ML21201A144

From kanterella
Revision as of 19:42, 18 January 2022 by StriderTol (talk | contribs) (StriderTol Bot change)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
9 to Updated Final Safety Analysis Report, Chapter 7, Instrumentation and Control
ML21201A144
Person / Time
Site: Millstone  Dominion icon.png
Issue date: 06/24/2021
From:
Dominion Energy Nuclear Connecticut
To:
Office of Nuclear Reactor Regulation
Shared Package
ML21201A164 List:
References
21-211
Download: ML21201A144 (284)


Text

Millstone Power Station Unit 2 Safety Analysis Report Chapter 7: Instrumentation and Control

Table of Contents tion Title Page INTRODUCTION ............................................................................................... 7.1-1 1 Identification of Safety Related Equipment................................................ 7.1-2 1.1 Protective Systems ...................................................................................... 7.1-2 1.2 Safe Shutdown Systems.............................................................................. 7.1-3 1.3 Safety-Related Display Instrumentation ..................................................... 7.1-3 1.4 Other Safety-Related Systems .................................................................... 7.1-3 1.5 Control Systems .......................................................................................... 7.1-3 2 Identification of Safety Criteria .................................................................. 7.1-4 REACTOR PROTECTIVE SYSTEM................................................................. 7.2-1 1 Design Basis ............................................................................................... 7.2-1 1.1 Functional Requirements ............................................................................ 7.2-1 1.2 Design Criteria ............................................................................................ 7.2-2 2 Discussion ................................................................................................... 7.2-3 3 System Description ..................................................................................... 7.2-4 3.1 General........................................................................................................ 7.2-4 3.2 System Components ................................................................................... 7.2-5 3.2.1 Signal Generation ....................................................................................... 7.2-5 3.2.2 Logic ........................................................................................................... 7.2-6 3.3 System Operation........................................................................................ 7.2-7 3.3.1 Reactor Coolant Pump Under-Speed .......................................................... 7.2-7 3.3.2 High Power Level ....................................................................................... 7.2-7 3.3.3 Low Reactor Coolant Flow......................................................................... 7.2-8 3.3.4 Low Steam Generator Water Level ............................................................ 7.2-9 3.3.5 Low Steam Generator Pressure................................................................... 7.2-9 3.3.6 High Pressurizer Pressure ......................................................................... 7.2-10 3.3.7 Thermal Margin/Low-Pressure Trip ......................................................... 7.2-10 3.3.8 Loss of Turbine ......................................................................................... 7.2-12 3.3.9 High Containment Pressure ...................................................................... 7.2-12 3.3.10 High Local Power Density Trip................................................................ 7.2-13

tion Title Page 3.3.11 Manual Trip .............................................................................................. 7.2-13 3.3.12 Bypass Operation ...................................................................................... 7.2-13 4 Testing ...................................................................................................... 7.2-14 5 System Evaluation .................................................................................... 7.2-15 5.1 General...................................................................................................... 7.2-15 5.2 Analog Portion of the System ................................................................... 7.2-17 5.3 Logic Portion of the Circuit ...................................................................... 7.2-17 6 System Reliability and Availability .......................................................... 7.2-18 6.1 Power Supply ............................................................................................ 7.2-18 6.2 Environment Capability ............................................................................ 7.2-18 6.3 Seismic Capability .................................................................................... 7.2-19 6.4 Physical Separation................................................................................... 7.2-19 6.5 Bistable Trip Unit Drift............................................................................. 7.2-19 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM...................... 7.3-1 1 Design Bases............................................................................................... 7.3-1 1.1 Functional Requirements ............................................................................ 7.3-1 1.2 Design Criteria ............................................................................................ 7.3-1 1.2.1 Single Failure, Redundancy and Independence .......................................... 7.3-1 1.2.2 Modular Design .......................................................................................... 7.3-2 1.2.3 Module Withdrawal and Bypass................................................................. 7.3-2 1.2.4 Environment................................................................................................ 7.3-2 1.2.5 Seismic Requirements................................................................................. 7.3-3 1.2.6 Codes and Standards ................................................................................... 7.3-3 1.2.7 Testability ................................................................................................... 7.3-4 1.2.8 Response Time............................................................................................ 7.3-4 2 System Description ..................................................................................... 7.3-4 2.1 General........................................................................................................ 7.3-4 2.2 Sensor Channels.......................................................................................... 7.3-5 2.3 Actuation Channels..................................................................................... 7.3-8 2.4 Actuation Interface ..................................................................................... 7.3-9

tion Title Page 2.5 Channel Trips............................................................................................ 7.3-10 2.6 Manual Initiation....................................................................................... 7.3-10 2.7 Manual Reset ............................................................................................ 7.3-10 2.8 Automatic Sequencer ................................................................................ 7.3-10 2.9 Annunciation............................................................................................. 7.3-11 2.10 Cabinets .................................................................................................... 7.3-12 2.11 Analog Bistables ....................................................................................... 7.3-12 2.12 Power Supply ............................................................................................ 7.3-13 2.13 System Interface ....................................................................................... 7.3-13 3 System Operation...................................................................................... 7.3-15 3.1 Operational Bypasses................................................................................ 7.3-15 3.2 Bistable Trip Bypass ................................................................................. 7.3-16 4 Availability and Reliability....................................................................... 7.3-16 4.1 Special Features ........................................................................................ 7.3-16 4.1.1 Sensor Channel Surveillance .................................................................... 7.3-16 4.1.2 Actuation Channel Surveillance ............................................................... 7.3-17 4.1.3 System Test Surveillance.......................................................................... 7.3-17 4.2 Tests and Inspection.................................................................................. 7.3-17 4.2.1 Testing ...................................................................................................... 7.3-17 4.2.2 Testing Features ........................................................................................ 7.3-17 4.2.3 System Reliability..................................................................................... 7.3-18 REGULATING SYSTEMS................................................................................. 7.4-1 1 Reactor Regulating System......................................................................... 7.4-1 1.1 Design Bases............................................................................................... 7.4-1 1.2 System Description ..................................................................................... 7.4-1 1.3 System Operation........................................................................................ 7.4-2 2 Control Element Drive System ................................................................... 7.4-2 2.1 Design Basis ............................................................................................... 7.4-2 2.2 Design Criteria ............................................................................................ 7.4-3 2.3 System Description ..................................................................................... 7.4-3

tion Title Page 2.4 System Operation........................................................................................ 7.4-5 2.5 Consequences of Single Failures ................................................................ 7.4-6 3 Reactor Coolant Pressure Regulating System ............................................ 7.4-8 3.1 Design Bases............................................................................................... 7.4-8 3.2 System Description ..................................................................................... 7.4-9 3.3 System Operation........................................................................................ 7.4-9 3.4 System Evaluation ...................................................................................... 7.4-9 4 Pressurizer Level Regulating System ......................................................... 7.4-9 4.1 Design Bases............................................................................................... 7.4-9 4.2 System Description ................................................................................... 7.4-10 4.3 System Operation...................................................................................... 7.4-10 4.4 System Evaluation .................................................................................... 7.4-10 5 Steam Dump and Turbine Bypass Systems .............................................. 7.4-11 5.1 Design Bases............................................................................................. 7.4-11 5.1.1 Functional Requirements .......................................................................... 7.4-11 5.1.2 Design Criteria .......................................................................................... 7.4-11 5.2 System Description ................................................................................... 7.4-11 5.3 System Operation...................................................................................... 7.4-12 6 Turbine Generator Control System........................................................... 7.4-13 6.1 Design Basis ............................................................................................. 7.4-13 6.1.1 Functional Requirements .......................................................................... 7.4-13 6.1.2 Design Criteria .......................................................................................... 7.4-13 6.2 System Description ................................................................................... 7.4-13 6.2.1 System....................................................................................................... 7.4-13 6.3 System Operation...................................................................................... 7.4-14 6.3.1 Startup ....................................................................................................... 7.4-14 6.3.2 Normal Operation ..................................................................................... 7.4-15 6.3.3 Abnormal Operation ................................................................................. 7.4-15 6.4 Availability and Reliability....................................................................... 7.4-15 7 Feedwater Regulating System and Feedwater Pump Speed Control........ 7.4-16 7.1 Design Bases............................................................................................. 7.4-16

