3F0312-02, Response to Second Request for Additional Information to Support NRC Instrumentation and Controls Branch (Eicb) Technical Review of the CR-3 Extended Power Uprate LAR


ML12081A293
Site: Crystal River
Issue date: 03/19/2012
From: Franke J, Progress Energy Florida, Florida Power Corp
To: Document Control Desk, Office of Nuclear Reactor Regulation
References: 3F0312-02, TAC ME6527


Text

Progress Energy
Crystal River Nuclear Plant
Docket No. 50-302
Operating License No. DPR-72

March 19, 2012
3F0312-02

U.S. Nuclear Regulatory Commission
Attn: Document Control Desk
Washington, DC 20555-0001

Subject:

Crystal River Unit 3 - Response to Second Request for Additional Information to Support NRC Instrumentation and Controls Branch (EICB) Technical Review of the CR-3 Extended Power Uprate LAR (TAC No. ME6527)

References:

1. CR-3 to NRC letter dated June 15, 2011, "Crystal River Unit 3 - License Amendment Request #309, Revision 0, Extended Power Uprate" (Accession No. ML112070659)
2. NRC to CR-3 letter dated February 8, 2012, "Crystal River Unit 3 Nuclear Generating Plant - Request for Additional Information for Extended Power Uprate License Amendment Request (TAC No. ME6527)" (Accession No. ML12003A217)
3. CR-3 to NRC letter dated January 5, 2012, "Crystal River Unit 3 - Response to Request for Additional Information to Support NRC Instrumentation and Controls Branch Technical Review of the CR-3 Extended Power Uprate LAR (TAC No. ME6527)" (Accession No. ML12030A209)

Dear Sir:

By letter dated June 15, 2011, Florida Power Corporation, doing business as Progress Energy Florida, Inc., requested a license amendment to increase the rated thermal power level of Crystal River Unit 3 (CR-3) from 2609 megawatts (MWt) to 3014 MWt (Reference 1). On February 8, 2012, the NRC provided a second request for additional information (RAI) required to support the EICB technical review of the CR-3 Extended Power Uprate (EPU) License Amendment Request (LAR) (Reference 2).

Attachment A, "Response to Second Request for Additional Information to Support NRC Instrumentation and Controls Branch (EICB) Technical Review of the CR-3 EPU LAR," provides the formal response to the RAI needed to support the EICB technical review of the CR-3 EPU LAR.

Attachment B, "List of Regulatory Commitments," includes regulatory commitments to provide: an Inadequate Core Cooling Mitigation System failure mode and effects analysis, summary of the test results associated with electromagnetic and radio frequency interference emissions and susceptibility, and a reliability report by November 9, 2012; and an Inadequate Core Cooling Mitigation System testing summary report by February 28, 2013.

Enclosure 1, "Updated FCS and ICCMS Annunciator Drawing," to Attachment A provides a revised drawing that supersedes the annunciator drawing provided in a letter from CR-3 to the NRC dated January 5, 2012 (Reference 3). Enclosure 2, "Fast Cooldown System Failure Mode and Effects Analysis," to Attachment A is provided in support of the EICB technical review RAI response.

Progress Energy Florida, Inc.
Crystal River Nuclear Plant
15760 W. Powerline Street
Crystal River, FL 34428

If you have any questions regarding this submittal, please contact Mr. Dan Westcott, Superintendent, Licensing and Regulatory Programs at (352) 563-4796.

Sincerely,

Jon A. Franke
Vice President
Crystal River Nuclear Plant

JAF/gwe

Attachments:

A. Response to Second Request for Additional Information to Support NRC Instrumentation and Controls Branch (EICB) Technical Review of the CR-3 EPU LAR
B. List of Regulatory Commitments

Enclosures:

1. Updated FCS and ICCMS Annunciator Drawing
2. Fast Cooldown System Failure Mode and Effects Analysis

xc: NRR Project Manager
Regional Administrator, Region II
Senior Resident Inspector
State Contact

STATE OF FLORIDA
COUNTY OF CITRUS

Jon A. Franke states that he is the Vice President, Crystal River Nuclear Plant for Florida Power Corporation, doing business as Progress Energy Florida, Inc.; that he is authorized on the part of said company to sign and file with the Nuclear Regulatory Commission the information attached hereto; and that all such statements made and matters set forth therein are true and correct to the best of his knowledge, information, and belief.

Jon A. Franke
Vice President
Crystal River Nuclear Plant

The foregoing document was acknowledged before me this ____ day of ____, 2012, by Jon A. Franke.

Signature of Notary Public, State of Florida

CAROLYN E. PORTMANN
Commission # DD 937553
Expires March 1, 2014
(Print, type, or stamp Commissioned Name of Notary Public)

Personally Known -OR- Produced Identification

FLORIDA POWER CORPORATION
CRYSTAL RIVER UNIT 3
DOCKET NUMBER 50-302 / LICENSE NUMBER DPR-72

ATTACHMENT A

RESPONSE TO SECOND REQUEST FOR ADDITIONAL INFORMATION TO SUPPORT NRC INSTRUMENTATION AND CONTROLS BRANCH (EICB) TECHNICAL REVIEW OF THE CR-3 EPU LAR

By letter (Reference 1) dated June 15, 2011, Florida Power Corporation (FPC), doing business as Progress Energy Florida, Inc., requested a license amendment to increase the rated thermal power level of Crystal River Unit 3 (CR-3) from 2609 megawatts (MWt) to 3014 MWt. On February 8, 2012, the NRC provided a second request for additional information (RAI) required to support the EICB technical review of the CR-3 Extended Power Uprate (EPU) License Amendment Request (LAR).

EICB RAI Background

The CR-3 engineering change (EC) process requires the generation of separate supporting evaluations, to the extent warranted, based on various factors including the complexity of the EC and the impact to safety functions. For example: an EC that requires a new control system supplied as a complete integrated package and which actuates safety-related or important-to-safety equipment, typically requires vendor deliverables that include reports similar to that requested in the EICB RAI (e.g., failure mode and effects analysis (FMEA), factory acceptance testing (FAT) and associated summary report, and reliability report). Conversely, when adding features to an existing system or adding a relatively simple system modification, FPC addresses the noted considerations as part of the standard EC package.

The safety-related modification activities related to this RAI are the Inadequate Core Cooling Mitigation System (ICCMS), Fast Cooldown System (FCS), atmospheric dump valves (ADVs), and Emergency Feedwater (EFW) pump recirculation flow control. The ADV replacement and addition of the new FCS are addressed in a single EC package. The new ICCMS is addressed in a separate EC package and includes the output interfaces between the ICCMS and the reactor coolant pumps (RCPs), the Emergency Feedwater Initiation and Control (EFIC) System, and the new FCS. Additionally, the EFW pump recirculation flow control modification is addressed in a separate EC package.

ICCMS

The design specification for the ICCMS meets or exceeds the CR-3 current licensing basis (CLB) requirements of Institute of Electrical and Electronics Engineers (IEEE) 279-1968, "Proposed IEEE Criteria for Nuclear Power Plant Protection Systems," for CR-3 protection systems. The ICCMS design specification further addresses IEEE 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations."

For additional clarification, the ICCMS modification does not fundamentally affect the function(s) of the existing EFIC System. The EFW System initiation, EFW System vector valve control, main steam line isolation, and main feedwater isolation functions; and associated instrument setpoints are not altered as a result of the ICCMS modification. The ICCMS to EFIC System interface is an ICCMS automatic signal to the EFIC steam generator level controllers that parallels the current manual pushbutton to raise the steam generator level to a higher target value when required.

ADV/FCS

The fundamental function of the ADV/FCS modification is to enhance thermal-hydraulic capabilities during plant transients and accidents at EPU conditions. Thus, much of the ADV/FCS EC package is related to the replacement of the ADVs (e.g., larger ADVs and associated piping and supports) and therefore, is mechanical in nature. However, the ADV/FCS EC modification does include associated controls and support system enhancements. The FCS portion of the modification provides an alternate safety-related controller that rapidly depressurizes the secondary system by opening the ADVs until the specified lower pressure is reached and subsequently controlling at the specified lower pressure. The ADV/FCS EC package is nearly complete; however, many of the instrumentation and controls (I&C) components associated with this EC package have not been procured. A FAT report is not being generated in support of this EC package. Also, in lieu of a reliability report, an FMEA has been performed to qualitatively assess reliability and is provided in Enclosure 2 to this attachment.

The FCS and ADVs are considered safety-related and are being designed/modified to meet the applicable industry codes and standards and other regulatory requirements as specified by the CR-3 current licensing and design basis in accordance with 10 CFR 50.55a(h)(2). Specifically, the current electrical and I&C design configuration for the EFIC System is designed and installed in accordance with IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations." As such, the ADV/FCS modification, including EFIC System electrical interfaces, is designed to meet, as a minimum, the CR-3 CLB standard, IEEE 279-1971.

As discussed with the NRC staff during a teleconference on February 2, 2012 regarding the EICB RAI, a brief description of the FCS bypass is provided as follows: Each FCS control switch in the control room provides the capability to bypass the FCS pressure controller to allow manual or automatic operation of the ADVs via the EFIC System. As stated in Section 2.3.5, "Station Blackout," and Section 2.11.1, "Human Factors," of the EPU Technical Report (TR) (Reference 1, Attachments 5 and 7), the FCS control switches will be placed in the "BYP" position during a station blackout (SBO) event with a loss of subcooling margin allowing the operators to perform the required cooldown in accordance with existing procedure guidance with the normal ADV controls. Consistent with Section 7.1, "Protection Systems," of the Final Safety Analysis Report (FSAR), the FCS bypass function is operated during abnormal or emergency operating conditions (e.g., a SBO event) and is not considered an "operating bypass" within the context of Section 4.12 of IEEE 279-1971. Once the FCS is manually bypassed, it remains bypassed until manually restored. Enclosure 1, "Updated FCS and ICCMS Annunciator Drawing," shows the proposed FCS annunciator which alerts the operator when an FCS control switch is in the "BYP" position consistent with the guidance of Regulatory Guide 1.47, Revision 1, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems." This updated drawing also shows the current proposed location of other new FCS and ICCMS annunciators and supersedes the annunciator drawing provided in the letter from CR-3 to the NRC dated January 5, 2012 (Reference 2). Note that the precise annunciator locations and labeling may change as the ICCMS and FCS modifications are finalized.

EFW Pump Recirculation Flow Control

The EFW pump recirculation flow control modification is a relatively small I&C related modification. It is comprised largely of differential pressure switches linked to new solenoid-operated isolation valves in each safety-related EFW pump recirculation line. The EFW pump recirculation flow control modification does not interface with the existing EFIC System. The components for this modification will be procured as safety-related and qualified as appropriate.

A FAT report is not being generated in support of this EC package. Also, in lieu of a reliability report, an FMEA has been performed to qualitatively assess reliability and a summary was provided in a letter from CR-3 to the NRC dated August 11, 2011 (Reference 3).

The EFW pump recirculation flow control modification is designed to meet the applicable industry codes and standards and other regulatory requirements as specified by the CR-3 current licensing and design basis in accordance with 10 CFR 50.55a(h)(2). Specifically, the current electrical and I&C design configuration for the EFIC System is designed and installed in accordance with IEEE 279-1971, which ensures independence with no cross-train dependence.

The new EFW pump recirculation solenoid valves, related control circuits, control room switches, and alarms are also being designed to IEEE 279-1971 in accordance with the CR-3 CLB.

EICB RAIs

For tracking purposes, each item related to this RAI is uniquely identified as EICB X-Y, with X indicating the RAI set and Y indicating the sequential item number.

21. (EICB 2-1)

In response to EICB acceptance review RAI question 3, the licensee submitted Enclosure 3 "IEEE [Institute of Electrical and Electronics Engineers] 603-1991 and IEEE 279-1971 Compliance Matrix" on August 18, 2011 (ADAMS Accession No. ML11234A427), which provides a summary of how the inadequate core cooling monitoring system (ICCMS), FCS, ADVs and the affected portions of emergency feedwater initiation and control (EFIC) system will meet applicable clauses of IEEE 603-1991 and IEEE 279-1971. The licensee lists the system specification statements for each requirement criterion of IEEE 603-1991 and IEEE 279-1971, but does not demonstrate (e.g., through the analysis or test) how the equipment meets the requirements in IEEE 603-1991 and IEEE 279-1971.

a. Please provide the failure modes and effects analyses, overall availability reports, reliability reports, the summary of factory acceptance test results, and additional information for those systems (ICCMS, FCS, ADVs and the affected portions of EFIC system) to allow the NRC staff to confirm that tests are conducted to demonstrate that the safety system performance is adequate to ensure completion of protection over the range of transient and steady-state conditions and meet the requirements in IEEE 603-1991.
b. Provide the detail summary of test results of ICCMS for Class 1E equipment per Regulatory Guide (RG) 1.89; seismic qualification per RG 1.100; electromagnetic and radio-frequency interferences qualification per RG 1.180; and qualified isolation used between the nonsafety-related RCP trip circuits and ICCMS per RG 1.75.


Response

a. As described in the EICB RAI Background Section above, some of the requested information is not provided for the FCS. Additionally, the I&C portions of the FCS, ADVs, and affected portion of the EFIC System meet the CLB requirements of IEEE 279-1971 instead of IEEE 603-1991.

ICCMS

The I&C portion of ICCMS is predominantly contained in a set of stand-alone instrument cabinets which will be subjected to a FAT prior to shipment from the vendor. The ICCMS FAT is scheduled for late 2012 and the FAT summary report will be available the first quarter of 2013. As indicated in Attachment B, "List of Regulatory Commitments," FPC will provide an ICCMS testing summary report, which includes a summary of the FAT results, to the NRC staff by February 28, 2013. In addition, FPC will provide an FMEA and a reliability report, which includes overall availability results, for the ICCMS by November 9, 2012 as indicated in Attachment B. Further, post-modification and in-situ integrated testing for this modification is described in Section 2.12, "Power Ascension and Testing Plan," of the EPU TR (Reference 1, Attachments 5 and 7).

ADV/FCS

There is no integrated FAT planned for the ADV/FCS plant modification. Similarly, an overall availability report and reliability report are not discrete parts of the ADV/FCS EC package but are integral to the package. However, the ADV/FCS components are conservatively designed to operate over the operating range of service conditions. Post-modification and integrated in-situ testing will be performed as described in Section 2.12 of the EPU TR (Reference 1, Attachments 5 and 7) to test the ADV/FCS and associated components prior to operation at EPU conditions.

Enclosure 2, "Fast Cooldown System Failure Mode and Effects Analysis," provides the current FMEA for the ADV/FCS modification. However, the FMEA may change further as the design is finalized and issued. The FMEA was prepared in accordance with the general guidelines of IEEE 352-1987, "IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Safety Systems." The FCS FMEA concludes that there is no credible single failure of any FCS component that will result in: the failure of a channel of FCS pressure control or an ADV; concurrent with a degradation of high pressure injection (HPI) line flow. Thus, the capability to mitigate a small break loss-of-coolant accident (SBLOCA) remains available in the event of a single failure of either the FCS or an HPI train. This FMEA also concludes that there is no failure of an FCS component that will migrate into the EFIC cabinets or impact the capability of EFW System initiation, EFW System vector valve control, main steam line isolation, and main feedwater isolation functions.

b. The ICCMS components will be qualified in accordance with the CR-3 EC process. With the exception of the new ICCMS input instrumentation (i.e., Reactor Coolant System (RCS) pressure transmitters, incore thermocouple assembly connectors, and HPI flow differential pressure transmitters), the ICCMS components are located in a mild environment and therefore are not qualified in accordance with Regulatory Guide 1.89, "Environmental Qualification of Certain Electric Equipment Important to Safety for Nuclear Power Plants," or 10CFR50.49(f) as allowed by 10CFR50.49(c)(3). The new ICCMS input instrumentation, located in a harsh environment (i.e., RCS pressure transmitters, incore thermocouple assembly connectors, and HPI flow differential pressure transmitters), are the same as the instruments currently used to sense these parameters and will be added to the revised vendor qualification packages as applicable. No additional environmental qualification (EQ) testing is required for the ICCMS.

ICCMS testing will be conducted to confirm the ICCMS meets the requirements related to equipment seismic qualification per Regulatory Guide 1.100, "Seismic Qualification of Electrical and Active Mechanical Equipment and Functional Qualification of Active Mechanical Equipment for Nuclear Power Plants," electromagnetic and radio frequency interference (EMI/RFI) emissions and susceptibility per Regulatory Guide 1.180, "Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems," and qualified isolation between nonsafety-related circuits per Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems." As indicated in Attachment B, "List of Regulatory Commitments," FPC will provide a summary of the testing results related to seismic qualification, EMI/RFI emissions and susceptibility, and isolation between nonsafety-related RCP trip circuits and ICCMS.

FPC will provide a summary of the test results associated with ICCMS EMI/RFI emissions and susceptibility to the NRC staff by November 9, 2012. FPC will also provide the ICCMS testing summary report, which includes a summary of the test results of the ICCMS seismic qualification and isolation between nonsafety-related RCP trip circuits and ICCMS, to the NRC staff by February 28, 2013.

22. (EICB 2-2)

In the last paragraph of page 2.4.2.2-2 of the original license amendment request (LAR) dated June 15, 2011 (ADAMS Accession No. ML112070659), the licensee discussed the modifications of safety-related EFW recirculation flow control and the replacement of ADVs.

Please describe how FCS, EFW recirculation flow control, and the new ADVs meet the requirement criterion of IEEE 603-1991 quality assurance (e.g., Sections 5.3 Quality, 5.4 Equipment Qualification, 5.15 Reliability) and provide the supporting documents.

Response

As noted in the EICB RAI Background Section above, the ADVs are addressed in the same EC package as the FCS. The EFW pump recirculation flow control modification is addressed in a separate EC package. Additionally, the I&C portions of the FCS/ADVs and EFW pump recirculation flow control modifications meet the CLB requirements of IEEE 279-1971 instead of IEEE 603-1991. The ADV/FCS and EFW pump recirculation flow control modifications and associated components are designed, procured, purchased, inspected, and tested in accordance with the CR-3 Quality Program as described in Section 1.7, "Quality Program (Operational)," of the FSAR. The Progress Energy Quality Assurance Program Manual and associated procedures promulgate compliance with 10CFR50, Appendix B and ensure maintenance and modifications affecting safety-related structures, systems, and components (SSCs) are performed in a manner to assure quality requirements, material specifications, and inspection requirements are met and conform to applicable codes, standards, specifications, and criteria.

ADV/FCS

The ADV/FCS modification and associated components are designed, procured, inspected, and tested in accordance with the CR-3 Quality Program as described in Section 1.7 of the FSAR.

The reliability of the FCS design is shown qualitatively with the incorporation of the following methods or features:

Single Failure - the FCS is designed such that any single failure in the FCS electrical power supply, pressure control circuitry, or transfer relay will affect only the FCS control of a single ADV or the EFIC control of a single ADV. An FMEA was performed to determine component failure effect and potential failures including those due to interfacing or support systems such as control complex Heating, Ventilation, and Air Conditioning (HVAC). Refer to Enclosure 2 of this attachment for the FCS FMEA.

Equipment Quality - the FCS equipment enclosures and subcomponents, battery banks, FCS pressure control transmitters and ADVs are designed with a 40-year design life and will be purchased as safety-related or qualified by FPC.

Equipment Qualification - the FCS equipment enclosures and subcomponents, battery banks, FCS pressure control transmitters and ADVs are seismically qualified per IEEE 344-1975, "IEEE Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations." ADV/FCS equipment important to safety that is located in harsh EQ zones will be qualified in accordance with 10 CFR 50.49(f) and Regulatory Guide 1.89. However, electrical equipment important to safety located in a mild environment are not qualified in accordance with 10 CFR 50.49(f) or Regulatory Guide 1.89 as allowed by 10 CFR 50.49(c)(3).

Independence - the FCS design incorporates separate, independent, diverse components between those used in the actuation of the HPI pumps and those used in FCS actuation. Common mode failures due to abnormal environment conditions are minimized by locating functionally redundant equipment in different locations.

Diversity - the FCS design incorporates diverse methods of mitigating SBLOCA and loss of subcooling margin using different types of components (HPI pump versus ADVs) that are located in different locations of the generating station.

Capability is provided for testing and calibrating channels and the devices used to derive the final FCS output signal from the various channel signals. Periodic testing duplicates, as closely as practical, the overall performance required of the FCS and confirms Operability of both the automatic and manual circuitry. The FCS design does include test circuitry and switches which could be used for troubleshooting/functional testing of the transfer relays and of the pressure controllers with the reactor at power. Manual isolation valves and test connections are included in the design to allow testing of the ADVs and accessories with the reactor at power.

EFW Pump Recirculation Flow Control

The EFW Pump Recirculation Flow Control modification and associated components are designed, procured, purchased, inspected, and tested in accordance with the CR-3 Quality Program as described in Section 1.7 of the FSAR.

Equipment Qualification - the recirculation control valves, differential pressure switches, terminal blocks, and cables associated with the turbine driven EFW pump (EFP-2) are located in a harsh environment. Therefore, these components will be qualified in accordance with 10 CFR 50.49(f) and Regulatory Guide 1.89. The diesel driven EFW pump (EFP-3) components and all other EFW Pump Recirculation Flow Control components are located in a mild environment. Therefore, these components are not qualified in accordance with 10 CFR 50.49(f) or Regulatory Guide 1.89 as allowed by 10 CFR 50.49(c)(3).

Reliability - the EFW Pump Recirculation Flow Control modification does not adversely affect existing redundancy, diversity, or separation of the EFW System. For each EFW train, there will be three differential pressure switches arranged in a two-out-of-three logic and one main control room switch. There are no separation criteria issues as each component is installed in its respective EFW train duty area and fed from its respective train power supply. The three pressure switches, installed in a two-out-of-three logic for each train of EFW, are not required but desired for system reliability and to allow testing and maintenance of an individual switch.

23. (EICB 2-3)

In the last paragraph of page 2.4.2.2-2 of the original LAR, the licensee stated, "The EPU requires an increase in minimum required EFW flow and a decrease in maximum EFW actuation delay time."

Provide the values of the original and revised EFW actuation delay times and demonstrate by the calculation or the design that the revised actuation delay time has been properly implemented.

Response

The EFW System actuation delay time assumption in the pre-EPU safety analyses is 60 seconds.

The EFW System actuation delay time assumption in the EPU safety analyses has been reduced to 40 seconds capturing some EFW actuation delay margin. FPC has confirmed that the actual EFW System actuation delay time has been historically < 40 seconds and is not being revised as a result of EPU. Thus, there are no associated setpoint modifications, calculations, or design changes to the EFIC System actuation instrumentation due to this reduced timing in the safety analyses. Also, actuation delay margin continues to exist such that any additional delay as a result of the stroke timing of the new EFW pump recirculation valves will not impact the ability of the EFW System to deliver the minimum required flow within 40 seconds as assumed in the EPU safety analyses.


24. (EICB 2-4)

In the second to the last paragraph of section "Analog Inadequate Core Cooling Mitigation System" (page Appendix E-48) of Attachment 5 of the original LAR, the licensee briefly described the design fail to a safe state of ICCMS.

Please list the power supply for each initiation channel and each actuation train and explain in more detail how the ICCMS complies with the regulatory guideline in NUREG-0800, Appendix 7.1-C, Section 5.5 for design fail to a safe state.

Response

ICCMS Initiation Channel 1 and Actuation Train A are powered from the Train A 120VAC vital bus (VBDP-3). ICCMS Initiation Channel 2 and Actuation Train B are powered from the Train B 120VAC vital bus (VBDP-4). These vital buses are powered by the associated station battery or emergency diesel generator. ICCMS Initiation Channel 3 is powered from new dedicated uninterruptible power supply (UPS) units. Each UPS unit is powered from a 480VAC motor control center (3AB) which can be powered from either emergency diesel generator. Each initiation channel and actuation train has dual auctioneered power supplies that are powered via separate breakers from the associated vital bus/UPS.

As stated in Enclosure 3, "Analog Inadequate Core Cooling Mitigation System," of Appendix E of the EPU TR (Reference 1, Attachments 5 and 7), the three initiation channel outputs are designed to fail in the tripped state upon a loss of a 120VAC power supply while the two actuation train outputs are designed to fail to the untripped state upon a loss of a 120VAC power supply. This is considered acceptable since the trip of a single ICCMS initiation channel or the failure of a single actuation train in the untripped state will not result in either actuation of the ICCMS protective features or prevent actuation of the ICCMS protective features. Two-of-three initiation channels tripped and one-of-two actuation trains tripped are required for actuation of the ICCMS protective features. In addition, a single failure of a power supply will not override an ICCMS protective feature that has occurred (i.e., RCPs remain tripped, steam generator level continues to be automatically controlled at the target level, and the FCS remains actuated).
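The power-loss behaviour described in this response can be checked by enumeration. The following is an added example, not part of the licensee's submittal: it assumes each actuation train takes its own two-of-three vote on the three initiation channel outputs, and it treats loss of a source as loss of both auctioneered supplies fed from it. Function names are illustrative.

```python
from itertools import combinations

# Power source feeding each element, as stated in the response above.
CHANNEL_POWER = {"CH1": "VBDP-3", "CH2": "VBDP-4", "CH3": "UPS"}
TRAIN_POWER = {"A": "VBDP-3", "B": "VBDP-4"}
SOURCES = ("VBDP-3", "VBDP-4", "UPS")


def channel_outputs(demand, lost):
    """Tripped state of each initiation channel.

    A powered channel trips only on a real demand; a channel whose source
    is lost fails to the tripped state.
    """
    return {ch: demand or (src in lost) for ch, src in CHANNEL_POWER.items()}


def train_outputs(channels, lost):
    """Tripped state of each actuation train.

    Assumption (not stated on the page): every train votes two-of-three on
    the channel outputs. A train whose source is lost fails untripped.
    """
    vote = sum(channels.values()) >= 2
    return {t: vote and (src not in lost) for t, src in TRAIN_POWER.items()}


def actuates(demand, lost=frozenset()):
    """One-of-two actuation trains tripped actuates the protective features."""
    trains = train_outputs(channel_outputs(demand, lost), lost)
    return any(trains.values())


def classify(lost):
    """Effect of a set of lost sources on the actuation function."""
    lost = frozenset(lost)
    if actuates(False, lost):
        return "spurious actuation"   # actuates with no demand present
    if not actuates(True, lost):
        return "actuation prevented"  # real demand does not actuate
    return "tolerated"


def survey(n_lost):
    """Classify every combination of n_lost simultaneously lost sources."""
    return {combo: classify(combo) for combo in combinations(SOURCES, n_lost)}


if __name__ == "__main__":
    # Single losses correspond to the single-failure case in the response.
    for combo, result in survey(1).items():
        print("lost", combo, "->", result)
    # Double losses are outside that case; the results are properties of
    # this simplified model only.
    for combo, result in survey(2).items():
        print("lost", combo, "->", result)
```

In this model every single source loss is tolerated because the tripped channel and the untripped train on the same bus offset each other; the double-loss rows show where that offset stops holding in the model.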

References

1. CR-3 to NRC letter dated June 15, 2011, "Crystal River Unit 3 - License Amendment Request #309, Revision 0, Extended Power Uprate." (Accession No. ML112070659)
2. CR-3 to NRC letter dated January 5, 2012, "Crystal River Unit 3 - Response to Request for Additional Information to Support NRC Instrumentation and Controls Branch Technical Review of the CR-3 Extended Power Uprate LAR (TAC No. ME6527)." (Accession No. ML12030A209)
3. CR-3 to NRC letter dated August 11, 2011, "Crystal River Unit 3 - Response to Request for Additional Information to Support NRC Balance of Plant Branch Acceptance Review of the CR-3 Extended Power Uprate LAR (TAC No. ME6527)." (Accession No. ML11228A032)

FLORIDA POWER CORPORATION CRYSTAL RIVER UNIT 3 DOCKET NUMBER 50-302 /LICENSE NUMBER DPR-72 ENCLOSURE 1 UPDATED FCS AND ICCMS ANNUNCIATOR DRAWING

FLORIDA POWER CORPORATION CRYSTAL RIVER UNIT 3 DOCKET NUMBER 50-302 /LICENSE NUMBER DPR-72 ENCLOSURE 2 FAST COOLDOWN SYSTEM FAILURE MODE AND EFFECTS ANALYSIS

EC 71855 X64R0

FMEA for EC71855 Fast Cooldown Systems Components

Scope

This FMEA is developed using the guidelines of EGR-NGGC-0154, Single Failure Analysis and IEEE 352-1987, IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Safety Systems.

This FMEA is developed to evaluate the design of the EC71855 fast cooldown system as an alternate, redundant method to mitigate a SBLOCA and LSCM event if HPI injection pump flow is inadequate due to a failure of an HPI pump, HPI injection line valve, or associated power/controls.

The FMEA is evaluating the impact of failure of each of the active components and some of the passive components of the fast cooldown system on the capability of the fast cooldown system to adequately cooldown the secondary side of both OTSGs with two independent channels of DC power and pressure control circuitry. The FMEA is based on the AREVA calculation 32-908876-002 and EIR 51-9144830-000 that has determined that either

a. two HPI pumps and their associated valves and piping are adequate to mitigate SBLOCAs during a LSCM condition or
b. two ADVs and associated pressure control circuits and one HPI pump and associated valve and piping

The FMEA is based on the criteria that any failure that can create a failure of an ADV or its fast cooldown pressure control circuit cannot create a failure of any electrical, control, or mechanical components of any HPI pump or injection line.

System Interfaces

The fast cooldown system is installing separate, independent battery banks, battery chargers, 24 VDC (nominal) DC bus supply components, pressure transmitters, pressure controllers, transfer and alarm relays, and test and selector switches. There are a limited number of interface systems that are required to support the fast cooldown system components. This FMEA will evaluate the impact of failure of the required support system on the fast cooldown system components.

The interface systems/components are as follows:

a. Control Complex HVAC for maintaining temperatures within various control complex rooms within the component rated temperatures.
b. Control Complex HVAC for circulating air flow through the battery rooms for hydrogen removal.
c. EFIC auxiliary equipment cabinets for interface with transfer relays that can transfer ADV control from EFIC to the fast cooldown pressure controllers
d. Instrument air system for normal air supply to ADV control air components and actuators
e. Main steam system piping for new ADV valve bodies and new (manual) isolation valves and interface with EFIC pressure transmitter tubing for MS-106, 108, 111, 113-PT due to sharing common pressure sensor tubing
f. Power supply from ACDP-10 for Battery Chargers
g. Interface with Remote Shutdown Relays
h. Interface with HPI low range flow indication loops of MU-23-dpt5, dpt6, dpt7, dpt8
i. Interface with RECALL/EM systems for new RECALL points

EC 71855 does provide additional RECALL point input and provides algorithm for SPDS curve of RCS pressure versus HPI total low range flow (from four injection lines). However, SPDS internal programming changes are not part of EC 71855 but are installed and tested with EC 75574.

Analysis Depth for System Interfaces

The interface systems/components will be evaluated as follows:

a.1 Control Complex HVAC failures during LOOP and SBO. This interface was selected because of the common location for both the station batteries that provide switchgear closure control for HPI pump and diesel loading and also for the fast cooldown batteries. As noted below, all electrical and instrument components are designed for operability at LOCA temperatures as per CR3 EQPPD.

a.2 Evaluation of the credibility of battery room fire damper failure and required operator action to maintain room temperatures

b.1 Control Complex HVAC restoration requirements after loss of HVAC due to LOOP and SBO to maintain hydrogen concentration at less than 1% in battery rooms

b.2 Evaluation of the credibility of battery room fire damper failure and required response time to maintain hydrogen concentration at less than 1% in battery rooms

c.1 Impact of transfer relay failures on capability of ADVs to control from EFIC

c.2 Impact of transfer relay failures on capability of ADVs to control from fast cooldown pressure controller

c.3 Evaluation of EFIC cabinet MSLI, MFWI, FOGG capability to mitigate a spurious opening of ADV valve in a main steam line break type event due to transfer relay failure

d. Evaluation of loss of instrument air header pressure to ADV control air components

e.1 Since the interface with main steam header piping is only welding in main steam piping, no evaluation of this interface is being performed. See Ground Rules and Assumptions No. 16 for the DBD92 evaluation of piping breaks.

e.2 Evaluation of root valve for potential impact of new fast cooldown pressure transmitters with creating failure of EFIC pressure transmitters MS-106, 108, 111, 113-PY due to sharing common pressure sensor tubing

f. Failure of ACDP-10 breaker to supply battery charger power
g. Impact on Remote Shutdown transfer relay VBDP power source and evaluation of new relay failure on Remote Shutdown control location functionality for MSV-26 and MSV-26

h. Failure impact of MU-23-FY5-3 and MU-23-FY7-4 on MU-23-dpt5, dpt6, dpt7, dpt8 indication in control room

i. Failure impact of MU-23-FY5-3 and MU-23-FY7-4 on RECALL system
j. Failure impact of existing (not installed by EC71855) RCS pressure transmitters RC-3A-PT3 and RC-3B-PT3 on auto actuation of FCS by ICCM and on SPDS
k. Failure impact of existing (not installed by EC71855) HPI low range flow transmitters MU-23-dpt5, dpt6, dpt7, dpt8, dpt9, dpt10, dpt11, dpt12 on auto actuation of FCS by ICCM and on SPDS

Components Evaluated

The fast cooldown components evaluated for failure modes and the impact of those failure modes are listed in the FMEA worksheet and include the following types of components:

Components installed by FCS system with EC 71855 evaluated in FMEA worksheets:

Valve Actuators
Valve I/P converters
Valve pneumatic positioners
Batteries
Battery Disconnect Switches
Battery Chargers
Fuses
Test Switches
DC to DC Converters (DC voltage regulators)
Auctioneering Diodes
Pressure Controllers
Pressure Transmitters
Analog Isolators
Actuation (Transfer) Relays
Alarm Relays
Remote Shutdown Transfer Relays
Limit Switches

Existing Interface Components not installed by EC 71855 evaluated in FMEA worksheets

Additionally, existing components that are not being installed with EC71855 that are evaluated in FMEA worksheets are:

RCS pressure transmitters (RC-3A-PT3, RC-3B-PT3, RC-147-PT, RC-148-PT) that provide ICCM input (EC 76340) for auto actuation of FCS and input to SPDS for determining adequate HPI flow per the HPI required flow curve.

HPI low range differential pressure transmitters (MU-23-dpt5, dpt6, dpt7, dpt8, dpt9, dpt10, dpt11, and dpt12) that provide ICCM input (EC 76340) for auto actuation of FCS and input to SPDS for determining adequate HPI flow per the HPI required flow curve.

Instrument air system - This system normally supplies control air for the ADVs. Failure evaluation is based on total loss of all air compressors in a LOOP or SBO event.

The interface with EFIC Aux. Equipment cabinets is evaluated only from the impact that a transfer relay contact failure will have on the EFIC signal demand to the ADVs and for the isolation function of the Aux. Equipment Cabinet V/I and I/V modules to protect any relay failure from migrating into the EFIC cabinets or into the VBDP power supply to the EFIC Aux. Equipment Cabinets. This evaluation is documented under the transfer relay failure modes.

The list of failure modes for each component are denoted with the component in the FMEA worksheets and utilize the guidelines of Attachment 1 of EGR-NGGC-0154.

The impact of component failures is evaluated as appropriate for each of the following system operation modes:

1. Fast Cooldown System Automatic Actuation
2. Fast Cooldown System Manual Actuation
3. EFIC Auto Pressure Control of ADV
4. Main Control Board (MCB) Manual Control of ADV position (through MCB Hand/Auto station control which goes through EFIC Control Module)
5. Remote Shutdown Panel (RSP) Manual control of ADV position (through RSP Hand/Auto Station control which goes through EFIC Control Module)
6. Manual local handwheel positioning of ADV

The impact of component failures, whether the fast cooldown system has been actuated automatically through the ICCM cabinets or manually with the selector switch, is identical since both modes must utilize the DC bus voltage supply and utilize the fast cooldown transfer relay and the fast cooldown pressure control circuitry. The only difference is whether one actuation is provided by the ICCM and one is provided by operator manual action using the control board selector switch. Failure of the control board selector switch contacts is included in the FMEA worksheets. Failure of an ICCM cabinet to actuate fast cooldown would be bounded by the impact of a failed transfer relay that would not energize and which is included in the FMEA worksheets.

The impact of component failures in the fast cooldown system is identical for the three various sources of ADV demand signal when not selected for fast cooldown control (i.e. whether EFIC is providing auto pressure control, or whether MCB Hand/Auto station is in manual control for generating ADV demand signal, or whether the Remote Shutdown Panel is providing the ADV demand signal). These three methods of producing an ADV demand signal all are routed to the ADV through the existing EFIC control module, through the existing Foxboro isolation modules and through the same set of contacts of the new fast cooldown transfer relay. Any failure of the fast cooldown transfer relay will affect all three sources of demand signal identically.

Impact of failures for manual local handwheel positioning of the ADV is included in the worksheet in the mechanical failures of valve fails to stroke due to valve binding/damage. For all other failures of ADV demand signal, or DC bus voltage, or fast cooldown pressure controller, the ADV could be operated with local handwheel after isolating air supply. The ability to stroke the valve with the manual local handwheel is added to the table as an inherent compensating provision for many of the failures.

FMEA Boundary Drawings

Drawings used for identifying the boundaries and interfaces of the FMEA are as follows:

302-011, sh. 001
302-271, sh. 001
302-753, sh. 003
308-129
308-130
205-039, MS-010
205-039, MS-011
208-039, MS-021
208-039, MS-022
208-082, RS-002
208-082, RS-006
209-023, DP-029
209-039, DP-030
209-041, MU-052
205-041, MU-01
205-041, MU-02
205-041, MU-03
205-041, MU-04

These drawings are attached to FMEA and marked up for FMEA boundary.

Ground Rules and Assumptions

1. Loss of offsite power will have no impact on operability or failure modes of components being installed by the fast cooldown system since they are powered from separate independent DC buses backed by fast cooldown system battery banks with the exception of the two relays being installed in the Remote Shutdown Aux. Equipment Cabinets. In the case of these two relays being installed in the Remote Shutdown Aux. Equipment Cabinets, these are powered by VBDP sources that are diesel and station battery backed and will not lose power in a LOOP.
2. The fire dampers supplying and exhausting control complex HVAC ventilation air to the battery rooms and battery charger rooms are fusible link dampers. The fusible links' design function is to hold the dampers open during non-fire conditions and to melt/fail only with high temperatures that would occur in a fire event. For these dampers to fail closed and block hydrogen purging from battery rooms and block HVAC cooling from battery rooms and battery charger rooms, the fusible links would have to structurally break/fail in a non-fire condition. DBD92 definition of a passive failure is as follows: "A passive failure is a failure of an electrical or mechanical component to maintain its structural integrity or stability or the blockage of a process flow path such that it cannot provide its intended safety function upon demand ... Single passive failures of mechanical components (e.g. pipe breaks, separation of a valve disc from its stem, etc.) are not part of CR-3 design basis and are not assumed in the design of fluid mechanical systems at CR-3." The fusible link fire dampers meet several criteria of this definition. Failure of fusible link fire dampers is evaluated as a passive failure in this FMEA.
3. The control complex HVAC provides cooling and ventilation purging of hydrogen from the battery rooms. The control complex HVAC is being evaluated since the station batteries that provide DC power for diesel flashing and switchgear closure for diesel and HPI pumps are in the same control complex rooms as the fast cooldown batteries. The HVAC failures are evaluated to ensure that a single failure will not create one inoperable HPI train simultaneous with one FCS channel.

Control Complex HVAC Failures are not evaluated in the FMEA worksheets but are evaluated in this section as follows:

a. Fire dampers in battery room supply and return/exhaust duct

These are fusible link dampers. The failure that could (if credible) affect both DC power for HPI and DC power for fast cooldown would be a failure such that the damper would fail closed and block HVAC flow for battery room cooling and hydrogen purging. As noted above, this would be a passive mechanical failure. This failure is not applicable or credible for evaluation per CR3 design basis. Even though the failure of the fusible link dampers is evaluated as not a credible failure as per CR3 design basis, such a failure would be detectable. Each battery room has a low flow switch on its exhaust damper that will provide control room annunciator alarms if exhaust flow from the room has failed. Evaluation of calculation M92-0008 with FCS and station batteries installed and during maximum charging current conditions shows that without HVAC ventilation, the battery rooms would reach 1% hydrogen concentration (25% of the 4% explosive limit) in 15.56 hours. Evaluation in calculation H97-0004 for several case events denotes that with loss of HVAC supply to the battery rooms due to specific fire locations, it would take a time period of a little less than 72 hours (without any doors opened for cooling) for either of the battery room temperatures to reach 97°F on loss of HVAC to the battery rooms during certain fire events.

CR3 design basis does not postulate an accident concurrent with Appendix R fire. However, the H907-0004 gives a calculated time period that the battery rooms would take to heat up with loss of (non-credible) fire damper. The fast cooldown batteries are operable for up to 120°F. Thus, there is adequate time for operator response to the non-credible fusible link damper failure.

b. Control Complex HVAC fans and chillers in normal plant conditions as well as LOOP or LOCA

The existing control complex HVAC fans and chillers have redundant components that are diesel backed. Failure of one fan or chiller will not inhibit control complex cooling and ventilation. The normal duty supply fans, return fans, and chillers will have to be restarted on a LOOP. In the case of a single diesel failure or DC train failure that will not allow diesel to flash field or close breaker, there will be a redundant set of fans and chillers available for cooling the control complex rooms and for purging hydrogen from the battery rooms.

Annunciator alarms will indicate fan trip or failure on low duct flow. In the case of a LOCA in which RMA-5 trips on radiation release outside containment building, the emergency duty fans and return fans and control complex chillers will be available to start/restart.

c. Control Complex HVAC during SBO

CR3 design basis does not postulate an accident concurrent with an SBO event and thus fast cooldown is not required in an SBO event. However, if fast cooldown batteries were required during SBO, which they are not, the following evaluation shows the fast cooldown batteries would be operable in a SBO.

There would be no control complex HVAC during SBO to cool the battery rooms or purge hydrogen. However, the CR3 design basis for an SBO is 4 hours. There would be no battery charging occurring (which is when hydrogen would be released from batteries) during the SBO, so the time for any hydrogen buildup would be significantly more than the above mentioned 15.56 hours for loss of ventilation flow to the battery rooms. Revised calculations E89-0084 and E89-0085 with FCS batteries and station batteries installed in the battery rooms denote TDAC temperatures of 106.45°F and 106.65°F for battery rooms A and B respectively for SBO conditions with no control complex HVAC.

Additionally, the FMEA assumes that appropriate operator action would occur in response to a Battery Room Loss of HVAC. Fast cooldown batteries are operable for up to 120°F, which is well above the temperature which would result from a temporary loss of HVAC.

4. The intermediate building supply and exhaust fans are powered from diesel backed ES MCC 3A1 and ES MCC3B2 and would be operable during a LOOP. Their associated pneumatic dampers AHD-67, 68, 69, 70 have accumulators that provide air in the event of loss of instrument air to ensure operability of intermediate building dampers in a LOOP. (Reference DBD 627, Appendix B) In the event of a SBO, the ADV components are rated for temperatures higher than the calculated TDAC temperature of the intermediate building.

5. The instrument analog isolators installed by the fast cooldown system that provide new RECALL points for the MU-23-dpt5, dpt6, dpt7, and dpt8 instrument loops will retain power during a LOOP since they are powered by the fast cooldown DC bus. The instrument loop power will be retained since the instrument loop power is supplied by the Remote Shutdown Aux. Equipment Cabinets which are powered by VBDP sources that are diesel and station battery backed and will not lose power in a LOOP.
6. This FMEA assumes no failures due to operator error or mispositioning of selector or test switches. However, the impact of the selector switch or test switch contacts mechanically failing open or closed (the same as if mispositioned by operator error) is included in the FMEA worksheets.
7. This FMEA assumes no failures due to maintenance error in calibration or setup of instrumentation since calibration data sheets are provided.
8. This FMEA assumes no failures due to maintenance error in surveillance testing and mispositioning of test switches during testing since surveillance procedures are being developed.
9. This FMEA assumes no failures due to maintenance error in equipment component maintenance since procedures are being developed.
10. It is also noted that if any operator error or maintenance error occurring from testing or maintenance of the fast cooldown system, that error would not affect the operability or flow capability of the HPI pumps due to the independent design of the fast cooldown system that is separate from the remainder of the station DC and VBDP power.
11. Cascading failure resulting from the effects of a single failure are evaluated where applicable in the FMEA worksheets. Cascading failures are evaluated as loss of system function where applicable. For instance a failure of test switch contacts at the input to the pressure controller has been evaluated with (where appropriate) loss of fast cooldown system capability for that ADV.
12. Panel status lights and dropping resistors that provide only indication are not within the FMEA scope as per EGR-NGGC-0154 section 9.3.5.
13. CR3 licensing commitments are such that Chapter 14 accidents are not postulated concurrent with a SBO or an Appendix R fire. The fast cooldown system is designed only to mitigate a SBLOCA, LSCM, and Inadequate HPI flow accident/event. Therefore, fast cooldown system component failures (except for remote shutdown relays for Appendix R fire) are not evaluated for operability during an SBO or Appendix R fire event. However, since the ADV is assumed operable during an SBO, its components have been evaluated in EC 71855, Section 6.6 Environmental Conditions for operability at SBO temperatures.
14. As per EGR-NGGC-0154, Section XXX, FMEA does not include environmental qualification evaluation. However, all of the fast cooldown battery, electrical, and instrument components have been designed/selected for temperature ratings in excess of the control complex or intermediate building temperatures for a LOCA as per the CR3 EQQPD.
15. The failure modes of the and Instrument Air support system interface are based on total loss of system function in a LOOP or SBO since the instrument air compressors have redundant components except during a LOOP or SBO. Additionally, for the ADV control air components, these components have also been selected for temperature ratings in excess of the TOAC temperatures during an SBO.

16. As noted above for the main steam piping, failure due to pipe breaks is not evaluated in this FMEA. As per DBD Section 1.2 Definitions- Passive Failure- ..."Single passive failure of mechanical components (e.g. pipe breaks, separation of valve disc from its stem, etc) are not part of CR-3 design basis and are not assumed in the design of fluid mechanical systems at CR-3."

Conclusion

This FMEA evaluation reveals that there is no credible single failure of any fast cooldown component that will result in the failure of a channel of fast cooldown pressure control or an ADV and at the same time result in degradation of HPI injection line flow. Thus the capability to mitigate a SBLOCA and LSCM with a single failure of either fast cooldown system components or HPI pump, power, control, or valve components at 100% reactor power of 3014 MWth is available. This conclusion is based on the operations response to a battery room low flow annunciator alarm and the assumption that a fusible link fire damper failure is not a credible failure event, because the fire dampers are passive components and are not evaluated for failure at CR3.

This FMEA evaluation reveals that there is no failure of fast cooldown component that will migrate into the EFIC Cabinets and degrade their design capability for EF actuation, MSLI, MFWI, or FOGG.

The FMEA evaluation reveals that while there are some failures that could result in the one ADV not being available for control from the EFIC Cabinet, the redundant ADV is available and is 100% redundant for all EFIC (not fast cooldown) control events.

The FMEA reveals that while there are some failures that could result in one ADV spuriously opening, this main steam line break type event is bounded by MSLI evaluation if the spurious failure occurs during normal plant operation. If an ADV fails fully open with no pressure control during a SBLOCA, evaluation by AREVA safety analysis personnel has revealed that fuel clad temperatures will remain acceptable but that some ROTSG tube damage may occur. This would be a very low probability since a specific failure of one of a few components (ADV I/P, ADV positioner, EFIC control module, or EFIC pressure transmitter) would have to occur during a specific accident.

It should also be noted that present design is such that potentially the ADV could spuriously open due to a component failing a high signal.

EC 71855 FMEA Worksheet Notes:

1. Evaluation is based on single failure criteria of safety related redundant trains/systems. With the Fast Cooldown system, two operable ADVs and associated DC power and pressure control circuits perform as a functionally redundant system to a single HPI train in the event of a SBLOCA. With single failure of an HPI train, two operable ADVs and associated DC power and pressure control circuits must be operable. With a failure of either ADV or ADV Fast Cooldown circuitry including pressure control circuitry, DC power source and transfer relay, the FMEA evaluates/verifies no impact on an HPI pump, HPI motor power, or HPI or diesel switchgear control power. In the event of a failure of an ADV or associated Fast Cooldown system, two HPI trains must be operable.
2. For those circuits that provide safety functions or are safety related, line circuit failures due to shorts to ground or open circuits are evaluated for impact. Circuits that provide alarm functions only are not evaluated in this FMEA.
3. Failure of an ADV during a Steam Generator Tube Rupture (SGTR) is not evaluated in this FMEA since LAR 309 and CR3 licensing does not postulate a single component failure concurrent with a SGTR event.

Number Name Failure Mode Cause Symptoms and Local Effects Method of Detection Inherent Compensating Effect on ECCS Remarks and Other Provision Effects 1.0 MSV-25 Valve fails to stroke Mechanical failure of MSV-25 will not be operable for plant 24 month surveillance test Other ADV still functional One ADV is inoperable for Fast Very low probability valve internal trip or accident includingnot operable Valve stroke test using AOV Cooldown.

components usinghandwheel. diagnostics Both HPI pumps will remain operable and HPI system is capable of mitigating SB LOCA and LSCM T. . I MSV-25 actuator Actuator fails with valve Mechanical failure MSV-25 will remain closed and will 24 month surveillance test Other ADV still functional One ADV is inoperable for Fast Very low probability in closed position not be operable for plant trip or Valve stroke test using AOV Depending on failure of Cooldoswn.

accident diagnostics actuator, valve may be capable Both HPI pumps will remain ofbeing stroked open with operable and HPI system is handwwheel. capable of mitigating SBLOCA and LSCM 1.1.2 MSV-25 actuator Actuator fails with valve Mechanical failure MSV-25 will spuriously open and I. ROTSG pressure Other ADV still functional. Both HPI pumps will remain For failure duringa in open position OTSG "A" will blow down to zero indication on control EFIC will respond with EF operable and HPI system is SBLOCA. this is very low psig pressure. MSV-25 will not be board and RECALL actuation. MSLI, MFWl and capable ofmitigating SBLOCA probability ofa specific operable for plant trip or accident, points FOGG logic to isolate main and LSCM component failure

2. ADV valve not feedwaterand emergency EFIC will actuate on lowOTSG happeningduring a closed annunciator feedwateron "faulted" pressure for EF actuation, MSLI, specific unrelated accident alarm ROTSG MFWI, and FOGG logic, event in which the
3. Rooftop camera Depending on failure of Transientwill be boundedby accident would not create indication actuator, valve may be capable main steam line break analysis if the component failure.
4. EFICactuationsof of being stroked closed with failure does not occur duringa This is not a new failure EF. MSLI, MFWI handwheel. SBLOCA or LSCM event, mode as this could occur Evaluation of valve failing open with existing l/P, during a SBLOCAor LSCM positioner, actuator, EFIC event has not been specifically control module or EFIC modeled for all EPU changes. pressure transmitter.

However, evaluation of ARE VA SB LOCA analysis performed Page 10 of 70

EC 71855 X64R0 including ADV failing open during SB LOCA with uncontrolled blowdown is such that fuel cladding temperature will remain acceptable and that resulting tube to shell delta temperatures will not create tube failure or create loss of tube integrity.

(References 32-9078876-002 and BAW-2374)

Additionally, Progress Energy Calculations S09-0004159F-B79 and S09-0005150F for SBLOCA and MSLB events occurring concurrently, reveal that tube stresses due to Tube to Shell differential temperature (TSDT) remain acceptable and do not challenge tube design. For tube stresses, the MSLB event bounds an ADV failing open.

1.2 MSV-25A-FL Fusible ball valve fails Mechanical failure MSV-25 will become inoperable after I. 24 month Other ADV still functional One ADV is inoperable for Fast Very low probability MSV-25B-FL closed to isolate air from air downstream of valve bleeds off surveillance test of Valve will be capable of being Cooldown. With fusible link, this is a valve air supply due to control air I/P and positioner valve stroke using EFIC stroked open with handwheel. Both HPI pumps will remain mechanical component normal air usage and then remain or Fast Cooldown operable and HPI system is and a passive component closed and will not be operable for demand signal capable of mitigating SBLOCA and failure is not within plant trip or accident except with 2. Supply air pressure and LSCM CR3 design basis manual handwheel gauge on Positioner would read zero psig 1.3 MSV-25C-FL Fusible ball valve fails Mechanical Failure MSV-25 will remain closed and will 1. 24 month Other ADV still functional One ADV is inoperable for Fast Very low probability MSV-25D-FL and ports air off valve not be operable for plant trip or surveillance test ofl Valve will be capable of being Cooldown. With fusible link, this is a air supply accident except with manual valve stroke using stroked open with handwheel Both HPI pumps will remain mechanical component handwheel EFIC or Fast operable and HPI system is and a passive component Cooldown demand capable of mitigating SBLOCA and failure is not within signal and LSCM CR3 design basis

2. Positioner supply air pressure gauge would read low abnormal psig
3. Normal operator building walkdown may detect air blowdown Page 11 of 70

EC 71855 X64R0 MSV-25 will spuriously open and I I. ROTSG pressure Other ADV still functional. I Both HPI pumps will remain For failure duringa 1.4.1 MSV-25-1/P I/P tails high Mechanical tailure OTSG "A7 will blow down to zero indication on control EFIC will respond with EF operable and HPI system is SBLOCA, this is very low psig pressure. MSV-25 will not be board and RECALL actuation, MSLI, MFWI and capable of mitigating SBLOCA probability of a specific operable for plant trip or accident. points FOGG logic to isolate main and LSCM. component failure

2. ADV valve not feed water and emergency EFIC will actuate on lowOTSG happening during a closed annunciator feedwateron "faulted" OTSG pressure for EF actuation, MSLI, specific unrelated accident alarm Valve will be capable of being MFWI, and FOGG logic. event in which the
3. Rooftop camera stroked closed with manual Transient will be bounded by accident would not create indication handwheel after control air is main steam line break analysis if the component failure.
4. EFIC actuations of isolated. failure does not occur during a This is not a new failure EF, MSLI, MFWI SBLOCA or LSCM event. mode asthis could occur Evaluation of valve failing open with existing VP.

during a SBLOCA or LSCM positioner actuator, or event has not been specifically EFIC control module or modeled for all EPU changes. EFIC pressure transmitter.

However, evaluation of AREVA SB LOCA analysis performed including ADV failingopen during SB LOCA with uncontrolled blowdown is such that fuel cladding temperature will remain acceptable and that resulting tube to shell delta temperatures will not create tube failure or create loss of tube integrity.

(References 32-9078876-002 and BAW-2374)

Additionally, Progress Energy Calculations S09-0004159F-B79 and S09-0005150F for SBLOCA and MSLB events occurring concurrently, reveal that tube stresses due to Tube to Shell differential temperature (TSDT) remain acceptable and do not challenge tube design. For tube stresses, the MSLB event bounds an ADV failing open.

1.4.2 MSV-25-I/P I/P fails low Mechanical failure or MSV-25 will fail closed and cannot I. 24 month Other ADV still functional One ADV is inoperable for Fast Lowprobability Electrical failure open other than manual handwheel. surveillance test of Valve will be capable of being Cooldown. This is not a new failure MSV-25 will not be operable for plant valve stroke using stroked open with manual Both HPI pumps will remain mode as this could occur trip or accident EFIC or Fast handwheel operable and HPI system is with existing UP.

Cooldown demand capable of mitigating SB LOCA signal and LSCM

2. Periodic calibration of I/P 1.5.1 MSV-25-FRI Regulator fails high Mechanical failure If instrument air is over 85 psig, relief 1. 24 month Other ADV still functional One ADV is inoperable for Fast Very low probability valve MSV-189/190 will lift and surveillance test of Valve will be capable of being Cooldown if instrument air blowdown air. MSV-25 will not be valve stroke using stroked with manual supply is over 100 psig operable for plant trip or accident EFIC or Fast handwheel after control air is Both HPI pumps will remain Cooldown demand isolated. operable and HPI system is signal capable of mitigating SB LOCA
2. With relief valves and LSCM Page 12 of 70

EC 71855 X64R0 MSV-189/190 open, the positioner supply air pressure gauge would read abnormally low.

3. Periodic calibration of filter regulator 1.5.2 MSV-25-FRI Regulator fails low Mechanical failure MSV-25 will fail closed and cannot 1. 24 month Other ADV still functional One ADV is inoperable for Fast Very low probability open other than manual handwheel surveillance test of Valve will be capable of being Cooldown. This is not a new failure MSV-25 will not be operable for plant valve stroke using stroked open with manual Both HPI pumps will remain mode as this could occur trip or accident EFIC or Fast handwheel. operable and HPI system is with existing pressure Cooldown demand capable of mitigating SBLOCA regulator.

signal and LSCM

2. Positioner supply air pressure gauge would read abnormally low
3. Periodic calibration of filter regulator 1.6.1 MSV-25 Limit switch contacts Mechanical failure ADV open annunciator alarm will ADV open annunciator alarm Both ADV still functional No impact on Fast Cooldown Low probability Limit switch A-B fails in closed alarm when valve is closed, for valve NOT CLOSED will capability or ADV operability position Annunciator alarm will not alarm annunciate with valve closed Both HPI pumps will remain when valve opens. TBV bias may be operable and HPI system is applied when ADV is not closed, capable of mitigating SBLOCA May add bias to TBV control setpoint and LSCM with ADV partially open.

1.6.2 MSV-25 Limit switch contacts Mechanical failure Annunciator alarm will not alarm 1. 24 month Both ADV still functional No impact on Fast Cooldown Low probability Limit switch A-B fails in open when valve opens. surveillance test of capability or ADV operability position valve stroke Both HPI pumps will remain

2. Intermediate Building operable and HPI system is Rooftop camera will capable of mitigating SBLOCA indicate valve not and LSCM closed with steam flow indication

1.7.1 MSV-25 Limit switch contacts Mechanical failure TBV bias will be applied when ADV Turbine bypass valve control Both ADV still functional No impact on Fast Cooldown Low probability Limit switch C-D fails in closed is not closed. Will add bias to TBV setpoint for steam pressure capability or ADV operability position control setpoint with ADV partially will be incorrect Both HPI pumps will remain open. operable and HPI system is capable of mitigating SBLOCA and LSCM 1.7.2 MSV-25 Limit contacts C-D fail Mechanical failure TBV bias will not be applied when Both ADV still functional No impact on Fast Cooldown Low probability Limit switch in open position ADV is closed. Will not add bias to Turbine bypass valve control capability or ADV operability TBV setpoint when TBVs and ADVs setpoint for steam pressure Both HPI pumps will remain are closed will be incorrect operable and HPI system is capable of mitigating SBLOCA and LSCM 1.8.1 MSV-25-POS Positioner fails to low Mechanical Failure MSV-25 will fail closed and cannot 24 month surveillance test of Other ADV still functional One ADV is inoperable for Fast Low probability pressure output open other than manual handwheel. valve stroke using EFIC or Valve will be capable of being Cooldown. This is not a new failure MSV-25 will not be operable for plant Fast Cooldown demand signal stroked open with manual Both HPI pumps will remain mode as this could occur trip or accident handwheel. operable and HPI system is with existing positioner.

capable of mitigating SBLOCA and LSCM 1.8.2 MSV-25-POS Positioner fails to high Mechanical Failure MSV-25 will fail open and blow 1. ROTSG pressure Other ADV still functional. Both HPI pumps will remain For failure during a pressure output down associated ROTSG to zero psig. indication on control EFIC will respond with EF operable and HPI system is SBLOCA, this is very low

board and RECALL actuation, MSLI, MFWI and capable of mitigating SBLOCA probability of a specific points FOGG logic to isolate main and LSCM. component failure

2. ADV valve not feedwater and emergency EFIC will actuate on low OTSG happening during a closed annunciator feedwater on "faulted" OTSG pressure for EF actuation, MSLI, specific unrelated accident alarm Valve will be capable of being MFWI, and FOGG logic. event in which the
3. Rooftop camera stroked with manual Transient will be bounded by accident would not create indication handwheel after control air is main steam line break analysis if the component failure.
4. EFIC actuations of isolated. failure does not occur during a This is not a new failure EF, MSLI, MFWI SBLOCA or LSCM event. mode as this could occur Evaluation of valve failing open with existing I/P, during a SBLOCA or LSCM positioner actuator, or event has not been specifically EFIC control module or modeled for all EPU changes. EFIC pressure transmitter.

However, evaluation of AREVA SBLOCA analysis performed including ADV failing open during SBLOCA with uncontrolled blowdown is such that fuel cladding temperature will remain acceptable and that resulting tube to shell delta temperatures will not create tube failure or create loss of tube integrity.

(References 32-9078876-002 and BAW-2374)

Additionally, Progress Energy Calculations S09-0004159F-B79 and S09-0005150F for SBLOCA and MSLB events occurring concurrently, reveal that tube stresses due to Tube to Shell differential temperature (TSDT) remain acceptable and do not challenge tube design. For tube stresses, the MSLB event bounds an ADV failing open.

1.9 MSS62 Short circuit or open Electrical Failure MSV-25 or MSV-26 ADV control 24 month surveillance test of One ADV is available for One ADV is inoperable for Fast MSS66 circuits circuit signal fails to zero valve stroke using EFIC or redundant functions of plant Cooldown control.

Fast Cooldown trip or shutdown from EFIC. Wiring does not affect HPI power or controls.

Both HPI pumps will remain operable and HPI system is capable of mitigating SBLOCA and LSCM 1.10.1 MSV-25-FR2 Regulator fails high Mechanical Failure Supply pressure to I/P fails much 1. ROTSG pressure Other ADV still functional. Both HPI pumps will remain For failure during a higher than design supply air pressure indication on EFIC will respond with EF operable and HPI system is SBLOCA, this is very low for I/P control. MSV-25-I/P is control board actuation, MSLI, MFWI and capable of mitigating SBLOCA probability of a specific inoperable, and RECALL FOGG logic to isolate main and LSCM. component failure MSV-25-I/P cannot maintain 3 psig points feedwater and emergency EFIC will actuate on low OTSG happening during a closed signal. ADV will open. 2. ADV valve not feedwater on "faulted" OTSG pressure for EF actuation, MSLI, specific unrelated accident Conservative assumption is that ADV closed Valve will be capable of being MFWI, and FOGG logic. event in which the will fully open. annunciator stroked with manual Transient will be bounded by accident would not create alarm handwheel after control air is main steam line break analysis if the component failure.


3. Rooftop camera isolated. failure does not occur during a This is not a new failure indication SBLOCA or LSCM event. mode as this could occur
4. EFIC actuations Evaluation of valve failing open with existing I/P, of EF, MSLI, during a SBLOCA or LSCM positioner actuator, or MFWI event has not been specifically EFIC control module or modeled for all EPU changes. EFIC pressure transmitter.

However, evaluation of AREVA SBLOCA analysis performed including ADV failing open during SB LOCA with uncontrolled blowdown is such that fuel cladding temperature will remain acceptable and that resulting tube to shell delta temperatures will not create tube failure or create loss of tube integrity.

(References 32-9078876-002 and BAW-2374)

Additionally, Progress Energy Calculations S09-0004159F-B79 and S09-0005150F for SBLOCA and MSLB events occurring concurrently, reveal that tube stresses due to Tube to Shell differential temperature (TSDT) remain acceptable and do not challenge tube design. For tube stresses, the MSLB event bounds an ADV failing open.

1.10.2 MSV-25-FR2 Regulator fails low Mechanical Failure Supply pressure to I/P fails low. I/P 1. 24 month One ADV is available for One ADV is inoperable for Fast output to positioner will fail low. surveillance test of redundant functions of plant Cooldown control.

MSV-25 will fail closed, valve stroke using trip or shutdown from EFIC. Both HPI pumps will remain EFIC or Fast operable and HPI system is Cooldown capable of mitigating SBLOCA

2. Periodic calibration and LSCM of filter regulator 2.0 MSV-26 Valve fails to stroke Mechanical failure of MSV-25 will not be operable for plant 24 month surveillance test Other ADV still functional Very low probability valve internal trip or accident including not operable Valve stroke test using AOV components using handwheel. diagnostics 2.1.1 MSV-26 actuator Actuator fails with valve Mechanical failure MSV-26 will remain closed and will 24 month surveillance test Other ADV still functional One ADV is inoperable for Fast Very low probability in closed position not be operable for plant trip or Valve stroke test using AOV Depending on failure of Cooldown.

accident diagnostics actuator, valve may be capable Both HPI pumps will remain of being stroked open with operable and HPI system is handwheel. capable of mitigating SBLOCA and LSCM 2.1.2 MSV-26 actuator Actuator fails with valve Mechanical failure MSV-26 will spuriously open and 1. ROTSG pressure Other ADV still functional. Both HPI pumps will remain For failure during a in open position OTSG "B" will blow down to zero indication on control EFIC will respond with EF operable and HPI system is SBLOCA, this is very low psig pressure. MSV-26 will not be board and RECALL actuation, MSLI, MFWI and capable of mitigating SBLOCA probability of a specific operable for plant trip or accident, points FOGG logic to isolate main and LSCM component failure

2. ADV valve not feedwater and emergency EFIC will actuate on low OTSG happening during a closed annunciator feedwater on "faulted" OTSG pressure for EF actuation, MSLI, specific unrelated accident alarm Depending on failure of MFWI, and FOGG logic. event in which the
3. Rooftop camera actuator, valve may be capable Transient will be bounded by accident would not create indication of being stroked closed with main steam line break analysis if the component failure.


handwheel. failure does not occur during a This is not a new failure SBLOCA or LSCM event. mode as this could occur Evaluation of valve failing open with existing I/P, during a SBLOCA or LSCM positioner actuator, or event has not been specifically EFIC control module or modeled for all EPU changes. EFIC pressure transmitter.

However, evaluation of AREVA SBLOCA analysis performed including ADV failing open during SBLOCA with uncontrolled blowdown is such that fuel cladding temperature will remain acceptable and that resulting tube to shell delta temperatures will not create tube failure or create loss of tube integrity.

(References 32-9078876-002 and BAW-2374)

Additionally, Progress Energy Calculations S09-0004159F-B79 and S09-0005150F for SBLOCA and MSLB events occurring concurrently, reveal that tube stresses due to Tube to Shell differential temperature (TSDT) remain acceptable and do not challenge tube design. For tube stresses, the MSLB event bounds an ADV failing open.

2.2 MSV-26A-FL Fusible ball valve fails Mechanical failure MSV-26 will become inoperable after 1. 24 month Other ADV still functional One ADV is inoperable for Fast Very low probability MSV-26B-FL closed to isolate air from air downstream of valve bleeds off due surveillance test of Valve will be capable of being Cooldown With fusible link, this is a valve air supply to control air I/P and positioner normal valve stroke using stroked open with handwheel. Both HPI pumps will remain mechanical component air usage MSV-26 will then remain EFIC or Fast operable and HPI system is and a passive component closed and will not be operable for Cooldown demand capable of mitigating SBLOCA and failure is not within plant trip or accident except with signal and LSCM CR3 design basis manual handwheel 2. Positioner supply air pressure gauge would show zero psig 2.3 MSV-26C-FL Fusible ball valve fails Mechanical failure MSV-26 will remain closed and will 1. 24 month Other ADV still functional One ADV is inoperable for Fast Very low probability MSV-26D-FL open and ports air off not be operable for plant trip or surveillance test of Cooldown With fusible link, this is a valve air supply accident except with manual valve stroke using Both HPI pumps will remain mechanical component handwheel EFIC or Fast operable and HPI system is and a passive component Cooldown demand capable of mitigating SB LOCA and failure is not within signal and LSCM CR3 design basis

2. Positioner supply air pressure gauge would show low abnormal psig
3. Normal operator building walkdown may detect air blowdown

2.4.1 MSV-26-I/P I/P fails high Mechanical failure MSV-26 will spuriously open and 1. ROTSG pressure Other ADV still functional Both HPI pumps will remain For failure during a blow down OTSG "B" to low indication on control EFIC will respond on MFWI operable and HPI system is SBLOCA, this is very low pressure. MSV-26 will not be operable board and RECALL and FOGG logic to isolate capable of mitigating SBLOCA probability of a specific for plant trip or accident. points main feedwater and emergency and LSCM. component failure

2. ADV valve not feedwater on "faulted" OTSG EFIC will actuate on low OTSG happening during a closed annunciator After control air is isolated, pressure for EF actuation, MSLI, specific unrelated accident alarm valve will be capable of being MFWI, and FOGG logic. event in which the
3. Rooftop camera stroked closed with manual Transient will be bounded by accident would not create indication handwheel main steam line break analysis if the component failure.
4. EFIC actuations of failure does not occur during a This is not a new failure EF, MSLI, MFWI SBLOCA or LSCM event. mode as this could occur Evaluation of valve failing open with existing I/P, during a SBLOCA or LSCM positioner actuator, or event has not been specifically EFIC control module or modeled for all EPU changes. EFIC pressure transmitter.

However, evaluation of AREVA SB LOCA analysis performed including ADV failing open during SBLOCA with uncontrolled blowdown is such that fuel cladding temperature will remain acceptable and that resulting tube to shell delta temperatures will not create tube failure or create loss of tube integrity.

(References 32-9078876-002 and BAW-2374)

Additionally, Progress Energy Calculations S09-0004159F-B79 and S09-0005150F for SBLOCA and MSLB events occurring concurrently, reveal that tube stresses due to Tube to Shell differential temperature (TSDT) remain acceptable and do not challenge tube design. For tube stresses, the MSLB event bounds an ADV failing open.

2.4.2 MSV-26-I/P I/P fails low Mechanical failure MSV-26 will fail closed and will not 1. 24 month Other ADV still functional One ADV is inoperable for Fast Very low probability open without manual handwheel. surveillance test of valve will be capable of being Cooldown This is not a new failure valve stroke using stroked open with manual Both HPI pumps will remain mode as this could occur EFIC or Fast handwheel operable with existing ADV I/P, Cooldown demand ADV positioner, EFIC signal control module or EFIC

2. Periodic calibration pressure controller.

of I/P 2.5.1 MSV-26-FRI Regulator fails high Mechanical failure If instrument air is over 85 psig, relief 1. 24 month Other ADV still functional One ADV is inoperable for Fast Very low probability valve MSV-189/190 will lift and surveillance test of Valve will be capable of being Cooldown if instrument air blowdown air. MSV-25 will not be valve stroke using stroked with manual supply is over 100 psig operable for plant trip or accident EFIC or handwheel after control air is Both HPI pumps will remain Fast Cooldown isolated, operable and HPI system is demand signal capable of mitigating SB LOCA

2. With relief valves and LSCM

MSV-189/190 open, the positioner supply air pressure gauge would read abnormally low.

3. Periodic calibration of filter regulator 2.5.2 MSV-26-FRI Regulator fails low Mechanical failure MSV-26 will fail closed and cannot 1. 24 month Other ADV still functional One ADV is inoperable for Fast Very low probability open without manual handwheel. surveillance test of Valve will be capable of being Cooldown MSV-26 will not be operable for plant valve stroke using stroked open with manual Both HPI pumps must remain trip or accident EFIC or Fast handwheel. operational Cooldown demand signal
2. Positioner supply air pressure gauge would read abnormally low
3. Periodic calibration of filter regulator 2.6.1 MSV-26 Limit switch contacts Mechanical failure ADV open annunciator alarm will ADV open annunciator alarm Both ADV still functional No impact on Fast Cooldown Low probability Limit switch A-B fails in closed alarm when valve is closed, for valve NOT CLOSED will capability or ADV operability position Annunciator alarm will not alarm annunciate with valve closed Both HPI pumps will remain when valve opens. TBV bias may be operable and HPI system is applied when ADV is not closed, capable of mitigating SBLOCA May add bias to TBV control setpoint and LSCM with ADV partially open.

2.6.2 MSV-26 Limit switch contacts Mechanical failure Annunciator alarm will not alarm 1. 24 month Both ADV still functional No impact on Fast Cooldown Low probability Limit switch A-B fails in open when valve opens. surveillance test of capability or ADV operability position valve stroke Both HPI pumps will remain

2. Intermediate Building operable and HPI system is rooftop camera will capable of mitigating SB LOCA indicate valve not and LSCM closed with steam indication 2.7.1 MSV-26 Limit switch contacts Mechanical failure TBV bias will be applied when ADV Turbine bypass valve control Both ADV still functional No impact on Fast Cooldown Low probability Limit switch C-D fails in closed is not closed. Will add bias to TBV setpoint for steam pressure capability or ADV operability position control setpoint with ADV partially will be incorrect Both HPI pumps will remain open. operable and HPI system is capable of mitigating SB LOCA and LSCM 2.7.2 MSV-26 Limit contacts C-D fail Mechanical failure TBV bias will not be applied when Both ADV still functional No impact on Fast Cooldown Low probability Limit switch in open position ADV is closed. Will not add bias to Turbine bypass valve control capability or ADV operability TBV setpoint when TBVs and ADVs setpoint for steam pressure Both HPI pumps will remain are closed will be incorrect operable and HPI system is capable of mitigating SBLOCA and LSCM 2.8.1 MSV-26-POS Positioner fails low Mechanical Failure MSV-26 will fail closed and cannot 24 month surveillance test of Other ADV still functional One ADV is inoperable for Fast Very low probability pressure output open other than manual handwheel. valve stroke using EFIC or Valve will be capable of being Cooldown This is not a new failure MSV-26 will not be operable for plant Fast Cooldown Pressure stroked open with manual Both HPI pumps will remain mode as this could occur trip or accident Control demand signal handwheel operable and HPI system is with existing positioner.

capable of mitigating SBLOCA and LSCM 2.8.2 MSV-26-POS Positioner fails high Mechanical Failure MSV-26 will fail open and blow 1. ROTSG pressure Other ADV still functional. Both HPI pumps will remain For failure during a pressure output down associated ROTSG to zero psig. indication on control EFIC will respond with EF operable and HPI system is SBLOCA, this is very low board and RECALL actuation MSLI, MFWI and capable of mitigating SBLOCA probability of a specific

points FOGG logic to isolate main and LSCM. component failure

2. ADV valve not feedwater and emergency EFIC will actuate on low OTSG happening during a closed annunciator feedwater on "faulted" OTSG pressure for EF actuation, MSLI, specific unrelated accident alarm Valve will be capable of being MFWI, and FOGG logic. event in which the accident
3. Rooftop camera stroked closed with manual Transient will be bounded by would not create the indication handwheel after air is isolated main steam line break analysis if component failure. This is
4. EFIC actuations of failure does not occur during a not a new failure mode as EF, MSLI, MFWI SBLOCA or LSCM event. this could occur with Evaluation of valve failing open existing I/P, positioner during a SBLOCA or LSCM actuator, or EFIC control event has not been specifically module or EFIC pressure modeled for all EPU changes. transmitter.

However, evaluation of AREVA SBLOCA analysis performed including ADV failing open during SBLOCA with uncontrolled blowdown is such that fuel cladding temperature will remain acceptable and that resulting tube to shell delta temperatures will not create tube failure or create loss of tube integrity.

(References 32-9078876-002 and BAW-2374)

Additionally, Progress Energy Calculations S09-0004159F-B79 and S09-0005150F for SBLOCA and MSLB events occurring concurrently, reveal that tube stresses due to Tube to Shell differential temperature (TSDT) remain acceptable and do not challenge tube design. For tube stresses, the MSLB event bounds an ADV failing open.

2.9.1 MSV-26-FR2 Regulator fails high Mechanical Failure Supply pressure to I/P fails much 1. ROTSG pressure indication Other ADV still functional. Both HPI pumps will remain For failure during a higher than design supply air pressure on control board and EFIC will respond with EF operable and HPI system is SBLOCA, this is very low for I/P control. MSV-26-I/P is RECALL points actuation MSLI, MFWI and capable of mitigating SBLOCA probability of a specific inoperable. valve not closed annunciator FOGG logic to isolate main and LSCM. component failure MSV-26-I/P cannot maintain 3 psig alarm feedwater and emergency EFIC will actuate on low OTSG happening during a closed signal. ADV will open. 3. Rooftop camera feedwater on "faulted" OTSG pressure for EF actuation, MSLI, specific unrelated accident Conservative assumption is that ADV indication Valve will be capable of being MFWI, and FOGG logic. event in which the will fully open. 4. EFIC actuations of stroked with manual Transient will be bounded by accident would not create EF, MSLI, MFWI handwheel after control air is main steam line break analysis if the component failure.

isolated. failure does not occur during a This is not a new failure SBLOCA or LSCM event. mode as this could occur Evaluation of valve failing open with existing I/P, during a SBLOCA or LSCM positioner actuator, or event has not been specifically EFIC control module or modeled for all EPU changes. EFIC pressure transmitter.

However, evaluation of AREVA SBLOCA analysis performed including ADV failing open during SBLOCA with uncontrolled blowdown is such that fuel cladding temperature will remain acceptable and that resulting tube to shell delta temperatures will not create tube failure or create loss of tube integrity.

(References 32-9078876-002 and BAW-2374)

Additionally, Progress Energy Calculations S09-0004159F-B79 and S09-0005150F for SBLOCA and MSLB events occurring concurrently, reveal that tube stresses due to Tube to Shell differential temperature (TSDT) remain acceptable and do not challenge tube design. For tube stresses, the MSLB event bounds an ADV failing open.

2.9.2 MSV-26-FR2 Regulator fails low Mechanical Failure Supply pressure to I/P fails low. I/P 1. 24 month One ADV is available for One ADV is inoperable for Fast output to positioner will fail low, surveillance test of redundant functions of plant Cooldown control.

MSV-25 will fail closed, valve stroke using trip or shutdown from EFIC. Both HPI pumps will remain EFIC or Fast operable and HPI system is Cooldown capable of mitigating SBLOCA

2. Periodic calibration and LSCM of filter regulator 3.0 IAV-663 Regulator fails high Mechanical failure Relief valves IAV-1084 and IAV- 1. SP-300 surveillance Redundant MSV-26 will be One ADV not operable in SBO Low probability 1085 will open to protect system Operator logs available in SBO or LOOP or LOOP.

components. MSV-25 will lose its back-up air system Both HPI pumps will remain backup air supply and not be operable pressure low on IA- operable and HPI system is in a SBO or LOOP 195-PI capable of mitigating SBLOCA

2. Normal operator and LSCM.

walkdown may For SBO or other design detect air blowdown function, redundant MSV-26 will be operable.

MSV-25 will be operable with handwheel in an Appendix R fire 3.1 IAV-663 Regulator fails low Mechanical failure MSV-25 will lose its backup air SP-300 surveillance Redundant MSV-26 will be One ADV not operable in SBO Low probability supply and not be operable in a SBO Operator logs backup air available in SBO or LOOP or LOOP or LOOP system pressure low on IA- Both HPI pumps will remain 196-PI operable and HPI system is capable of mitigating SBLOCA and LSCM.

For SBO or other design function, redundant MSV-26 will be operable.

MSV-25 will be operable with handwheel in an Appendix R fire 3.2 IAV-672 Regulator fails high Mechanical failure Relief valves IAV-1088 and IAV- 1. SP-300 surveillance Redundant MSV-25 will be One ADV not operable in SBO Low probability 1089 will open to protect system Operator logs back-up air available in SBO or LOOP or LOOP components. MSV-26 will lose its system pressure low on IA- Both HPI pumps will remain back-up air supply and not be operable 197-PI operable and HPI system is in a SBO or LOOP 2. Normal operator capable of mitigating SBLOCA walkdown may and LSCM.

detect air blowdown. For SBO or other design function, redundant MSV-25 will be operable.

MSV-26 will be operable with handwheel in an Appendix R fire 3.3 IAV-672 Regulator fails low Mechanical failure MSV-26 will lose its backup air SP-300 surveillance Redundant MSV-25 will be One ADV not operable in SBO Low probability supply and not be operable in a SBO Operator logs backup air available in SBO or LOOP or LOOP or LOOP system pressure low on IA- Both HPI pumps will remain 198-PI operable and HPI system is capable of mitigating SBLOCA and LSCM.

For SBO or other design function, redundant MSV-25 will be operable.

MSV-26 will be operable with handwheel in an Appendix R fire 3.4 IAV-662 Relief Valves fail open Mechanical failure Per DBD 92 criteria, this is a passive Although not a credible This would impact only one of Both HPI pumps will remain IAV-671 failure and outside CR3 design basis, failure per CR3 design basis, two ADV backup air supplies operable and HPI system is If credible it would bleed and deplete this failure would be detected and not impact any HPI capable of mitigating SBLOCA back-up air bottle bank by IA-197-PI or IA-195-PI operability, and LSCM.

with SP-300 For SBO or other design Normal operator walkdown function, redundant ADV will be may detect air blowdown operable.

Both ADVs will be operable with handwheel in an Appendix R fire 3.5 IAV-1084 Relief Valves fail open Mechanical failure Per DBD92 criteria, this is a passive Although not a credible This would impact only one of Both HPI pumps will remain IAV-1085 failure and outside CR3 design basis. failure per CR3 design basis, two ADV backup air supplies operable and HPI system is IAV-1088 If credible it would bleed and deplete this failure would be detected and not impact any HPI capable of mitigating SBLOCA IAV-1089 backup air bottle bank by IA-196-PI or IA-198-PI operability, and LSCM.

with SP-300 For SBO or other design Normal operator walkdown function, redundant ADV will be may detect air blowdown operable.

Both ADVs will be operable with handwheel in an Appendix R fire 3.6 MSV-189 Relief Valves fail open Mechanical failure Per DBD92 criteria, this is a passive Although not a credible This would impact operability Both HPI pumps will remain MSV-190 failure and outside CR3 design basis, failure per CR3 design basis, of one of two ADV backup air operable and HPI system is If credible it would bleed and deplete this failure could be detected supplies and not impact any capable of mitigating SBLOCA backup air bottle bank in the event of by any one of several periodic HPI operability, and LSCM.

a LOOP or SBO air line leak test methods. For SBO or other design Normal operator walkdown function, redundant ADV will be may detect air blowdown operable.

Both ADVs will be operable with handwheel in an Appendix R fire 4.1 MSV-25-TRI Contact set 6-5 fails Mechanical failure EFIC demand for one ADV will be 1. Two year interval Redundant ADV will be One ADV is inoperable for EFIC This is low probability MSV-26-TRI open for normal EFIC isolated from associated ADV. ADV periodic test using available and is sized control of ADV. created by mechanical demand to ADV I/P will remain closed in normal operation EFIC demand to adequately for all events in Redundant ADV design (for damage to relay. This with no impact on normal plant stroke ADV which EFIC valve demand is events that do Cooldown) not require to Fast is degraded single would not be new failure operation. One ADV will not be 2. Valve does not open used for ADVs. ADV. CR3 could cooldown with mode as an existing operable for plant trip or accident on plant abnormal one ADV with 1025 psig electronic component mitigation that uses EFIC control of response to control ADV is operable with setpoint or with manual control. (low) failure would have ADV steam pressure at handwheel for Appendix R No effect on HPI system. Both identical effect and event HPI pump/trains will remain operable for mitigation of

1025 psig SBLOCA and LSCM. method of detection Fast Cooldown system for both ADVs is operable if only contacts 6-5 are defective and no other contact sets of relay.

4.2 MSV-25-TRI Relay contacts 6-7 fail Mechanical failure EFIC demand for one ADV will be I. Two year interval Redundant ADV will be One ADV is inoperable for This is low probability MSV-26-TRI closed during EFIC isolated from ADV. ADV will remain periodic test using available and is sized EFIC control of ADV. created by mechanical control of ADV closed in normal operation with no EFIC demand to adequately for all events in Redundant ADV design (for damage to relay. This impact on normal plant operation. One stroke ADV which EFIC control valve events that do not require Fast would not be new failure ADV will not be operable for plant demand is used. Cooldown) is degraded to one mode as an existing trip or accident mitigation 2. Valve does not open ADV is operable with ADV. electronic component There will be no current from Foxbor on plant abnormal handwheel for Appendix R Redundant ADV design (for (low) failure would have V/I module since contacts 9-10 will response to control event events that do not require Fast identical effect and open. steam pressure at Cooldown) is degraded to single method of detection 1025 psig ADV.

CR3 could cooldown with one ADV with 1025 psig setpoint or with manual control.

No effect on HPI system. Both HPI pump/trains will remain operable for mitigation of SBLOCA and LSCM.

Fast Cooldown system for both ADVs is operable if only contacts 6-5 are defective and no other contact sets of relay.

4.3 MSV-25-TRI Relay contacts 6-7 fail Mechanical failure EFIC demand will produce no current If only this contact fails in this Fast Cooldown system is Fast Cooldown system control is This is low probability MSV-26-TRI open during Fast for "feedback" circuit since circuit is mode, no impact on EFIC or operable. Both HPI pumps will operable for both ADVs created by mechanical Cooldown energization open. Fast Cooldown operability is not Fast Cooldown demand signal remain operable for Fast assuming no other relay contact damage to relay.

of relay affected. to ADV operability. Cooldown failures.

Two year periodic testing of HPI pump/trains are not affected valve stroke using both EFIC by this transfer relay. Both HPI and Fast Cooldown demand pump/trains are operable for signals sequentially will mitigation of SBLOCA and detect any operability issues. LSCM.

4.4 MSV-25-TRI Contact set 8-9 fails Mechanical failure EFIC signal return will be interpreted 1. Two year interval Redundant ADV will be One ADV is inoperable from This is low probability MSV-26-TRI open for normal EFIC and current loop will be open with no periodic test using available and is sized EFIC Control. Redundant ADV created by mechanical current loop return from current to ADV I/P. One ADV will EFIC demand to adequately for all events in design (for events that do not damage to relay. This ADV I/P remain closed in normal operation stroke ADV which EFIC control valve require Fast Cooldown) is would not be new failure with no impact on normal plant demand is used degraded to one ADV. mode as an existing operation. One ADV will not be 2. Valve does not open CR3 could cooldown with one electronic component

operable for plant trip or accident on plant abnormal ADV with 1025 psig setpoint or (low) failure would have mitigation response to control with manual control, identical effect and There will be no current from Foxboro steam pressure at Relay failure does not affect HPI method of detection V/I module since contacts 8-9 will be 1025 psig system. Both HPI pump/trains open. will remain operable for mitigation of SBLOCA and LSCM.

4.5 MSV-25-TRI Relay contacts 9-10 fail Mechanical failure EFIC demand for ADV will be open 1. Two year interval Redundant ADV will be Fast Cooldown system is This is low probability MSV-26-TRI closed during EFIC circuit with no current to ADV. One periodic test using available and is sized operable for both ADVs created by mechanical control of ADV ADV will remain closed in normal EFIC demand to adequately for events in which assuming no other relay contact damage to relay. This operation with no impact on normal stroke ADV EFIC control valve demand is failures. Redundant ADV design would not be new failure plant operation. One ADV will not be 2. Valve does not open used (for events that do not require mode as an existing operable for plant trip or accident o" Fast Cooldown) is degraded to electronic component mitigation from EFIC on plant abnormal one ADV. (low) failure would have There will be no current from Foxboro response to control CR3 could cooldown with one identical effect and V/I module since contacts 8-9 will be steam pressure at ADV with 1025 psig setpoint or method of detection open while contacts 6-5 are closed. 1025 psig with manual control.

Relay failure does not affect HPI system. Both HPI pump/trains will remain operable for mitigation of SBLOCA and LSCM

4.6 MSV-25-TRI Relay contacts 9-10 fail Mechanical failure EFIC demand will produce no current If only this contact fails in No impact on Fast Cooldown Fast Cooldown system is This is low probability MSV-26-TRI open during Fast for "feedback" circuit since circuit is this mode, no impact on EFIC system operability. operable for both ADVs created by mechanical Cooldown energization open. Fast Cooldown operability is not or Fast Cooldown demand Fast Cooldown system is assuming no other contact damage to relay.

of relay affected, signal to ADV operability, operable for both ADVs failures on relay. Relay failure Two year periodic testing of assuming no other contact has no effect on HPI system valve stroke using both EFIC failures on relay. Both HPI Both HPI pump/trains will and Fast Cooldown demand pumps will remain operable remain operable for mitigation signals sequentially will for Fast Cooldown of SBLOCA and LSCM.

detect any operability issues

4.7 MSV-25-TRI Contact set 12-13 does Mechanical failure FCS controller signal demand will be Periodic testing of Fast This single failure would not Fast Cooldown function for one This is low probability MSV-26-TRI not close (fails open) in interrupted and current loop will be Cooldown system on refuel affect the HPI pump motor ADV is not operable, created by mechanical Fast Cooldown demand open. interval using Fast Cooldown power or switchgear control This single failure is limited to damage to relay.

to ADV upon relay This single failure would result in demand signal to stroke valve power sources. It would not relay and ADV. It does not affect energization either MSV-25 or 26 Fast Cooldown affect HPI pump flow HPI pump or HPI motor voltage capability being inoperable, injection trains or any or HPI or diesel switchgear DC One ADV will remain closed with 125VDC plant station control voltage control. Both HPI EFIC current loop transferred (from power buses for HPI pump pump/trains are operable for relay energization) and FCS switchgear or associated train mitigation of SBLOCA and controller current loop open and not diesel.. LSCM.

available for MSV-25 or MSV-26 control.

4.8 MSV-25-TRI Contact set 12-11 does Mechanical failure FCS controller signal demand will be Periodic testing of Fast This single failure would not Fast Cooldown function for one This is low probability MSV-26-TRI not open (fails closed) in interrupted and current loop will be Cooldown system on refuel affect the HPI pump motor ADV is not operable. created by mechanical Fast Cooldown demand open. interval using Fast Cooldown power or switchgear control This single failure is limited to damage to relay.

to ADV upon relay This single failure would result in demand signal to stroke valve power sources. It would not relay and ADV. It does not affect

energization either MSV-25 or 26 Fast Cooldown affect HPI pump flow HPI pump or HPI motor voltage capability being inoperable, injection trains or any or HPI or diesel switchgear DC One ADV will remain closed with 125VDC plant station control voltage control. Both HPI EFIC current loop transferred (from power buses for HPI pump pump/trains are operable for relay energization) and FCS switchgear or associated train mitigation of SBLOCA and controller current loop open and not diesel. LSCM.

available for MSV-25 or MSV-26 control.

4.9 MSV-25-TRI Contact set 12-11 fails Mechanical failure FCS controller feedback loop will not If only this contact fails in this This single failure would affect This single failure would not This is low probability MSV-26-TRI open with relay de- produce current loop since loop is mode, no impact on EFIC or only the Fast Cooldown affect the HPI pump motor created by mechanical energized open circuit. Fast Cooldown demand signal "feedback" loop This single power or switchgear control damage to relay.

Normal EFIC control is not affected, to ADV operability, failure does not affect the power sources. Two HPI Two year periodic testing of EFIC signal to ADV. pump/trains are operable for valve stroke using both EFIC SBLOCA and LSCM and Fast Cooldown demand mitigation.

signals sequentially will detect any operability issues

4.10 MSV-25-TRI Contact set 15-16 does Mechanical failure FCS controller current loop signal Periodic testing of Fast This single failure would not Fast Cooldown function for one This is low probability MSV-26-TRI not close (fails open) in return is open and current loop will be Cooldown system on refuel affect the HPI pump motor ADV is not operable. created by mechanical Fast Cooldown demand open. interval using Fast Cooldown power or switchgear control This single failure is limited to damage to relay.

to ADV upon relay This single failure would result in demand signal to stroke valve power sources. It would not relay and ADV. It does not affect energization either MSV-25 or 26 Fast Cooldown affect HPI pump flow HPI pump or HPI motor voltage capability being inoperable, injection trains or any or HPI or diesel switchgear DC One ADV will remain closed with 125VDC plant station control voltage control. Two HPI EFIC current loop transferred power buses for HPI pump pump/trains are operable for (from relay energization) and FCS switchgear or associated train mitigation of SBLOCA and controller current loop open and not diesel. LSCM.

available for MSV-25 or MSV-26 control.

4.11 MSV-25-TRI Contact set 15-14 does Mechanical failure FCS controller current loop signal Periodic testing of Fast This single failure would not Fast Cooldown function for one This is low probability MSV-26-TRI not open (fails closed) in return is open and current loop will be Cooldown system on refuel affect the HPI pump motor ADV is not operable. created by mechanical Fast Cooldown demand open. interval using Fast Cooldown power or switchgear control This single failure is limited to damage to relay.

to ADV upon relay This single failure would result in demand signal to stroke valve power sources. It would not relay and ADV. It does not affect energization either MSV-25 or 26 Fast Cooldown affect HPI pump flow HPI pump or HPI motor voltage capability being inoperable, injection trains or any or HPI or diesel switchgear DC One ADV will remain closed with 125VDC plant station control voltage control. Two HPI EFIC current loop transferred power buses for HPI pump pump/trains are operable for (from relay energization) and FCS switchgear or associated train mitigation of SBLOCA and controller current loop open and not diesel.. LSCM.

available for MSV-25 or MSV-26 control.

4.12 MSV-25-TRI Contact set 15-14 fails Mechanical failure FCS controller feedback loop will not If only this contact fails in This single failure would affect This single failure would not This is low probability MSV-26-TRI open with relay de- produce current loop since loop is this mode, no impact on EFIC only the Fast Cooldown affect the HPI pump motor created by mechanical energized open circuit on return loop to or Fast Cooldown demand "feedback" loop This single power or switchgear control damage to relay.

controller, signal to ADV operability, failure does not affect the power sources. Two HPI Normal EFIC control is not affected. Two year periodic testing of EFIC signal to ADV. pump/trains are operable to valve stroke using both EFIC mitigate SBLOCA and LSCM.

and Fast Cooldown demand signals sequentially will detect any operability issues

4.13 MSV-25-TRI Contact 12-13 fails Mechanical failure Fast Cooldown system demand and Periodic testing of Fast . This is low probability MSV-26-TRI closed during EFIC EFIC demand from Foxboro V/I Cooldown system using EFIC Redundant opposite train ADV Redundant ADV for non Fast created by mechanical control of ADV isolator will be connected, demand signal and will be available and is sized Cooldown functions is operable, damage to relay.

Fast Cooldown controller current loop sequentially Fast Cooldown adequately for all events in This single failure is limited to is powered by 36 VDC and Foxboro demand signal to stroke ADV which EFIC control valve relay and failure of Fast V/I isolation module current loops are demand is used Cooldown/EFIC interface. It

controlled at nominal 24 VDC. These does not affect HPI pump or HPI loops are semi-connected. With design of Foxboro V/I, motor voltage or control circuit.

With contact 12-13 (only) closed, there Fast Cooldown signal cannot Two HPI pump/trains are is no return current loop path for Fast propagate back into EFIC operable for SBLOCA and Cooldown pressure controller demand control module. Field bus fuse LSCM mitigation.

signal back to controller since contacts is 1/4 amp for Foxboro 15-16 are open. There is no current controller so impact on VBDP produced by FCS controller since power for Foxboro controller Foxboro module and FCS controller is negligible.

return circuitry are not grounded and are not connected. Impact on EFIC demand signal from Foxboro isolation module is indeterminate but current from Foxboro module is limited to 59.7 ma by 402 ohm resistors and Foxboro module has 1/4 amp fuse so VBDP power source for module is protected from adverse effect. (see 2AO-VAI document in VTMA 01283-000)

4.14 MSV-25-TRI Contact 15-16 fails Mechanical failure Fast Cooldown system signal return Periodic testing of Fast Redundant opposite train ADV One ADV is not operable for This is low probability MSV-26-TRI closed during EFIC and EFIC signal return to Foxboro V/I Cooldown system using EFIC will be available and is sized EFIC control. Redundant ADV created by mechanical control of ADV isolator will be connected. Fast demand signal and adequately for all events in for all events in which EFIC damage to relay.

Cooldown controller current loop is sequentially Fast Cooldown which EFIC control valve control valve demand is used is powered by 36 VDC and Foxboro V/I demand signal to stroke ADV demand is used operable. This single failure is isolation module current loops are With design of Foxboro V/I, limited to relay and failure of controlled at nominal 24 VDC. These Fast Cooldown signal cannot Fast Cooldown/EFIC interface.

loops are semi-connected. With propagate back into EFIC It does not affect HPI pump or contact 15-16 (only) closed, there is control module. Field bus fuse HPI motor voltage or control no current loop path for controller is 1/4 amp for Foxboro circuit.

demand signal since contacts 12-13 are controller so impact on VBDP Two HPI pump/trains are open and since Foxboro module and power for Foxboro controller operable for SBLOCA and FCS controller return circuitry are is negligible. LSCM mitigation.

grounded and are not connected, Impact on EFIC demand signal from Foxboro isolation module is indeterminate but current from Foxboro module is limited to 59.7 ma by 402 ohm resistors and Foxboro module has 1/4 amp fuse so VBDP power source for module is protected from adverse effect (see 2AO-VAI document in VTMA 01283-000)

4.15 MSV-25-TRI Contact 6-5 fails closed Mechanical failure Fast Cooldown system demand and Two year interval periodic With design of Foxboro V/I, Relay degradation may affect This is low probability MSV-26-TRI (does not open) during EFIC demand from Foxboro V/I test using EFIC demand Fast Cooldown signal cannot one channel of Fast Cooldown created by mechanical relay energization and isolator will be connected. Fast signal and sequentially Fast propagate back into EFIC pressure control for one ADV. damage to relay.

Fast Cooldown control Cooldown controller current loop is Cooldown demand signal to control module. Field bus fuse Redundant ADV is not affected.

of ADV powered by 36 VDC and Foxboro V/I stroke ADV is 1/4 amp for Foxboro This single failure of transfer

isolation module current loops are controller so impact on VBDP relay contacts does not affect controlled at nominal 24 VDC. These for Foxboro controller is HPI system. With single failure loops are semi-connected. With negligible, criteria, two HPI pumps/trains contact 5-6 (only) closed, there is no This single failure would not are operable to mitigate return current loop path for EFIC affect the functionally SBLOCA and LSCM.

demand to Foxboro V/I since contacts redundant two HPI pump 9-8 will be open. There is no current motor power sources or HPI produced by Foxboro module since pump flow injection trains or Foxboro module and FCS controller any 125VDC plant station return circuitry are not grounded and control power buses for HPI are not connected. Impact on FCS pump switchgear or associated pressure controller is indeterminate but train diesel..

current draw is limited to 1 amp from controller fusing (VTMA 02681-000, Attachment X76 of EC 71855)

EFIC demand for ADV is inoperable

4.16 MSV-25-TRI Contact 9-8 fails closed Mechanical failure Fast Cooldown system signal return Two year interval periodic Potential relay degradation Relay This is low probability MSV-26-TRI (does not open) during and EFIC signal return from Foxboro test using EFIC demand With design of Foxboro V/I, degradation may affect one created by mechanical relay energization and V/I isolator will be connected. Fast signal and sequentially Fast Fast Cooldown signal cannot channel of Fast Cooldown damage to relay.

Fast Cooldown control Cooldown controller current loop is Cooldown demand signal to propagate back into EFIC pressure control for one ADV.

of ADV powered by 36 VDC and Foxboro V/I stroke ADV control module. Field bus fuse Redundant ADV is not affected.

isolation module current loops are is 1/4 amp for Foxboro This single failure of transfer controlled at nominal 24 VDC. These controller so impact on VBDP relay contacts does not affect loops are semi-connected. With for Foxboro controller is HPI system. With single failure contact 9-8 (only) closed, there is no negligible, criteria, two HPI pumps/trains completed current loop path for EFIC are operable to mitigate demand to Foxboro V/I since contacts This single failure would not SBLOCA and LSCM 6-5 will be open. No current will be affect the functionally produced by Foxboro module since redundant two HPI pump Foxboro module and FCS controller motor power sources or HPI return circuitry are not grounded and pump flow injection trains or are not connected. EFIC demand for any 125VDC plant station ADV is inoperable control power buses for HPI Impact on FCS pressure controller is pump switchgear or associated indeterminate but current draw is train diesel.

limited to 1 amp from controller fusing (VTMA 02681-000, Attachment X76 of EC 71855)

4.17 MSV-25-TRI Contacts arc between Mechanical Defect If this occurred, potentially EFIC Two year interval periodic Two Foxboro modules provide Single channel of Fast Cooldown This is not considered a MSV-26-TRI separated contact blocks and/or Fast Cooldown pressure control testing using EFIC demand isolation of relay from EFIC system and EFIC control of one credible event since the or between contact and/or Fast Cooldown actuation of signal and sequentially Fast control module which in turn ADV is inoperable. Tyco dielectric strength is blocks and coil ADVs would become inoperable Cooldown demand signal to has a D/A converter at its ADV With single failure criteria, two listed at 500 Vrms depending on location of arcing inside stroke ADV signal output so design protects HPI trains are functionally (equivalent to 500VDC) relay, against migration of failure into redundant to one HPI and both with Fast Cooldown Current from Foxboro module is EFIC Cabinet and protects FCS channels, system voltage at limited to 59.7 ma by 402 ohm against adverse impact on EFIC Two pump/trains of HPI system controller is resistors and Foxboro module has 1/4 Cabinet functions. This single are operable for SBLOCA and approximately 36VDC, amp fuse so VBDP power source for failure would not affect the LSCM mitigation. Fast Cooldown actuation module is protected from adverse functionally redundant two HPI voltage at nominal 25 effect, pump VDC. And Foxboro motor power sources or HPI regulated power set at pump flow injection trains or 24VDC., Circuitry is used any 125VDC plant station in a low energy 4-20 ma control power buses for HPI circuit and a 25VDC pump switchgear or associated circuit for coil actuation.

train diesel. Note that Foxboro module has a current limiting resistor of 402 ohm which will limit output current to 24/403 = 59.6 m. The Fast Cooldown pressure controller has 1 amp fusing.

Contact ratings are 1 ma to 3 amps with highest contact amperage loadings at 136 ma for seal-in contacts.

4.18 MSV-25-TRI Relay fails to energized Mechanical Failure Initial Demand to one ADV would be 1. ROTSG pressure EFIC capability to actuate No impact on HPI system. Two The open contact sets 5-6 MSV-25-TRI state. Contact sets 12-13 20 ma and ADV valve initially would indication on control MSLI, MFWI, or FOGG logic pump/trains of HPI are available and 8-9 will isolate the and 15-16 go closed spuriously open to full open. board and RECALL is operable. for mitigation of SBLOCA. Fast Cooldown pressure during plant normal Associated ROTSG would blow down points Two Foxboro isolation modules One ADV will be controlled by controller signal from operation or during to 325 psig and Fast Cooldown would 2. ADV valve not (I/V and V/I) with design of Fast Cooldown pressure control EFIC demand signal.

EFIC control of ADVs control affected OTSG to 325 psig. closed annunciator transformers, rectifiers, and circuit and open one ADV to full Additionally, The Foxboro EFIC would actuate EF. MSLI, alarm buffer amplifiers will isolate open until ROTSG pressure is module isolation design MFWI, and FOGG. 3. Rooftop camera transfer relay signals from decreased to 325 psig and then with the transfer relay indication EFIC modules. Failure cannot control main steam pressure at and Fast Cooldown

4. EFIC actuations of propagate to affect EFIC. affected ROTSG to 325 psig. interface downstream of EF. MSLI, MFWI Would create EFIC actuation of the Foxboro modules low OTSG pressure, MSLI, would prevent any IEEE MFWI. and FOGG logic. Both 279, Section 4.7.3 single EFIC A and B would be capable random failure of relay or of mitigation as per design for Fast Cooldown controller main steam line break event. from affecting EFIC If this occurred during normal design/capability to plant operation, this would be mitigate main steam line bounded in accident analysis by break.

Turbine Bypass Valve full open failure and by Main Steam Line Break.

Per discussion with AREVA safety analysis personnel, evaluation of calculation 32-9129593-000 reveals that if this failure occurred during SBLOCA and LSCM, failure would be beneficial to mitigation and cooldown on primary RCS system.

4.19 MSV-25-TRI Relay fails to energize Electrical Failure ADV control remains from EFIC 1. Periodic testing of relay Failure is limited to relay only. Single channel of Fast Cooldown MSV-26-TRI Coil leads shorted or control at 1025 psig. transfer and using Fast This single failure of relay to system is inoperable.

open fuse blown Fast Cooldown system for affected Cooldown demand signal to energize would not affect the With single failure criteria, two ADV is inoperable. stroke ADV functionally redundant two HPI train flow is operable for 2, actuation annunciator alarm HPI pump motor power SBLOCA mitigation.

is not activated. 3. OTSG sources or HPI pump flow main steam pressure injection trains or any indication reveals that OTSG 125VDC plant station control is not being depressurized. power buses for HPI pump switchgear or associated train diesel.

4.20 MSV-25-TRI Relay fails to energize DC power fuse to relay ADV control remains from EFIC 1. Periodic testing of relay Failure is limited to relay only. Single channel of Fast Cooldown MSV-26-TRI failed open/blown control at 1025 psig. transfer and using Fast This single failure of relay to system is inoperable.

Fast Cooldown system for affected Cooldown demand signal to energize would not affect the With single failure criteria, two ADV is inoperable, stroke ADV functionally redundant two HPI train flow is operable for 2, actuation annunciator alarm HPI pump motor power SBLOCA mitigation.

is not activated. 3. OTSG sources or HPI pump flow main steam pressure injection trains or any indication reveals that OTSG 125VDC plant station control is not being depressurized.. power buses for HPI pump switchgear or associated train diesel.

4.21 MSV-25-TRI Relay fails to energize Electrical Failure MSV-25-TRI 1. FCS (common) With Fast Cooldown DC Single channel of Fast Cooldown MSV-26-TRI DC Bus supply voltage MSV-26-TRI Trouble alarms power being totally separate system is inoperable fails low actuate due to from station DC power and With single failure criteria, two undervoltage alarms VBDP power. this single HPI train flow is operable for at DPCP-IE or failure would not affect the SBLOCA mitigation.

DPCP-IF or low functionally redundant two process signal at HPI pump motor power MSV-25-PC2 (or sources or HPI pump flow MSV-26-PC2) injection trains or any

2. Periodic testing of 125VDC plant station control relay transfer and power buses for HPI pump using Fast Cooldown switchgear or associated train demand signal to diesel.

stroke ADV 3. OTSG main steam pressure indication reveals that OTSG is not being depressurized

4.22 MSV-25-TRI Relay chatters upon Electrical or ADV control could cycle between 1. Periodic testing of Impact is limited to Fast Fast Cooldown for affected MSV-26-TRI relay energization with Mechanical EFIC control at 1025 psig to fast cool relay actuation and Cooldown DC power minor ADV is inoperable and normal contacts not completing Failure down control at 325 psig. ADV could using Fast Cooldown surges and to cycling of EFIC control of one ADV is transfer oscillate in position. Fast Cooldown demand signal to control signal to ADV between inoperable.

for affected ADV is inoperable, stroke ADV, EFIC and Fast Cooldown ROTSG pressure will oscillate as Current from Foxboro module is 2. ROTSG pressure pressure controller. With Fast ADV cycles.

limited to 59.7 ma by 402 ohm indication on control Cooldown DC power totally With relay chatter, pressure may resistors and Foxboro module has 1/4 board and RECALL separate from station DC not degrade to 600 psig for amp fuse so VBDP power source for points may be power and VBDP power, this affected ROTSG.

Foxboro module is protected from oscillating single failure would not affect If pressure degrades to below adverse effect, significantly the functionally redundant two 600 psig, EFIC will actuate EF, HPI pump motor power MSLI, MFWI, and FOGG.

sources or HPI pump flow injection trains or any 125VDC This single failure would be plant station control power bounded in safety analysis by buses for HPI pump failure of turbine bypass valve switchgear or associated train and by main steam line break as diesel, to steam release mass flow.

If this occurred during HPI mitigation of SBLOCA and LSCM, it would likely be beneficial in cooldown of RCS.

(See failure 4.18 above)

With single failure criteria, two HPI train flow is operable for SBLOCA mitigation.

4.23 MSV-25-TRI Relay chatters upon Electrical Failure ADV control could cycle between 1. Periodic testing of Impact is limited to Fast No impact on HPI system. Two This is not considered a MSV-26-TRI relay energization due to Long term Relay EFIC control at 1025 psig to Fast relay actuation and Cooldown DC power minor pump/trains of HPI are available credible failure due to EMF or RFI degradation Cooldown control at 325 psig. ADV using Fast Cooldown surges and to cycling of for mitigation of SBLOCA. relay being qualified to could oscillate in position. Fast demand signal to control signal to ADV between Fast Cooldown for affected IEEE 323 EMF standards Cooldown for affected ADV is stroke ADV, EFIC and Fast Cooldown ADV is inoperable and normal and due to relay mounted inoperable and normal EFIC control of 2. ROTSG pressure pressure controller. With Fast EFIC control of one ADV is in steel enclosure with one ADV is inoperable indication on control board Cooldown DC power totally inoperable. wiring installed in conduit.

Current from Foxboro module is and RECALL points may be separate from station DC ROTSG pressure will oscillate as limited to 59.7 ma by 402 ohm oscillating significantly power and VBDP power, ADV cycles.

resistors and Foxboro module has 1/4 this single failure would not With relay chatter, pressure may amp fuse so VBDP power source for affect the functionally not degrade to 600 psig for Foxboro module is protected from redundant two HPI pump affected ROTSG.

adverse effect motor power sources or HPI If pressure degrades to below pump flow injection trains or 600 psig, EFIC will actuate EF, any 125VDC plant station MSLI, MFWI, and FOGG.

control power buses for HPI pump switchgear or associated This single failure would be train diesel. bounded in safety analysis by failure of turbine bypass valve and by main steam line break as to steam release mass flow.

If this occurred during HPI mitigation of SBLOCA and LSCM, it would likely be beneficial in cooldown of RCS.

(See failure 4.18 above)

With single failure criteria, two HPI train flow is operable for SBLOCA mitigation.

4.24 MSV-25-TRI Contacts 18-17 fail Mechanical Failure Main Control Board FCS Actuation Periodic Testing For failure of these contacts This affects only one main MSV-26-TRI closed Status Light would not indicate on an Annunciator alarm would only, the annunciator and SER control board FCS actuation FCS actuation actuate if actuation occurred alarms for FCS actuation are status light. It does not affect operable from MSV-25-ARI Fast Cooldown actuation or Fast or MSV-26-ARI relay Cooldown pressure control.

Both trains/channels of Fast Cooldown pressure control are operable to mitigate SBLOCA and LSCM. Failure does not affect any operability of HPI pumps, power, or controls. Two trains of HPI are operable to mitigate SBLOCA.

4.25 MSV-25-TRI Contacts 18-17 fail open Mechanical Failure No impact on alarms or actuations N/A No impact on alarms or This does not affect Fast MSV-26-TRI actuations Cooldown actuation or Fast Cooldown pressure control..

Both trains/channels of Fast Cooldown pressure control are operable to mitigate SBLOCA and LSCM. Failure does not affect any operability of HPI pumps, power, or controls. Two trains of HPI are operable to mitigate SBLOCA.

4.26 MSV-25-TRI Contacts 18-19 fail open MechanicalFailure MainControlBoardFCSActuation I. Periodic Testing For failure of these contacts Thisaffectsonlyonemain MSV-26-TRI upon relay energization Status Light would not indicate on an including status light only, the annunciator and SER control board FCS actuation FCS actuation indication alarms for FCS actuation are status light. It does not affect

2. Annunciatoralarm operable from MSV-25-ARI Fast Cooldowsactuation or Fast would actuate if or MSV-26-AR I relay Cooldown pressure control..

actuation occurred Both trains/channels of Fast Cooldown pressure control are operable to mitigate SBLOCA and LSCM. Failure does not affect any operability of HPI pumps, power, or controls.. Two trains of HPI are operable to mitigate SBLOCA 4.27 MSV-25-TR I Contacts 18-19 fail Mechanical Failure Main Control Board FCS Actuation Status Light will illuminate For failure ofthese contacts This affects only one main MSV-26-TRI closed Status Light will spuriously illuminate only, the annunciator and SER control board FCS actuation to give false indication of alarms will not be in alarm status light. It does not affect FCS train/channel actuation state. This would give Fast Cooldown actuation or Fast indication of failure/abnormal Cooldown pressure control..

circuit condition. Both trains/channels of Fast Cooldown pressure control are operable to mitigate SBLOCA and LSCM. Failure does not affect any operability of HPI pumps, power, or controls.. Two trains of HPI are operable to mitigate SB LOCA 4.28 MSV-25-TRI Contacts 21-20 fail Mechanical Failure This is seal-incontactset for FCS PeriodicTestingof relay ICCM has a three channel, two Thisfailuredoesnotaffectany MSV-26-TRI closed on relay auto actuation. If auto actuation transfer with fast cooldown train actuation design. Both operability of HPI pumps, energization occurred from the ICCM cabinettrain selector switch in "auto" and a ICCM train actuations would power. or control to mitigate a actuation relay contacts and then auto momentary closure or have to fail for auto actuation SBLOCA and LSCM.

actuation relay cleared/de-energized, jumpering of contacts across of FCS to fail when needed. Two trains of HPI are operable FCS actuation would drop out if this TB5-11 and TB5-12 to mitigate SB LOCA contact set failed closed.

4.29 MSV-25-TRI Contacts 21-20 fail open Mechanical Failure No impact if contacts 21-22 will close N/A No impact if contacts 21-22 Failure does not affect any MSV-26-TRI (see below) will close operability of HPI pumps, (see below) power, or controls to mitigate a SBLOCA and LSCM.

4.30 MSV-25-TRI Contacts 21-22 fail open Mechanical Failure This is seal-in contact set for FCS auto Periodic Testing of relay ICCM has a three channel, two This failure does not affect any MSV-26-TRI (will not close on relay actuation. If auto actuation occurred transfer with fast cooldown train actuation design. Both operability of HPI pumps, energization) from the ICCM cabinet train actuation selector switch in "auto" and a ICCM train actuations would power, or control to mitigate a relay contacts and then auto actuation momentary closure or have to fail for auto actuation SBLOCA and LSCM. Two relay cleared/de-energized, FCS jumpering of contacts across of FCS to fail when needed trains of HPI are operable to actuation would drop out if this TB5-11 and TB5-12 mitigate SBLOCA contact set did not close 4.31 MSV-25-TRI Contacts 21-22 fail Mechanical Failure This would create a spurious FCS 1. ROTSG pressure Redundant ADV is operable. No impact on HPI system. Two MSV-26-TRI closed actuation on one of two FCS indication on control EFIC is operable and would pump/trains of HPI are available trains/channels and blowdown the board and RECALL actuate EF, MSLI, MFWI, for mitigation of SBLOCA.

affected ROTSG to 325 psig. points FOGG. One ADV will be controlled by

2. ADV valve not Fast Cooldown pressure control closed annunciator circuit and open one ADV to full alarm open until ROTSG pressure is
3. Rooftop camera decreased to 325 psig and then indication control main steam pressure at
4. EFIC actuations of affected ROTSG to 325 psig.


EC 71855 X64R0 EF, MSLI, MFWI Would create EFIC actuation of low OTSG pressure, MSLI, MFWI, and FOGG logic. Both EFIC A and B would be capable of mitigation as per design for main steam line break event.

If this occurred during normal plant operation, this would be bounded in accident analysis by Turbine Bypass Valve full open failure and by Main Steam Line Break.

Per discussion with AREVA safety analysis personnel, evaluation of calculation 32-9129593-000 reveals that if this failure occurred during SBLOCA and LSCM, failure would be beneficial to mitigation and cooldown on primary RCS system.

5.1 MSV-25-ARI Relay fails to energize Electrical or Spurious "FCS Trouble" annunciator "FCS Trouble" Annunciator RECL-127/128 would not None, this relay provides alarm MSV-26-ARI Mechanical alarm will actuate window and associated SER show low pressure indication only. No safety function Failure point will alarm and controller alarm lights would not be illuminated 5.2 MSV-25-ARI Relay contacts 6-7 fail Mechanical Spurious "FCS Trouble" annunciator "FCS Trouble" Annunciator RECL-127/128 would not None, this relay provides alarm MSV-26-ARI open/do not close Failure alarm will actuate window and associated SER show low pressure indication only. No safety function point will alarm and controller alarm lights would not be illuminated 5.3 MSV-25-ARI Relay fails to the Mechanical No common trouble alarm if pressure Periodic testing of Fast If process signal were lost, None, this provides alarm only.

MSV-26-ARI energized state Failure controller loses process signal Cooldown circuitry to verify RECALL point No safety function relay operability RECL-127/128 would show low pressure indication and controller alarm lights illuminate 5.4 MSV-25-ARI Relay contacts 6-7 fail Mechanical No "FCS Trouble" alarm if pressure Periodic testing of Fast If process signal were lost, None, this provides alarm only.

MSV-26-ARI closed Failure controller loses process signal Cooldown circuitry to verify RECALL point No safety function relay operability RECL-127/128 would show low pressure indication and controller alarm lights illuminate 6.1 MSV-25-AR2 Relay fails to energize Electrical or No "FCS actuation" annunciator when Periodic testing of Fast Status light above selector None, this provides alarm only.

MSV-26-AR2 Mechanical FCS is actuated Cooldown circuitry switch would light upon FCS No safety function Failure actuation. Also OTSG pressure signal would display decreasing OTSG pressure 6.2 MSV-25-AR2 Relay contacts 6-7 fail Mechanical No "FCS actuation" annunciator when Periodic testing of Fast Status light above selector None, this provides alarm only.

MSV-26-AR2 open/do not close Failure FCS is actuated Cooldown circuitry switch would light upon FCS No safety function actuation. Also OTSG pressure signal would display decreasing OTSG pressure 6.3 MSV-25-AR2 Relay fails to the Mechanical Failure Spurious "FCS actuation" alarm when "FCS actuation" window and Status light above selector None, this provides alarm only.

MSV-26-AR2 energized state no actuation has occurred associated SER point alarms switch will not be lighted. No safety function OTSG pressure indications will not decrease 6.4 MSV-25-AR2 Relay contacts 6-7 fail Mechanical Failure Spurious "FCS actuation" alarm when "FCS actuation" window and Status light above selector None, this provides alarm only.

MSV-26-AR2 closed no actuation has occurred associated SER point alarms switch will not be lighted. No safety function OTSG pressure indications will not decrease 7.1 MSV-25-PC2 Pressure controller fails Electrical Failure Pressure controller is inoperable and "FCS Trouble" alarm and Failure of Fast Cooldown One channel of Fast Cooldown MSV-26-PC2 low FCS system is inoperable due to a SER point will alarm due to pressure controller does not for one ADV is inoperable.

failed pressure control train, loss of process signal affect any of the power or This failure does not affect any controls of the HPI pumps, HPI system components, valves, or switchgear. HPI With this single failure, two HPI pump flow capability is not pumps and their flow capability affected, will be operable for SBLOCA Failure does not affect the and LSCM mitigation.

normal EFIC control of ADV 7.2 MSV-25-PC2 Pressure controller fails Electrical Failure Pressure controller is inoperable and Periodic testing including Failure of Fast Cooldown With this single failure, two HPI MSV-26-PC2 high FCS system is inoperable due to a proper response of pressure pressure controller does not pumps and their flow capability failed pressure control train controller to input signal affect any of the power or will be operable for SBLOCA controls of the HPI pumps, and LSCM mitigation valves, or switchgear. HPI pump flow capability is not affected.

Failure does not affect the normal EFIC control of ADV 8.1 MSV-025-FU-01 Fuse fails open Electrical Failure Pressure controller and pressure "FCS Trouble" alarm on Loss No effect on HPI pump motor One channel of Fast Cooldown is MSV-26-FU-01 transmitter have no power. One train of process signal power or control power inoperable. SBLOCA and of Fast Cooldown is inoperable. RECL-127 and RECL-128 do LSCM can be mitigated with not channel check, two pump HPI flow 8.2 MSV-025-FU-01 Fuse fails to blow at 3 Electrical failure Degraded short circuit protection for FCS operability would be No impact on HPI system. May adversely affect operability This is not a credible MSV-26-FU-01 amps wiring/circuit that supplies power to determined with periodic of one channel of FCS if circuit failure for evaluation since pressure controller. However, short testing of fast cooldown is shorted and does not blow this fuse failure would be a circuit would have to be localized in actuation and pressure control fuse. second failure. It would minimal length of wiring since circuitry Degraded short circuit protection take a short circuit (first pressure controller has its own 1 amp may affect current supply failure) to draw current fuse. No impact on wiring since loading capability from the two above 3 amps.

wiring is minimum of 16AWG and redundant DC to DC converters rated for 12.8 amps at 140F wire and two redundant DC buses.

temperature. that supply power to the pressure controller if there is a "hard short" Each DC to DC converter is rated at 3 amps at 25VDC with normal DC to DC converter loading at 2.218 amps..

No impact on HPI system power or control. SBLOCA and LSCM can be mitigated with two pump HPI flow or two trains of Fast Cooldown.

9.1 MSV-025-FU-02 Fuse fails open Electrical Failure MSV-ARI coil will de-energize. FCS "FCS Trouble" alarm will Alarm circuitry only. Does not Both Channels of Fast Cooldown

MSV-26-FU-02 Trouble Alarm circuit is opened and actuate with SER point and affect Fast Cooldown are operable.

FCS trouble alarm is actuated annunciator operability. SBLOCA can be mitigated with No impact on HPI system. two pump HPI flow or two trains of Fast Cooldown.

9.2 MSV-025-FU-02 Fuse fails to blow at 3 Electrical failure Fuse provides power to MSV-ARI 1. Abnormal No impact on HPI system May adversely affect operability This is not a credible MSV-26-FU-02 amps relay coil through MSV-25-PC2 or indications on DC of one channel of FCS if circuit failure for evaluation since MSV-26-PC2 process controller low bus ammeters DP- is shorted and does not blow this fuse failure would be a process signal alarm contact. 45-11 and DP-47-11 fuse. second failure. It would Degraded short circuit protection. 2. FCS operability Degraded short circuit protection take a short circuit (first However, short circuit would have to would be determined may affect current supply failure) to draw current be localized in minimal length of with periodic testing loading capability from the two above 3 amps.

wiring since alarm contact is in series of pressure control redundant DC to DC converters with 430 ohm relay coil so current is circuitry and alarm and two redundant DC buses.

still limited to 58 ma unless short is functions that supply power to the upstream of relay coil. No impact on pressure controller if there is a wiring since wiring is minimum of "hard short" 16AWG and rated for 12.8 amps at Each DC to DC converter is 140F wire temperature rated at 3 amps at 25VDC with normal DC to DC converter loading at 2.218 amps..

No impact on HPI system power or control Two pump/trains of HPI are available for mitigation of SBLOCA.

10.1 MSV-025-FU-03 Fuse fails open Electrical Failure Status Light above Fast Cooldown Periodic testing of fast FCS actuation alarm and No impact on safety function of MSV-26-FU-03 selector switches is inoperable and cooldown system actuation, associated SER point will FCS. FCS is operable to actuate will not light on FCS actuation alarm, and indication alarm with power from a and cooldown RCS and mitigate different fuse. SBLOCA and LSCM.

No impact on HPI system Two trains of HPI are operable to mitigate SBLOCA.

10.2 MSV-025-FU-03 Fuse fails to blow at 3 Electrical failure Fuse provides power for Fast 1. Abnormal Does not impact any power or May adversely affect operability This is not a credible MSV-26-FU-03 amps Cooldown actuation indicator lamp indications on DC controls of HPI system. of one channel of FCS if circuit failure for evaluation since rated for 28 ma on control board, bus ammeters DP- is shorted and does not blow this fuse failure would be a Degraded short 45-11 and DP-47-11 fuse. second failure. It would circuit protection for status light short 2. FCS operability Degraded short circuit protection take a short circuit (first circuit. No impact on wiring since would be determined may affect current supply failure) to draw current wiring is minimum of 14AWG and with periodic testing loading capability from the two above 3 amps.

rated for 17.8 amps at 140F wire of pressure control redundant DC to DC converters temperature. circuitry and alarm and two redundant DC buses.

functions that supply power to the pressure controller if there is a "hard short" Each DC to DC converter is rated at 3 amps at 25VDC with normal DC to DC converter loading at 2.218 amps..

No impact on HPI system power or control Two pump/trains of HPI are available for mitigation of SBLOCA.

11.1 MSV-025-FU-04 Fuse fails open Electrical Failure Transfer relay (TR 1) and actuation Power Available lamp at EFIC control of two ADVs is One channel of FCS is MSV-26-FU-04 alarm relay (AR2) are inoperable main control board goes not affected. HPI pump motor inoperable.

One train of Fast Cooldown is out. power and control power is not Two pump/trains of HPI are inoperable affected. operable to mitigate SBLOCA,

Fuse provides power to coils of MSV- 1. Abnormal Does not impact any power or May adversely affect operability This is not a credible 11.2 MSV-025-FU-04 Fuse fails to blow at 3 Electrical failure MSV-26-FU-04 amps 25-TRI and MSV-25-AR2. Coil indications on DC controls of HPI system of one channel of FCS if circuit failure for evaluation since ratings are for 68 ma each with coil bus ammeters DP- is shorted and does not blow this fuse failure would be a resistance of minimum of 90% of 430 45-11 and DP-47-11 fuse. second failure. It would ohms (387 ohms) 2. FCS operability Degraded short circuit protection take a short circuit (first Degraded short circuit protection for would be determined may affect current supply failure) to draw current shorted circuit wiring but minimal with periodic testing loading capability from the two above 3 amps.

impact of wiring since minimum of Fast Cooldown redundant DC to DC converters wiring size of 16 AWG is rated for Actuation, alarms, and two redundant DC buses.

12.8 amps at 140F wire temperature. and indication that supply power to the pressure controller if there is a "hard short" Each DC to DC converter is rated at 3 amps at 25VDC with normal DC to DC converter loading at 2.218 amps.

No impact on HPI system power or control Two pump/trains of HPI are available for mitigation of cooldown.

12.0.1 MSV-025-FU-05 Fuse fails open Electrical Failure Analog Isolator MSV-25-PY3 or Channel check of RECL-127 EFIC main steam control Both channels of FCS are MSV-26-FU-05 MSV-26-PY3 will de-energize. and RECL-128 board indication is available operable.

MSV-025-FU-06 RECALL point 127 or 128 will fail to for ROTSG pressure Two trains of HPI are operable MSV-26-FU-06 zero. to mitigate SBLOCA.

12.0.2 MSV-025-FU-05 Fuse fails to blow at 3 Electrical failure Degraded short circuit protection for 1. Abnormal Does not impact any power or May adversely affect operability This is not a credible MSV-26-FU-05 amps shorted circuit wiring but minimal indications on DC controls of HPI system of one channel of FCS if circuit failure for evaluation since MSV-025-FU-06 impact of wiring since minimum bus ammeters DP- is shorted and does not blow this fuse failure would be a MSV-26-FU-06 wiring size of 16 AWG is rated for 45-11 and DP-47-11 fuse. second failure. It would 12.8 amps at 140F. Analog isolators 2. FCS operability Degraded short circuit protection take a short circuit (first have fusing for 0.75 amps so internal would be determined may affect current supply failure) to draw current fault would be limited to 0.75 amps with periodic testing loading capability from the two above 3 amps.

and fault would have to occur of Fast Cooldown redundant DC to DC converters "upstream" of supply to analog Actuation, alarms, and two redundant DC buses.

isolators.. and indication that supply power to the

3. pressure controller if there is a "hard short" Each DC to DC converter is rated at 3 amps at 25VDC with normal DC to DC converter loading at 2.218 amps..

No impact on HPI system power or control Two pump/trains of HPI are available for mitigation of cooldown.

12.1 MSV-25;SEL Contacts Mechanical Failure Failure of Auto actuation of Fast Periodic Fast Cooldown Actuate (manual) position of Single train of Fast Cooldown Low probability of MSV-25;SEL WH-B1 and WH-B2 Cooldown for one ADV actuation, alarm, and switch may be operable, system will be inoperable. mechanical failure.

Fail open indication testing with switch Failure does not affect Mitigation of SBLOCA and Contacts are rated for as in auto position operability of two HPI LSCM can occur with two low as 1 ma current with injection trains operable HPI trains, evaluated 136 ma as switch load at actuation 12.2 MSV-25;SEL Contacts Mechanical Failure Spurious Actuation of one train of 1. "FCS actuation" EFIC will actuate MSLI, No impact on HPI system. Two Very low probability MSV-25:SEL BL-B1 and BL-B2 FCS window and MFWI, and FOGG logic as pump/trains of HPI are available

Fail closed One ADV will spuriously open and associated SER compensating actions. for mitigation of SBLOCA.

blowdown one OTSG and actuate point alarms Switch may be positioned to One ADV will be controlled by EFIC functions "BYPASS" Fast Cooldown pressure control

2. ROTSG pressure Failure does not affect HPI circuit and open one ADV to full indication on system. open until ROTSG pressure is control board and decreased to 325 psig and then RECALL points control main steam pressure at
3. ADV valve not affected ROTSG to 325 psig.

closed annunciator Would create EFIC actuation of alarm low OTSG pressure, MSLI,

4. Rooftop camera MFWI, and FOGG logic. Both indication EFIC A and B would be capable
5. EFIC actuations of of mitigation as per design for EF, MSLI, MFWI main steam line break event.

If this occurred during normal plant operation, this would be bounded in accident analysis by Turbine Bypass Valve full open failure and by Main Steam Line Break.

Per discussion with AREVA safety analysis personnel, evaluation of calculation 32-9129593-000 reveals that if this failure occurred during SBLOCA and LSCM, failure would be beneficial to mitigation and cooldown on primary RCS system.

12.3 MSV-25;SEL Contacts BL-B1 and Mechanical No manual capability for Fast Periodic testing of Fast Auto actuation may be Mitigation of SBLOCA and Low probability MSV-26;SEL BL-B2 fail open (do not Failure Cooldown actuation Cooldown actuation, alarm, operable through different set LSCM can occur with two close on switch and indication testing with of contacts. operable HPI trains.

positioning) switch in actuate position Failure does not affect HPI pump operability 12.4 MSV-25;SEL Contacts Mechanical Failure "FCS BYPASS" alarm in spuriously "FCS BYPASS" alarm These contacts provide alarm Both channels of Fast Cooldown Low probability MSV-25;SEL WH-A1 and WH-A2 actuated, actuates function only. are operable. Mitigation of Fail closed SBLOCA and LSCM can occur with two operable HPI trains.

12.5 MSV-25;SEL Contacts WH-A1 and Mechanical Failure "FCS BYPASS" alarm will not Periodic testing of Fast None, this set of contacts Both channels of Fast Cooldown Low probability MSV-26:SEL WH-A2 fail open (do actuate. Cooldown actuation, alarm, provide alarm function only are operable. Mitigation of not close on switch and indication testing with SBLOCA and LSCM can positioning) switch in actuate occur with two operable HPI trains.

13.1 MSV-25:TSS Normally closed Mechanical Failure Fast Cooldown Pressure controller "FCS Trouble" alarm on loss One of two ADVs is operable. One channel of FCS is MSV-26jTSS contacts at signal to inoperable of process signal will provide Does not affect EFIC control inoperable.

controller input fail open annunciator alarm. of ADV. SBLOCA and LSCM Failure does not affect HPI mitigation is available from two motor power or controls HPI pump trains.

power. Does not affect EFIC control of either ADV 13.2 MSV-25:TSS Normally open contacts Mechanical Failure Fast Cooldown Pressure controller "FCS Trouble" alarm on loss One of two ADVs is operable. One channel of FCS is MSV-26:TSS to test resistor R2 fail input signal is degraded/incorrect of process signal. RECALL Does not affect EFIC control inoperable.

closed point RECL-127 and RECL- of ADV. SBLOCA and LSCM mitigation 128 do not correctly channel Failure does not affect HPI is available from two HPI pump check motor power or controls trains.

power. Does not affect EFIC control of either ADV 13.3 MSV-25:TSS Normally open contacts Mechanical Failure Fast Cooldown Pressure controller "FCS Trouble" alarm on loss One of two ADVs is operable. One channel of FCS is MSV-26;TSS to test resistor R1 fail input signal is degraded/incorrect of process signal. Does not affect EFIC control inoperable.

closed Fast Cooldown system is inoperable RECALL point RECL-127 of ADV. SBLOCA and LSCM and RECL-128 do not Failure does not affect HPI mitigation is available from two correctly channel check motor power or controls HPI pump trains.

power. Does not affect EFIC control of either ADV 13.4 MSV-25:TSS Normally open contacts Mechanical Failure Pressure controller test circuitry is Periodic testing of pressure No impact on Fast Cooldown Both channels of Fast Cooldown MSV-26;TSS to test resistor R2 fail inoperable but Fast Cooldown control circuitry including capability. Failure does not are operable..

open on test switch capability is not affected simulating input to pressure affect HPI motor power or SBLOCA and LSCM mitigation selection controller controls power. is available from two HPI pump trains Does not affect EFIC control of either ADV 13.5 MSV-25:TSS Normally open contacts Mechanical Failure Pressure controller test circuitry is Periodic testing of pressure No impact on Fast Cooldown Both channels of Fast Cooldown MSV-26;TSS to test resistor R1 fail inoperable but Fast Cooldown control circuitry including capability. Failure does not are operable.

open on test switch capability is not affected simulating input to pressure affect HPI motor power or SBLOCA and LSCM mitigation selection controller controls power. is available from two HPI pump trains Does not affect EFIC control of either ADV 14.1 DPI3A-IE I Battery cell fails open Electrical Failure/ Low Battery Bank Voltage Surveillance Procedure for Each battery bank has a DC supply for Fast Cooldown DPI3A-IE2 Manufacture Defect battery voltage using DPCP- redundant bank capable of control remains operable.

DPBA-IFI IE test switches TS3 and TS6 equal voltage and amperage Both channels of Fast Cooldown DP13A-IF2 and DP-46-EI and DP-48-EI supply. The associated DC for SBLOCA mitigation remain bus has auctioneering design operable.

Two trains of HPI are operable to mitigate SB LOCA.

14.2 DPI3A-IEI Battery cell shorts Electrical Failure/ Low Battery Bank Voltage Surveillance Procedure for Each battery bank has a DC supply for Fast Cooldown DPI3A-IE2 Manufacture Defect battery voltage using DPCP- redundant bank capable of control remains operable.

DPI3A-IFI IE test switches TS3 and TS6 equal voltage and amperage Both channels of Fast Cooldown DPI3A-I F2 and DP-46-El and DP-48-EI supply. The associated DC bus for SBLOCA mitigation remain has auctioneering design operable.

Two trains of HPI are operable to mitigate SBLOCA.

14.3 DPl3A-I El Battery casing has Mechanical Failure Low electrolyte level and degraded Visual Surveillance inspection Each battery bank has a DC supply for Fast Cooldown DPI3A- IE2 leakage battery of battery condition redundant bank capable of control remains operable.

DPBA-IFl equal voltage and amperage Both channels of Fast Cooldown DPBA-lF2 supply. The associated DC bus for SBLOCA mitigation remain has auctioneering design operable.

Two trains of HPI are operable to mitigate SBLOCA.

14.4 DPI3A-IE I Output voltage fails low Electrical Failure Low Battery Bank Voltage Surveillance Procedure for Each battery bank has a DC supply for Fast Cooldown DPB3A-IE2 Battery voltage using DPCP- redundant bank capable of control remains operable.

DPBA-IFI IE test switches TS3 and TS6 equal voltage and amperage Both channels of Fast Cooldown DPBA-IF2 and DP-46-EI and DP-48-EI supply. The associated DC for SBLOCA mitigation remain bus has auctioneering design operable.

Two trains of HPI are operable to mitigate SBLOCA.

14.5 DPI3A-IEI Output voltage fails high Electrical Failure Battery Bank Voltage High Surveillance Procedure for Each battery bank has a DC supply for Fast Cooldown This failure is not DPI3A-I E2 Battery voltage using DPCP- redundant bank capable of control remains operable. considered a credible DPitA-1FI IE test switches TS3 and TS6 equal voltage and amperage Both channels of Fast Cooldown failure DPBA-IF2 and DP-46-EI and DP-48-EI supply. The DC to DC for SBLOCA mitigation remain

converter has an input design operable.

capability for 9-36 VDC Two trains of HPI are operable to mitigate SBLOCA.

14.6 DPBA-I El Battery Explosion from Mechanical Failure Loss of Fast Cooldown Batteries Surveillance Procedures for Inherent Battery Design is This is not considered a credible Inherent battery design DPBA-1 E2 Fast Cooldown Batteries Loss of Station Batteries Battery Voltage such that bridging across plates failure. Attachment X65 of EC and normal maintenance DPBA-IFI damages Station is prevented. 71855 evaluates the credibility practices are such that this DPBA-I F2 Batteries or Battery Normal Maintenance Practices of this event by vendor. is not considered as a Explosion from Station monitor battery fluid levels, If this were to occur this would credible event.

Batteries damage Fast battery cell voltages, battery be a single failure that could Cooldown Batteries. cell resistances, battery casing prevent control power for one and mechanical conditions HPI train and control power for one Fast Cooldown channel.

15.1 DPBA- I EI-DS Battery Bank Mechanical failure One of two redundant battery banks Surveillance Procedure for Each battery bank has a DC supply for Fast Cooldown Very low probability.

DPBA-IE2-DS Disconnect switch fails will be inoperable Battery voltage using DPCP- redundant bank capable of control remains operable. Fusing will limit battery DPBA-IFI-DS open I E test switches TS3 and TS6 equal voltage and amperage Both channels of Fast Cooldown charger supply to battery DPBA-IF2-DS and DP-46-EI and DP-48-EI supply and has auctioneering for SBLOCA mitigation remain at 8 amps and current limit design operable. will limit charger supply Two trains of HPI are operable to 6 amps. Disconnect to mitigate SBLOCA. switch is rated for 30 amps.

15.2 DPBA-I EI-DS Battery Bank Fusing Failure in One of two redundant battery banks Surveillance Procedure for Each battery bank has a DC supply for Fast Cooldown Very low probability.

DPBA-I E2-DS Disconnect switch fails Disconnect Switch will be inoperable Battery voltage using DPCP- redundant bank capable of control remains operable. Fusing will limit battery DPBA-IFI-DS open I E test switches TS3 and TS6 equal voltage and amperage Both channels of Fast Cooldown charger supply to battery DPBA-IF2-DS and DP-46-EI and DP-48-EI supply and has auctioneering for SBLOCA mitigation remain at 8 amps and current limit design operable, will limit charger supply Two trains of HPI are operable to 6 amps. Disconnect to mitigate SBLOCA. switch is rated for 30 amps and fused for 15 amps.

16.1 DPBC-1K I Battery charger loss of Mechanical or Battery charger fails to provide float Daily SP-300 check of battery Each FCS channel has a Both channels of Fast Cooldown DPBC-1K2 current output Electrical Failure charge to battery bank. Battery bank charger and DC bus redundant battery bank capable system are operable.

DPBC-ILI will begin to discharge until its DC amperage. of equal voltage and amperage Two HPI trains are operable to DPBC-IL2 bus is lower than the redundant DC NCA (No charge alarm light) supply and has auctioneering mitigate SBLOCA and LSCM bus will illuminate on battery design to supply adequate event charger. current for Fast Cooldown operability.

Redundant battery charger and battery bank is operable for affected FCS channel.

16.2 DPBC-IKI Battery charger loss of Loss of AC power from Battery charger fails to provide float NCA (No charge alarm light) Each FCS channel has a Both channels of Fast Cooldown DPBC-IK2 current output ACDP-10 charge to battery bank. Battery bank will illuminate on battery redundant battery bank capable system are operable.

DPBC-ILI will begin to discharge until its DC charger. of equal voltage and amperage Two HPI trains are operable to DPBC-IL2 bus is lower than the redundant DC "FCS trouble" annunciation supply and has auctioneering mitigate SBLOCA and LSCM bus will alarm on battery charger design to supply adequate event low voltage alarm current for Fast Cooldown operability Redundant battery charger and battery bank is operable for affected FCS channel 16.3 DPBC-IKI Output voltage fails high Electrical Failure Output voltage to battery bank and to "FCS trouble" annunciation DC to DC converter is Both trains of Fast Cooldown DPBC-IK2 DC bus is higher than design. will alarm on battery charger designed for up to 36VDC system are operable DPBC-I LI Battery Bank will start to charge to high voltage alarm input and can maintain 25VDC Two HPI trains are operable to DPBC-IL2 higher voltage. If output voltage reaches output. Battery Charger mitigate SBLOCA and LSCM 30VDC, battery charger will 30VDC shutdown design will event trip/shutdown protect Battery Banks.

High voltage alarm light will Redundant battery bank and

be on battery charger DC bus for affected FCS channel is operable 16.4 DPBC-IKI Output voltage fails low Electrical Failure Output voltage to battery bank and to "FCS trouble" annunciation DC to DC converter is Both trains of Fast Cooldown DPBC-IK2 DC bus is lower than design. Battery will alarm on battery charger designed for down to 9VDC system are operable DPBC-ILI Bank may not be charged to float low voltage alarm input and can maintain 25VDC Two HPI trains are operable to DPBC-IL2 voltage setting. Battery Bank Low voltage alarm light will output, mitigate SBLOCA and LSCM be on battery charger Redundant battery bank and event DC bus for affected DC bus is operable.

17.1 DPCP-IE-FUI Battery Bank Fuses fail Electrical Failure A single battery bank is inoperable. Surveillance Procedure for Each FCS channel has a DC supply for Fast Cooldown Very Low probability.

DPCP-t E-FU2 open Non-safety battery charger can carry Battery voltage using DPCP- redundant battery bank capable control remains operable. Battery Charger is set for 6 DPCP-IE-FU3 amperage load for one bank of DPCP- I E test switches TS3 and TS6 of equal voltage and amperage Both channels of Fast Cooldown amp current limit, battery DPCP-I E-FU4 IE or DPCP-IF but is not qualified for and DP-46-El and DP-48-El supply and has auctioneering for SBLOCA mitigation remain charger fusing is set for 8 DPCP-IF-FUI accident mitigation so one bank of design operable. amps.

DPCP-I F-FU2 DPCP-IE or DPCP-IF is inoperable No impact on HPI system.

DPCP-IF-FU3 Two HPI trains are operable to DPCP-IF-FU4 mitigate SBLOCA and LSCM event 17.2 DPCP-IE-FUl Battery Bank Fuses do Electrical Short circuit protection for internal Abnormal indication on DC to DC converter will limit Each FCS channel has a This is not a credible DPCP-IE-FU2 not open at 10 amps (do Failure wiring will be increased to 15 amps battery charger to bus output to input of auctioneers redundant battery bank capable failure for evaluation since DPCP-IE-FU3 not blow) from the disconnect switch fusing and ammeters DP-45-11 and DP- to 2.218 amps of equal voltage and amperage this fuse failure would be a DPCP-I E-FU4 8 amps from the battery chargers. 47-11 Each FCS channel has a supply and has auctioneering second failure. It would DPCP-IF-FUI Wiring is 8AWG and rated at 39.1 redundant battery bank capable design take a short circuit (first DPCP-I F-FU2 amps at 140F wire temperature. of equal voltage and amperage If this battery bank wiring is failure) to draw current DPCP-t F-FU3 supply and has auctioneering shorted, then the redundant above 10 amps.

DPCP-I F-FU4 design battery bank can supply DC power. DC power supply for Fast Cooldown affected channel remains operable.

Both channels of Fast Cooldown for SBLOCA mitigation remain operable unless short circuit occurs.

No impact on HPI system.

Two HPI trains are operable to mitigate SBLOCA and LSCM event.

18.1 DPCP-IE-FU5 Battery Charger Supply Electrical Failure Associated battery bank will begin to "FCS trouble" annunciation Each FCS channel has a DC supply for Fast Cooldown Low probability. Battery DPCP-IE-FU6 fuses to DC bus fail discharge and battery bank voltage alarm on loss of current on redundant battery bank capable control remains operable. Charger is set for 6 amp DPCP-IE-FU7 open will degrade/decrease and could battery charger. Daily SP-300 of equal voltage and amperage Both channels of Fast Cooldown current limit.

DPCP-I E-FU8 become inoperable if failure not readings on battery charger supply and has auctioneering for SBLOCA mitigation remain DPCP-IF-FU5 detected, ammeter, DC bus ammeter, design operable.

DPCP-IF-FU6 and DC bus voltmeters Two HPI trains are operable to DPCP-I F-FU7 mitigate SBLOCA and LSCM DPCP-I F-FU8 event 18.2 DPCP-IE-FU5 Battery Charger Supply Electrical Failure Short circuit protection for battery Abnormal indication on This failure will not affect the Each FCS channel has a This is non credible since DPCP-IE-FU6 fuses to DC bus do not bank is compromised from design battery charger to bus IE/non IE isolation for the redundant batterybank and batterycharger current DPCP-IE-FU7 open at 8 amps (do not intent and I E/non 1E isolation function ammeters DP-45-II and DP- redundant battery bank and battery charger capable of equal limit is 6 amps and it DPCP-IE-FU8 blow) has failed. Single bank of batteries is 47-11 redundant DC bus supply. voltage and amperage supply would take a second DPCP-t F-FU5 operable but degraded due to failure of Redundant bus is isolated from and has auctioneering design failure of the battery DPCP-I F-FU6 IE/nontE fuse isolation any fault with the DC-DC If this battery bank wiring is charger for 8 amps to be DPCP-IF-FU7 converters and the shorted, then the redundant reached.

DPCP-IF-FU8 auctioneering diodes. battery bank can supply DC Additionally, the battery power.

chargers will be limited to the DC supply for Fast Cooldown 6 amps current limiting setting affected channel remains

Internal wiring is minimum of operable.

16 AWG with current rating of Both channels of Fast Cooldown 18amps for SBLOCA mitigation remain operable. No effect on HPI pump flow capability to mitigate SBLOCA and LSCM event Two HPI trains are operable to mitigate SB LOCA and LSCM event

19.1 DPCP-I E-FU09 Fusing to DC bus Electrical Failure Local DC bus voltmeter for one bus Periodic surveillance of DC This is failure of voltage This failure does not affect or Low probability.

DPCP-I E-FU t0 voltmeters fail open will not indicate, bus voltmeters indication only and does not degrade capacity of either of the Voltmeter has internal DPCP- 1E-FU I1 affect DC bus output. Battery two redundant DC buses. Of impedance of 1Megohm DPCP-1E-FUI2 charger voltmeter in associated each FCS channel that would li mit any DPCP-IE-FU09 DC bus gives redundant Both channels of Fast Cooldown current going through OPCP-IE-FUIO voltage indication in normal for SBLOCA mitigation remain voltmeter to 26 DPCP-I E-FUI I operation operable. microamp DPCP-IE-FUI2 Two HPI trains are operable to mitigate SBLOCA and LSCM event 19.2 DPCP-IE-FU09 One ampere fusing to Electrical Failure Short circuit protection for voltmeter Surveillance checks of Each FCS channel has a Each FCS channel has a This is not a credible DPCP- I E-FU I0 voltmeter does not open circuit is not limited to I ampere. amperage checks at associated redundant DC bus capable of redundant battery bank and failure for evaluation since DPCP-I E-FUI I at I amp (does not blow) Short circuit could drawdown battery charger and DC bus equal voltage and amperage battery charger capable of equal this fuse failure would be a DPCP-IE-FUI2 amperage provided by battery charger will be abnormally high if supply and has auctioneering voltage and amperage supply second failure. It would DPCP-1 E-FU09 or batteries. more than I amp is shorting to design. and has auctioneering design take a short circuit (first DPCP-I E-FU t0 ground. Redundant DC bus would be If this battery bank wiring is failure) to drawcurrent DPCP-I E-FU I I operable for affected FCS shorted, then the redundant above 10 amps.. Voltmeter DPCP-I E-FU 12 channel. batterybank can supply DC has internal impedance of power. I Megohm that would limit DC supply for Fast Cooldown any current going through affected channel remains voltmeter to 26 operable. 
microamp so any short to Both channels of Fast ground would have to be Cooldown for SBLOCA between voltmeter and mitigation remain operable. No fusing in limited number effect on HPI pump flow of potential wiring and capability to mitigate SBLOCA termination locations and LSCM event Two HPI trains are operable to mitigate SBLOCA and LSCM event 20.1 DPCP-] E-FU 14 Fusing to overvoltage or Electrical Failure Overvoltage or undervoltage relay and Periodic testing of This failure would only affect This failure would not affect Low probability. Relay DPCP-IE-FUI5 undervoltage relay coil alarm for one oftwo DC buses is overvoltage or undervoltage DC bus undervoltage or operability of either of the two coils have maximum DPCP-IE-FUI7 fails open inoperable. alarms overvoltage alarm from one DC buses since it is a non-safety power consumption of I DPCP-IE-FUI8 DC bus. alarm, watt so with 25 VDC, DPCP-I E-FU20 This failure would have no effect currentthrough coil is DPCP-IE-FU2I on HPI flow capability. normally limited to 40 ma DPCP-I E-FU23 tIPCP- IE-FU24 DPCP- IF-FU 14 DPCP-IF-FUI5 DPCP-IF-FUI7 DPCP-IF-FUI8 DPCP-I F-FU20 DPCP-IF-FU21 DPCP-IF-FU23 DPCP-IF-FU24 Page 39 of 70

EC 71855 X64R0 20.2 DPCP-I E-FUI4 Fusing to overvoltage or Electrical F'ailure Short circuit protection for Surveillance checks of Each FCS channel has a If fusing failure was on This is not a credible DPCP-IE-FUI5 undervoltage relay fails overvoltage or undervoltage relay is amperage checks at associated redundant DC bus capable of "common" side of F15. F18, failure since short circuit DPCP-IE-FUI7 to open at I amp (does not limited to I ampere. battery charger and DC bus equal voltage and amperage F21, or F24, it could adversely condition would be first DPCP-I E-FU 18 not blow) Short circuit could draw down will be abnormally high if supply and has auctioneering affect DC bus supply to pressure failure to create a current DPCP-I E-FU20 amperage provided by battery charger more than I amp is shorting to design. control circuitry in the event of a draw above I amp.

DPCP-I E-FU21 or batteries. ground Redundant DC bus would be wiring short that could short DC DPCP-I E-FU23 operable for affected FCS supply amperage to ground. Short would have to be DPCP-I E-FU24 channel. Short circuit could create an "upstream of coils" since DPCP-I F-FUI4 inoperable FCS channel if short relaycoilshave maximum DPCP-I F-FUI5 circuit was high enough to draw power consumption oft DPCP-IF-FUI7 3 amp supply current from each watt so with 25 VDC, DPCP-IF-FUI8 DC to DC converter. current through coil is DPCP-IF-FU20 normally limited to 40 ma.

DPCP-IF-FU21 Any short to ground would DPCP-IF-FU23 No effect on HPI pump flow have to be between relay DPCP-I F-FU24 capability to mitigate SB LOCA and fusingin a limited and LSCM event number of potential wiring Two HPI trains are operable te and termination locations mitigate SBLOCA and LSCM event 21.1 DPCP-I E-FU 13 Fusing to overvoltage or Electrical Failure Overvoltage or undervoltage local Periodic testing of This failure would only affect Both channels of Fast Cooldown Low probability.

DPCP-I E-FU 16 undervoltage relay status light at DPCP-I E or DPCP-I F undervoltage and overvoltage local indication of DC bus DC supply for both MSV-25 and Indicating light circuit DPCP-IE-FUI9 indicating light fails will not indicate overvoltage or alarm undervoltage or overvoltage MSV-26 are operable, normally is open with no DPCP-IE-FU22 open undervoltage condition. alarm from one DC bus. This failure would have no effect current flow.

DPCP-I F-FU 13 Common "FCS" trouble alarm on HPI flow capability. Indicating light impedance DPCP-IF-FUI6 at SER point and annunciator Two HPI trains are operable to will limit amperage to DPCP-IF-FUI9 is operable to indicate any mitigate SBLOCA and LSCM significantly less than 1 DPCP- IF-FU22 abnormal voltage condition. event ampere in an alarm condition.

21.2 DPCP-IE-FUI3 Fusing to overvoltage or Electrical Failure Short circuit protection for Surveillance checks of Two redundant buses and two Potentially both banks of DC bus Very low probability.

DPCP-I E-FU 16 undervoltage relay overvoltage or undervoltage status amperage checks at associated auctioneers are available to to one affected FCS channel Indicating lamp will limit DPCP-IE-FUI9 indicating light fails to light is not limited to I ampere. battery charger(s) and DC provide power/current to each could be degraded with a currentthrough indicating DPCP-IE-FU22 open at l amp (does not With a very specific, very limited bus(es)) will be abnormally FCS channel. specific, limited location of short lamp to much less than I DPCP-IF-FUI3 blow) locationofshort circuitbetween highifmorethan I amp is Fuse failure to blowat I amp circuitsincethis fuseis on amp Any short to ground DPCP-IF-FU16 fusing and indicating lamp, short shorting to ground on a short circuit would have common supply for Fast would have to be between DPCP-IF-FUI9 circuit could affect common DC bus to carry in excess of 3 amps to Cooldown pressure circuit DC lamp and fusing in a DPCP-IF-FU22 supply to MSV-25 or MSV-26 degrade FCS channel, supply.. limited number of pressure control circuitry Lamp resistance would limit Short circuit could create an potential wiring and Shortcircuitcoulddrawdown current to less than I amp if inoperableFCSchannelifshort terminationlocations amperage provided by batterycharger shortcircuit circuit was high enough to draw This is not a credible or batteries. 3 amp supply current from each failure since short circuit DC to DC converter, condition would be first failure to create a current Potentially one channel of FCS drawabove I amp.

circuitry could be degraded due to DC bus voltage short.. Fusing would have to This failure would have no effect carry more than 3 amps to on HPI flow capability. Two HPI degrade FCS channel trains are operable to mitigate SBLOCAand LSCM event 22.1 DP-41-VRG DC to DC converter Electrical Failure One oftwo redundant buses for DC Surveillance checks of Redundant DC bus and Both channels (MSV-25 and DP-42-VRG (DC voltage regulator) supplyto MSV-25 or MSV-26 amperage checks at associated redundant DC to DC converter MSV-26) of Fast Cooldown DP-43-VRG fails to produce pressure control circuitry is inoperable battery charger(s) and DC is sized to supply adequate pressure control are operable.

DP-44-VRG adequate current bus(es) will be abnormally amperage to pressure control This failure would have no effect low or zero amperes. circuitry on HPI flow capability. Two HPI trains are operable to mitigate

SBLOCA and LSCM event

22.2 DP-41-VRG DC to DC converter Electrical Failure One of two redundant buses for DC Common trouble alarm at Redundant DC bus and Both channels (MSV-25 and DP-42-VRG (DC voltage regulator) supply to MSV-25 or MSV-26 SER point and annunciator redundant DC to DC converter MSV-26) of Fast Cooldown DP-43-VRG fails to produce pressure control circuitry is inoperable window will alarm. Local is sized to supply adequate pressure control are operable.

DP-44-VRG adequate voltage undervoltage relay light will amperage to pressure control This failure would have no effect illuminate. Surveillance circuitry on HPI flow capability. no effect checks of voltage at on HPI flow capability. Two HPI associated battery charger(s) trains are operable to mitigate and DC bus(es) will be SBLOCA and LSCM event abnormally low.

22.3 DP-41-VRG DC to DC converter Electrical Failure DC supply voltage to MSV-25 or Common trouble alarm at However, this failure has no One channel of Fast Cooldown DP-42-VRG (DC voltage regulator) MSV-26 pressure control circuitry SER point and annunciator effect on HPI flow capability pressure control may be DP-43-VRG voltage regulation fails may exceed voltage ratings of window will alarm. Local degraded and inoperable.

DP-44-VRG high instrument components. overvoltage relay light will This failure has no effect on HPI illuminate. Surveillance flow capability.

checks of voltage at Two HPI trains are operable to associated battery charger(s) mitigate SBLOCA and LSCM and DC bus(es) will be event.

abnormally high 23.1 DPCP-I E-27A Undervoltage or Electrical Failure Relay would not alarm an abnormal Periodic testing of Failure affects loss of alarm Both Fast Cooldown DPCP-IE-27B overvoltage relay coil voltage is one occurred. Failure would overvoltage or undervoltage function only. Doesnot affect channels/trains are operable for DPCP-I E-59A fails to energize defeat single bus undervoltage or alarms operability of DC bus or mitigation of SBLOCA and DPCP-IE-59B undervoltage alarm portion of the FCS voltage supply to pressure LSCM.

DPCP-1E-27A Trouble alarm only and would not control circuitry components Failure has no effect on DPCP-IE-27B give local status light indication of operability of HPI pumps, DPCP-t E-59A overvoltage or undervoltage for that valves, motors, AC power, or DPCP-I E-59B bus.. No impact on Fast Cooldown DC control power. Two HPI trains bus capability to supply adequate are operable to mitigate voltage and current to Fast Cooldown SBLOCA and LSCM event pressure control circuitry 23.2 DPCP-IE-27A Undervoltageor Mechanical Failure Relay would produce a spurious, false Annunciator alarm. SER Affects alarm function only. Both Fast Cooldown DPCP- IE-27B overvoltage relay coil undervoltage or overvoltage alarm on alarm, and local alarm will Does not affect operability of channels/trains are operable for DPCP-I E-59A fails to the energized the FCS Trouble alarm. Relaywould indicate condition DC bus or voltage supply to mitigation ofSBLOCA and DPCP-t E-59B state produce a spurious local indicationof pressure control circuitry LSCM.

DPCP-I E-27A undervoltage or overvoltage. components Failure has no effect on DPCP-1E-27B operability of HPI pumps, DPCP-l E-59A valves. motors, AC power. or DPCP- I E-59B control power. Two HPI trains are operable to mitigate SB LOCA and LSCM event 23.3 DPCP-IE-27A Alarm contacts 5-6 fail Mechanical Failure Relay contacts would produce a Annunciatorand SER alarm Affects alarm function only. Degradation ofalarmfunction DPCP-IE-27B open (do not close on spurious, false undervoltage or will indicate condition Does not affect operability of only.

DPCP- IE-59A relay energization) overvoltage alarm on the FCS Trouble DC bus or voltage supply to Both Fast Cooldown DPCP-I E-59B alarm for annunciator and SER alarm pressure control circuitry channels/trains are operable for DPCP-I E-27A components mitigation of SBLOCA and DPCP-IE-27B LSCM.

DPCP-IE-59A Failure has no effect on DPCP-IE-59B operability of HPI pumps, valves, motors, AC power, or control power. Two HPI trains are operable to mitigate SBLOCA and LSCM event

23.4 DPCP-IE-27A Alarm contacts 5-6 fail Mechanical Failure Relay contacts would defeat single Periodic testing of Loss of annunciator and SER Loss of alarm function only.

DPCP-IE-27B closed bus undervoltage or undervoltage overvoltage and undervoltage alarm function only. For Both Fast Cooldown DPCP-IE-59A alarm portion of the FCS Trouble alarms failure of only the 5-6 contacts, channels/trains are operable for DPCP-IE-59B alarm only for annunciator and SER local status lights would be mitigation of SBLOCA and

DPCP-I E-27A alarm, operable for abnormal voltage LSCM.

DPCP-I E-27B condition. Failure has no effect on DPCP-1E-59A operability of HPI pumps, DPCP-IE-59B valves, motors, AC power, or control power. Two HPI trains are operable to mitigate SBLOCA and LSCM event

23.5 DPCP-IE-27A Alarm contacts 3-4 fail Mechanical Failure Failure would defeat single bus Periodic testing of Does not affect operability of Loss of local alarm function DPCP-IE-27B open undervoltage or overvoltage local overvoltage and undervoltage DC bus voltage supply to only.

DPCP-t E-59A status light indication alarms pressure control circuit Both Fast Cooldown DPCP-I E-59B components. Loss of local channels/trains are operable for DPCP-IE-27A status light indication of mitigation of SBLOCA and DPCP-I E-27B abnormal bus voltage. For LSCM.

DPCP-IE-59A failure of only the 3-4 contacts. Failure has no effect on DPCP-IE-59B FCS trouble alarm annunciator operability of HPI pumps, and SER alarms are available valves, motors, AC power, or to alarm an overvoltage or control power. Two HPI trains undervoltage condition are operable to mitigate SBLOCA and LSCM event

23.6 DPCP-IE-27A Alarm contacts 3-4 fail Mechanical Failure Relay contacts would produce a Local status light will indicate Does not affect operability of Both Fast Cooldown DPCP- IE-27B closed spurious, false local status light condition DC bus voltage supply to channels/trains are operable for DPCP-l E-59A indication of abnormal voltage for a pressure control circuit mitigation of SBLOCA and DPCP-I E-59B single DC bus components. Affects local LSCM.

DPCP-I E-27A abnormal voltage alarm Failure has no effect on DPCP-I E-27B indication function only operability of HPI pumps, DPCP-IE-59A "FCS trouble" alarm does not valves, motors, AC power, or DPCP-IE-59B annunciate. DC bus voltmeters controlpower. Two HPI trains show normal voltage, are operable to mitigate SBLOCA and LSCM event 24.1 DPCP-I E Bus Current output fails low Electrical Failure One oftwo redundant DC buses to Abnormal Battery charger Each FCS channel has a Both MSV-25 and MSV-26 Fast Auctioneering Diode Diode fails open supplycurrent to MSV-25 or MSV-26 current supply to DC buses as redundant DC bus capable of Cooldown pressure control DPCP-ID Bus pressure control circuitry is inoperable indicated on DP-45-11 and equal voltage and amperage circuits are operable and capable Auctioneering Diode DP-47-11 supply and has auctioneering of mitigating SB LOCA and design. LSCM' Redundant DC bus would be HPI system operabilityand flow operable for affected FCS capacity is not affected and is channel, capable of mitigating SBLOCA and LSCM 24.2 Voltage output fails low Electrical Failure One oftwo redundant DC busesto Abnormal Battery charger Each FCS channel has a Both MSV-25 and MSV-26 Fast DPCP-tE Bus Diode fails open supply current to MSV-25 or MSV-26 current supply to DC buses as redundant DC bus capable of Cooldown pressure control Auctioneering Diode pressure control circuitry is inoperable indicated on DP-45-11 and equal voltage and amperage circuits are operable and capable DPCP-1F Bus DP-47-ll Bus with open diode supply and has auctioneering ofmitigating SBLOCA and Auctioneering Diode has no current draw design. 
LSCM' Redundant DC bus would be HPI system operability and flow operable for affected FCS capacity is not affected and is channel, capable of mitigating SB LOCA and LSCM 24.3 DPCP-i E Bus Diodes fails in short Electrical Failure Initially only impact expected would Abnormal Battery charger Redundant Auctioneeron Both MSV-25 and MSV-26 Fast Auctioneering Diode circuit across diode Diode shorts across be unequal current draw from the two current supply to DC buses as redundant DC bus will supply Cooldown pressure control DPCP-1F Bus junctions with no redundant DC buses with higher indicated on DP-45-11 and adequate current iffaulted circuits are expected to be Auctioneering Diode voltage drop across current in the faulted diode bus. DP-47-11 diode fails open operable and capable of diode Diode is rated for up to mitigating SBLOCA and LSCM.

Diode may eventually heat up and fail For a certainty, HPI system open operability and flow capacity is

EC 71855 X64R0 not affected and is capable of mitigating SBLOCA and LSCM 25.1 DPCP-IE-TS1 Contact from battery Mechanical Failure One DC bus will drawcurrent from Periodic Surveillance Each FCS channel has a Both MSV-25 and MSV-26 Fast DPCP- IE-TS4 charger fails open battery bank and discharge battery Battery Charger ammeter DP- redundant DC bus capable of Cooldown pressure control DPCP-IF-TS I bank 33-Il or DP-35-11 shows zero equal voltage and amperage circuits are operable and capable DPCP-IF-TS4 current draw supply and has auctioneering of mitigating SBLOCA and DC bus voltmeter is steadily design. LSCM' decreasing Redundant DC bus would be HPI system operability and flow Eventually have undervoltage operable for affected FCS capacity is not affected and is alarm on one DC bus channel. capable of mitigating SBLOCA Redundant DC bus is operable and LSCM for full design evaluated amp hours 25.2 DPCP-IE-TS I Contact to DC bus Mechanical Failure DC bus ammeter will not display Periodic Surveillance of No impact on DC Bus Both MSV-25 and MSV-26 Fast DPCP-IE-TS4 ammeter will not close current battery charger current to DC operability Cooldown pressure control DPCP-I F-TSI This affects ammeter indication only. bus on DP-45-11 and DP-47-11 circuits are operable and capable DPCP-IF-TS4 No impact on battery bank or DC bus will indicate zero oftmitigating SBLOCA and operability LSCM' HPI system operability and flow capacity is not affected and is capable of mitigating SBLOCA and LSCM 26.1 DPCP-IE-TS3 Contacts fail open Mechanical Failure Battery Bank is disconnected from DC Periodic load test of battery Each FCS channel has a Both MSV-25 and MSV-26 Fast DPCP- I E-TS6 Bus. 
BatteryBank is not being bank redundant DC bus capableof Cooldownpressurecontrol DPCP-I F-TS3 supplied float charge Battery Bank will slowly equal voltage and amperage circuits are operable and capable DPCP- IF-TS6 Battery bank is provided DC power decrease from float voltage supply and has auctioneering of mitigating SB LOCA and from non-safety battery charger only Surveillance testingofDC bus design. LSCM' Battery Bank is inoperable voltage usingTS3 and TS6 Redundant DC bus would be HPI system operability and flow will indicate lowbatterybank operable for affected FCS capacity is not affected and is voltage channel, capable of mitigating SB LOCA Redundant DC bus is operable and LSCM for full design evaluated amp hours 27.1 DPCP-IE-TS2 Contacts to DC to DC Mechanical Failure No DC power available DC to DC DC bus undervoltage alarm Each FCS channel hasa Both MSV-25 and MSV-26 Fast DPCP-IE-TS5 converter fail open converter actuates common Fast redundant DC bus capable of Cooldown pressure control DPCP-IF-TS2 One DC bus is inoperable Cooldown Trouble Alarm in equal voltage and amperage circuits are operable and capable DPCP-1F-TS5 control room supply and has auctioneering of mitigating SBLOCA and design. LSCM' Redundant DC bus would be HPI system operability and flow operable for affected FCS capacity is not affected and is channel, capable of mitigating SBLOCA Redundant DC bus is operable and LSCM for full design evaluated amp hours 27.2 DPCP-I E-TS2 Contacts fail closed to Mechanical Failure No DC power available DC to DC DC bus undervoltage alarm Each FCS channel has a Both MSV-25 and MSV-26 Fast DPCP-I E-TS5 load battery and battery converter actuates common Fast redundant DC bus capable of Cooldown pressure control DPCP- IF-TS2 charger current to load One DC bus is inoperable Cooldown Trouble Alarm in equal voltage and amperage circuits are operable and capable DPCP-IF-TS5 test resistors control room supply and has auctioneering of mitigating SB LOCA and design. 
LSCM' Redundant DC bus would be HPI system operability and flow operable for affected FCS capacity is not affected and is channel, capable of mitigating SBLOCA Redundant DC bus is operable and LSCM for full design evaluated amp Page 43 of 70

EC 71855 X64R0 hours 28.1I MS-122-PT Transmitter fails high Electrical Failure MSV-25 or MSV-26 Fast Cooldown Channel checkof RECALL HPI system which is a HPI system operability and flow MS-123-PT pressure control circuit is inoperable points RECL-127 and RECL- functionally redundant system capacity is not affected and is 128 for SBLOCA and LSCM is not capable of mitigating SB LOCA Periodic calibration of MS- affected, and LSCM.

122-PT and MS-123-PT Two HPI trains are operable to mitigate SBLOCA and LSCM event 28.2 MS-122-PT Transmitter fails low Electrical Failure MSV-25 or MSV-26 Fast Cooldown FCS trouble alarm will actuate HPI system which is a HPI system operability and flow MS-123-PT pressure control circuit is inoperable on Loss of pressure controller functionally redundant system capacity is not affected and is input signal. Channel check of for SBLOCA and LSCM is not capable of mitigating SBLOCA RECALL points RECL-1 27 affected, and LSCM and RECL-128 Two HPI trains are operable to PeriodiccalibrationofMS- mitigate SBLOCA and LSCM 122-PT and MS-I 23-PT event 29.0 MSV-25 Exhaust ADV exhaust pipe Mechanical Failure due Exhaust pipe is designed to withstand None No impact on ADV operability ADV is fully operable for pipe to tomado wind load tornado winds (without missile since exhaust pipe is designed mitigation of accidents and MSV-26 Exhaust impact) with no degradation to break away without normal cooldown pipe Exhaust pipe is designed to break crimping HPI system operability and flow away without crimping pipe with capacity is not affected and is missile impact capable of mitigating SBLOCA and LSCM 30.0 MSV-93 Instrumentation root Mechanical Failure MSV-25 or MSV-26 Fast Cooldown Channel checks This failure does not affect Iffailure occurred, two EFIC This is an existing manual MSV-502 valve fails closed (not considered as pressure control circuit is inoperable Tracking and trending HPI actuation or control. Two Cabinets as well as one train of isolation valve that is (MS-122-PT root (existi ng valve for EFIC credible failure for Two EFIC Cabinets are inoperable for ROTSG pressures would HPI pumps will be available Fast Cooldown as well as one normally open and valves) and heat balance CR3 -see remarks ROTSG A or ROTSG B functions of "straight line" at all power for SBLOCA mitigation. 
channel of 100% power heat remains open during plant MSV-95 transmitters) section) EF actuation, MSLI, MFWI, and levels and during startup and Two EFIC Cabinets would be balance would be inoperable operation. For valve to fail MSV-506 FOGG shutdown unaffected and capable of shut would require disc to (MS- 123-PT root One channel of heat balance is actuating one train of EFIC separate from stem which valve) degraded from loss of main steam EF, MSLI, MFWI, and FOGG as per DBD92 is a passive pressure failure and not part of CR3 single failure required criteria. Per EGR-NGGC-0154, a passive component is a component which is not required to respond to a command (i.e. no change of state or negligible mechanical motion) For CR-3 a check valve is a passive component. Thus using EGR-NGGC-0154, a manual valve that remains in open position is a passive component.

31.1 Circuit wiring Open circuit or Short Electrical Failure FCS pressure control circuit, FCS Trouble" alarm will This cable does not affect any One channel of FCS is MSE129 circuit fault RECALL point RECL-127 or RECL- actuate with SER point and HPI system power or controls, inoperable.

MSE132 fails to 128, and analog isolator for two (of annunciator No impact on HPI system power provide power to four) HPI low flow circuit have no RECL 127 or RECL 128 will or control pressure control and power. fail to zero psig Two pump/trains of HPI are actuation circuitry Two of four LPI low flow available for mitigation of recall points will fail to zero. SBLOCA.

31.2 MSV-25:ENC Open circuit or Short Electrical Failure Loss of power to actuation and control FCS trouble alarm on This wiring does not affect any One channel of FCS is MSV-26:ENC circuit fault components annunciator and/or HPI system power or controls, inoperable.

Internal circuit wiring Periodic testing of Fast No impact on HPI system power that provides Cooldown actuation and or control actuation or pressure alarms. Periodic testing of Two pump/trains of HPI are control (all safety pressure control circuitry available for mitigation of functions) including RECALL points. SBLOCA.

31.3 Circuit wiring Open circuit or Short Electrical Failure Loss of main steam pressure signal to FCS trouble alarm on low This wiring does not affect any One channel of FCS is MSA95 circuit fault pressure controller process signal HPI system power or controls, inoperable.

MSAI01 RECL-127 and RECL-128 No impact on HPI system power Pressure controller channel check or control input wiring from Two pump/trains of HPI are pressure transmitters available for mitigation of SBLOCA.

31.4 Circuit wiring Open circuit or Short Electrical Failure Loss of EFIC demand signal to ADV 24 month surveillance testing For EFIC control of ADV Both channels of Fast Cooldown MSA96 circuit fault by stroking ADV using EFIC functions, the other ADV is system are operable.

MSA 102 demand signal redundant. No impact on HPI system power from EFIC Aux. Does not affect Fast Cooldown or control Equipment Cabinets system. Two pump/trains of HPI are to Fast Cooldown available for mitigation of transfer relays SBLOCA.

31.5.1 Circuit wiring Open circuit or short Electrical Failure Open circuit to main control board Power Available lamp at This wiring does not affect any No impact on HPI system power MSC39 circuit to ground Fast Cooldown selector switch for main control board goes HPI system power or controls or control MSC43 auto and manual actuations out. Two pump/trains of HPI are available for mitigation of SBLOCA.

31.5.2 Circuit wiring Conductor to conductor Electrical Failure Bypasses the remote shutdown relay Periodic testing of Remote Does not affect operability of Condition would defeat MSC39 short ("hot short") contact for FCS actuation circuit Shutdown panel using RSP Fast Cooldown actuation since capability to isolate Fast MSC43 hand/auto stations of MSV-25 the hot short bypasses a Cooldown transfer relay and and MSV-26 normally closed relay contact wiring to control room selector switch in the event of an Appendix R fire.

Both Fast Cooldown channels are operable.

No impact on HPI system power or control Two pump/trains of HPI are available for mitigation of SBLOCA.

31.6.1 Circuit wiring Open circuit or short Electrical Failure Open circuit for one of two ICCM 24 month surveillance testing Each of these circuits has a Fast Cooldown system actuation MSS85 circuit to ground trains to auto actuate Fast Cooldown of ICCM actuation of Fast redundant circuit from ICCM is degraded in redundancy but MSS86 system Cooldown Train A or Train B both Fast Cooldown system MSS88 channels are operable.

MSS89 No impact on HPI system power or control Two pump/trains of HPI are available for mitigation of SBLOCA.

31.6.2 Circuit wiring Conductor to conductor Electrical Failure Spurious actuation of one channel of 1. "FCS actuation" Redundant ADV is operable. No impact on HPI system. Two MSS85 short ("hot short") Fast Cooldown system annunciator and EFIC is operable and would pump/trains of HPI are available MSS86 associated SER actuate EF, MSLI, MFWI, for mitigation of SBLOCA.

MSS88 point alarms FOGG. One ADV will be controlled by MSS89 2. ROTSG pressure No impact on HPI system. Fast Cooldown pressure control indication on circuit and open one ADV to full control board and open until ROTSG pressure is RECALL points decreased to 325 psig and then

3. ADV valve not control main steam pressure at closed annunciator affected ROTSG to 325 psig.

alarm Would create EFIC actuation of

4. Rooftop camera low OTSG pressure, MSLI, indication MFWI, and FOGG logic. Both
5. EFIC actuations of EFIC A and B would be capable EF, MSLI, MFWI of mitigation as per design for main steam line break event.

If this occurred during normal plant operation, this would be bounded in accident analysis by Turbine Bypass Valve full open failure and by Main Steam Line Break.

Per discussion with AREVA safety analysis personnel, evaluation of calculation 32-9129593-000 reveals that if this failure occurred during SBLOCA and LSCM, failure would be beneficial to mitigation and cooldown on primary RCS system.

31.7.1 Circuit wiring Open circuit or short to Electrical Failure Result/impact is dependent on which Power Available lamp at Depending on which Two pump/trains of HPI are MSC38 ground conductor has fault. main control board goes conductor has faulted, worst available for mitigation of MSC42 Result could be loss of ability to auto out. case is one FCS channel is SBLOCA.

actuate one channel of Fast Cooldown, inoperable.

or loss of ability to manually actuate Circuit failure has no impact one channel of Fast Cooldown, or loss on normal EFIC control of of Fast Cooldown actuation indicator ADV.

lamp Circuit failure has no impact on HPI system.

31.7.2 Circuit wiring Conductor to conductor Electrical Failure Result/impact is dependent on which If spurious actuation then, Redundant ADV is operable. No impact on HPI system. Two MSC38 short ("hot short") conductor has fault. 1. "FCS actuation" EFIC is operable and would pump/trains of HPI are available MSC42 Result could be spurious actuation of annunciator and actuate EF, MSLI, MFWI, for mitigation of SBLOCA.

one channel of Fast Cooldown system associated SER FOGG. One ADV will be controlled by or just inoperable Fast Cooldown point alarms No impact on HPI system. Fast Cooldown pressure control actuation indicator lamp 2. ROTSG pressure circuit and open one ADV to full indication on open until ROTSG pressure is control board and decreased to 325 psig and then RECALL points control main steam pressure at

3. ADV valve not affected ROTSG to 325 psig.

closed annunciator Would create EFIC actuation of alarm low OTSG pressure, MSLI,

4. Rooftop camera MFWI, and FOGG logic. Both indication EFIC A and B would be capable
5. EFIC actuations of of mitigation as per design for EF, MSLI, MFWI main steam line break event.

If this occurred during normal plant operation, this would be bounded in accident analysis by Turbine Bypass Valve full open failure and by Main Steam Line Break.

Per discussion with AREVA safety analysis personnel, evaluation of calculation 32-9129593-000 reveals that if this failure occurred during SBLOCA and LSCM, failure would be beneficial to mitigation and cooldown on primary RCS system.

31.8.1 Circuit wiring DPF34 Short circuit between Electrical Failure Result/impact is loss of power to Channel check of low range Redundant HPI low range flow No impact on HPI system. Two DPF35 conductors or open analog isolators for HPI low flow HPI flow RECALL points signals are available for pump/trains of HPI are available circuit circuit input to RECALL control board indication and for mitigation of SBLOCA One SPDS display curve SPDS display curve for monitoring RCS pressure versus HPI total flow is operable.

31.8.2 Circuit wiring DPF34 Short circuit to ground Electrical Failure Result/impact is 12. Channel check of low No impact on HPI system Each Fast Cooldown channel has DPF35 1. Shorting current for fast range HPI flow RECALL Redundant channel for HPI redundant DC buses with control channel pressure points low range flow is available for auctioneers available to provide controller to ground RECALL and SPDS curve of 3 amps at 25 VDC each and have If short was more than 3.0 + RCS pressure versus HPI total normal 2.218 amp load for Fast (3.0-2.218) = 3.782 amps to flow Cooldown channel, ground, Fast Cooldown If short was more than 3.0 +

channel could be inoperable (3.0-2.218) = 3.782 amps to ground, one Fast Cooldown

2. loss of power to analog channel could be inoperable.

isolators for HPI low flow circuit No impact on HPI system. Two input to RECALL pump/trains of HPI are available for mitigation of SBLOCA

31.9.1 MSV-25;ENC Open circuit fault Electrical Failure Loss of RECALL point (only) for Channel check of RECL-127 Redundant main steam No impact on Fast Cooldown MSV-26;ENC main steam pressure signal for one and RECL-128 pressure indications are system.

Internal circuit wiring FCS pressure controller input signal. available on main control Both channels of Fast Cooldown that provides signal board and as RECALL points system are operable.

to analog isolator for No impact on HPI system. Two main steam pressure pump/trains of HPI are available RECALL point for mitigation of SBLOCA

31.9.2 MSV-25;ENC Short circuit fault to Electrical Failure Short circuit could result in zero VDC FCS Trouble alarm on No impact on HPI system One channel of Fast Cooldown is MSV-26;ENC ground or between signal into one channel of pressure annunciator due to low inoperable and would keep Internal circuit wiring conductors controller with resultant one channel process signal into pressure ADV closed if Fast Cooldown that provides signal of fast cooldown inoperable, controller. actuation occurred.

to analog isolator for Channel check of RECL-127 No impact on HPI system. Two main steam pressure and RECL-128 pump/trains of HPI are available RECALL point for mitigation of SBLOCA

31.10.1 MSV-25;ENC Open circuit Electrical Failure Open circuit would create loss of Channel check of RECL-127 Redundant main steam No impact on Fast Cooldown MSV-26;ENC power for analog isolator. and RECL-128 pressure indications are system.

Internal circuit wiring Loss of RECALL point (only) for available on main control Both channels of Fast Cooldown that provides power main steam pressure signal for one board and as RECALL points system are operable.

to analog isolator for FCS pressure controller input signal. No impact on HPI system. Two main steam pressure pump/trains of HPI are available RECALL point for mitigation of SBLOCA

31.10.2 MSV-25;ENC Short circuit fault to Electrical Failure One of the following fuses would Loss of power to one analog Redundant main steam With fuse protection at 3 amps MSV-26;ENC ground or short circuit blow (open) at 3 amps isolator pressure indications are and with redundant DC buses Internal circuit wiring between conductors MSV-025-FU-05 Channel check of RECL-127 available on main control with auctioneers available to

that provides power MSV-025-FU-06 and RECL-128 board and as RECALL points provide 3 amps at 25 VDC each to analog isolator for MSV-026-FU-05 and with normal 2.218 amp load main steam pressure MSV-026-FU-06 for Fast Cooldown channel, Fast RECALL point Cooldown channel would remain operable until and after fuse blow.

Both channels of Fast Cooldown system are operable.

No impact on HPI system. Two pump/trains of HPI are available for mitigation of SBLOCA

31.11.1 Circuit wiring Open circuit Electrical Failure One of two redundant battery banks to 1. Surveillance of DC bus Each Fast Cooldown channel Both channels of Fast Cooldown MSE127 redundant DC buses for a single FCS voltmeters would indicate has redundant battery banks system are operable.

MSE128 pressure control channel is inoperable abnormal voltage and redundant DC bus supply No impact on HPI system. Two MSE130 2. Periodic surveillance pump/trains of HPI are available MSE131 testing of battery circuits with for mitigation of SBLOCA load test

31.11.2 Circuit wiring Short circuit to ground Electrical Failure Disconnect fusing will limit fault to 15 1. Surveillance of DC Each Fast Cooldown channel Both channels of Fast Cooldown MSE127 or between conductors amps bus voltmeters would has redundant battery banks system are operable.

MSE128 Battery charger fusing for recharging indicate abnormal and redundant DC bus supply No impact on HPI system. Two MSE130 battery will open at 8 amps. voltage pump/trains of HPI are available MSE131 Affected battery bank will discharge 2. Periodic surveillance for mitigation of SBLOCA and become inoperable testing of battery circuits with load test

32.1 RC-3A-PT3 Failure of Pressure Electrical Failure Pressure Transmitter will not actuate 1. Channel Check with ES system utilizes 2 out of 3 ES system is still capable of These are existing RC-3B-PT3 Transmitter - High one channel of ES system. redundant pressure logic, so ES system is still actuating HPI on low RCS components and are not RC-147-PT Signal Pressure Transmitter will not correctly transmitter signal operable. pressure. installed by EC 71855 RC-148-PT provide pressure to one channel of 2. Periodic Calibration ICCM system which provides ICCM can still provide auto FCS but input to ICCM ICCM system and will not actuate one of pressure auto actuation of FCS utilizes actuation of both channels of and SPDS Existing components channel of ICCM auto actuation since transmitters a 2 out of 3 logic and each of FCS.

not installed by EC transmitter reads high and above the two actuation trains actuate SPDS still has one valid and 71855 FCS but input HPI flow acceptable curve and in the each channel of FCS. operable HPI flow margin curve.

to ICCM and SPDS acceptable region. Failure of one RCS pressure Pressure Transmitter will not correctly signal to high state will not provide SPDS a RCS pressure versus defeat auto FCS actuation.

HPI flow margin curve or ICCM New pressure transmitters for display. low and high range RC-223-PT and RC-224-PT are being installed by ICCM EC 76340 for third channel RCS flow capability for ICCM system.

SPDS has redundant display channels. Failure of one RCS pressure signal high will result in incorrect display in one of two SPDS channels but redundant SPDS display channel and ICCM will provide adequate operator indication of inadequate HPI flow for monitoring. Failure of one RCS pressure transmitter will not result in single failure of SPDS to provide a valid HPI flow margin curve

32.2 RC-3A-PT3 Failure of Pressure Electrical Failure Pressure Transmitter will spuriously Channel actuation alarms for ES system utilizes 2 out of 3 ES system is still capable of These are existing RC-3B-PT3 Transmitter - Low actuate one channel of ES safeguards. ES safeguards and ICCM. logic, so ES system will not actuating HPI on low RCS components and are not RC-147-PT Signal Transmitter will spuriously actuate one Channel Check with spuriously actuate HPI. pressure. installed by EC 71855 RC-148-PT of three channels of ICCM actuation redundant pressure transmitter ICCM system which provides ICCM can still provide auto FCS but input to ICCM Existing components since transmitter reads low and below signal auto actuation of FCS utilizes actuation of FCS and will not and SPDS not installed by EC the HPI flow acceptable curve and in Will create SPDS alarm status a 2 out of 3 logic and each of spuriously actuate FCS.

71855 FCS but input the unacceptable region. Pressure for one channel of HPI flow two actuation trains actuate SPDS still has one valid and to ICCM and SPDS. Transmitter will not correctly provide margin curve. each FCS. ICCM will not operable HPI flow margin curve SPDS a RCS pressure versus HPI flow spuriously actuate FCS. for monitoring and ICCM will margin curve or ICCM display. SPDS has redundant display have one valid HPI flow margin channels. Failure of one RCS indication.

pressure signal low will result No spurious actuations of ES or in incorrect display in one of FCS will occur.

two SPDS channels.

Redundant SPDS display channel and ICCM will provide adequate operator indication of HPI flow for monitoring. Failure of pressure transmitter will not result in single failure of SPDS to provide valid HPI flow margin curve.

33.1 MU-23-dpt5 Failure of Differential Electrical Failure Differential Pressure Transmitter will Channel check with redundant ICCM system which provides ICCM can still provide auto These are existing MU-23-dpt6 Pressure Transmitter - not correctly provide flow signal to differential pressure auto actuation of FCS utilizes actuation of both channels of components and are not MU-23-dpt7 High Signal ICCM system for FCS auto actuation transmitter a 2 out of 3 logic and each of FCS. installed by EC 71855 MU-23-dpt8 Failure of differential pressure Periodic calibration. two actuation trains actuate SPDS still has one valid and FCS but input to ICCM MU-23-dpt9 transmitter to high signal may not each FCS. Failure of one operable HPI flow margin curve. and SPDS MU-23-dpt10 actuate one channel of ICCM auto HPI flow signal to high state MU-23-dpt11 actuation since transmitter may create a will not inhibit auto FCS MU-23-dpt12 total flow curve above the HPI flow actuation. New differential Existing components acceptability curve and will make total pressure transmitters MU not installed by EC flow calculation by ICCM higher than dpt13, dpt14, dpt15, and dpt16 71855 FCS but input actual flow. are being installed by ICCM to ICCM and SPDS Transmitter will not correctly provide EC 76340 for ICCM third SPDS a RCS pressure versus HPI flow channel HPI flow capability.

margin curve or ICCM display. SPDS has redundant display channels. Failure of one HPI flow signal high will result in incorrect display in one of two SPDS channels. Redundant SPDS display channel and ICCM will provide adequate operator indication of HPI flow signal for monitoring.

Failure of differential pressure transmitter will not result in single failure of SPDS to provide HPI flow margin curve.

33.2 MU-23-dpt5, MU-23-dpt6 Failure of Differential Pressure Transmitter - Electrical Failure Differential pressure transmitter may spuriously actuate one of three Channel check with redundant differential pressure ICCM system which provides auto actuation of FCS utilizes ICCM can still provide auto actuation of both channels of These are existing components and are not

MU-23-dpt7 Low Signal channels of ICCM actuation since transmitter a 2 out of 3 logic and each of FCS and will not spuriously installed by EC 71855 MU-23-dpt8 transmitter may create a total flow May create ICCM channel two actuation trains actuate actuate FCS. FCS but input to ICCM MU-23-dpt9 reading below the HPI flow actuation alarm each FCS. ICCM will not SPDS still has one valid and and SPDS MU-23-dpt10 acceptability curve. May create SPDS alarm status spuriously actuate FCS. SPDS operable HPI flow margin curve MU-23-dpt11 Differential pressure transmitter will for HPI flow margin curve for has redundant display for monitoring and ICCM will MU-23-dpt12 not correctly provide SPDS a RCS one channel of SPDS. channels. Failure of one HPI have valid HPI flow margin Existing components pressure versus HPI flow margin flow signal low will result in indication not installed by EC curve or ICCM display. incorrect display in one of two 71855 FCS but input SPDS channels. Redundant to ICCM and SPDS SPDS display channel and ICCM will provide correct operator indication of HPI flow for monitoring. Failure of differential pressure transmitter will not result in single failure of SPDS to provide correct HPI flow margin curve.

34.0 Deliberately left blank for potential revision to FMEA (see EGR-NGGC-0154 section 9.3.6)

35.0 Deliberately left blank for potential revision to FMEA (see EGR-NGGC-0154 section 9.3.6)

36.1 ACDP-10 Breaker spuriously trips Electrical Failure Battery Chargers DPBC-1K1 and FCS trouble alarm will actuate Each of two Battery Banks Failure will not affect HPI pump Brkr 34 open DPBC-1K2 will lose power and not in control room on loss of AC will supply required amperage or valve power or control. Two charge DPBA-1E1 and DPBA-1E2 and undervoltage for battery to Fast Cooldown pressure HPI pumps/trains are operable battery banks charger control circuit and HPI flow to mitigate SBLOCA and Local battery charger analog isolator for over 10 LSCM event.

voltmeter indication shows 0 hours each VDC

36.2 ACDP-10 Breaker spuriously trips Electrical Failure Battery Chargers DPBC-1L1 and FCS trouble alarm will actuate Each of two Battery Banks Failure will not affect HPI pump Brkr 36 open DPBC-1L2 will lose power and not in control room on loss of AC will supply required amperage or valve power or control. Two charge DPBA-1F1 and DPBA-1F2 and undervoltage for battery to Fast Cooldown pressure HPI pumps/trains are operable battery banks charger control circuit and HPI flow to mitigate SBLOCA and Local battery charger analog isolator for over 10 LSCM event.

voltmeter indication shows 0 hours each VDC

36.3 ACDP-10 Main Breaker spuriously Electrical Failure Battery Chargers DPBC-1K1 and Multiple FCS trouble alarm Each of two Battery Banks Failure will not affect HPI pump Brkr trips open DPBC-1K2 will lose power and not will actuate in control room will supply required amperage or valve power or control. Two charge DPBA-1E1 and DPBA-1E2 on loss of AC and to MSV-25 Fast Cooldown HPI pumps are operable to battery banks undervoltage for battery pressure control circuit and mitigate SBLOCA and LSCM Battery Chargers DPBC-1L1 and charger one HPI flow analog isolator event.

DPBC-1L2 will lose power and not Four Local battery charger for over 10 hours each for charge DPBA-1F1 and DPBA-1F2 voltmeter indications shows 0 MSV-25 pressure control battery banks VDC circuit Each of two Battery Banks will supply required amperage to MSV-26 Fast Cooldown pressure control circuit and one HPI flow analog isolator for over 10 hours each for MSV-26 pressure control circuit

37.0 FCS "A" remote Relay fails to energize Electrical Failure Loss of ability to inhibit spurious Fast Periodic testing of Remote With single failure of one FCS With single failure of one FCS shutdown relay Cooldown actuation and control of Shutdown panel using RSP "A" or FCS "B" relay, ROTSG "A" or FCS "B" relay and hot FCS "B" remote MSV-25 or MSV-26 due to specific hand/auto stations of MSV-25 blowdown is limited to one short occurs, ROTSG blowdown shutdown relay cable "hot shorts" due to control and MSV-26 after RSP ROTSG is limited to one ROTSG and is complex fire transfer EFIC will actuate MSLI, bounded by Main Steam Line Specific cable "hot shorts" could MFWI, and FOGG at 600 psig Break analysis.

spuriously blowdown ROTSG(s) to nominal ROTSG pressure 325 psig Planned Rev. 1 to EC 71855 Failure does not affect HPI will install lockout relay to system components, power, or block demand signal to ADV controls.

I/P is compensating design that Two HPI pumps are operable to would close ADVs on a mitigate SBLOCA and LSCM control complex fire. event.

37.1 FCS "A" remote Relay contact fails Electrical Failure Loss of ability to energize one FCS Power Available lamp at main This relay and contact is not One channel of FCS is shutdown relay open transfer relay and thus loss of ability control board goes out. installed in any circuit that inoperable FCS "B" remote to actuate one channel of FCS system affect HPI system. Failure does not affect HPI shutdown relay system components, power, or controls.

Two HPI pumps are operable to mitigate SBLOCA and LSCM event.

38.1 MU-23-FY5-3 Output signals to EM Electrical Failure One set of Train A or Train B Channel check of control Opposite Train low range HPI Single failure does not affect MU-23-FY7-4 system (RECALL powered low range HPI signals are board indication and signals supplied by separate capability of HPI pumps or points) fail high inoperable and will give SPDS false RECALL points RECL-113, FCS analog isolator and all control to mitigate SBLOCA and display 119, 120, 121 control board indications of LSCM. Two HPI pumps are HPI low range flow are operable to mitigate SBLOCA operable. and LSCM Opposite train of low range Opposite train of low range HPI HPI signals are available for signals are available for Redundant SPDS curve of Redundant SPDS curve of RCS RCS pressure versus HPI flow. pressure versus HPI flow if needed

38.2 MU-23-FY5-3 Output signals to EM Electrical Failure One set of Train A or Train B Periodic instrument loop Opposite Train low range HPI Single failure does not affect MU-23-FY7-4 system (RECALL powered low range HPI signals are calibration for MU-23-dpt5, signals supplied by separate capability of HPI pumps or points) fail low inoperable and will give SPDS false dpt6, dpt7, dpt8 through FCS analog isolator and all control to mitigate SBLOCA and display for manual initiation of Fast associated RECALL points, control board indications of LSCM. Two HPI pumps are Cooldown RECL-113, 119, 120, 121 HPI low range flow are operable to mitigate SBLOCA operable. and LSCM Opposite train of low range Opposite train of low range HPI HPI signals are available for signals are available for Redundant SPDS curve of Redundant SPDS curve of RCS RCS pressure versus HPI flow pressure versus HPI flow if needed

38.3 MU-23-FY5-3 Analog Isolator internal Electrical Failure One set of Train A or Train B Opposite Train low range HPI Single failure does not affect MU-23-FY7-4 fault creates short on powered low range HPI signals are Periodic instrument loop signals supplied by separate capability of HPI pumps or FCS power source inoperable and will give SPDS false calibration for MU-23-dpt5, FCS analog isolator and all control to mitigate SBLOCA and display for manual initiation of Fast dpt6, dpt7, dpt8 through control board indications of LSCM. Two HPI pumps are Cooldown associated RECALL points HPI low range flow are operable to mitigate SBLOCA operable. and LSCM Analog isolators are fused and protect FCS power source against "hard short" Opposite train of low range HPI signals are available for Redundant SPDS curve of RCS pressure versus HPI flow

38.4 MU-23-FY5-3 Analog Isolator internal Electrical Failure Could affect one channel of ICCM for Periodic instrument loop Opposite Train low range HPI Single failure does not affect MU-23-FY7-4 fault creates open circuit auto actuation of Fast Cooldown calibration for MU-23-dpt5, signals supplied by separate capability of HPI pumps or on low range HPI system dpt6, dpt7, dpt8 through FCS analog isolator and all control to mitigate SBLOCA and signals and affects associated RECALL points control board indications of LSCM. Two HPI pumps are ICCM monitor for HPI low range flow are operable to mitigate.

current loop operable.

39.1 Deliberately left blank for potential revision to FMEA (see EGR-NGGC-0154 section 9.3.6)

39.2 Deliberately left blank for potential revision to FMEA (see EGR-NGGC-0154 section 9.3.6)

40.1 Deliberately left blank for potential revision to FMEA (see EGR-NGGC-0154 section 9.3.6)

40.2 Deliberately left blank for potential revision to FMEA (see EGR-NGGC-0154 section 9.3.6)

41.1 Deliberately left blank for potential revision to FMEA (see EGR-NGGC-0154 section 9.3.6)

42.1 Deliberately left blank for potential revision to FMEA (see EGR-NGGC-0154 section 9.3.6)

43.1 Loss of Instrument LOOP or SBO event Annunciator alarms Each ADV has backup safety Both channels of Fast Both of Fast Cooldown pressure Air system supply to related air bottle assembly Cooldown pressure control and control channels are operable ADV with capacity in excess of 4 both ADVs are operable for from their independent DC bus hours with 4 hours evaluated mitigation of SBLOCA and supplies and ADVs are operable as acceptable for SBO or LSCM from safety related backup air ADV mitigation of SBLOCA bottle assemblies.

and LSCM MSV-25 and MSV-26 will retain operability

FLORIDA POWER CORPORATION CRYSTAL RIVER UNIT 3 DOCKET NUMBER 50-302 / LICENSE NUMBER DPR-72 ATTACHMENT B LIST OF REGULATORY COMMITMENTS

U.S. Nuclear Regulatory Commission Attachment B 3F0312-02 Page 1 of 1

List of Regulatory Commitments

The following table identifies those actions committed to by Florida Power Corporation (FPC) in this document. Any other statements in this submittal are provided for information purposes and are not considered to be regulatory commitments. Please notify the Superintendent, Licensing and Regulatory Programs of any questions regarding this document or any associated regulatory commitments.

Regulatory Commitment: FPC will provide a failure mode and effects analysis and a reliability report, which includes overall availability results, for the Inadequate Core Cooling Mitigation System (ICCMS).
Due date/event: November 9, 2012

Regulatory Commitment: FPC will provide a summary of the test results associated with Inadequate Core Cooling Mitigation System EMI/RFI emissions and susceptibility.
Due date/event: November 9, 2012

Regulatory Commitment: FPC will provide an ICCMS testing summary report, which includes a summary of the testing results associated with (1) factory acceptance test, (2) seismic qualification, and (3) isolation between nonsafety-related RCP trip circuits and ICCMS.
Due date/event: February 28, 2013