly with turbine load from zero power to the full power condition. The Tavg also supplies a signal to pressurizer level control and steam dump control and rod insertion limit monitoring.

The temperature channels needed to derive the temperature input signals for the reactor control system are fed from protection channels via isolation amplifiers.

An additional control input signal is derived from the reactor power versus turbine load mismatch signal. This additional control input signal improves system performance by enhancing response and reducing transient peaks.

The core axial power distribution is controlled during load follow maneuvers by changing (a manual operator action) the boron concentration in the reactor coolant system. The control board displays (Section 7.7.1.3.1) indicate the need for an adjustment in the axial power distribution.

Adding boron to the reactor coolant will reduce Tavg and require the rods to be moved toward the top of the core. This action will reduce power peaks in the bottom of the core. Likewise, removing boron from the reactor coolant will move the rods further into the core to control power peaks in the top of the core.

7.7.1.2 Rod Control System

7.7.1.2.1 Full Length Rod Control System

The full length rod control system, when operating in automatic, receives rod speed and direction signals to move into the core from the Tavg control system. The rod speed demand signal varies over the corresponding range of 5 to 45 inches per minute (8 to 72 steps/minute) depending on the magnitude of the input signal. Manual control is provided to move a control bank in or out at a prescribed fixed speed.

When the operator selects the AUTOMATIC mode, rod motion is then controlled by the reactor control systems. In the AUTOMATIC mode, the rods are inserted in a predetermined programmed sequence with the control interlocks listed in Table 7.7-1. Rod withdrawal is manually controlled by the operator.

The shutdown banks are always in the fully withdrawn position during normal operation and are moved to this position at a constant speed by manual control prior to criticality. A reactor trip signal causes them to fall by gravity into the core. There are 5 shutdown banks.

The control banks are the only rods that can be manipulated under automatic control. Each control bank is divided into two groups to obtain smaller incremental reactivity changes per step.

All rod cluster control assemblies in a group are electrically paralleled to move simultaneously.

There is individual position indication for each rod cluster control assembly.

Power to the rod drive mechanisms is supplied by two motor generator sets operating from two separate 480 V, three-phase buses. Each generator is the synchronous type and is driven by a 200 hp induction motor. The AC power is distributed to the rod control power cabinets through the two series connected reactor trip breakers.

The Rod Control System can insert small amounts of reactivity to accomplish fine control of reactor coolant average temperature about a small temperature deadband. A summary of the rod cluster control assembly sequencing characteristics is given below:

1. Two groups within the same bank are stepped such that the relative position of the groups will not differ by more than one step.
2. The control banks are programmed such that withdrawal of the banks is sequenced in the following order: control bank A, control bank B, control bank C, and control bank D. The programmed insertion sequence is the opposite of the withdrawal sequence, i.e., the last control bank withdrawn (bank D) is the first control bank inserted.

3. The control bank withdrawals are programmed such that when the first bank reaches a preset position, the second bank begins to move out simultaneously with the first bank which continues to move toward its fully withdrawn position. When the second bank reaches a preset position, the third bank begins to move out, and so on. This withdrawal sequence continues until the unit reaches the desired power level. The control bank insertion sequence is the opposite.
4. Overlap between successive control banks is adjustable between 0 and 50 percent (0 to 115 steps), with an accuracy of 1 step.
5. Rod speeds for either the shutdown banks or manual operation of the control banks are capable of being controlled between a minimum of 6 steps per minute and a maximum of 68 steps per minute.
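The bank withdrawal sequence with adjustable overlap (items 2 through 4 above), as an added example that is not code from the FSAR or the rod control system. It assumes four control banks A through D, 228 steps of travel per bank (the top-of-travel figure the rod position indication description uses) and the 115-step maximum overlap stated above; group-level alternate stepping within a bank is not modelled.

```python
"""Control bank overlap sequencing model (constructed example)."""

FULL_OUT = 228                  # steps at the fully withdrawn position (assumption)
MAX_OVERLAP = 115               # 50 percent overlap in steps, per the text
BANKS = ("A", "B", "C", "D")    # withdrawal order; insertion runs in reverse


def total_travel(overlap):
    """Span of the overall demand counter: bank A's full travel plus three
    staggered starts for banks B, C and D."""
    return FULL_OUT + (len(BANKS) - 1) * (FULL_OUT - overlap)


def bank_positions(demand, overlap):
    """Position of each bank for an overall withdrawal demand in steps.
    Bank k starts to move out when bank k-1 reaches FULL_OUT - overlap and
    both keep moving until bank k-1 is fully withdrawn; insertion is the
    same mapping traversed in reverse, so bank D moves in first."""
    if not 0 <= overlap <= MAX_OVERLAP:
        raise ValueError("overlap must be between 0 and %d steps" % MAX_OVERLAP)
    if not 0 <= demand <= total_travel(overlap):
        raise ValueError("demand outside the withdrawal range")
    stagger = FULL_OUT - overlap
    return {bank: max(0, min(FULL_OUT, demand - k * stagger))
            for k, bank in enumerate(BANKS)}


def moving_banks(demand, overlap, direction):
    """Banks that step for one demand change in direction +1 (out) or -1 (in)."""
    before = bank_positions(demand, overlap)
    after = bank_positions(demand + direction, overlap)
    return [b for b in BANKS if before[b] != after[b]]
```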

7.7.1.3 Plant Control Signals for Monitoring and Indicating

7.7.1.3.1 Monitoring Functions Provided by the Nuclear Instrumentation System

The power range channels are important because of their use in monitoring power distribution in the core within specified safe limits. They are used to measure power level, axial flux imbalance, and radial flux imbalance. These channels are capable of recording overpower excursions up to 200 percent of full power. Suitable alarms are derived from these signals as described below.

Basic power range signals are:

1. Total current from a power range detector (four such signals from separate detectors); these detectors are vertical and have a total active length of 10 feet
2. Current from the upper half of each power range detector (four signals)
3. Current from the lower half of each power range detector (four signals)

Derived from these basic signals are the following (including standard signal processing for calibration):

1. Indicated nuclear power (four signals)
2. Indicated axial flux imbalance (), derived from upper half flux minus lower half flux (four signals)

Alarm functions derived are as follows:


1. Deviation (maximum minus minimum of four power range input signals) in indicated nuclear power
2. Upper radial tilt (maximum to average of four power range input signals) on upper-half detector currents
3. Lower radial tilt (maximum to average of four power range input signals) on lower-half detector currents

Provision is made to continuously record on strip charts on the control board the 8 ion chamber signals, i.e., upper and lower currents for each detector. Nuclear power and axial imbalance are selectable for recording as well. Indicators are provided on the control board for nuclear power and for axial flux imbalance.

The plant computer monitors the excore detectors and actuates an alarm when the calculated Axial Flux Difference (AFD) exceeds the specified limits. The indicated AFD will be monitored and logged in accordance with the Technical Specifications when the AFD alarm is inoperable.

Additional background information on the Nuclear Instrumentation System can be found in WCAP-8255.

7.7.1.3.2 Rod Position Monitoring of Full Length Rods

Two separate systems are provided to sense and display control rod position as described below:

1. Digital Rod Position Indication System - The digital rod position indication system measures the actual position of each full length rod using a detector which consists of discrete coils mounted concentrically with the rod drive pressure housing. The coils are located axially along the pressure housing and magnetically sense the entry and presence of the rod drive shaft through its centerline. For each detector, the coils are interlaced into two data channels, and are connected to the containment electronics (Data A and B) by separate multi-conductor cables. By employing two separate channels of information, the digital rod position indication system can continue to function when one channel fails. Multiplexing is then used to transmit the digital position signals from the containment electronics to the control board display unit.

The control board display unit contains a column of light emitting diodes (LEDs) for each rod. At any given time, the one LED illuminated in each column shows the position for that particular rod. Since shutdown rods are always fully withdrawn with the plant at power, their position is displayed every 6 steps with 4 step accuracy only in the region from rod bottom to 18 steps and from 210 steps to 228 steps. All intermediate positions of the rod are represented by a single transition LED. Each rod of the control banks has its position displayed every 6 steps with 4 step accuracy throughout its range of travel.

Included in the system is a rod at bottom signal for each rod that operates a rod bottom light. Also a control room annunciator is actuated when any shutdown rod or control bank rod is at bottom.

2. Demand Position System - The demand position system counts pulses generated in the rod drive control system to provide a digital readout of the demanded group position.

The demand position and digital rod position indication systems are separate systems, but safety criteria were not involved in the separation, which was a result only of operational requirements.

Operating procedures require the reactor operator to compare the demand and indicated (actual) readings from the rod position indication system so as to verify operation of the rod control system.

7.7.1.3.3 Control Bank Rod Insertion Monitoring

When the reactor is critical, the normal indication of reactivity status in the core is the position of the control bank in relation to reactor power (as indicated by the reactor coolant system loop ΔT) and coolant average temperature. These parameters are used to calculate insertion limits for the control banks. Two alarms are provided for each control bank.

1. The low alarm alerts the operator of an approach to the rod insertion limits requiring boron addition by following normal procedures with the chemical and volume control system.
2. The low-low alarm alerts the operator to take immediate action to add boron to the reactor coolant system by any one of several alternate methods.

The purpose of the control bank rod insertion monitor is to give warning to the operator of excessive rod insertion. The insertion limit maintains sufficient core reactivity shutdown margin following reactor trip and provides a limit on the maximum inserted rod worth in the unlikely event of a hypothetical rod ejection, and limits rod insertion such that acceptable nuclear peaking factors are maintained. Since the amount of shutdown reactivity required for the design shutdown margin following a reactor trip increases with increasing power, the allowable rod insertion limits must be decreased (the rods must be withdrawn further) with increasing power. Two parameters which are proportional to power are used as inputs to the insertion monitor. These are the ΔT between the hot leg and the cold leg, which is a direct function of reactor power, and Tavg, which is programmed as a function of power. The rod insertion monitor uses parameters for each control rod bank as follows:

ZLL = A(ΔT)auct + B(Tavg)auct + C (7.7-2)

where:

ZLL = Maximum permissible insertion limit for a control bank
(ΔT)auct = Highest ΔT of all loops
(Tavg)auct = Highest Tavg of all loops
A, B, C = Constants chosen to maintain ZLL ≥ actual limit based on physics calculations

The control rod bank demand position (Z) is compared to ZLL as follows:

If Z - ZLL ≤ D, a low alarm is actuated
If Z - ZLL ≤ E, a low-low alarm is actuated

Since the highest values of Tavg and ΔT are chosen by auctioneering, a conservatively high representation of power is used in the insertion limit calculation.

ZLL has an adjustable upper limit on insertion which is set to a value low enough to prevent nuisance alarms. When ZLL for a given control rod bank is limited, the low and low-low alarms will also be limited, possibly to a value below the insertion limit. However, ZLL is set high enough that the lead control bank and alarm will never be limited.

Actuation of the low alarm alerts the operator of an approach to a reduced shutdown reactivity situation. Administrative procedures require the operator to add boron through the chemical and volume control system. Actuation of the low-low alarm requires the operator to initiate boration procedures as required by Technical Specifications. The value for E is chosen such that the low-low alarm would normally (if not limited) be actuated before the insertion limit is reached.

The value for D is chosen to allow the operator to start boration procedures early, prior to reaching the E limit. Figure 7.7-2 shows a block diagram representation of the control rod bank insertion monitor. The monitor is shown in more detail on the functional diagrams shown on Figure 7.2-1, Sheet 9. In addition to the rod insertion monitor for the control banks, the plant computer, which monitors individual rod positions, provides an alarm that is associated with the rod deviation alarm discussed in Section 7.7.1.3.4. This warns the operator if any shutdown rod cluster control assembly leaves the fully withdrawn position.
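The insertion monitor calculation above, as an added worked example (not plant code from the FSAR): auctioneering of the loop ΔT and Tavg inputs, equation (7.7-2) with the adjustable upper limit clamp, and the low / low-low comparison against the bank demand position Z. The loop temperatures, the constants A, B, C, the upper limit and the D and E margins are constructed values.

```python
# Added illustration of the control bank rod insertion monitor, equation (7.7-2),
# and its low / low-low comparisons.  Not plant code.  Temperatures, the bank
# constants A, B, C, the upper limit and the D, E margins are constructed values.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class LoopTemps:
    """Hot and cold leg temperatures (degF) for one reactor coolant loop."""
    t_hot: float
    t_cold: float

    @property
    def delta_t(self) -> float:
        # Hot-leg minus cold-leg temperature rise, a direct function of power
        return self.t_hot - self.t_cold

    @property
    def t_avg(self) -> float:
        return (self.t_hot + self.t_cold) / 2.0


@dataclass(frozen=True)
class BankConstants:
    """Per-bank constants of (7.7-2) plus the alarm margins (all placeholders)."""
    a: float            # steps per degF of auctioneered delta T
    b: float            # steps per degF of auctioneered Tavg
    c: float            # offset, steps
    upper_limit: float  # adjustable upper limit on ZLL, steps (nuisance alarm guard)
    d: float            # low alarm margin, steps
    e: float            # low-low alarm margin, steps (E < D)


def auctioneer(loops: List[LoopTemps]) -> Tuple[float, float]:
    """Highest delta T and highest Tavg of all loops: a conservatively high
    representation of power."""
    return max(l.delta_t for l in loops), max(l.t_avg for l in loops)


def insertion_limit(loops: List[LoopTemps], k: BankConstants) -> Tuple[float, bool]:
    """ZLL = A(delta T)auct + B(Tavg)auct + C, clamped at the adjustable upper
    limit.  Returns (ZLL in steps withdrawn, True if the clamp was applied)."""
    dt_auct, tavg_auct = auctioneer(loops)
    zll = k.a * dt_auct + k.b * tavg_auct + k.c
    if zll > k.upper_limit:
        return k.upper_limit, True
    return zll, False


def evaluate_bank(z_demand: float, loops: List[LoopTemps], k: BankConstants) -> dict:
    """Compare the bank demand position Z with ZLL.  Z - ZLL <= D gives the low
    alarm, Z - ZLL <= E the low-low alarm (both alarms stand once E is reached)."""
    zll, limited = insertion_limit(loops, k)
    margin = z_demand - zll
    alarms = []
    if margin <= k.d:
        alarms.append("LOW")
    if margin <= k.e:
        alarms.append("LOW-LOW")
    return {"zll": zll, "margin": margin, "alarms": alarms, "limited": limited}


# Constructed full-power loop temperatures (four loops) and bank constants.
FULL_POWER_LOOPS = [
    LoopTemps(618.0, 558.0),
    LoopTemps(617.5, 557.5),
    LoopTemps(618.5, 558.0),
    LoopTemps(617.0, 558.0),
]
BANK_D = BankConstants(a=2.0, b=1.5, c=-820.0, upper_limit=200.0, d=20.0, e=10.0)

if __name__ == "__main__":
    # Demand positions walking down toward the limit: none, low, then low-low
    for z in (220.0, 200.0, 190.0):
        print(z, evaluate_bank(z, FULL_POWER_LOOPS, BANK_D))
```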

Rod insertion limits are established by:

1. Establishing the allowed rod reactivity insertion at full power consistent with the purposes given above
2. Establishing the differential reactivity worth of the control rods when moved in normal sequence
3. Establishing the change in reactivity with power level by relating power level to rod position
4. Linearizing the resultant limit curve; all key nuclear parameters in this procedure are measured as part of the initial and periodic physics testing program

Any unexpected change in the position of the control bank under automatic control, or a change in coolant temperature under manual control, provides a direct and immediate indication of a change in the reactivity status of the reactor. In addition, samples are taken periodically of coolant boron concentration. Variations in concentration during core life provide an additional check on the reactivity status of the reactor, including core depletion.

7.7.1.3.4 Rod Deviation Alarm

A rod deviation function is performed as part of the digital rod position indication system where an alarm is generated if a preset limit is exceeded as a result of a comparison of any control rod against the other rods in a bank. The deviation alarm of a shutdown rod is based on a preset insertion limit being exceeded.

The demanded and measured rod position signals are also monitored by the plant computer which provides a visual printout and an audible alarm whenever an individual rod position signal deviates from the other rods in the bank or from the demand position by a preset limit. The alarm can be set with appropriate allowance for instrument error and within sufficiently narrow limits to preclude exceeding core design hot channel factors.

Figure 7.7-3 is a block diagram of the rod deviation comparator and alarm system implemented by the plant computer. Additionally, the DRPI system contains rod deviation circuitry that detects and alarms the following conditions:

1. When any 2 rods within the same control bank are misaligned by a preset distance (12 steps), or
2. When any shutdown rod is below the full-out position by a preset distance (18 steps)

7.7.1.3.5 Rod Bottom Alarm

A rod bottom signal for the full length rods in the digital rod position system is used to operate control relays, which generate the rod bottom alarms.
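The rod deviation checks of Section 7.7.1.3.4 (the DRPI control bank and shutdown rod conditions, and the plant computer comparison against demand) together with the rod bottom indication of Section 7.7.1.3.5, as an added worked example that is not plant code. The 12-step and 18-step distances are those given above; the full-out position, the demand-deviation limit, the rod bottom position and the rod positions themselves are constructed placeholders.

```python
# Added illustration of the rod deviation and rod bottom alarm logic described
# above (DRPI deviation circuitry, plant computer comparator, rod bottom signal).
# Not plant code.  The 12-step and 18-step distances are from the text; the
# full-out position, the demand-deviation limit, the rod bottom position and the
# rod positions are constructed placeholders.
from itertools import combinations
from typing import Dict, List, Tuple

CONTROL_MISALIGN_STEPS = 12         # any two rods of a control bank (DRPI)
SHUTDOWN_BELOW_FULL_OUT_STEPS = 18  # shutdown rod below full-out (DRPI)
FULL_OUT_STEPS = 228                # assumed full-out position (placeholder)
DEMAND_DEVIATION_STEPS = 12         # assumed plant-computer limit vs demand (placeholder)
ROD_BOTTOM_STEPS = 0                # assumed rod bottom indication (placeholder)

Positions = Dict[str, int]  # rod id -> indicated position, steps withdrawn


def control_bank_misalignments(bank: Positions,
                               limit: int = CONTROL_MISALIGN_STEPS) -> List[Tuple[str, str, int]]:
    """Every pair of rods in the bank whose indicated positions differ by more than limit."""
    found = []
    for (r1, p1), (r2, p2) in combinations(sorted(bank.items()), 2):
        if abs(p1 - p2) > limit:
            found.append((r1, r2, abs(p1 - p2)))
    return found


def demand_deviations(bank: Positions, demand: int,
                      limit: int = DEMAND_DEVIATION_STEPS) -> List[Tuple[str, int]]:
    """Rods whose indicated position deviates from the bank demand by more than limit."""
    return [(rod, pos - demand) for rod, pos in sorted(bank.items())
            if abs(pos - demand) > limit]


def shutdown_rod_deviations(bank: Positions, full_out: int = FULL_OUT_STEPS,
                            limit: int = SHUTDOWN_BELOW_FULL_OUT_STEPS) -> List[Tuple[str, int]]:
    """Shutdown rods more than limit steps below the full-out position."""
    return [(rod, full_out - pos) for rod, pos in sorted(bank.items())
            if full_out - pos > limit]


def rod_bottom(bank: Positions, bottom: int = ROD_BOTTOM_STEPS) -> List[str]:
    """Rods whose indication is at the bottom position."""
    return [rod for rod, pos in sorted(bank.items()) if pos <= bottom]


def evaluate_alarms(control_banks: Dict[str, Positions], demands: Dict[str, int],
                    shutdown_banks: Dict[str, Positions]) -> List[str]:
    """Annunciator messages for one scan of all banks."""
    alarms = []
    for name, bank in control_banks.items():
        for r1, r2, diff in control_bank_misalignments(bank):
            alarms.append(f"ROD DEVIATION {name}: {r1}/{r2} differ by {diff} steps")
        for rod, dev in demand_deviations(bank, demands[name]):
            alarms.append(f"ROD DEVIATION {name}: {rod} is {dev:+d} steps from demand")
        for rod in rod_bottom(bank):
            alarms.append(f"ROD BOTTOM {name}: {rod}")
    for name, bank in shutdown_banks.items():
        for rod, below in shutdown_rod_deviations(bank):
            alarms.append(f"SHUTDOWN ROD DEVIATION {name}: {rod} is {below} steps below full out")
        for rod in rod_bottom(bank):
            alarms.append(f"ROD BOTTOM {name}: {rod}")
    return alarms


# Constructed sample positions: one control bank with a lagging rod and one
# shutdown bank with a rod that has drifted below full out.
CONTROL_BANKS = {"CBD": {"H08": 180, "D04": 180, "L12": 166, "D12": 181}}
DEMANDS = {"CBD": 180}
SHUTDOWN_BANKS = {"SBA": {"B02": 228, "B10": 208, "F02": 228}}

if __name__ == "__main__":
    for line in evaluate_alarms(CONTROL_BANKS, DEMANDS, SHUTDOWN_BANKS):
        print(line)
```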

7.7.1.4 Plant Control System Interlocks

The listing of the plant control system interlocks, along with the description of their derivations and functions, is presented in Table 7.7-1. It is noted that the designation numbers for these interlocks are preceded by C. The development of these logic functions is shown in the functional diagrams (Figure 7.2-1, Sheets 4, 5, 7, 9, 10 and 16).

7.7.1.4.1 Rod Stops

Rod stops are provided to prevent abnormal power conditions which could result from excessive control rod withdrawal initiated by operator violation of administrative procedures.

Rod stops are the C1, C2, C3, and C4 control interlocks identified in Table 7.7-1. The C3 rod stop, derived from overtemperature ΔT, and the C4 rod stop, derived from overpower ΔT, are also used for turbine runback, which is discussed below.

7.7.1.4.2 Automatic Turbine Load Runback

Automatic turbine load runback is initiated by an approach to an overpower or overtemperature condition. This will prevent high power operation that might lead to an undesirable condition, which, if reached, will be protected by reactor trip.

Turbine load reference reduction is initiated by either an overtemperature or overpower ΔT signal. Two out of four coincidence logic is used.

A rod stop and turbine runback are initiated, for both the overtemperature and the overpower condition, when

ΔT > ΔT rod stop (7.7-3)

For either condition, in general,

ΔT rod stop = ΔT setpoint - BP (7.7-4)

where:

BP = a setpoint bias

and ΔT setpoint refers to the overtemperature ΔT reactor trip value and the overpower ΔT reactor trip value for the two conditions. The turbine runback is continued until ΔT is equal to or less than ΔT rod stop. This function maintains an essentially constant margin to trip.
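The rod stop and runback logic of equations (7.7-3) and (7.7-4), as an added worked example that is not plant code: the rod-stop value is the trip setpoint less the bias BP, a two-out-of-four coincidence of the four ΔT channels initiates the stop and runback, and the runback clears once ΔT is back at or below the rod-stop value on enough channels. Trip setpoints, biases and channel values are constructed.

```python
# Added illustration of the overtemperature / overpower delta T rod stop and
# turbine runback with two-out-of-four coincidence, equations (7.7-3) and
# (7.7-4).  Not plant code; setpoints, biases and channel values are constructed.
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class RodStopSetting:
    """delta T reactor trip setpoint and the bias BP of (7.7-4), in degF."""
    name: str
    delta_t_setpoint: float
    bp: float

    @property
    def delta_t_rod_stop(self) -> float:
        # (7.7-4): delta T rod stop = delta T setpoint - BP
        return self.delta_t_setpoint - self.bp


def channels_above(channels: Sequence[float], threshold: float) -> int:
    """Number of channels whose delta T exceeds the threshold, per (7.7-3)."""
    return sum(1 for dt in channels if dt > threshold)


def two_of_four(channels: Sequence[float], threshold: float) -> bool:
    """Coincidence: at least two of the four protection channels above threshold.
    A single spurious (failed-high) channel cannot initiate the action on its own."""
    if len(channels) != 4:
        raise ValueError("two-out-of-four logic expects exactly four channels")
    return channels_above(channels, threshold) >= 2


def rod_stop_causes(ot_channels: Sequence[float], op_channels: Sequence[float],
                    ot: "RodStopSetting", op: "RodStopSetting") -> List[str]:
    """Names of the conditions demanding a rod stop and turbine runback.
    Either condition is sufficient; an empty list means no demand."""
    causes = []
    if two_of_four(ot_channels, ot.delta_t_rod_stop):
        causes.append(ot.name)
    if two_of_four(op_channels, op.delta_t_rod_stop):
        causes.append(op.name)
    return causes


def runback_profile(samples: Sequence[Sequence[float]], setting: "RodStopSetting") -> List[bool]:
    """Runback state over successive four-channel samples of one condition: the
    runback holds while the coincidence persists and clears once delta T is back
    at or below the rod-stop value, so the margin to trip stays about BP degF."""
    return [two_of_four(s, setting.delta_t_rod_stop) for s in samples]


# Constructed settings (degF): rod stop acts BP below the trip value
OT_DT = RodStopSetting("overtemperature delta T", delta_t_setpoint=70.0, bp=8.0)
OP_DT = RodStopSetting("overpower delta T", delta_t_setpoint=72.0, bp=6.0)

if __name__ == "__main__":
    print(rod_stop_causes([63.0, 64.0, 57.0, 58.0], [60.0, 61.0, 59.0, 60.0], OT_DT, OP_DT))
    print(runback_profile([[63.0, 64.0, 57.0, 58.0],
                           [63.0, 63.0, 57.0, 58.0],
                           [62.0, 62.0, 57.0, 58.0]], OT_DT))
```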

7.7.1.4.3 Turbine Loading Stop

An interlock (C-16) is provided to limit turbine loading during a rapid return to power transient when a reduction in reactor coolant temperature is used to increase reactor power (through the negative moderator coefficient). This interlock limits the drop in coolant temperature within cooldown accident limits and preserves satisfactory steam generator operating conditions.

Subsequent manual turbine loading can begin after the interlock has been cleared by an increase in coolant temperature which is accomplished by reducing the boron concentration in the coolant.

7.7.1.5 Pressurizer Pressure Control

The reactor coolant system pressure is controlled by using either the heaters (in the water region) or the spray (in the steam region) of the pressurizer. The electrical immersion heaters are located near the bottom of the pressurizer. A portion of the heater group is proportionally controlled to correct small pressure variations. These variations are due to heat losses, including those due to a small continuous spray. The remaining (backup) heaters are turned on when the pressurizer pressure control signal demands approximately 100 percent proportional heater power.

The spray nozzles are located on the top of the pressurizer. Spray is initiated when the pressure controller spray demand signal is above a given setpoint. The spray rate increases proportionally with increasing spray demand signal until it reaches a maximum value.

Steam condensed by the spray reduces the pressurizer pressure. A small continuous spray is normally maintained to reduce thermal stresses and thermal shock and to help maintain uniform water chemistry and temperature in the pressurizer.

Spray flow may be increased by energizing one or more backup heaters. This may be done to improve chemical mixing between the RCS loop and the pressurizer or it may be done to force additional outflow from the pressurizer through the surge line to reduce the risk of thermal shock to the surge line nozzle during unexpected transients. Energizing the backup heaters can shift pressure control from the proportionally controlled heaters to the spray.

Note that power-operated relief valves limit system pressure for large positive pressure transients.

In the event of a large load reduction, not exceeding the design plant load rejection capability, the pressurizer power operated relief valves might be actuated for the most adverse conditions, e.g., the most negative Doppler coefficient and the maximum incremental rod worth. The relief capacity of the power operated relief valves is sized large enough to limit the system pressure to prevent actuation of high pressure reactor trip for the above condition. Power-operated relief valves are actuated by safety related circuitry and are, therefore, not part of the nonsafety related pressurizer pressure control system.

A block diagram of the pressurizer pressure control system is shown on Figure 7.7-4.

7.7.1.6 Pressurizer Water Level Control

The pressurizer operates by maintaining a steam cushion over the reactor coolant. As the density of the reactor coolant adjusts to the various temperatures, the steam water interface moves to absorb the variations with relatively small pressure disturbances.

The water inventory in the reactor coolant system is maintained by the chemical and volume control system. During normal plant operation, the charging flow varies to produce the flow demanded by the pressurizer water level controller. The pressurizer water level is programmed as a function of coolant average temperature, with the highest average temperature (auctioneered) being used. The pressurizer water level decreases as the load is reduced from full load. This is a result of coolant contraction following programmed coolant temperature reduction from full power to low power. The programmed level is designed to match the level changes resulting from the coolant temperature changes as nearly as possible.

To control pressurizer water level during startup and shutdown operations, the charging flow is manually regulated from the main control room. The letdown line isolation valves are closed on low pressurizer level.

A block diagram of the pressurizer water level control system is shown on Figure 7.7-5.

7.7.1.7 Steam Generator Water Level Control

Each steam generator is equipped with a three-element feedwater flow controller which maintains a programmed water level which is a function of turbine load. The three-element feedwater controller regulates the feedwater valve by continuously comparing the feedwater flow signal, the water level signal, the programmed level and the pressure compensated steam flow signal. The feedwater pump speed is varied to maintain a programmed pressure differential between the steam header and the feed pump discharge header. The speed controller continuously compares the actual ΔP with a programmed ΔP ref which is a linear function of steam flow. Continued delivery of feedwater to the steam generators is required as a sink for the heat stored and generated in the reactor following a reactor trip and turbine trip. A feedwater isolation signal closes all feedwater valves when the average coolant temperature is below a given temperature and the reactor has tripped. Manual override of the feedwater control system is available at all times.

When the nuclear plant is operating at very low power levels (as during startup), the steam and feedwater flow signals will not be usable for control. Therefore, a secondary automatic control system is provided for operation at low power. This system uses the steam generator water level and nuclear power signals in a feed forward control scheme to position a bypass valve which is in parallel with the main feedwater regulating valve. Switchover from the bypass feedwater control system (low power) to the main feedwater control system is initiated by the operator at approximately 25 percent power.

Block diagrams of the steam generator water level control system and the main feedwater pump speed control system are shown on Figures 7.7-6 and 7.7-7.

7.7.1.8 Steam Dump Control

The steam dump system, in conjunction with the rod control system, is designed to accept a 50 percent loss of net load without tripping the reactor (Section 10.4.4).

The automatic steam dump system is able to accommodate this abnormal load rejection and to reduce the effects of the transient imposed upon the reactor coolant system. By bypassing main steam directly to the condenser and/or the atmosphere, an artificial load is thereby maintained on the primary system. The rod control system can then reduce the reactor temperature to a new equilibrium value without causing overtemperature and/or overpressure conditions. The steam dump steam flow capacity is 28.2 to 35.1 percent of full load steam flow at full load steam pressure.

If the difference between the reference Tavg (Tref), which is based on turbine impulse chamber pressure, and the lead/lag compensated auctioneered Tavg exceeds a predetermined amount, and the interlock mentioned below is satisfied, a demand signal will actuate the steam dump to maintain the reactor coolant system temperature within the control range until a new equilibrium condition is reached.

To prevent actuation of steam dump on small load perturbations, an independent load rejection sensing circuit is provided. This circuit senses the rate of decrease in the turbine load as detected by the turbine impulse chamber pressure. It is provided to unblock the dump valves when the rate of load rejection exceeds a preset value corresponding to a 10 percent step load decrease or a sustained ramp load decrease of 5 percent/minute.

A block diagram of the steam dump control system is shown on Figure 7.7-8.

7.7.1.8.1 Load Rejection Steam Dump Controller

This circuit prevents a large increase in reactor coolant temperature following a large, sudden load decrease. The error signal is the difference between the lead/lag compensated auctioneered Tavg and the reference Tavg, which is based on turbine impulse chamber pressure.

The Tavg signal is the same as that used in the reactor coolant system. The lead/lag compensation for the Tavg signal is to compensate for lags in the plant thermal response and in valve positioning.

Following a sudden load decrease, Tref is immediately decreased and Tavg tends to increase, thus generating an immediate demand signal for steam dump. Since control rods are available, in this situation steam dump terminates as the error comes within the maneuvering capability of the control rods.

7.7.1.8.2 Plant Trip Steam Dump Controller

Following a reactor trip, the load rejection steam dump controller is defeated and the plant trip steam dump controller becomes active. Since control rods are not available in this situation, the demand signal is the error signal between the lead/lag compensated auctioneered Tavg and the load reference Tavg. When the error signal exceeds a predetermined setpoint, the dump valves are tripped open in a prescribed sequence. As the error signal reduces in magnitude, indicating that the reactor coolant system Tavg is being reduced toward the reference no-load value, the dump valves are modulated by the plant trip controller to regulate the rate of decay heat removal and thus gradually establish the equilibrium hot shutdown condition.

7.7.1.8.3 Steam Header Pressure Controller

Residual heat removal is maintained by the steam generator pressure controller (manually selected) which controls the amount of steam flow to the condensers. This controller operates a portion of the same steam dump valves to the condensers which are used during the initial transient following turbine and reactor trip on load rejection.

7.7.1.9 Incore Instrumentation

The incore instrumentation system consists of chromel-alumel thermocouples at fixed core outlet positions and movable miniature neutron detectors which can be positioned to scan selected fuel assemblies, anywhere along the length of the fuel assembly vertical axis. The basic system for insertion of these detectors is shown on Figure 7.7-9.

7.7.1.9.1 Thermocouples

Chromel-alumel Type K thermocouples are inserted into guide tubes that penetrate the reactor vessel head through seal assemblies, and terminate at the exit flow end of the fuel assemblies. The thermocouples are provided with two primary seals, a Grayloc coupling and a swage type seal from conduit to head. Thermocouple readings are monitored by the process computer and the inadequate core cooling monitoring system, which is described in Section 4.4.6.5.

7.7.1.9.2 Movable Neutron Flux Detector Drive System

Miniature fission chamber detectors can be remotely positioned in retractable guide thimbles to provide flux mapping of the core. The stainless steel detector shell is welded to the leading end of a helical wrap drive cable and to a stainless steel sheathed coaxial cable. The retractable thimbles, into which the miniature detectors are driven, are pushed into the reactor core through conduits which extend from the bottom of the reactor vessel down through the concrete shield area and then up to a thimble seal table. Their distribution over the core is nearly uniform with about the same number of thimbles located in each quadrant.

The thimbles are closed at the leading ends, are dry inside, and serve as the pressure barrier between the reactor water pressure and the atmosphere. Mechanical seals between the retractable thimbles and the conduits are provided at the seal table. During reactor operation, the retractable thimbles are stationary. They are extracted downward from the core during refueling to avoid interference within the core. A space above the seal table is provided for the retraction operation.

The drive system for the insertion of the miniature detectors consists basically of drive assemblies, six path transfer assemblies, and fifteen path transfer assemblies, as shown on Figure 7.7-9. The drive system pushes hollow helical wrap drive cables into the core with the miniature detectors attached to the leading ends of the cables and small diameter sheathed coaxial cables threaded through the hollow centers back to the ends of the drive cables. Each drive assembly consists of a motor which pushes a helical wrap drive cable and a detector through a selected thimble path by means of a special drive box, and includes a storage reel for the total drive cable length.

Each flux thimble is equipped with a passive magnetic ball check valve. These valves are installed in the non-QA position of the detector drive system between the fifteen path transfer assembly and the high pressure seal. These valves are free to open to allow passage of the incore fission chambers during a flux map. However, in the event of a throughwall leak in the flux thimble, RCS pressure will hold the check valve closed, thereby isolating the leak without the need for a containment entry. Flux thimble plugs are also provided for isolating a thimble in the event that nondestructive examination of the thimbles during a refueling reveals excessive wear. The detector/drive cable will have to be retracted above the seal table prior to installing any plugs.

7.7.1.9.3 Control and Readout Description

The control and readout system provides means for inserting the miniature neutron detectors into the reactor core and withdrawing the detectors while providing information on neutron flux versus detector position. The control system consists of two sections: one is physically mounted with the drive units and the other is mounted in the control room. Limit switches in each transfer device provide feedback of path selection operation. Each gear box drives an encoder for position feedback. One six path operation selector is provided for each drive unit to insert the detector in one of six functional modes of operation. A fifteen path transfer assembly is the transfer device that will be used to route a detector into any one of up to fifteen selectable paths. Access to a common path is provided to permit cross calibration of the detectors.

The control room contains the necessary equipment for control, position indication, and flux recording for each detector. Additionally, drive motor controls, core path selection, and system status displays are provided.

A flux-mapping consists briefly of selecting flux thimbles in given fuel assemblies at various core quadrant locations. The detectors are driven to the top of the core and stopped automatically.

Flux level, as a function of detector position, is to be obtained during the slow withdrawal of the detectors through the core from top to a point below the bottom. In a similar manner other core locations can be selected and plotted. Each detector provides axial flux distribution data along the center of a fuel assembly. Data from detectors in various radial positions are then combined to obtain a flux map of the core.

The thimbles are distributed nearly uniformly over the core with approximately the same number of thimbles in each quadrant. The number and location of these thimbles have been chosen to permit measurement of local to average peaking factors to an accuracy of 5 percent (95 percent confidence). Measured nuclear peaking factors will be increased by 5 percent to allow for this accuracy. If the measured power peaking is larger than acceptable, reduced power capability will be indicated.

Operating plant experience has demonstrated the adequacy of the In-Core Instrumentation in meeting the design bases stated.

7.7.2 ANALYSIS

The plant control systems are designed to assure high reliability in any anticipated operational occurrences. Equipment used in these systems is designed and constructed with a high level of reliability.

Proper positioning of the control rods is monitored in the control room by bank arrangements of the individual position columns for each rod cluster control assembly. A rod deviation alarm alerts the operator of a deviation of one rod cluster control assembly from the other rods in that bank or from the bank demand position. There are also insertion limit monitors with visual and audible annunciation. A rod bottom alarm signal is provided to the control room for each full length rod cluster control assembly. Four excore long ion chambers also detect asymmetrical flux distribution indicative of rod misalignment.

Overall reactivity control is achieved by the combination of soluble boron and rod cluster control assemblies. Long term regulation of core reactivity is accomplished by adjusting the concentration of boric acid in the reactor coolant. Short term reactivity control for power changes is accomplished by the plant control system which automatically moves rod cluster control assemblies for load reductions, and manual operator action for load increases. This system uses input signals including neutron flux, coolant temperature, and turbine load.

The axial core power distribution is controlled by moving the control rods through changes in reactor coolant system boron concentration. Adding boron requires the rods to be moved out, thereby reducing the amount of power in the bottom of the core and allowing power to redistribute toward the top of the core. Reducing the boron concentration causes the rods to move into the core, thereby reducing the power in the top of the core, which redistributes power toward the bottom of the core.

The transient analysis performed for the plant control systems shows that they will prevent an undesirable condition in the operation of the plant that, if reached, will be protected by reactor trip (See Section 7.7.2.7). The description and analysis of the reactor trip protection is covered in Section 7.7.2.7. Worst case failure modes of the plant control systems are postulated in the analysis of off-design operational transients and accidents covered in Chapter 15, such as the following:

1. Uncontrolled rod cluster control assembly bank withdrawal from a subcritical or low power startup condition
2. Uncontrolled rod cluster control assembly bank withdrawal at power
3. Rod cluster control assembly misalignment
4. Loss of external electrical load and/or turbine trip
5. Loss of non-emergency AC power to the station auxiliaries
6. Excessive heat removal due to feedwater system malfunctions
7. Excessive load increase incident
8. Accidental depressurization of the reactor coolant system

These analyses will show that a reactor trip setpoint is reached in time to protect the health and safety of the public under those postulated incidents and that the resulting coolant temperatures produce a DNBR which is not less than the safety analysis limits (see Section 4.4). Thus, there will be no cladding damage and no release of fission products to the reactor coolant system under the assumption of these postulated worst case failure modes of the plant control system.

7.7.2.1 Separation of Protection and Control System

In some cases, it is advantageous to employ control signals derived from individual protection channels through isolation amplifiers contained in the protection channel. As such, a failure in the control circuitry does not adversely affect the protection channel. Test results have shown that a short circuit or the application (credible fault voltage from within the cabinets) of 118 VAC or 140 VDC on the isolated output portion of the circuit (non-protection side of the circuit) will not affect the input (protection) side of the circuit.

Where a single random failure can cause a control system action that results in a generating station condition requiring protective action and can also prevent proper action of a protection system channel designed to protect against the condition, the remaining redundant protection channels are capable of providing the protective action even when degraded by a second random failure. This meets the applicable requirements of Section 4.7 of IEEE Standard 279-1971.

The pressurizer pressure channels needed to derive the control signals are electrically isolated from control.

7.7.2.2 Response Considerations of Reactivity

Reactor shutdown with control rods is completely independent of the control functions since the trip breakers interrupt power to the full length rod drive mechanisms regardless of existing control signals. The design is such that the system can withstand accidental withdrawal of control groups or unplanned dilution of soluble boron without exceeding acceptable fuel design limits. The design meets the requirements of the 1971 General Design Criteria 25.

No single electrical or mechanical failure in the rod control system can cause the accidental withdrawal of a single rod cluster control assembly from the partially inserted bank at full power operation. The operator can deliberately withdraw a single rod cluster control assembly in the control bank; this feature is necessary in order to retrieve a rod should one be accidentally dropped. In the event of withdrawal of a single rod cluster control assembly by operator action, whether deliberate or by a combination of errors, rod deviation will be displayed on the plant annunciator, and the individual rod position readouts will indicate the relative positions of the rods in the bank.

Each bank of control and shutdown rods in the system is divided into two groups (groups 1 and 2) of 2 to 5 mechanisms each. The rods comprising a group operate in parallel through multiplexing thyristors. The two groups in a bank move sequentially such that the first group is always within one step of the second group in the bank. The group 1 and group 2 power circuits are installed in different cabinets as shown on Figure 7.7-14, which also shows that one group is always within one step (5/8 inch) of the other group. A definite schedule of actuation or deactuation of the stationary gripper, moveable gripper, and lift coils of a mechanism is required to withdraw the rod cluster control assembly attached to the mechanism, as shown in Figure 7.7-15. Since the four stationary gripper, moveable gripper, and lift coils associated with the rod cluster control assemblies of these rod groups are driven in parallel, any single failure which could cause rod withdrawal would affect a minimum of one group of rod cluster control assemblies. Mechanical failures are in the direction of insertion, or immobility.

Figure 7.7-15 is provided for a discussion of design features that assure that no single electrical failure could cause the accidental withdrawal of a single rod cluster control assembly from the partially inserted bank at full power operation.

Figure 7.7-15 shows the typical parallel connections on the lift, movable and stationary coils for a group of rods. Since single failures in the stationary or movable circuits will result in dropping or preventing rod (or rods) motion, the discussion of single failure will be addressed to the lift coil circuits.

(1) Due to the method of wiring the gate firing transformers which fire the lift coil multiplex thyristors, three of the four thyristors in a rod group could remain turned off when required to fire if, for example, the 120 VAC supply failed open at point X1. Upon up demand, one rod in group 1 and 4 rods in group 2 would withdraw. A second failure at point X2 in the group 2 circuit is required to withdraw one rod cluster control assembly.

(2) Timing circuit failures will affect the four mechanisms of a group or the eight mechanisms of the bank and will not cause a single rod withdrawal.

(3) More than two simultaneous component failures are required (other than the open wire failures) to allow withdrawal of a single rod.

The identified multiple failure involving the least number of components consists of open circuit failure of the proper two out of sixteen wires connected to the gate of the lift coil thyristors. The probability of open wire (or terminal) failure is 0.016 × 10^-6 per hour by MIL-HDBK-217A. These wire failures would have to be accompanied by failure, or disregard, of the indications mentioned above. The probability of this occurrence is, therefore, too low to have any significance.

Concerning the human element, to erroneously withdraw a single rod cluster control assembly, the operator would have to improperly set the bank selector switch, the lift coil disconnect switches, and the in-hold-out switch. In addition, the three indications would have to be disregarded or ineffective. Such a series of errors would require a complete lack of understanding and administrative control. A probability number cannot be assigned to a series of errors such as these.

The rod position indication system provides direct visual displays of each control rod assembly position. The plant computer alarms for deviation of rods from their banks. In addition, a rod insertion limit monitor provides an audible and visual alarm to warn the operator of an approach to an abnormal condition due to dilution. The low-low insertion limit alarm alerts the operator to follow borating procedures as required by Technical Specifications. The facility reactivity control systems are such that acceptable fuel damage limits will not be exceeded even in the event of a single malfunction of either system.

An important feature of the control rod system is that insertion is provided by gravity fall of the rods.

In all analyses involving reactor trip, the single, highest worth rod cluster control assembly is postulated to remain untripped in its full out position.

One means of detecting a stuck control rod assembly is available from the actual rod position information displayed on the control board. The control board position readouts, one for each full length rod, give the plant operator the actual position of the rod in steps. The indications are grouped by banks (e.g., Control Bank A, Control Bank B, etc.) to indicate to the operator the deviation of one rod with respect to other rods in a bank. This serves as a means to identify rod deviation.

The plant computer monitors the actual position of all rods with an accuracy of +/-4 steps. Should a rod be misaligned from the other rods in that bank by more than 12 steps, the rod deviation alarm is actuated. Due to rod position measurement uncertainties, the actual rod misalignment may be as large as 20 steps (12.5 inches) at the alarm setpoint.

Misaligned rod cluster control assemblies are also detected and alarmed in the control room by the power range deviation circuits which are independent of the plant computer.

Isolated signals derived from the nuclear instrumentation system are compared with one another to determine if a preset amount of deviation of average power level has occurred. Should such a deviation occur, the comparator output will operate a bistable unit to actuate a control board annunciator. This alarm will alert the operator to a power imbalance caused by a misaligned rod.

By use of individual rod position readouts, the operator can determine the deviating control rod and take corrective action. The design of the plant control systems meets the requirements of the 1971 General Design Criteria 23. Refer to Section 4.3 for additional information on response considerations due to reactivity.
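The deviation comparison described above, as an added example that is not part of the FSAR: each rod's indicated position is compared against the median of the other rods in its bank (the comparison basis is an assumption; the text says only "misaligned from the other rods in that bank"), alarmed above 12 steps, and the +/-4 step indication uncertainty is stacked to show how a 12-step indicated deviation can be a 20-step (12.5 inch) true misalignment. The bank positions are constructed sample values.

```python
"""Rod deviation monitoring as described in Section 7.7.2.2 (constructed example).
Comparison basis (each rod against the median of the other rods in its bank) is
an assumption; the FSAR says only 'misaligned from the other rods in that bank'."""
from statistics import median
from typing import Dict, List

DEVIATION_ALARM_STEPS = 12      # rod deviation alarm setpoint (steps)
POSITION_UNCERTAINTY_STEPS = 4  # plant computer position accuracy, +/-4 steps
INCHES_PER_STEP = 12.5 / 20     # the text equates 20 steps with 12.5 inches


def rod_deviations(bank: Dict[str, int]) -> Dict[str, float]:
    """Indicated deviation (steps) of each rod from the median of the other rods in its bank.
    Using the median keeps one badly misaligned rod from dragging the reference
    for the healthy rods, so only the deviating rod is flagged."""
    return {rod: abs(pos - median(p for r, p in bank.items() if r != rod))
            for rod, pos in bank.items()}


def deviating_rods(bank: Dict[str, int]) -> List[str]:
    """Rods whose indicated deviation exceeds the 12-step alarm setpoint."""
    return sorted(r for r, d in rod_deviations(bank).items() if d > DEVIATION_ALARM_STEPS)


def worst_case_misalignment_steps(indicated_steps: float) -> float:
    """Both the deviating rod's indication and the reference rods' indications carry
    the +/-4 step uncertainty, so the true misalignment may exceed the indicated
    value by 2 * 4 steps: 12 indicated steps may be 20 true steps."""
    return indicated_steps + 2 * POSITION_UNCERTAINTY_STEPS


def worst_case_misalignment_inches(indicated_steps: float) -> float:
    """Same bound expressed in inches of rod travel."""
    return worst_case_misalignment_steps(indicated_steps) * INCHES_PER_STEP


# Constructed sample banks (indicated positions in steps withdrawn).
CONTROL_BANK_D = {"D1": 200, "D2": 199, "D3": 201, "D4": 185, "D5": 200}  # D4 stuck low
CONTROL_BANK_A = {"A1": 228, "A2": 228, "A3": 226, "A4": 230}             # healthy bank
```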

7.7.2.3 Step Load Changes without Steam Dump

The plant control system restores equilibrium conditions, without a trip, following a minus 10 percent step change in load demand, over the 15 to 100 percent power range for automatic control. Steam dump is blocked for load decrease less than or equal to 10 percent. A load demand greater than full power is prohibited by the turbine control load limit devices.

The plant control system minimizes the reactor coolant average temperature deviation during the load decrease transient within a given value and restores average temperature to the programmed setpoint. Excessive pressurizer pressure variations are prevented by using spray and heaters.

Automatic rod withdrawal has been disabled, therefore manual operator action is required to respond to any increases in load.

7.7.2.4 Loading and Unloading

Ramp unloading of 5 percent per minute can be accepted over the 15 to 100 percent power range under automatic control without tripping the plant. Ramp loading is performed manually. Coolant average temperature is maintained as a function of turbine generator load.

The coolant average temperature increases during loading and causes a continuous insurge to the pressurizer as a result of coolant expansion. The sprays limit the resulting pressure increase.

Conversely, as the coolant average temperature is decreasing during unloading, there is a continuous outsurge from the pressurizer resulting from coolant contraction. The pressurizer heaters limit the resulting system pressure decrease. The pressurizer water level is programmed such that the water level is above the setpoint for heater cut out during the loading and unloading transients. The primary concern during loading is to limit the overshoot in nuclear power and to provide sufficient margin in the overtemperature ΔT setpoint.

During rapid loading transients, a drop in reactor coolant temperature could be used to increase core power. This mode of operation could be applied when the control rods are not inserted deep enough into the core to supply all the reactivity requirements of the rapid load increase (the boron control system is relatively ineffective for rapid power changes). The reduction in temperature would be initiated by continued turbine loading past the point where the control rods are completely withdrawn from the core. The temperature drop would be recovered and nominal conditions restored by a boron dilution operation.

Excessive drops in coolant temperature are prevented by interlock C-16. This interlock circuit monitors the auctioneered low coolant Tavg and the programmed reference temperature which is a function of turbine impulse pressure and causes a turbine loading stop when Tavg reaches the low Tavg or Tavg below Tref setpoints.

The core axial power distribution would be controlled during the reduced temperature return to power because the control rods will be in the manual mode. Normally, power distribution control is not required during a rapid power increase and the rods may proceed to the top of the core. The bite position is reestablished at the end of the transient by decreasing the coolant boron concentration.

7.7.2.5 Load Rejection Furnished by Steam Dump System

When a load rejection occurs, if the difference between the required temperature setpoint of the reactor coolant system and the actual average temperature exceeds a predetermined amount, a signal will actuate the steam dump to maintain the reactor coolant system temperature within control range until a new equilibrium condition is reached.

The reactor power is reduced at a rate consistent with the capability of the rod control system.

Reduction of the reactor power is automatic. The steam dump flow reduction is as fast as rod cluster control assemblies are capable of inserting negative reactivity.

The rod control system can then reduce the reactor temperature to a new equilibrium value without causing overtemperature and/or overpressure conditions. The steam dump steam flow capacity is 28.2 to 35.1 percent of full load steam flow at full load steam pressure.

The steam dump flow reduces proportionally as the control rods act to reduce the average coolant temperature. The artificial load is, therefore, removed as the coolant average temperature is restored to its programmed equilibrium value.

The dump valves are modulated by the reactor coolant average temperature signal. The required number of steam dump valves can be tripped quickly to stroke full open or modulate, depending upon the magnitude of the temperature error signal resulting from loss of load.

7.7.2.6 Turbine-Generator Trip With Reactor Trip

Whenever the turbine generator unit trips at an operating power level above 51 percent power, the reactor also trips. The unit is operated with a programmed average temperature as a function of load, with the full load average temperature significantly greater than the equivalent saturation pressure of the steam generator safety valve setpoint. The thermal capacity of the reactor coolant system is greater than that of the secondary system, and because the full load average temperature is greater than the no load temperature, a heat sink is required to remove heat stored in the reactor coolant to prevent actuation of steam generator safety valves for a trip from full power. This heat sink is provided by the combination of controlled release of steam to the condenser and by makeup of feedwater to the steam generators.

The steam dump system is controlled from the reactor coolant average temperature signal whose setpoint values are programmed as a function of turbine load. Actuation of the steam dump is rapid to prevent actuation of the steam generator safety valves. With the dump valves open, the average coolant temperature starts to reduce quickly to the no load setpoint. A direct feedback of temperature acts to proportionally close the valves to minimize the total amount of steam which is bypassed.

The feedwater flow is cut off following a reactor trip when the average coolant temperature decreases below a given temperature or when the steam generator water level reaches a given high level.

Additional feedwater makeup is then controlled manually to restore and maintain steam generator water level while assuring that the reactor coolant temperature is at the desired value. Residual heat removal is maintained by the steam header pressure controller (manually selected) which controls the amount of steam flow to the condensers. This controller operates a portion of the same steam dump valves to the condensers which are used during the initial transient following turbine and reactor trip.

The pressurizer pressure and level fall rapidly during the transient because of coolant contraction.

The pressurizer water level is programmed so that the level following the turbine and reactor trip is above the heaters. However, if the level at which the heaters become uncovered is approached following the trip, the heaters are cutout, letdown is isolated and the chemical and volume control system will provide additional charging flow to restore water level in the pressurizer. Heaters are then turned on to restore pressurizer pressure to normal.

The steam dump and feedwater control systems are designed to prevent the average coolant temperature from falling below the programmed no load temperature following the trip to ensure adequate reactivity shutdown margin.

7.7.2.7 Operational Transient Analysis

The operational transients were analyzed using the NSSS control system settings and setpoints to demonstrate that adequate margin exists to the relevant reactor trip and ESF actuation setpoints over the Tavg normal operating range of 581.5 °F to 589.5 °F.

The analyses were performed using the multi-loop version of the Westinghouse LOFTRAN computer code. This computer model simulates the overall thermal-hydraulic and nuclear response of the NSSS as well as various control and protection systems. This methodology has been reviewed and approved by the NRC (Reference 7.7-2).

The following inputs are applicable for the transients analyzed:

  • All applicable NSSS control systems were assumed to be functioning as designed and operating in the automatic mode of control. The automatic rod withdrawal feature is disabled. To address the Tavg coastdown maneuver, the limiting transients were analyzed with the rods in manual control.
  • The pressurizer pressure and steam dump control systems were credited in the analyses. The steam generator and pressurizer level control systems were not explicitly modeled and not specifically addressed in the analysis.

  • In accordance with Westinghouse methodology, two percent conservatism was applied to the initial power level in the analysis. The other plant parameters (RCS Tavg, pressurizer pressure, pressurizer level and steam generator mass at the nominal water level) were assumed to be at the nominal full power values.
  • Best estimate reactor kinetics parameters were modeled (rod worth, moderator temperature coefficient (MTC), Doppler power defect, etc.) for the normal operating transient conditions. Since beginning-of-cycle (BOC) core physics parameters have lower differential rod worth and a less negative MTC, modeling BOC core characteristics yields more conservative results that bound the full cycle of operation. To address the Tavg coastdown maneuver, the limiting transients were analyzed at end-of-cycle (EOC) fuel reactivity conditions.
  • The initial conditions for each of the transients were chosen to maximize the transient responses.
  • The analysis took into account two out of service steam dump valves.
  • The load rejection transient was modeled as a ramp load change at a maximum rate of 200 percent per minute.

The following operational transients were addressed:


  • 5 percent per minute unit loading and unloading
  • 10 percent step load increase
  • 10 percent step load decrease
  • 50 percent load rejection (i.e., 50 percent loss of net load at 200 percent per minute)

The results show the following:

  • The plant control system restores equilibrium conditions, without a trip, following a +/-10 percent step change in load demand over the 15-100 percent power range for automatic control.
  • Ramp loading and unloading of 5 percent per minute can be accepted over the 15 to 100 percent power range under automatic control without tripping the plant.
  • The results of the 50 percent load rejection transient analysis with the revised steam dump setpoints demonstrated that no reactor trip or engineered safety features were challenged.

The analysis was performed with two steam dump valves out of service. The control system response was smooth during the transient, with no excessive oscillatory responses.

7.7.3 REFERENCE FOR SECTION 7.7

7.7-1 WCAP-8255, 1974 (for background information only), Lipchak, J.B. and Stokes, R.A., Nuclear Instrumentation System.

7.7-2 WCAP-7907-A, April 1984, LOFTRAN Code Description.

7.7-3 NUREG-0737, Clarification of TMI Action Plan Requirements, Item II.K.3.10, Proposed Anticipatory Trip Modification, October 1980.

TABLE 7.7-1 PLANT CONTROL SYSTEM INTERLOCKS

Designation | Derivation | Function
C-1 | 1-out-of-2 Neutron flux (intermediate range) above setpoint | Blocks manual control rod withdrawal.
C-2 | 1-out-of-4 Neutron flux (power range) above setpoint | Blocks manual control rod withdrawal.
C-3 | 2-out-of-4 Overtemperature ΔT above setpoint | Blocks manual control rod withdrawal. Blocks turbine load reference increase and initiates a turbine runback.
C-4 | 2-out-of-4 Overpower ΔT above setpoint | Blocks manual control rod withdrawal. Blocks turbine load reference increase and initiates a turbine runback.
C-7 | 1-out-of-1 Time derivative (absolute value) of turbine impulse chamber pressure (decrease only) above setpoint | Makes steam dump valves available for either tripping or modulation.
P-4 | Reactor trip and bypass breakers open | Blocks steam dump control via the load rejection controller and makes the plant trip controller available for steam dump control. Makes steam dump valves available for either tripping or modulation.
C-9 | Any condenser pressure above setpoint or both circulating water pumps in a condenser section not running | Blocks steam dump to condenser.
C-11 | 1-out-of-1 Control Bank D position above setpoint | Alarms Control Bank D above limit.
C-16 | 1-out-of-1 Auctioneered low Tavg below setpoint or below Tref | Stops automatic turbine loading until condition clears.
C-20* | 2-out-of-2 Turbine impulse chamber pressure above setpoint | Arms AMSAC; below setpoint, blocks AMSAC (generated in AMSAC; see Section 7.8).

* Not part of control system (control grade)

FIGURE 7.7-1 SIMPLIFIED BLOCK DIAGRAM OF REACTOR CONTROL SYSTEM

FIGURE 7.7-2 CONTROL BANK ROD INSERTION MONITOR

FIGURE 7.7-3 ROD DEVIATION COMPARATOR

FIGURE 7.7-4 BLOCK DIAGRAM OF PRESSURIZER PRESSURE CONTROL SYSTEM

FIGURE 7.7-5 BLOCK DIAGRAM OF PRESSURIZER LEVEL CONTROL SYSTEM

FIGURE 7.7-6 BLOCK DIAGRAM OF STEAM GENERATOR WATER LEVEL CONTROL SYSTEM

FIGURE 7.7-7 BLOCK DIAGRAM OF MAIN FEEDWATER PUMP SPEED CONTROL SYSTEM

FIGURE 7.7-8 BLOCK DIAGRAM OF STEAM DUMP CONTROL SYSTEM

FIGURE 7.7-9 BASIC FLUX-MAPPING SYSTEM

FIGURE 7.7-10 NOT USED

FIGURE 7.7-11 NOT USED

FIGURE 7.7-12 NOT USED

FIGURE 7.7-13 NOT USED

FIGURE 7.7-14 SIMPLIFIED BLOCK DIAGRAM OF ROD CONTROL SYSTEM

FIGURE 7.7-15 CONTROL BANK B PARTIAL SIMPLIFIED SCHEMATIC DIAGRAM OF POWER CABINETS 1 BD AND 2 BD

7.8 ANTICIPATED TRANSIENTS WITHOUT SCRAM MITIGATION SYSTEM ACTUATION CIRCUITRY

7.8.1 DESCRIPTION

7.8.1.1 System Description

The Anticipated Transient Without Scram (ATWS) Mitigation System Actuation Circuitry (AMSAC) provides a backup to the Reactor Trip System (RTS) and Engineered Safety Features Actuation System (ESFAS) for initiating turbine trip and auxiliary feedwater flow in the event of an anticipated transient; e.g., in the complete loss of main feedwater. The AMSAC is independent of and diverse from the RTS and the ESFAS with the exception of the final actuation devices and is classified as control grade equipment. It is a highly reliable, microprocessor based, single-train system powered by a non-Class 1E source.

The AMSAC continuously monitors level in the steam generators (SG), which is an anticipatory indication of a loss of heat sink, and initiates certain functions when the level drops below a predetermined set point for at least a preselected time and for three of the four SG levels. These initiated functions are the tripping of the turbine, the initiation of auxiliary feedwater, and isolation of the SG blowdown and sample lines.

The AMSAC is designed to be highly reliable, resistant to inadvertent actuation, and easily maintained. Reliability is assured through the use of internal redundancy and continual self-testing by the system. Inadvertent actuations are minimized through the use of internal redundancy and majority voting at the output stage of the system. The time delay on low steam generator level and the coincidence logic used also minimize inadvertent actuations.

The AMSAC automatically performs its actuations when above a preselected power level, determined using turbine impulse chamber pressure, and remains armed sufficiently long after that pressure drops below the set point to ensure that its function will be performed in the event of a turbine trip.

7.8.1.2 Equipment Description

The AMSAC consists of a single train of equipment located in a seismically qualified cabinet.

The design of the AMSAC is based on the industry standard Intel multibus format, which permits the use of various readily available, widely used microprocessor cards on a common data bus for various functions.

The AMSAC consists of the following:

1. Steam Generator Level Sensing AMSAC utilizes the SG level signals as measured with four differential pressure type level transmitters, measuring the level of each of the main steam generators as shown in Figure 7.2-1, Sheet 7.
2. Turbine Impulse Pressure AMSAC also utilizes the turbine impulse pressure signal for measuring turbine power, as shown in Figure 7.2-1, Sheet 16. Turbine impulse pressure is measured at the high pressure turbine.
3. System Hardware The system hardware consists of two primary systems: the Actuation Logic System (ALS) and the Test/Maintenance System (T/MS).

Actuation Logic System

The ALS monitors the analog and digital inputs, performs the functional logic required, provides actuation outputs to trip the turbine and initiate auxiliary feedwater flow, and provides status information to the T/MS.

The ALS consists of three groups of input/output (I/O) modules, three actuation logic processors (ALPs), two majority voting modules, and two output relay panels. The I/O modules provide signal conditioning, isolation, and test features for interfacing the ALS and T/MS. Conditioned signals are sent to three identical ALPs for analog-to-digital conversion, set point comparison, and coincidence logic performance. Each of the ALPs performs identical logic calculations using the same inputs and derives component actuation demands which are then sent to the majority voting modules. The majority voting modules perform a two-out-of-three vote on the ALP demand signals. These modules drive the relays providing outputs to the existing turbine trip and auxiliary feedwater initiation circuits. A simplified block diagram of the AMSAC ALS architecture is presented in Figure 7.8-1.

Test/Maintenance System

The T/MS provides the AMSAC with automated and manual testing as well as a maintenance mode. Automated testing is the continuously performed self-checking done by the system during normal operation. ALS status is monitored by the T/MS and sent to the plant computer and the main control board.

Manual testing of the system by the Instrumentation and Controls (I&C) staff can be performed on line to provide assurance that the ALS system is fully operational.

The maintenance mode permits the I&C staff, under administrative control, to modify channel set points, channel status and timer values, and initiate channel calibration.

The T/MS consists of a test/maintenance processor, a digital-to-analog conversion board, a memory board, expansion boards, a self-health board, digital output modules, a test/maintenance panel, and a portable terminal/printer.

4. Equipment Actuation The output relay panels provide component actuation signals through isolation relays which then drive the final actuation circuitry as shown in Figure 7.2-1, Sheets 15 and 16, for initiation of auxiliary feedwater and for turbine trip.

7.8.1.3 Functional Performance Requirements

Analyses have shown that the two most limiting ATWS events are a loss of external electrical load and a loss of feedwater event, both without a reactor trip. AMSAC performs the mitigative actuations of automatically initiating auxiliary feedwater, tripping the turbine, and isolating SG blowdown and sampling lines. These are initiated in order to ensure a secondary heat sink following an anticipated transient (ANS Condition II) without a reactor trip, in order to limit core damage following an anticipated transient without a reactor trip, and to ensure that the energy generated in the core is compatible with the design limits to protect the reactor coolant pressure boundary by maintaining the reactor coolant pressure to within ASME Stress Level C.

7.8.1.4 AMSAC Interlocks

A single interlock, designated as C-20, is provided to allow for the automatic arming and blocking of the AMSAC (see Figure 7.2-1, Sheet 16). The system is blocked at sufficiently low reactor power levels when the actions taken by the AMSAC following an ATWS need not be automatically initiated. Turbine impulse chamber pressure in a two-out-of-two logic scheme is used for this permissive. Turbine impulse chamber pressure above the set point will automatically defeat any block; i.e., will arm the AMSAC. Dropping below this set point will automatically block the AMSAC. Removal of the C-20 permissive is automatically delayed for a predetermined time. The operating status of the AMSAC is displayed on the main control board.

7.8.1.5 Trip System

The SG level and turbine impulse chamber pressure inputs are used by AMSAC to determine trip demand. Signal conditioning is performed on the transmitter output and used by each of the ALPs to derive a component actuation demand. If three of the four steam generators have a low level at a power level greater than the C-20 permissive, then a trip demand signal is generated. This signal drives output relays for performing the necessary mitigative actions.

7.8.1.6 Isolation Devices

AMSAC is independent of the RTS and ESFAS. The AMSAC inputs for measuring turbine impulse chamber pressure and narrow-range SG water level are derived from transmitters and channels within the process protection system. Connections to these channels are made downstream of Class 1E isolation devices which are located within the process protection cabinets. These isolation devices ensure that the existing protection system continues to meet all applicable safety criteria by providing isolation. Buffering of the AMSAC outputs from the safety related final actuation device circuits is achieved through qualified relays. A credible fault occurring in the non safety related AMSAC will not propagate through and degrade the RTS and ESFAS.

7.8.1.7 AMSAC Diversity From the Reactor Protection Systems

Equipment diverse from the RTS and ESFAS (excluding sensors and isolation devices) is used in the AMSAC to prevent common mode failures that might affect the AMSAC and the RTS or ESFAS. The AMSAC is a digital, microprocessor based system with the exception of the analog SG level and turbine impulse pressure transmitter inputs. The RTS and ESFAS utilize analog and diverse digital-based protection system components. Where similar components are utilized for the same function in both AMSAC and the RTS and ESFAS, the components used in AMSAC are provided from a different manufacturer.

Common mode failure of identical components in the analog portion of the RTS that results in the inability to generate a reactor trip signal will not impact the ability of the digital AMSAC to generate the necessary mitigative actuations. Similarly, a postulated common mode failure affecting analog components in ESFAS, affecting its ability to initiate auxiliary feedwater, will not impact the ability of the digital based AMSAC to automatically initiate auxiliary feedwater.

7.8.1.8 Power Supply

The AMSAC power supply is a dedicated uninterruptible power supply (UPS) which is independent from the RTS power supplies and is backed by batteries which are independent from the existing batteries which supply the RTS.

7.8.1.9 Environmental Variations

AMSAC equipment is not designed as safety-related equipment; therefore, it is not required to be qualified as safety related equipment. The AMSAC equipment is located in a controlled environment such that variations in the ambient conditions are minimized. No AMSAC equipment is located inside containment. The SG level transmitters (located inside containment) and the turbine impulse chamber pressure transmitters (located inside the turbine building) supply the input into AMSAC and are qualified for the environment in which they are located.

7.8.1.10 Set Points

The AMSAC makes use of two set points in the coincidence logic in order to determine if mitigative functions are required. Water level in each SG is sensed to determine if a loss of secondary heat sink is imminent. The low level set point is selected in such a manner that a true lowering of the level will be detected by the system. The normal small variations in SG level will not result in a spurious AMSAC signal.

The C-20 permissive set point is selected in order to be consistent with ATWS investigations showing that the mitigative actions performed by the AMSAC need not be automatically actuated below a certain power level. The maximum allowable value of the C-20 permissive set point is defined by these investigations.

To avoid inadvertent AMSAC actuation on the loss of one main feedwater pump, AMSAC actuation is delayed by a defined amount of time. This will ensure the reactor protection system (RPS) will provide the first trip signal.

To ensure that the AMSAC remains armed sufficiently long to permit its function in the event of a turbine trip, the C-20 permissive is maintained for a preset time delay after the turbine impulse chamber pressure drops below the set point.

The set points and the capability for their modification in the AMSAC are under administrative control.

7.8.2 ANALYSIS

7.8.2.1 Safety Classification/Safety Related Interface

The AMSAC is not safety related and therefore need not meet the requirements of IEEE 279-1971. The AMSAC has been implemented such that the RTS and the ESFAS continue to meet all applicable safety-related criteria. The AMSAC is independent of the RTS and ESFAS.

The isolation provided between the RTS and the AMSAC and between the ESFAS and the AMSAC by the isolator modules and the isolation relays ensures that the applicable safety-related criteria are met for the RTS and the ESFAS.

7.8.2.2 Redundancy

System redundancy has not been provided. Since AMSAC is a backup nonsafety-related system to the redundant RTS, redundancy is not required. To ensure high system reliability, portions of the AMSAC have been implemented as internally redundant, such that a single failure of an input channel or ALP will neither actuate nor prevent actuation of the AMSAC.

7.8.2.3 Diversity From the Existing Trip System

Diverse equipment has been selected in order that common cause failures affecting both the RTS and the AMSAC or both the ESFAS and the AMSAC will not render these systems inoperable simultaneously. A more detailed discussion of the diversity between the RTS and the AMSAC and between the ESFAS and the AMSAC is presented in Section 7.8.1.

7.8.2.4 Electrical Independence

The AMSAC is electrically independent of the RTS and ESFAS from the process protection cabinet signal output (into AMSAC) up to the final actuation devices. Isolation devices are provided to isolate the nonsafety AMSAC circuitry from the safety related actuation circuits of the auxiliary feedwater system as discussed in Section 7.8.1.6.

7.8.2.5 Physical Separation From the RTS and ESFAS

AMSAC needs to be and is physically separated from the existing protection system hardware.

The AMSAC outputs are provided from separate relay panels within the cabinets. The two trains are separated within the AMSAC cabinet by a combination of metal barriers, conduit, and distance.

7.8.2.6 Environmental Qualification

Equipment related to the AMSAC is qualified to operate under conditions resulting from anticipated operational occurrences for the respective equipment location. The AMSAC equipment, with the exception of the isolation devices, is not designated as safety related equipment and therefore is not required to be qualified as safety related per the requirements of IEEE Standard 279-1971, IEEE Standard for Criteria for Protection Systems for Nuclear Power Generating Stations.

7.8.2.7 Seismic Qualification

It is required that only the isolation devices comply with seismic qualification. The AMSAC output isolation device is qualified in accordance with a program that was developed to implement the requirements of IEEE Standard 344-1975, IEEE Standard for Seismic Qualification of Class 1E Electrical Equipment for Nuclear Power Generating Stations.

7.8.2.8 Test, Maintenance, and Surveillance Quality Assurance

NRC Generic Letter 85-06, Quality Assurance Guidance for ATWS Equipment that is not Safety Related, requires quality assurance procedures commensurate with the non-safety related classification of the AMSAC. The quality controls for the AMSAC are, at a minimum, consistent with existing plant procedures or practices for non-safety related equipment.

Design of the AMSAC followed procedures relating to equipment procurement, document control, and specification of system components, materials, and services. In addition, specifications also define quality assurance practices for inspections, examinations, storage, shipping, and tests as appropriate to a specific item or service.

A computer software verification program and a firmware validation program have been implemented commensurate with the non-safety related classification of the AMSAC to ensure that the system design requirements implemented with the use of software have been properly implemented and to ensure compliance with the system functional, performance, and interface requirements.

System testing is completed prior to the installation and operation of the AMSAC as part of the normal factory acceptance testing and the validation program. Periodic testing is performed both automatically through use of the system automatic self-checking capability and manually under administrative control via the AMSAC test/maintenance panel.

7.8.2.9 Power Supply

Power to the AMSAC is from a battery backed, dedicated UPS independent of the power supplies for the RTS and ESFAS. The station battery supplying power to the AMSAC is independent of those used for the RTS and ESFAS. The AMSAC is an energize-to-actuate system capable of performing its mitigative functions with a loss of off-site power.

7.8.2.10 Testability at Power

The AMSAC is testable at power. This testing is done via the system test/maintenance panel. The capability of the AMSAC to perform its mitigative actuations is bypassed at a system level while in the test mode. Total system testing is performed as a set of three sequential, partial, overlapping tests. The first of the tests checks the analog input portions of the AMSAC in order to verify accuracy. Each of the analog input modules is checked separately. The second test checks each of the ALPs to verify that the appropriate coincidence logic is sent to the majority voter. Each ALP is tested separately. The last test exercises the majority voter and the integrity of the associated output relays. The majority voter and associated output relays are tested by exercising all possible input combinations to the majority voter. The integrity of each of the output relays is checked by confirming continuity of the relay coils without operating the relays. The capability to individually operate the output relays, confirm integrity of the associated field wiring, and operate the corresponding isolation relays and final actuation devices at plant shutdown is provided.

7.8.2.11 Inadvertent Actuation

The AMSAC has been designed such that the frequency of inadvertent actuations is minimized.

This high reliability is ensured through use of three redundant ALPs and a majority voting module. A single failure in any of these modules will not result in a spurious AMSAC actuation.

In addition, a three-out-of-four low SG level coincidence logic and a time delay have been selected to further minimize the potential for inadvertent actuations.

7.8-7 Rev. 30

7.8.2.12 Bypass

7.8.2.12.1 Maintenance Bypasses

The AMSAC is blocked at the system level during maintenance, repair, calibration, or test. While the system is blocked, the bypass condition is continuously indicated in the main control room.

7.8.2.12.2 Operating Bypasses

The AMSAC has been designed to allow for operational bypasses with the inclusion of the C-20 permissive. Above the C-20 set point, the AMSAC is automatically unblocked (i.e., armed); below the set point, the system is automatically blocked. The operating status of the AMSAC is continuously indicated in the main control room via an annunciator window.

7.8.2.12.3 Indication of Bypasses

Whenever the mitigative capabilities of the AMSAC are bypassed or deliberately rendered inoperable, this condition is continuously indicated in the main control room. In addition to the operating bypass, any manual maintenance bypass is indicated via the AMSAC general warning sent to the main control room.

7.8.2.12.4 Means for Bypassing

A permanently installed system bypass selector switch is provided to bypass the system. This is a two-position selector switch with NORMAL and BYPASS positions. At no time is it necessary to use any temporary means, such as installing jumpers or pulling fuses, to bypass the system.

7.8.2.13 Completion of Mitigative Actions Once Initiated

The AMSAC mitigative actions go to completion as long as the coincidence logic is satisfied and the time delay requirements are met. If the flow in the feedwater lines is reinitiated before the timer expires and the SG water level increases to above the low-low set point, then the coincidence logic will no longer be satisfied and the actuation signal disappears. If the coincidence logic conditions are maintained for the duration of the time delay, then the mitigative actions go to completion. The auxiliary feedwater initiation signal is latched in at the component actuating devices and the turbine trip is latched in at the turbine electrohydraulic control system.

Deliberate operator action is then necessary to terminate auxiliary feedwater flow, clear the turbine trip signal using the main control board turbine trip reset switch, and proceed with the reopening of the turbine stop valves.
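The actuation behaviour described in Sections 7.8.2.10 through 7.8.2.13 (three ALPs feeding a two-out-of-three majority voter, the three-out-of-four low-low SG level coincidence with a time delay, the C-20 arming permissive, and latching of the mitigative actions) as an added Python model. This is not the plant's AMSAC software; the level setpoint, C-20 load threshold and delay length are constructed sample values, since the page gives none of them. The scenarios show why one stuck ALP cannot cause a spurious actuation, why a transient that clears before the timer expires produces no actuation, why nothing develops below C-20, and why a completed actuation stays latched after the level recovers until the operator resets it.

```python
"""Behavioural model of the AMSAC actuation logic of Sections 7.8.2.10 - 7.8.2.13.
Added example; not the plant's AMSAC software. Setpoints below are assumed."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, Optional, Sequence, Tuple

# Constructed sample setpoints; the actual plant values are not on the page.
LOW_LOW_LEVEL = 0.15       # SG level, fraction of span (assumed)
C20_ARMING_LOAD = 0.40     # turbine load fraction above which AMSAC is armed (assumed)
TIME_DELAY_S = 25.0        # seconds the coincidence must persist (assumed)


def sg_low_level_coincidence(levels: Sequence[float]) -> bool:
    """Three-out-of-four low-low SG level coincidence (7.8.2.11)."""
    if len(levels) != 4:
        raise ValueError("four SG level channels expected")
    return sum(level < LOW_LOW_LEVEL for level in levels) >= 3


def majority_vote(alp_outputs: Sequence[bool]) -> bool:
    """Two-out-of-three majority voter on the ALP outputs (7.8.2.11)."""
    if len(alp_outputs) != 3:
        raise ValueError("three ALP outputs expected")
    return sum(bool(x) for x in alp_outputs) >= 2


def voter_truth_table() -> Dict[Tuple[bool, bool, bool], bool]:
    """All eight voter input combinations, as the at-power test of 7.8.2.10 exercises."""
    return {bits: majority_vote(bits) for bits in product((False, True), repeat=3)}


@dataclass
class Amsac:
    armed: bool = False        # C-20 permissive state (7.8.2.12.2)
    timer_s: float = 0.0       # time the voted coincidence has been continuously present
    latched: bool = False      # AFW start / turbine trip latched at the actuating devices

    def step(self, turbine_load: float, sg_levels: Sequence[float], dt_s: float,
             alp_faults: Sequence[Optional[bool]] = (None, None, None)) -> bool:
        """Advance the model by dt_s seconds; return the latched actuation state.

        alp_faults models each ALP: None = healthy, True/False = output stuck at that value.
        """
        self.armed = turbine_load > C20_ARMING_LOAD
        if not self.armed:
            self.timer_s = 0.0            # blocked below C-20: no actuation can develop
            return self.latched
        healthy = sg_low_level_coincidence(sg_levels)
        alp_outputs = [healthy if fault is None else fault for fault in alp_faults]
        if majority_vote(alp_outputs):
            self.timer_s += dt_s
        else:
            self.timer_s = 0.0            # coincidence cleared before the delay expired (7.8.2.13)
        if self.timer_s >= TIME_DELAY_S:
            self.latched = True           # mitigative actions go to completion and latch
        return self.latched

    def operator_reset(self) -> None:
        """Deliberate operator action is needed to clear the latched actuation (7.8.2.13)."""
        self.latched = False
        self.timer_s = 0.0


def scenario_transient_clears() -> Tuple[bool, float]:
    """Feedwater restored 20 s into the delay: the signal disappears, nothing latches."""
    amsac = Amsac()
    amsac.step(0.9, [0.10, 0.10, 0.10, 0.10], 20.0)
    amsac.step(0.9, [0.50, 0.50, 0.50, 0.50], 1.0)
    return amsac.latched, amsac.timer_s


def scenario_sustained_loss_of_feedwater() -> bool:
    """Three of four channels low for longer than the delay: actuation latches and stays."""
    amsac = Amsac()
    for _ in range(30):
        amsac.step(0.9, [0.10, 0.10, 0.10, 0.50], 1.0)
    amsac.step(0.9, [0.50, 0.50, 0.50, 0.50], 1.0)   # levels recover afterwards
    return amsac.latched


def scenario_single_alp_failure() -> bool:
    """One ALP stuck demanding actuation with no real transient: the voter rejects it."""
    amsac = Amsac()
    for _ in range(30):
        amsac.step(0.9, [0.50, 0.50, 0.50, 0.50], 1.0, alp_faults=(True, None, None))
    return amsac.latched


def scenario_below_c20() -> bool:
    """Genuine low levels but turbine load below C-20: the system is blocked."""
    amsac = Amsac()
    for _ in range(30):
        amsac.step(0.2, [0.10, 0.10, 0.10, 0.10], 1.0)
    return amsac.latched


if __name__ == "__main__":
    print(scenario_transient_clears(), scenario_sustained_loss_of_feedwater(),
          scenario_single_alp_failure(), scenario_below_c20())
```

The voter truth table is the same exhaustive check the at-power test performs on the real majority voter; the model reads the coincidence once and fans it out to three ALP "outputs" so that a single fault can be injected without duplicating the coincidence logic.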

7.8.2.14 Manual Initiation

Manual initiation of the AMSAC is not provided. The capability to initiate the AMSAC mitigative functions manually (i.e., initiate auxiliary feedwater, trip the turbine, and isolate SG blowdown and sampling lines) exists at the main control board independent of AMSAC.


7.8.2.15 Information Readout

The AMSAC has been designed such that the operating and I&C staffs have accurate, complete, and timely information pertinent to the status of the AMSAC. A system level general warning alarm is indicated in the control room. Diagnostic capability exists from the test/maintenance panel to determine the cause of any unanticipated inoperability or deviation.

7.8.2.16 Compliance With Standards and Design Criteria

The AMSAC meets the applicable requirements of Part 50.62 of Title 10 of the Code of Federal Regulations and the quality assurance requirements of NRC Generic Letter 85-06. No other standards currently apply to the AMSAC.


FIGURE 7.8-1 ACTUATION LOGIC SYSTEM ARCHITECTURE (Rev. 30)
[Figure page; the drawing is not reproduced in text.]

MPS-3 FSAR FIGURE 7.1-1 SOLID STATE PROTECTION SYSTEM BLOCK DIAGRAM (July 1997, Rev. 20.3)
[Block diagram; not reproduced in text. Recoverable labels: train A and train B protection system logic cabinets, input relays, demux (train A / train B), control board monitoring, control board switches, bypass, nuclear instrumentation system, rod control system, safeguards actuation, train A / train B actuate, reactor trip breakers to rod drive mechanisms.]

FIGURE 7.1-2 REACTOR TRIP/ESF ACTUATION MECHANICAL LINKAGE (July 1997, Rev. 24)
[Schematic; not reproduced in text. Recoverable labels: manual reactor trip (main control board); mechanical link and barrier between the train A and train B switches; momentary RESET (A), TRIP (A), RESET (B), TRIP (B) contacts; reactor trip (A) and reactor trip (B) outputs to the shunt coil and undervoltage coil of reactor trip switchgear (A) and (B); undervoltage coil signals from the SSPS logic cabinets.]

FIGURE 7.2-2 SETPOINT REDUCTION FUNCTION FOR OVERPOWER AND OVERTEMPERATURE DELTA T TRIPS, f(Δφ) (Rev. 20.3)
[Plot of f(Δφ) versus Δφ; not reproduced in text. Legend:]

Δφ - neutron flux difference between upper and lower long ion chambers
A1, A2 - limits of the f(Δφ) deadband
B1, B2 - slope of ramp; determines the rate at which the function reaches its maximum value once the deadband is exceeded
C1, C2 - magnitude of the maximum values the function may attain
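The legend above fixes the shape of f(Δφ): zero inside the deadband between A1 and A2, a linear ramp of slope B1 or B2 once the deadband is exceeded, and saturation at C1 or C2. The following added Python example carries that function through and applies it to a trip setpoint. It is not the plant's protection-system code; the piecewise-linear form (A1 taken as the lower deadband limit with B1/C1 on that side, A2 as the upper limit with B2/C2) and the sample parameter values are assumptions, since the page gives only the legend.

```python
"""Setpoint reduction function f(delta_phi) reconstructed from the Figure 7.2-2 legend.
Added example; the piecewise-linear form and the sample parameters are assumptions."""
from typing import Dict


def setpoint_reduction(delta_phi: float, a1: float, a2: float,
                       b1: float, b2: float, c1: float, c2: float) -> float:
    """f(delta_phi): 0 inside the deadband [a1, a2]; outside it ramps with slope b1
    (below a1) or b2 (above a2) and is capped at c1 / c2 respectively."""
    if a1 > a2:
        raise ValueError("deadband limits must satisfy A1 <= A2")
    if delta_phi < a1:
        return min(c1, b1 * (a1 - delta_phi))     # low-side ramp, saturating at C1
    if delta_phi > a2:
        return min(c2, b2 * (delta_phi - a2))     # high-side ramp, saturating at C2
    return 0.0                                     # inside the deadband: no reduction


def reduced_trip_setpoint(nominal_setpoint: float, delta_phi: float,
                          params: Dict[str, float]) -> float:
    """Trip setpoint after subtracting f(delta_phi) (the reduction the figure title refers to)."""
    return nominal_setpoint - setpoint_reduction(delta_phi, **params)


# Constructed sample parameters (fractions of full power); not the plant's values.
SAMPLE_PARAMS = dict(a1=-0.10, a2=0.10, b1=2.0, b2=2.0, c1=0.20, c2=0.20)


if __name__ == "__main__":
    for dphi in (-0.30, -0.15, 0.0, 0.05, 0.15, 0.50):
        print(f"delta_phi={dphi:+.2f}  f={setpoint_reduction(dphi, **SAMPLE_PARAMS):.3f}"
              f"  reduced setpoint={reduced_trip_setpoint(1.0, dphi, SAMPLE_PARAMS):.3f}")
```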

FIGURE 7.3-1 FAILURE MODES AND EFFECTS ANALYSIS - QUENCH SPRAY SYSTEM (Page 1 of 1, Rev. 20.3)

FTSK IDENTIFIER | COMPONENT IDENTIFIER | COMPONENT AND FAILURE MODE | METHOD OF FAILURE DETECTION | EFFECT ON SYSTEM | OTHER REMARKS
27-12-X | Q0115DG3 | 1A-3QSSA01, contact 3 fails closed | Periodic test | MB or ASP trip circuit established |
27-12-X | Q0125DG6 | 1A-3QSSA01 in trip (operator error) | Periodic inspection | MB or ASP trip circuit established |
27-12-E | Q0135DG3 | ESCA trip block contact fails closed | Periodic test | ESCA trip block contact closed |
27-12-E | Q0145DG3 | ESCA-Vitro interface, no trip block signal | Periodic test | ESCA trip block contact closed |
27-12-D | Q0155DG3 | 3QSS*P3A ACB closing mechanism failure | Periodic test | Quench spray system train A failure | One of two redundant trains
27-12-D | Q0165DG1 | CKT 3QSSA01, no 4 kV operating power available | Annunciated in control room | Quench spray system train A failure | One of two redundant trains
27-12-D | Q0175DG3 | 52HL-3QSSA01, contact 6 fails open | Periodic test | Quench spray system train A failure | One of two redundant trains
27-12-D | Q0185DG1 | CKT 3QSSA01, 35 A (+) fuse fails open | Annunciated in control room | Quench spray system train A failure | One of two redundant trains
27-12-D | Q0195DG1 | CKT 3QSSA01, 35 A (-) fuse fails open | Annunciated in control room | Quench spray system train A failure | One of two redundant trains
27-12-D | Q0205DG1 | CKT 3QSSA01, control power short circuit | Annunciated in control room | Quench spray system train A failure | One of two redundant trains
27-12-D | Q0215DG1 | CKT 3QSSA01, 15 A (+) fuse fails open | Annunciated in control room | Quench spray system train A failure | One of two redundant trains
27-12-D | Q0225DG1 | CKT 3QSSA01, 15 A (-) fuse fails open | Annunciated in control room | Quench spray system train A failure | One of two redundant trains

FIGURE 7.3-2 FAULT TREE DIAGRAM QUENCH SPRAY SYSTEM (Rev. 20.3)
[Fault tree; not reproduced in text. Recoverable labels: 3QSS*P3A fails to start; breaker 3QSSA01 fails to close; train A contacts fail open / fail to energize; operator error; fault tree sheet keys FTSK-27-12-D, FTSK-27-12-E and FTSK-27-12-K.]

FIGURE 7.3-3 TYPICAL ESF TEST CIRCUITS (September 1997, Rev. 20.3)
[Block diagram; not reproduced in text. The figure divides the test scope into analog testing, logic testing, master relay testing and final device or actuator testing. Recoverable blocks along the actuation path: bistable input, logic circuit, master relay, slave relays, load sequencer, emergency generator, and the final devices (solenoid valves, motor starters, motor-operated valves, pump breaker, motor, actuators).]

FIGURE 7.3-4 ENGINEERED SAFEGUARDS TEST CABINET (September 1997, Rev. 20.3; CAD file 734.dgn)
[Schematic; not reproduced in text. Detail A shows a typical protection actuation circuit blocking scheme (contact closure for actuation); Detail B shows a typical protection actuation circuit blocking scheme (contact opening for actuation). Recoverable notes:]

1. Circuitry and hardware for redundant protection trains "A" and "B" test cabinets are duplicate except as noted. A - train "A" only; B - train "B" only.
2. In Details A and B the symbol N represents the suffix numbers of the device referenced (for example, K6N - SPS slave output relay, K601, K602, etc.; SN - STC test switch, S802, etc.; K8N - STC test relay, coil not shown, rear of panel, energized by turning SN; DSN - STC test light).
3. "Detail A" and "Detail B" type circuits are defined on the schematics. "Detail B" circuits will be substituted for "Detail A" circuits where required.

Legend: SPS - solid state protection system; STC - safeguards test cabinet; ASC - auxiliary safeguards cabinet; X - switchgear, MCC, auxiliary relay rack, etc.

FIGURE 7.6-1 LOGIC DIAGRAM FOR RHS ISOLATION VALVES (Rev. 21.3)
[Logic diagram; not reproduced in text. Recoverable inputs: RCS hot leg pressure (wide range transmitters PT-403 and PT-405, trains A and B); recirculation pump discharge valves 8837A/8837B and 8838A/8838B closed; high head supply valves 8804A/8804B closed; RWST suction valves 8812A/8812B closed; MCB control. Outputs: valve open permissive and alarm "valve open and RCS pressure high" above 440 psig; valves 8701A, 8702A, 8701B and 8702B interlocked.]

Note 1. Valves are also controlled from the auxiliary shutdown panel.
Note 2. Valve 8701A has no RCS low pressure interlock from the ASP, to provide one train of cooling for Appendix R.

NOTES TO FIGURE 7.6-1

There are two normally closed motor-operated series isolation valves in each of the two RHS pump suction lines from the RCS hot legs. The electrical interlock features provided for isolation valves (8701B and 8702B) are similar to those provided for isolation valves (8701A and 8702A).

Each valve is interlocked against opening unless the following conditions are met:

1. The RCS pressure, as measured by appropriate wide range pressure channels, is less than 412.5 psia. This assures the RHS system cannot be overpressurized by aligning it to the RCS when RCS pressure plus RHS pump head would exceed the RHS system design pressure.

It should be noted that when controlling valve 8701A from the ASP, the RCS low pressure interlock is not available. This design feature allows one train of RHR cooling when the control room is inaccessible.

2. The corresponding RHS pump/RWST suction isolation valve is closed. This assures positive isolation of the RWST and RHS/RWST suction piping before initiating a normal cooldown.
3. The corresponding recirculation line to the CHG/HHSI pumps isolation valve is closed. This assures the suction of the HHSI and/or CHG pumps cannot be overpressurized by normal cooldown flow via an open recirculation line isolation valve.
4. "Closed" indication is present from both of the recirculation pump discharge isolation valves. (Note: Redundancy is provided by the check valves at the recirculation pump discharge.)

Each valve is also alarmed when open and RCS pressure is greater than 440 psig. When the plant is in Mode 1, 2, or 3, the operator is required to close all three suction valves. This assures that both of the interlocked valves in the pump suction line will be closed during a plant startup prior to reaching operating conditions, should one valve have been inadvertently left open by operator omission. These valves may be shut at any time that plant conditions warrant closure of the valves. When the plant is in Mode 4, 5, or 6, and the RCS pressure increases to 750 psig, the operator is required to close the motor-operated valve closest to the RHS pump.

The wide range RCS pressure interlock on the first set of isolation valves is independent and diverse from that provided to the second set of isolation valves. This is specifically required to meet NRC criteria which are applicable to the RHS system design.
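The open-permissive interlock and the alarm described in the notes above, as an added Python example; it is not the plant's logic. It encodes the four conditions that must all be satisfied before a suction isolation valve may open, the Note 2 exception for valve 8701A when controlled from the ASP, the "valve open and RCS pressure high" alarm, and the operator closure requirements by plant mode. The page states the permissive in psia and the alarm and closure limits in psig; the conversion between them assumes a standard 14.7 psi atmosphere.

```python
"""RHS suction isolation valve open-permissive, alarm and closure logic from the
Notes to Figure 7.6-1. Added example; not the plant's logic. psia/psig conversion
assumes a 14.7 psi atmosphere."""
from dataclasses import dataclass
from typing import Tuple

RCS_OPEN_PERMISSIVE_PSIA = 412.5           # condition 1: RCS wide range pressure limit
OPEN_AND_HIGH_PRESSURE_ALARM_PSIG = 440.0  # alarm when open above this pressure
MODE_4_TO_6_CLOSURE_PSIG = 750.0           # Mode 4-6: close valve nearest the RHS pump
ATMOSPHERE_PSI = 14.7                      # assumed psia -> psig offset


def psig(psia: float) -> float:
    """Gauge pressure from absolute pressure (assumed standard atmosphere)."""
    return psia - ATMOSPHERE_PSI


@dataclass
class ValveInputs:
    valve_id: str                                 # "8701A", "8702A", "8701B" or "8702B"
    rcs_pressure_psia: float                      # wide range RCS pressure channel
    rwst_suction_valve_closed: bool               # condition 2
    recirc_line_valve_closed: bool                # condition 3 (CHG/HHSI recirculation line)
    recirc_pump_discharge_closed: Tuple[bool, bool]  # condition 4: both valves indicate closed
    controlled_from_asp: bool = False             # Note 2: control from the ASP


def open_permitted(i: ValveInputs) -> bool:
    """True only when every applicable interlock condition is met (fail-closed otherwise)."""
    conditions = [
        i.rwst_suction_valve_closed,
        i.recirc_line_valve_closed,
        len(i.recirc_pump_discharge_closed) == 2 and all(i.recirc_pump_discharge_closed),
    ]
    # Note 2: only 8701A operated from the ASP lacks the RCS low-pressure interlock.
    if not (i.controlled_from_asp and i.valve_id == "8701A"):
        conditions.append(i.rcs_pressure_psia < RCS_OPEN_PERMISSIVE_PSIA)
    return all(conditions)


def open_high_pressure_alarm(valve_open: bool, rcs_pressure_psia: float) -> bool:
    """Alarm: valve open while RCS pressure exceeds 440 psig."""
    return valve_open and psig(rcs_pressure_psia) > OPEN_AND_HIGH_PRESSURE_ALARM_PSIG


def required_operator_closure(mode: int, rcs_pressure_psia: float) -> str:
    """Which valves the operator is required to close in the given plant mode."""
    if mode in (1, 2, 3):
        return "all three suction valves"
    if mode in (4, 5, 6) and psig(rcs_pressure_psia) >= MODE_4_TO_6_CLOSURE_PSIG:
        return "motor-operated valve closest to the RHS pump"
    return "none"


if __name__ == "__main__":
    # Constructed inputs: normal cooldown alignment at 300 psia, all upstream valves closed.
    normal = ValveInputs("8701A", 300.0, True, True, (True, True))
    print("open permitted:", open_permitted(normal))
    print("alarm at 500 psia while open:", open_high_pressure_alarm(True, 500.0))
    print("Mode 5 at 800 psia:", required_operator_closure(5, 800.0))
```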


FIGURE 7.6-2 FUNCTIONAL BLOCK DIAGRAM OF ACCUMULATOR ISOLATION VALVES (Rev. 20.3)
[Block diagram; not reproduced in text. Recoverable elements: control board switch (maintain CLOSE, spring return from OPEN to AUTO); safety injection signal and SI unblock pressure signal (from RCPS) combined by an AND gate to produce automatic OPEN; CLOSE output to the accumulator isolation valve.]

* This interlock indicates the method of applying automatic opening of the valve whenever the RCS pressure exceeds a limit. This signal automatically occurs at RCS pressures above the SI unblock pressure used to derive P-11.

FIGURE 7.6-3 (SHEET 1 OF 2) AUTOMATIC RHS AND QSS PUMP SHUTOFF (Amendment 8, May 1984; Rev. 20.3)
[Logic diagram; not reproduced in text. Recoverable elements: refueling water storage tank level transmitters LT-930 through LT-933 (0-100%) with level switches LS-54 A/B/C/D (LO-LO) and LS-56 A/C/D (EMPTY); two-out-of-four LO-LO logic stopping RHS pumps 3RHS*P1A and 3RHS*P1B (see Sheet 2); alarm, status and computer indications.]

Legend: MB - main control board; ASP - auxiliary shutdown panel; PAM - post accident monitor; alarm window; status window; computer.

FIGURE 7.6-3 (SHEET 2 OF 2) AUTOMATIC RHS AND QSS PUMP SHUTOFF (Amendment 8, May 1998; Rev. 20.3)
[Logic diagram; not reproduced in text. Recoverable elements: residual heat removal pump START/AUTO/STOP control switch (spring return to AUTO, manual reset); pump trip signal from the RWST LO-LO level signal (one-out-of-two); START and STOP outputs to the residual heat removal pump.]

FIGURE 7.6-4 REACTOR COOLANT SYSTEM LOOP WITH LOOP STOP VALVES (Rev. 20.3)
[Loop sketch showing the reactor, steam generator and reactor coolant pump; not reproduced in text. Valve legend:]

1. TH loop stop valve
2. TC loop stop valve
3. Bypass valve
4. Relief line stop valve

FIGURE 7.7-1 SIMPLIFIED BLOCK DIAGRAM OF REACTOR CONTROL SYSTEM (September 1997, Rev. 20.3)
[Block diagram; not reproduced in text. Recoverable elements: THOT and TCOLD from each of the four loops feeding an average temperature unit per loop, TAVG = (TH + TC)/2; auctioneer unit selecting the highest TAVG, sent to the steam dump system and pressurizer level control; turbine load signal and nuclear power signal; lead-lag compensation unit, power mismatch compensation unit and temperature programmer; rod speed and direction control with manual rod control, rod drive redundant permissive circuit (rod interlock) and power trip signal; sequential rod control unit, reactor trip breakers 1 and 2, control rod drive actuator and control rod drive mechanism.]

Note 1. Temperatures are measured at the steam generator's inlet and outlet.

FIGURE 7.7-2 CONTROL BANK ROD INSERTION MONITOR (Rev. 20.3)
[Block diagram; not reproduced in text. Recoverable elements: auctioneered (ΔT) and auctioneered TAVG inputs, common for all four control banks; insertion limit Z_LL = A (ΔT)_AUCT + B (T_AVG)_AUCT + C; comparator against the demand bank signal (typical of one control bank); LOW ALARM and LOW-LOW ALARM outputs.]

Notes:
1. Analog circuitry is used for the comparator network.
2. Comparison is done for all control banks.

FIGURE 7.7-3 ROD DEVIATION COMPARATOR (Rev. 20.3)
[Block diagram; not reproduced in text. Recoverable elements: command bank signal (rod control) and the individual rod position readings of those rods classified as members of that bank feed a comparator whose output is the alarm.]

Notes:
1. Digital or analog signals may be used for the comparator computer inputs.
2. The comparator will energize the alarm if there exists a position difference greater than a preset limit between any individual rod and the demand bank signal.
3. Comparison is individually done for all control banks.

FIGURE 7.7-4 BLOCK DIAGRAM OF PRESSURIZER CONTROL SYSTEM (April 1998, Rev. 20.3)
[Block diagram; not reproduced in text. Recoverable elements: pressurizer pressure signal compared with reference pressure in a PID controller; remote manual positioning; spray controller (typical, separate controller for each spray valve) modulating the spray control valves; outputs to backup heater control and variable heater control.]

FIGURE 7.7-5 BLOCK DIAGRAM OF PRESSURIZER LEVEL CONTROL SYSTEM (Rev. 20.3)
[Block diagram; not reproduced in text. Recoverable elements: auctioneered TAVG into a level programmer; pressurizer level signal compared (+/-) with the programmed level in a PID controller; remote manual control; auto-manual control at the control room, the auxiliary shutdown panel and locally; outputs to backup heater control and charging flow control valve position.]

FIGURE 7.7-6 BLOCK DIAGRAM OF STEAM GENERATOR WATER LEVEL CONTROL SYSTEM (Rev. 20.3)
[Block diagram; not reproduced in text. Recoverable elements: turbine impulse stage pressure into a level programmer; steam generator water level signal; filtered steam flow and feedwater flow signals; PI controllers with remote manual positioning; power range neutron flux into a PI controller for the bypass valve; main feedwater control valve dynamics and feedwater bypass valve dynamics producing main feedwater control valve position and feedwater bypass valve position.]

FIGURE 7.7-7 BLOCK DIAGRAM OF MAIN FEEDWATER PUMP SPEED CONTROL SYSTEM (Millstone Nuclear Power Station Unit 3 Final Safety Analysis Report)
[Block diagram; not reproduced in text. Recoverable elements: no-load setpoint, remote manual inputs, PI controller, main feedwater pump speed.]

FIGURE 7.7-8 BLOCK DIAGRAM OF STEAM DUMP CONTROL SYSTEM (Rev. 20.3)
[Block diagram; not reproduced in text. Recoverable elements: auctioneered TAVG and TAVG reference (from turbine impulse stage pressure with rate/lag compensation, or no-load TAVG) through lead/lag compensation; P-4 reactor trip and load rejection bistables selecting load rejection control or plant trip control; load rejection controller and plant trip controller (PI); steam header pressure set and pressure controller for steam pressure control; steam dump control in manual (T AVG control or steam pressure control); outputs to trip open the steam dump valves and to modulate the condenser dump valves; air supply to the dump valves.]

Note: For the blocking/unblocking signal to the condenser steam dump valves see Figure 7.2-1, Sheet 10.

FIGURE 7.7-9 BASIC FLUX-MAPPING SYSTEM (Rev. 20.3)
[Schematic; not reproduced in text. Recoverable labels: safety switches, limit switches, path transfers, interconnecting tubing, drive units, flux thimbles.]

FIGURE 7.7-14 SIMPLIFIED BLOCK DIAGRAM ROD CONTROL SYSTEM (September 1997, Rev. 20.3)
[Block diagram; not reproduced in text. Recoverable elements: reactor control system feeding a pulser and master cycler; manual switch, bank selector, bank overlap and multiplex circuits; slave cyclers and power cabinets 1BD (bank D group 1) and 2BD (bank D group 2); lift coil disconnect switches; timing diagram of lifting, normal sequencing of groups within a bank (groups 1 and 2 offset by half a step).]

Note: Only cabinets 1BD and 2BD shown. Power cabinets 1AC, 2AC, and SCD are similar.

FIGURE 7.7-15 CONTROL BANK B PARTIAL SIMPLIFIED SCHEMATIC DIAGRAM OF POWER CABINETS 1 BD AND 2 BD (September 1997, Rev. 20.3)
[Schematic; not reproduced in text. Recoverable elements: control bank B group 1 in power cabinet 1 BD and group 2 in power cabinet 2 BD; multiplex thyristors; 120 VAC lift coil disconnect switches; stationary gripper coils, movable gripper coils and lift coils.]

FIGURE 7.8-1 ACTUATION LOGIC SYSTEM ARCHITECTURE (September 1989, Rev. 20.3)
[Block diagram; not reproduced in text. Recoverable elements: analog/digital inputs with digital and analog signal conditioning into three actuation logic processors, ALP #1, ALP #2 and ALP #3, each with A/D conversion, PROM/RAM, CPU, shared RAM and digital I/O; their outputs feed two 2-out-of-3 majority voters, voter A and voter B.]