tion Title Page 7.1.1 Functional Requirements .......................................................................... 7.4-16 7.1.2 Design Criteria .......................................................................................... 7.4-16 7.2 System Description ................................................................................... 7.4-17 7.2.1 System....................................................................................................... 7.4-17 7.2.2 Components .............................................................................................. 7.4-20 7.3 System Operation...................................................................................... 7.4-20 7.4 Availability and Reliability....................................................................... 7.4-21 8 Reactor Coolant System Low Temperature Overpressurization Protection (LTOP) System ......................................................................................... 7.4-21 8.1 Design Bases............................................................................................. 7.4-21 8.2 System Description ................................................................................... 7.4-22 8.3 System Operation...................................................................................... 7.4-23 INSTRUMENTATION SYSTEM ...................................................................... 7.5-1 1 Process Instrumentation .............................................................................. 7.5-1 1.1 Design Bases............................................................................................... 7.5-1 1.1.1 Functional Requirements ............................................................................ 7.5-1 1.1.2 Design Criteria ............................................................................................ 7.5-1 1.2 System Description ..................................................................................... 7.5-2 1.2.1 System......................................................................................................... 7.5-2 1.2.2 Components ................................................................................................ 7.5-5 1.3 System Operation........................................................................................ 7.5-5 1.4 Post-accident Monitoring............................................................................ 7.5-5 2 Nuclear Instrumentation ............................................................................. 7.5-6 2.1 Design Bases............................................................................................... 7.5-6 2.2 Design Criteria ............................................................................................ 7.5-6 2.3 System Description ..................................................................................... 7.5-7 2.4 System Components ................................................................................... 7.5-8 2.4.1 Wide-Range Logarithmic Channel Description ......................................... 7.5-8 2.4.2 Power-Range Safety Channel Description ............................................... 7.5-10 2.4.3 Power-Range Control Channel Description ............................................. 7.5-11 2.4.4 System Component Location.................................................................... 7.5-11

tion Title Page 3 Control Element Assemblies Position Instrumentation ............................ 7.5-11 3.1 Design Bases............................................................................................. 7.5-11 3.2 Design Criteria .......................................................................................... 7.5-11 3.3 System Description ................................................................................... 7.5-12 3.4 System Components ................................................................................. 7.5-12 3.4.1 Pulse-Counting Control Element Assemblies Position Indication System De-scription .................................................................................................... 7.5-12 3.4.2 Reed Switch Control Element Assemblies Position Display System Description 7.5-12 3.4.3 Core Mimic Control Element Assemblies Position Indication................. 7.5-12 4 In-Core Instrumentation............................................................................ 7.5-13 4.1 Design Bases............................................................................................. 7.5-13 4.2 Design Criteria .......................................................................................... 7.5-13 4.3 In-Core Instrumentation System Description ........................................... 7.5-13 4.4 Inadequate Core Cooling (ICC) System Description ............................... 7.5-14 4.4.1 Inadequate Core Cooling System Software .............................................. 7.5-15 5 Plant Computer System ............................................................................ 7.5-18 5.1 Summary Description ............................................................................... 7.5-18 5.2 Functional Objectives ............................................................................... 7.5-18 5.3 System Description ................................................................................... 7.5-19 5.4 Functional Description.............................................................................. 7.5-20 5.5 Safety Parameter Display System............................................................. 7.5-22 6 Radioactivity Monitoring.......................................................................... 7.5-23 6.1 Area Radiation Monitoring System .......................................................... 7.5-23 6.1.1 Design Bases............................................................................................. 7.5-23 6.1.2 System Description ................................................................................... 7.5-23 6.1.3 System Operation...................................................................................... 7.5-24 6.1.4 Availability and Reliability....................................................................... 7.5-25 6.2 Liquid Radiation Monitoring System ....................................................... 7.5-25 6.2.1 Design Bases............................................................................................. 7.5-25 6.2.2 System Description ................................................................................... 7.5-25

tion Title Page 6.2.3 System Operation...................................................................................... 7.5-27 6.2.4 Availability and Reliability....................................................................... 7.5-27 6.3 Airborne and Steam Radioactivity Monitoring ........................................ 7.5-27 6.3.1 Design Basis ............................................................................................. 7.5-27 6.3.2 System Description ................................................................................... 7.5-28 6.3.3 System Operation...................................................................................... 7.5-31 6.3.4 Availability and Reliability....................................................................... 7.5-32 7 Loose Parts Monitoring ............................................................................ 7.5-32 7.1 Design Bases............................................................................................. 7.5-32 7.1.1 Functional Requirements .......................................................................... 7.5-32 7.2 Design Criteria .......................................................................................... 7.5-32 7.3 System Description ................................................................................... 7.5-33 7.4 System Operation...................................................................................... 7.5-33 7.5 Emergency Operation ............................................................................... 7.5-34 7.6 Availability and Reliability....................................................................... 7.5-34 8 Chlorine Monitoring System (System Deleted)........................................ 7.5-35 9 Secondary Side Safety Relief Valve Position Indication.......................... 7.5-35 10 Reactor Coolant Pump Vibration Monitoring System.............................. 7.5-35 10.1 Design Basis ............................................................................................. 7.5-35 10.1.1 Functional Requirements .......................................................................... 7.5-35 10.2 Design Criteria .......................................................................................... 7.5-35 10.3 System Description ................................................................................... 7.5-35 10.4 System Operation...................................................................................... 7.5-36 10.5 Emergency Operation ............................................................................... 7.5-36 10.6 Availability and Reliability....................................................................... 7.5-36 OPERATING CONTROL STATIONS............................................................... 7.6-1 1 Control Room ............................................................................................. 7.6-1 1.1 Design Bases............................................................................................... 7.6-1 1.1.1 Functional Requirements ............................................................................ 7.6-1 1.1.2 Design Criteria ............................................................................................ 7.6-1

tion Title Page 1.2 Description.................................................................................................. 7.6-1 2 Main Control Boards .................................................................................. 7.6-2 2.1 Design Bases............................................................................................... 7.6-2 2.1.1 Functional Requirements ............................................................................ 7.6-2 2.1.2 Design Criteria ............................................................................................ 7.6-2 2.2 System Description ..................................................................................... 7.6-3 2.2.1 System......................................................................................................... 7.6-3 2.2.2 Components ................................................................................................ 7.6-3 2.3 System Operation........................................................................................ 7.6-5 2.4 Availability and Reliability......................................................................... 7.6-5 2.4.1 Special Features .......................................................................................... 7.6-5 2.4.2 Tests and Inspections .................................................................................. 7.6-6 3 Radioactive Waste Processing System Panels............................................ 7.6-7 3.1 Design Bases............................................................................................... 7.6-7 3.1.1 Functional Requirements ............................................................................ 7.6-7 3.1.2 Design Criteria ............................................................................................ 7.6-7 3.2 System Description ..................................................................................... 7.6-7 3.2.1 System......................................................................................................... 7.6-7 3.2.2 Components ................................................................................................ 7.6-8 3.3 System Operation........................................................................................ 7.6-8 3.4 Availability and Reliability......................................................................... 7.6-8 3.4.1 Test and Inspection ..................................................................................... 7.6-8 4 Hot Shutdown Panel ................................................................................... 7.6-8 4.1 Design Bases............................................................................................... 7.6-8 4.1.1 Functional Requirements ............................................................................ 7.6-8 4.1.2 Design Criteria ............................................................................................ 7.6-9 4.2 System Description ..................................................................................... 7.6-9 4.2.1 System......................................................................................................... 7.6-9 4.2.2 Components .............................................................................................. 7.6-10 4.3 System Operation...................................................................................... 7.6-10 4.4 Availability and Reliability....................................................................... 7.6-11

tion Title Page 4.4.1 Special Features ........................................................................................ 7.6-11 4.4.2 Tests and Inspections ................................................................................ 7.6-11 5 Fire Shutdown System Panels................................................................... 7.6-11 5.1 Design Basis ............................................................................................. 7.6-11 5.1.1 Functional Requirements .......................................................................... 7.6-11 5.1.2 Design Criteria .......................................................................................... 7.6-11 5.2 System Description ................................................................................... 7.6-12 5.2.1 Bottle-Up Panels (C70A, C70B) .............................................................. 7.6-12 5.2.2 Fire Shutdown Panels (C9, C10) .............................................................. 7.6-13 5.3 System Operation...................................................................................... 7.6-14 5.4 Availability and Reliability....................................................................... 7.6-15 5.4.1 Special Features ........................................................................................ 7.6-15 5.4.2 Tests and Inspections ................................................................................ 7.6-15 6 Miscellaneous Local Control Panels......................................................... 7.6-15 6.1 Design Bases............................................................................................. 7.6-15 6.1.1 Functional Requirements .......................................................................... 7.6-15 CONTROL ROOM ANNUNCIATION.............................................................. 7.7-1 1 Design Bases............................................................................................... 7.7-1 1.1 Functional Requirements ............................................................................ 7.7-1 1.2 Design Criteria ............................................................................................ 7.7-1 2 Systems Description ................................................................................... 7.7-1 2.1 System......................................................................................................... 7.7-1 3 Operation .................................................................................................... 7.7-2 COMMUNICATION SYSTEMS........................................................................ 7.8-1 1 Design Bases............................................................................................... 7.8-1 1.1 Functional Requirements ............................................................................ 7.8-1 1.2 Design Criteria ............................................................................................ 7.8-1 2 System Description ..................................................................................... 7.8-1 2.1 Systems ....................................................................................................... 7.8-1 2.2 Components ................................................................................................ 7.8-1

tion Title Page 3 System Operation........................................................................................ 7.8-4 3.1 Normal Operation ....................................................................................... 7.8-4 4 Availability and Reliability....................................................................... 7.8-12 4.1 Special Features ........................................................................................ 7.8-12 4.2 Design Evaluation..................................................................................... 7.8-12 4.3 Testing and Inspection .............................................................................. 7.8-13 ANTICIPATED TRANSIENTS WITHOUT SCRAM CIRCUITRY ................ 7.9-1 1 Design Bases............................................................................................... 7.9-1 1.1 Functional Requirements ............................................................................ 7.9-1 2 Discussion ................................................................................................... 7.9-1 3 Design Criteria ............................................................................................ 7.9-2 3.1 General........................................................................................................ 7.9-2 3.2 Electrical Independence .............................................................................. 7.9-3 3.3 Environmental Qualification....................................................................... 7.9-3 3.4 Seismic Qualification.................................................................................. 7.9-4 3.5 Annunciation and Display .......................................................................... 7.9-4 3.6 Testability ................................................................................................... 7.9-4 3.7 Diversity...................................................................................................... 7.9-4 4 System Description ..................................................................................... 7.9-5 4.1 Diverse Scram System ................................................................................ 7.9-5 4.2 Diverse Auxiliary Feedwater Actuating System ........................................ 7.9-5 4.3 Diverse Turbine Trip .................................................................................. 7.9-5 5 System Components ................................................................................... 7.9-6 5.1 System Hardware and Interface .................................................................. 7.9-6 5.2 Pressurizer Pressure Channels .................................................................... 7.9-6 5.3 Neutron Monitoring Channels .................................................................... 7.9-6 5.4 Diverse SCRAM Matrix ............................................................................. 7.9-6 5.5 Auxiliary Feedwater Initiation.................................................................... 7.9-7 5.6 Motor Generator Contactors ....................................................................... 7.9-7 5.7 Power Supply .............................................................................................. 7.9-7

tion Title Page 6 System Operation........................................................................................ 7.9-8 6.1 Bypasses...................................................................................................... 7.9-8 6.2 Annunciation and Display .......................................................................... 7.9-8 6.3 Inadvertent Actuation ................................................................................. 7.9-8 AUXILIARY STEAM LINE BREAK DETECTION/ISOLATION SYSTEM 7.10-1

.1 Design Bases............................................................................................. 7.10-1

.1.1 Functional Requirements .......................................................................... 7.10-1

.2 Discussion ................................................................................................. 7.10-1

.3 Design Criteria .......................................................................................... 7.10-2

.3.1 General...................................................................................................... 7.10-2

.3.2 Electrical Independence ............................................................................ 7.10-2

.3.3 Environmental Qualification..................................................................... 7.10-3

.3.4 Seismic Qualification................................................................................ 7.10-3

.3.5 Annunciation and Display ........................................................................ 7.10-3

.3.6 Testability ................................................................................................. 7.10-3

.4 System Description ................................................................................... 7.10-3 ENVIRONMENTAL QUALIFICATION OF ELECTRICAL EQUIPMENT IMPORTANT TO SAFETY.............................................................................. 7.11-1

List of Tables mber Title 1 Reactor Trip and Pretrip Set Points 1.1-I Parameters Affecting Fuel Design Limit 1.1-II Pertinent NSSS parameters and Monitored Variables 1.1-III Trip Functions 1.1-IV Trip Variable Monitored 2.2-1 ESAS Failure Mode Analysis for Containment Pressure Channels 1 Prohibits on CEAs 1 Major Process Instrumentation 2 Omitted 3 Regulatory Guide 1.97 (Rev. 2) Accident Monitoring Instrumentation 4 Area Radiation Monitors 5 Liquid Process/Effluent Radiation Monitors 6 Airborne Process/Effluent Radiation Monitors 6A Process Radiation Monitors (Steam) 7 CEA Position Light Matrix 1 Major Equipment Normally Used for Hot Shutdown 2 Major Equipment Normally Used for Cold Shutdown

List of Figures mber Title 1 Reactor Protective System Block Diagram 2 Reactor Protective System Functional Diagram 3 Nuclear Instrumentation System Functional Diagram 4 Low Flow Protective System Functional Diagram 5 Low Steam Generator Pressure Reactor Trip Bypass Functional Diagram 6 Block Diagram Core Protection Trips 7 Neutron Flux Monitoring System Logarithmic Range Channels 8 Neutron Flux Monitoring System Power Range Channels

-9 Not Used 10 Reactor Coolant Pump Underspeed Block Diagram 11 Variable High Power Trip Operation 12 Thermal Margin Trip 13 DT Power Calculation 14 Local Power Density Trip 1 Engineered Safety Logic 2A Engineered Safety Logic Actuated Equipment Tabulation 2B Engineered Safety Logic Actuated Equipment Tabulation 2C Engineered Safety Logic Actuated Equipment Tabulation 2D Engineered Safety Logic Actuated Equipment Tabulation 3 Engineered Safety Logic Sequencer & Channel 5 Output 4 Engineered Safety Logic 1 Deleted by FSARCR 05-MP2-026 2 CEA Position Setpoints 3 CEDS Functional Block Diagram 4 Pressure Control Program 5 Steam Dump to Condensers and Turbine Bypass System

List of Figures (Continued) mber Title 6 Feedwater Control System (Sheet 1) 7 Feedwater Regulating System Block Power Distribution 8 Reactivity Control System 9 Motion Inhibit Circuit Interconnection Simplified Diagram 1 Pressurizer Pressure Measurement Channel Functional Diagram 2 Out-Of-Core Nuclear Detector Location 3 In-Core Nuclear Detector Assembly 4 In-Core Detector/Core Exit Thermocouple and RVLM Sensor Locations 5 Process Radiation Monitor Schematic 6 Heated Junction Thermocouple Probe Assembly 7 ICCMS Functional Block Diagram 8 ICCMS Data Processing 9 ICCMS Display Hierarchy 1 General Arrangement Control Room Plan Elevation 35 feet 6 inches 2 C01, CRP, Front View Arrangement Safeguards Section (Sheet 1) 3 CRP Front View Arrangements (Sheet 1) 4 C04 CRP, Front View Arrangement Reactivity Control System (Sheet 1) 5 C05, CRP, Front View Arrangement Steam Generator & Feedwater Control (Sheet 1) 6 C06, CRP. Front View Arrangement Plant Auxiliary (Sheet 1) 7 C07, Control Room Panel, Front View Arrangement Turbine-Generator (Sheet 1) 8 C08, CRP Front View Arrangement Station Service Electric (Sheet 1) 9 Local Control Panels (C60) & (C61) 10 Local Control Panels (C63) & (C21) 11 Engineered Safety Equipment Status Panel Layout (C01X)

-12 Condensate Demineralizer Waste Treating Panel CDX

-13 Condensate Demineralizer Waste Treating Panel CDX

-14 Condensate Demineralizer Waste Treating Panel CDX

List of Figures (Continued) mber Title 15 Condensate Demineralizer Waste Treating Panel CDX 1 Logic Diagram - Anticipated Transient Without Scram 2 Block Diagram Diverse SCRAM System (ATWS) 3 Schematic Diagram Diverse SCRAM System ATWS

-1 Piping and Instrumentation Diagram Auxiliary Steam and Condensate

INTRODUCTION plant systems are instrumented to provide information on plant conditions at selected tions, to protect equipment and personnel from undesirable conditions and to control the plant ng startup, operation, and shutdown. The principal control station for the plant is in the trol room located in the reactor auxiliary building.

plant is started up and shut down under remote manual control. Annunciators, indicators and rding devices will alert the operator and provide data on plant conditions.

rumentation and controls essential to plant safety are located in the control room. The rumentation is arranged in groups on the control boards so that when corrective action is uired, all pertinent indicators, recorders and controllers are within easy reach and view of the rator. The control board is a duplex benchboard. Visible and audible alarms located in the top ion of the main control board annunciate and identify abnormal operating conditions.

phone systems provide both in-plant and external communication. The control room and puter room are kept at a controlled temperature which is well within the design temperature uirements of the instruments.

ensure reliability, components of established quality are selected and used in the rumentation and control equipment. The protection instrumentation consists of four ependent channels to permit system testing without reducing the degree of protection vided. Reliable sources of electrical power are provided to ensure safe and reliable plant ration (see Chapter 8).

operation of the reactor within established limits is achieved by its inherent characteristics, rumentation and control systems, by operational procedures and administrative controls.

artures from these limits are audibly and visibly annunciated in the control room. A reactor ective system is designed to initiate reactor trips to protect the core and the reactor coolant em pressure boundary.

engineered safety features actuation system instrumentation provides the equipment essary to initiate the required safety features functions. This system also monitors the power rces acting to assure the availability of emergency power for operation of at least the minimum ineered safety features (see Chapters 6 and 8). This system is provided with the necessary undant circuitry and physical isolation so that a single failure within the system would not vent the proper system action when required. This system is provided with test facilities and ms to alert the operator when certain components trip or malfunction, or are inoperable. The trols are designed to automatically provide the sequence of operations required to initiate ineered safety features system operation with or without off-site power available.

se instruments which have been classified Seismic Class I have been type tested or validated omputation to ensure operability.

fs (NRC Docket Numbers 50-317 and 50-318 through Amendment 19) except for the difications mentioned below.

eactor coolant pump underspeed trip has been added (Section 7.2.3.3.1). This trip is not ited to provide protection during any accident analysis event.

omatic axial flux tilt protection has been added through the addition of a Local Power Density (Section 7.2.3.3.10) and modification of the Thermal Margin/Low Pressure Trip ction 7.2.3.3.7).

High Power Trip has been modified to use a variable setpoint (Section 7.2.3.3.2).

trip logic matrix relay power supplies have been split so that each matrix power supply plies only two relays, thus preventing a single power supply failure from causing a spurious tor trip (Figure 7.2-2).

range of the Tcold channel inputs to the RPS has been changed in support of the modification he Thermal Margin/Low Pressure Trip (Section 7.2.3.3.7) from 515°F to 615°F to 465°F to

°F. This was to assure the existence of a valid T power signal during transients involving ificant decreases in core inlet temperature.

function of the Zero Power Mode Bypass (Section 7.2.3.3.12) has been expanded to include oving the T power component of the power signal Q in order to allow for special physics tups when system temperatures are below the operation range. In addition, the Zero Power de deletes the RCP underspeed trip.

Low Reactor Coolant Flow Trip (Section 7.2.3.3.3) acts on a P signal.

Power Trip Test Interlock (Section 7.2.4) has been expanded to provide protection against the lear Instrumentation Test Select switch being left in an off-normal position after testing.

Control Element Drive System (Section 7.4.2) has been modified to include a CEA Motion bit.

Reactor Regulating System (Section 7.4.1) has been modified to delete the automatic mode EA movement.

1 IDENTIFICATION OF SAFETY RELATED EQUIPMENT 1.1 Protective Systems tective Systems encompass electrical and mechanical devices and circuitry from sensors ugh actuation devices.

Engineered Safety Features Actuation System (Section 7.3)

Auxiliary Feedwater Automatic Initiation System (Section 7.3)

Protective System Power Supply (Section 8) 1.2 Safe Shutdown Systems Reactor Protective System will safely bring the Reactor to a hot standby condition if any of input parameters deviates from its preselected operating range or upon manual initiation by operator. The equipment normally used to maintain the plant in hot shutdown is listed in le 7.6-1. Additional equipment normally used to bring the plant to cold shutdown conditions is d in Table 7.6-2.

1.3 Safety-Related Display Instrumentation Reactor Protective System input parameter indication. (Section 7.2, 7.5)

Engineered Safety Features Actuation System input parameter indication. (Section 7.3, 7.5.1)

Engineered Safety Features monitoring instrumentation. (Section 6) 1.4 Other Safety-Related Systems Shutdown Cooling Interlocks (Section 9.3)

Refueling Interlocks (Section 9.8)

Auxiliary Steam Detection and Isolation System (Sections 7.10 and 9.13) 1.5 Control Systems systems listed below are not required for safety. Protective system action ensures that design ts are not exceeded.

Reactor Coolant Pressure Regulating Systems (Section 7.4.3)

Pressurizer Level Regulating Systems (Section 7.4.4)

Reactor Regulating Systems (Section 7.4.1)

design bases, criteria, safety guides, information guides, standards, and other documents lemented in the design of systems listed in Section 7.1.1 are stated in the corresponding criptive sections of the FSAR.

following guides referenced in Section 7.0 of the Standard Format and Content of Safety lysis Reports for Nuclear Power Plants. February 1972 were not available at the time of issue he Millstone Unit Number 2 construction permit (December 11, 1970) and were therefore not uded in the design or installation criteria used during construction. However, these guides are renced in applicable description sections of the FSAR where the equipment provided meets general guide requirements.

E Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating tems, dated June 3, 1971.

E Standard 308-1971, Criteria for Class IE Electric Systems for Nuclear Power Generating ions, dated September 16, 1971.

E Standard 323-1971, General Guide for Qualifying Class I Electric Equipment for Nuclear er Generating Stations, dated April 1971.

E Standard 336-1971, Installation, Inspection, and Testing Requirements for Instrumentation Electric Equipment during the Construction of Nuclear Power Generating Stations, dated tember 16, 1971.

E 338-1971, Periodic Testing of Nuclear Power Generating Station Protection Systems, d September 16, 1971.

E 344-1971, Seismic Qualifications of Class I Electric Equipment for Nuclear Power erating Stations, dated September 16, 1971.

ety Guide 22, Periodic Testing of Protection System Actuation Functions, dated February 1972.

escription of the quality assurance procedures to be used during equipment fabrication, ment, field storage, field installation, system and component checkout, and the records aining to each of these is contained in Sections 1.7, Appendix 1.B (located in the original R dated August 1972), and 13.

hould be noted that the Local Power Density Trip is not a new trip but rather a modified ion of the Axial Flux Offset trip described in the Calvert Cliffs FSAR. The name has been nged relative to the Calvert Cliffs FSAR in order to more accurately describe its function. The

1. Providing additional input to the trips, and
2. Providing additional processing equipment for the trips.

Modifications were made to increase the operating flexibility over that provided by the ivalent trips described in the Calvert Cliffs FSAR.

le 7.2.1.1-I shows the NSSS parameters that affect the acceptable fuel design limits tioned above. Table 7.2.1.1-II shows what variables are monitored on both Calvert Cliffs and lstone Unit 2, to determine the state of the NSSS parameters that affect the fuel design limits.

hould be noted that the radial peaking factor is inferred from the core power measurement.

s indirect measurement is accomplished through the Power Dependent CEA Insertion Limits ILS) given in the Technical Specifications. Also, the azimuthal tilt magnitude is not directly sured. The protective system set points are developed to: 1) take into account the worst core al peaking factor that can result at any power level from CEAs full out up to CEAs inserted to r insertion limit, and 2) take into account an azimuthal tilt at its Technical Specification limit.

le 7.2.1.1-III gives a comparison of the specific function of the subject trips, on Calvert Cliffs Millstone Unit 2, with respect to the fuel design limits. The low flow trip is included in le 7.2.1.1-III for completeness purposes only. Table 7.2.1.1-IV gives a comparison of the ables monitored, on Calvert Cliffs and Millstone Unit 2, for the trips listed in Table 7.2.1.1-rmal Margin Trip Modification:

function of the Thermal Margin trip is the same on Millstone Unit 2 and Calvert Cliffs (see le 7.2.1.1-III). The modification to the thermal margin trip consists of adding the axial flux et as a measured input and the processing equipment needed to relate axial offset to thermal gin limits (see Table 7.2.1.1-IV). On Calvert Cliffs the combination of thermal margin and l flux offset trip provides DNB and void fraction protection. This is accomplished by using axial offset trip to limit the axial power distribution that can occur at any power level. This ting distribution is then related to the thermal margin limit at that power level when erating the set points, since the thermal margin trip on Calvert Cliffs does not monitor the l offset. The approach used on Calvert Cliffs does not allow credit to be taken for operation h axial offsets that are more favorable in terms of thermal margin than the offset that exists at trip limit. Direct measurement of the axial offset in the thermal margin trip in Millstone Unit 2 ws this credit to be taken when it exists; thereby, 1) increasing margin to trip and improving rating flexibility, where 2) providing the same degree of protection as on Calvert Cliffs.

al Flux Offset Trip Modification (i.e., Local Power Density Trip):

function of the axial flux offset trip on Calvert Cliffs is twofold:

2. limit the axial power distribution that can exist at any power level to that which was assumed in generating the thermal margin trip set points, as explained above.

modifications made to the axial offset trip in Calvert Cliffs are:

1. a power dependent radial peaking penalty function has been included, and
2. the auctioneered higher of the T and neutron flux power is used as the power input to generate the trip limits.

shown in Table 7.2.1.1-I the radial peaking factor is one parameter that offsets the kw/ft of ch the plant is operating. Table 7.2.1.1-II shows that this effect is inferred from the sensed er level. In Calvert Cliffs the axial offset trip setpoints are determined in a manner that is sistent with the worst core CEA insertion (radial peaking) that can occur at any power level.

trip functions to limit the axial peaking factor consistent with the assumed worst radial and sured power level such that the specified kw/ft limit is not exceeded. By generating trip oints in this manner, any change in CEA insertion limits during operation requires setpoints to regenerated. The modification provided on Millstone Unit 2 is done to facilitate the neration of setpoints in the event that CEA insertion limits are modified.

enerating trip system setpoints, one must consider all measurement errors and uncertainties can occur during anticipated operational occurrences. On Calvert Cliffs, the neutron flux er is used as the power input to the axial offset trip. One factor that is considered in generating setpoints is how much can this signal be distorted (i.e., uncertain) during transients that uire this trip. Two major phenomena that result in neutron flux power measurement error are:

1. CEA shadowing: This effect results from the distortion of the radial power distribution. The out-of-core detectors see the fast neutron flux escaping from the peripheral fuel bundles. As CEAs are inserted or removed the power produced in the peripheral fuel bundles will vary relative to the core average power. The result is that the out-of-core detectors may indicate a power level different from the core average power.
2. Inlet Temperature Shadowing: This effect results from a change in density of the cold leg coolant which passes between the peripheral fuel bundles and the out-of-core detectors. The result is that as cold leg temperature decreases, from that value at which the out-of-core detectors had last been calibrated, the detectors will indicate a power level below the core average power. This is due to the fact that the incident neutron flux at the detectors will be decreased due to the increased coolant density.

T power, obtained from a calculation of hot and cold RTD measurements, is not influenced hese two phenomena. The use of the auctioneered higher of the T power and neutron flux

modifications made to the Calvert Cliffs axial flux offset trip on Millstone Unit 2 (local er density trip) provide 1) increased operating margin and increased system flexibility, while till satisfying the same criteria (i.e., kw/ft protection) and providing the same degree of ection.

h Power Level Trip Modification:

function of the high power trip on Calvert Cliffs is to provide 1) a maximum upper load limit he NSSS, and 2) a reactor trip to assist the engineered safety system in the event of an ejected A accident. The function of the high power trip on Millstone Unit 2 is to provide:

1. an upper load limit on the NSS that is always a given percent of rated power above the steady-state operating power, and
2. assistance during an ejected CEA accident.

he Calvert Cliffs design, the combination of the thermal margin and axial flux offset trips re the integrity of the fuel design limits. If during a power excursion an axial flux offset or mal margin trip does not occur, in which case neither would be required, a high power trip ntually results if the indicated power reaches 106.5% of rated.

mentioned previously, the thermal margin and axial offset trip setpoints are generated by ming that worst case radial peaks can occur at various power levels. This analysis must take consideration the possibility of carrying-up high radial peaks to high power levels. This ct may occur when CEAs are in manual control and a power excursion ensues and must be ommodated up to the point of the high power trip at 106.5% or rated power. The high power then essentially provides a mechanism by which to limit the radial peaking that must be med in generating the thermal margin and axial offset trip setpoints. The modification to the h power trip on Millstone Unit 2 provides a means of limiting any power excursion to roximately 10% increase above the initial power level. The trip then provides a means of ting the radial peaking that can be carried-up during a power excursion starting below

% power. When the initial power level is 100% of rated, the 110% high power trip setpoint vides this assurance. Since the maximum power excursion is always limited by a set amount, it can be taken for the reduced radial peak that may be carried-up. This credit is reflected in generation of the thermal margin and local power density trip setpoints and results in eased operating margins. The modification of using the auctioneered high of the T and tron flux power as the trip variable for the high power trip is provided to increase system uracy as explained previously.

design criteria for the thermal margin, local power density and high power level trip are ussed in Section 7.2.1.2.

1 DESIGN BASIS 1.1 Functional Requirements reactor protective system (RPS) consists of the sensors, amplifiers, logic, and other ipment necessary to monitor selected nuclear steam supply system (NSSS) conditions and to ct reliable and rapid reactor shutdown if any one or a combination of conditions deviates from reselected operating range. The system functions to protect the core and reactor coolant sure boundary (RCPB). The Millstone Unit 2 Protective System is functionally identical to provided for Calvert Cliffs (NRC Docket Numbers 50-317, 50-318 through Amendment 19),

ept for the following modifications:

actor coolant pump (RCP) underspeed trip has been added (Section 7.2.3.3.1). This trip is not ited to provide protection during any accident analysis event.

omatic axial flux tilt protection has been added through the addition of a Local Power Density D) Trip (Section 7.2.3.3.10) and modification of the Thermal Margin/Low Pressure (TM/LP)

(Section 7.2.3.3.7).

High Power Trip has been modified to use a variable setpoint (Section 7.2.3.3.2).

trip logic matrix relay power supplies have been split so that each matrix power supply plies only two relays, thus preventing a single power supply failure from causing a spurious tor trip (Figure 7.2-2).

range of the Tcold channel inputs to the RPS has been changed in support of the modification he TM/LP Trip (Section 7.2.3.3.7) from 515°F to 615°F to 465°F to 615°F. This was to assure existence of a valid T power signal during transients involving significant decreases in core t temperature.

function of the Zero Power Mode Bypass (Section 7.2.3.3.12) has been expanded to include oving the T power component of the power signal Q in order to allow for special physics tups when system temperatures are below the operating range.

Low Reactor Coolant Flow Trip (Section 7.2.3.3.3 acts on a P signal.

nal Commons between Nuclear Instrumentation Channels have been isolated to prevent nnel interaction. (Section 7.2.3.2.1)

Power Trip Test Interlock (Section 7.2.4) has been expanded to provide protection against the lear Instrumentation Test Select switch being left in an off-normal position after testing.

function of the RPS on all Combustion Engineering (CE) supplied plants has always been efold:

2. To assist the engineered safety system in mitigating the consequences of accidents (e.g., loss-of-coolant accident (LOCA)), and
3. To assure that acceptable fuel design limits are not exceeded during anticipated operational occurrences.

RPS supplied with Millstone Unit 2 is, in this sense, functionally identical with that supplied Calvert Cliffs.

assurance that the protective system fulfills its threefold function is provided by choosing a plement of trips that monitor pertinent parameters that: 1) are related to specified limits, and hat are affected during accidents which may lead to a violation of these specified limits.

particular trips under discussion (i.e., Thermal Margin, LPD and High Power) have as their me function the assurance that acceptable fuel design limits are not exceeded during cipated operational occurrences. Anticipated operational occurrences are defined in General ign Criteria (GDC), Appendix A of 10 CFR 50 as ...those conditions of normal operation ch are expected to occur one or more times during the life of the nuclear power unit....

eptable fuel design limits are described in Section 3.2.3.

1.2 Design Criteria RPS is designed to the following bases to assure adequate protection for the core:

a. Instrumentation conforms to the provisions of the Institute of Electrical and Electronic Engineers (IEEE), Criteria for Nuclear Power Plant Protection Systems (IEEE 279-1971).
b. No single component failure can prevent safety action.
c. Four independent measurement channels are provided for each parameter that can initiate safety action.
d. Channel independence is assured by separate connection of the sensors to the process systems and of the channels to vital instrument buses.
e. The four measurement channels provide trip signals to six independent logic matrices, arranged to effect a two-out-of-four coincidence logic having outputs to four independent trip paths.
f. A trip signal from any two-out-of-four protective channels on the same parameter causes a reactor trip.

out of service channel.

h. The protective system AC power is supplied from four separate vital instrument buses.
i. Open circuiting, or loss of power supply for the channel logic, initiates an alarm and a channel trip.
j. The trip logic matrices assume the nonconducting state to provide a tripping function.
k. The RPS can be tested with the reactor in operation or shut down.
l. The manual trip system is independent of the automatic trip system.
m. Trip signals are preceded by pretrip alarms to alert the operator of undesirable operating conditions in cases where operator action can correct the abnormal condition and avoid a reactor trip.
n. The RPS components are independent of control systems.
o. All equipment, including panels, and cables associated with the RPS, are marked with colored markers or nameplates in order to facilitate identification.
p. Electrical circuit isolation is provided between the RPS, annunciators, and the plant computer.
q. There are no RPS instrumentation transmitters for which the trip set points are within 5 percent of the high or low end of the calibrated range, or within 5 percent of the overall instrument design range.

2 DISCUSSION RPS meets the general requirements of the applicable sections of the below listed guides ough they were not available at this time the construction permit for Millstone Unit Number 2 issued. (December 11, 1970).

E Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating ions, dated June 3, 1971.

E Standard 336-1971, Installation, Inspection and Testing Requirements for Instrumentation Electric Equipment during the construction of Nuclear Power Generating Stations, dated tember 1971.

ulatory Guide 1.22, Periodic Testing of Protection System Actuation Functions, (Safety de 22) dated February 17, 1972.

mbustion Engineering Topical Report CENPD-11 Reactor Protection System Diversity, W.

Coppersmith, C. I. Kling, A. T. Shesler, and B. M. Tashjian CENPD, February 1971) onstrates that functional diversity has been incorporated in the protective system design.

3 SYSTEM DESCRIPTION 3.1 General shown in Figures 7.2-1 and 7.2-2, the RPS consists of four trip paths operating through the cidence logic matrices to maintain power to, or remove it from, the control element drive hanisms (CEDM). Four independent measurement channels normally monitor each plant meter which can initiate a reactor trip. Individual channel trips occur when the measurement hes a preselected value. The channel trips are combined in six two-out-of-two logic matrices.

h two-out-of-two logic matrix provides trip signals to four one-out-of-six logic units, each of ch causes a trip of the reactor trip switchgear in the AC supply to the CEDM power supplies.

h CEDM power supply source is separated into two branches.

ctor trip is accomplished by deenergizing the CEDM coils allowing the shutdown and ulating CEAs to drop into the core by gravity. Reactor trip is initiated by the conditions cribed in Section 7.2.3.3; the reactor trip and pretrip alarm set points are listed in Table 7.2-1.

protective systems that actuate reactor trip and engineered safety features (ESF) components form to the regulation in effect at the time of procurement including relevant sections of the C, Appendix A to 10 CFR 50.

cabinets of the RPS are appropriately tagged A, B, C, D to distinguish between channels. The S is distinguished from nonsafety related equipment by the use of colored nameplates. At ination points the incoming and outgoing cables of the RPS are appropriately tagged to tify the channel and to distinguish between channels.

sical separation between channels is accomplished by feeding each of the four independent al inputs into a separate cabinet. The four cabinets are separated from each other by fireproof iers. Logic matrix and other interconnections between the four cabinets are made by running rconnecting wiring through rigid metallic conduits penetrating the barrier between each of the inets. All barrier penetrations are sealed with fireproof material.

ability of the RPS to protect the core and the RCPB has been established by the analysis ussed in Chapter 14. The analyses show that the plant and fuel design limits are not exceeded ng anticipated operational occurrences such as loss of load or inadvertent withdrawal of ulating control element assembly (CEA) groups. The provision of more restrictive set points to

ystems.

er is not used for cooling any part of the RPS.

3.2 System Components 3.2.1 Signal Generation r independent instrument channels are used to generate the signals necessary to initiate the matic reactor trip action. The signal cable routing and readout drawer locations are separated isolated to provide channel independence.

ation Assemblies provide independence and separation of signal common references through h impedance isolation of signals and reduction of common mode signals within FET repeating lifiers. Isolation of signal common between channels prevents channel interaction. Isolation ignal common for signals originating outside the RPS cabinet prevents noise pick up.

3.2.1.1 Wide-Range Logarithmic Channels four wide range logarithmic channels each obtain signals from two high sensitivity fission mbers. The fission chambers are grouped axially and located on the reactor cavity wall around reactor. The output from the fission chambers are conditioned and amplified in the cable vault lifier assemblies and transmitted to the signal processing drawers in the control room. The al processing drawers further process the detector signal into signals that represent the source ge logarithm of count rate and the rate of change of count rate, and the wide range logarithm of tor power and the rate of change of reactor power (see Figure 7.2-7).

3.2.1.2 Power-Range Safety Channels signals for each of the four power range safety channels are obtained from one of the four ctor assemblies located on the reactor cavity wall around the reactor. Each assembly consists wo uncompensated ion chambers stacked vertically to monitor the full length of the core. The current signals from each set of ion chambers are fed separately and directly to the power ge safety channel drawer assemblies located in the control room. The ion chambers cover the ge from 0.1 percent to 200 percent power (see Figure 7.2-8).

3.2.1.3 Flow, Water Level, Pressure Temperature and Reactor Coolant Pump Speed flow, water level, pressure temperature and RCP speed signals are each generated by separate of transmitters. Flow is measured by monitoring the pressure difference between the hot leg ng and the steam generator outlet plenum. Steam generator water level and pressure are nitored in each steam generator. The reactor coolant system (RCS) pressure is measured in the surizer. Temperature measurements are taken from the reactor inlet and outlet piping in each p.

able trip modules.

3.2.2 Logic er to Figure 7.2-2 for the following discussion.

h measurement channel which can initiate protective action operates a channel trip unit; each unit includes three sealed, electromagnetically actuated relays and associated contacts. Four units are provided for each trip condition, e.g., high pressurizer pressure.

relays in each trip unit are numbered one, two, and three. The normally open contacts from Number 1 relay group of Channel A are connected into a two-out-of-two logic matrix with nnel B relay contacts. (The normally open contacts are used for the logic ladders so that the ys are energized and the contacts closed under operating conditions).

Number 2 and Number 3 relay contacts are similarly connected into two other two-out-of-logic matrices with Channel C and Channel D relay contacts. With the number 2 and number lay contacts of Channels, B, C, and D similarly arranged in BC, BD and CD combinations of

-out-of-two logic matrices, there is a total of six two-out-of-two logic matrices, forming a

-out- of-four coincidence logic with respect to the input channels.

the output of each of the six trip logic matrices is a set of four sealed, electromagnetically ated relays. These sets are designated the AB, AC, AD, BC, BD, and CD logic trips. The tacts from one relay of the logic trip set from each logic matrix output are placed in series with esponding contacts from the remaining sets in each of the four trip paths. Each of these paths e power supply line to one of the trip breaker control relays, K1 through K4, whose contacts vide actuation of under voltage and shunt trips on the trip circuit breakers, thus interrupting the power to the CEDMs. Deenergizing of any one trip breaker control relay interrupts (opens) trip path and trips the two breakers controlled by that trip path. Deenergizing any set of four c trip relays causes an interruption of all trip paths which results in a reactor trip. This logic is wn on the RPS Block Diagram, Figure 7.2-1.

CEDMs are separated into two groups. The CEDM power supplies in each group are supplied arallel, with three-phase AC power from the motor-generator sets. Two full-capacity motor-erator sets, each with a one-second ride through capability, are provided. The loss of either set s not cause a release of the CEAs. Each power supply source is separated into two branches.

h side of each branch line passes through two trip circuit breakers (each actuated by a separate path) in series so that, although both sides of the branch lines must be deenergized to release CEAs, there are two separate means of interrupting each side of line. This arrangement vides means for the testing of the protective system.

ne of the trip units is to be removed for maintenance, the logic matrices may be changed from wo-out-of-four trip to a two-out-of-three trip by the operation of the logic bypass switch wn on the output of the trip module, Figure 7.2-2). One key-operated switch is provided for

operation of the key-operated switch to bypass the trip function of a single bistable trip unit is cated by a light on the face of the bistable trip unit and an annunciator on the main control rd. This meets the requirements of paragraph 4.13 in IEEE-279 in that it provides continuous cation of the bypass in the control room.

ere the trip is to be allowed only in selected power ranges, a neutron flux signal is utilized to bit the action of the trip units. A manually actuated inhibit action may, under administrative trol, be applied to the low reactor coolant flow, thermal margin and low steam generator sure trips for zero power testing. The inhibits on reactor coolant flow and thermal margin are matically removed above a preset power. The inhibit on steam generator pressure is matically removed above a preset pressure. An additional feature of this zero power inhibit is emove the T power component of the power signal Q which is described in Section 7.2.3.3.7.

s prevents RCS temperature which would cause false trips on high power and LPD during low er testing. Protective system criteria are met by this use of neutron flux signals to provide tiple independent inhibit or reset signals.

3.3 System Operation 3.3.1 Reactor Coolant Pump Under-Speed trip is not credited in any accident analysis event. It is provided to improve response to a low-lant-flow condition resulting from loss of supplied power to the RCPs.

P shaft speed is sensed by a magnetic sensor which transmits a signal to a frequency-voltage portional transmitter. The voltage signal, which is proportional to pump shaft speed is then lied to a bistable trip unit. (See Figure 7.2-10). The trip is initiated by two-out-of-four cidence logic from the four channels.

h of the four RCPs is equipped with an independent speed sensing system, with each channel ating independently.

zero power mode bypass switch allows the trip to be bypassed below 10-4 percent power. The bypass is automatically removed prior to increasing reactor power to 10-4 percent power.

3.3.2 High Power Level actor trip in power level Q (see Section 7.2.3.3.7) is provided to trip the reactor in the event of activity excursion too rapid to result in a high pressure trip and to help prevent violation of the A position vs. power level assumed in the Thermal Margin and LPD trips. The high power trip oint can be set no more than a predetermined amount above the indicated plant power.

rator action is required to increase the setpoint as plant power is increased. The setpoint is matically decreased as power decreases.

ure 7.2-11 shows the operation of the system. If Q decreases, the setpoint QTR follows it, aining above Q by a fixed, adjustable bias Qb. If Q now increases, the setpoint remains at the imum value of Q + Qb last achieved, until reset by the operator.

system must be capable of holding the setpoint QTR at the previous minimum of Q + Qb efinitely. This requirement precludes storing QTR by purely analog means. For this reason, the al is stored as a digital word.

reset circuit is designed to apply a momentary signal to the appropriate terminal of the digital age device when a pushbutton is pressed. This causes QTR to achieve the current value of Q +

The reset circuit is buffered to permit locating the pushbutton outside the RPS.

signal QTR is limited so that, regardless of the logic described above, it cannot go above or w limits set by potentiometers.

er circuits generate a pretrip limit for the bistable trip unit, as well as a contact closure to alert operator when power increases after reaching a minimum. The pretrip alarm provides audible visual annunciation in addition to CEA withdrawal prohibit signals.

nd QTR are processed and buffered for remote display on the main control board. Q is also n to the Control Element Drive System (CEDS) and the Plant Computer for use in the power endent insertion limit calculation.

3.3.3 Low Reactor Coolant Flow s reactor trip is provided to protect the core against DNB in the event of a coolant flow rease.

flow measurement signals are provided by measuring the differential pressure across each of two steam generators. Each steam generator differential pressure signal is proportional to the are of the steam generator mass flow rate. These signals are summed to provide a signal that is portional to the square of the reactor vessel mass flow rate. The measured signal is compared pre-determined trip setpoint in the reactor protection system trip bistable. This configuration hown in Figure 7.2-4, and is repeated in each of four redundant channels. A reactor trip is ated when the measured value falls below the bistable trip setting in two-out-of-four cident channels.

trip alarms are similarly provided to warn of decreased coolant flow conditions.

DMs. The trip bypass is automatically removed prior to increasing reactor power to 10-4 ent power.

ctor coolant pump operating requirements and surveillance requirements are defined by hnical Specifications.

3.3.4 Low Steam Generator Water Level abnormally low steam generator water level indicates a loss of steam generator secondary er inventory. If not corrected, this would result in a loss of capability for removal of heat from RCS.

low steam generator water level reactor trip protects against the loss of feedwater flow dent (see Section 14.2.7) and assures that the design pressure of the RCS will not be eeded. The trip set point specified in Table 7.2-1 assures that sufficient water inventory will be he steam generator at the time of trip such that steam generator dryout does not occur before auxiliary feedwater (AF) delivers sufficient flow to remove decay heat and recover steam erator water level.

eactor trip signal is initiated by two-out-of-four logic from four independent channels. Each nnel actuates on the lower of two signals from two downcomer level differential pressure smitters, one on each steam generator. Audible and visual pretrip alarms are actuated to vide for annunciation of the approach to reactor trip conditions.

3.3.5 Low Steam Generator Pressure abnormally high steam flow from one of the steam generators (e.g., that which would occur as result of a steam line break (SLB)) would be accompanied by a marked decrease in steam sure. To protect against an excessive rate of heat extraction from the steam generators and sequent cooldown of the reactor coolant following an SLB, a reactor trip is initiated by low m generator pressure.

eactor trip signal is initiated by two-out-of-four logic from four independent channels. Each nnel actuates on the lower of two signals from two pressure transmitters: one on each steam erator. Audible and visual pretrip alarms are actuated to provide for annunciation of approach eactor trip conditions.

nals from these pressure transmitters initiate closure of the main steam isolation valves IV) on a two-out-of-four coincidence of low pressure in either steam generator.

ypass is provided for the low steam generator pressure trip to allow performance of zero er physics testing. Bypass is accomplished manually by means of a key-operated switch in h channel. The manual bypass is enabled only below a preset steam pressure and is matically removed above this set point. Figure 7.2-5 is a functional diagram of this circuit.

erator pressures exceeds a predetermined set point. When the manual switch is in the Off ition, there is no bypass of the low steam generator pressure trip function.

setting and testing the bistable device by use of the trip tester, a TEST SELECT switch is vided to disconnect the signal not being tested. This can only be done if the manual bypass tch is in the OFF position.

contact testing system consists of two pushbuttons, one for auto bypass removal test and one manual bypass removal test. The purpose of these tests is to check the status of the bypass uit contacts. These tests do not alter or change the contacts from either an open or closed ition.

ssing the AUTO TEST pushbutton completes a path through a contact to the light; thus the t being on indicates that bypass is allowed by the automatic removal circuit. Pressing the N TEST pushbutton similarly tests the manual contact. Pressing both pushbuttons energizes light regardless of bypass status; this tests the light. The light is also on for both the manual automatic contacts closed, i.e., when the trip bypass is in effect.

reactor trip set point of 691 psia (Table 7.2-1) is sufficiently below the full load operating sure so as not to interfere with normal operation, but still high enough to provide the required ection in the event of excessively high steam flow.

3.3.6 High Pressurizer Pressure actor trip for high pressurizer pressure is provided to prevent excessive blowdown of the RCS elief action through the pressurizer safety valves. A reactor trip is initiated by two-out-of- four cidence logic from the four independent measuring channels if the pressurizer exceeds 2397

. This signal simultaneously opens the power-operated relief valves (PORV).

trip signals are provided by four independent narrow range pressure transducers measuring pressurizer pressure. Pretrip alarms are initiated if the pressurizer pressure exceeds 2350 psia ndication of the approach to reactor trip conditions.

3.3.7 Thermal Margin/Low-Pressure Trip TM/LP trip is provided for two purposes. The thermal margin portion of the trip, in junction with the low reactor coolant flow trip, is designed to prevent the reactor core safety t on DNB from being violated during anticipated operational occurrences. The low surizer pressure portion of the trip functions to trip the reactor in the event of a LOCA.

eactor trip is initiated whenever the RCS pressure signal drops below either 1865 psia or a puted value as described below, whichever is higher. The computed value is a function of the her of T power or neutron power, reactor inlet temperature, the number of RCPs operating the axial offset. Consistent with the Technical Specifications, the minimum value of reactor

uencing in accordance with the Technical Specifications is assumed. Finally, the maximum rtion of CEA banks which can occur during any anticipated operational occurrence prior to a h Power Level trip is assumed.

ure 7.2-6 and 7.2-11 describe the operation of this trip system. The higher of the two inlet peratures is used in the TM/LP calculation.

ure 7.2-13 shows a block diagram of the thermal power calculation.

calculation begins with the generation, by temperature transmitters, of currents representing cold and hot leg temperatures in each loop. By forcing these currents through precision stors and utilizing the resulting voltage drops, voltages representing cold leg temperatures (Tc1 Tc2) and hot leg temperature (Th) are sent to the calculator. The latter signal is the average Th the two loops.

he calculator, the higher cold leg temperature signal is selected and subtracted from the hot leg perature signal to determine the temperature rise. The calculator generates terms proportional he first and second powers of the temperature rise and to the product of temperature rise and leg temperature. These three terms represent thermal power for four pump operation and dy state conditions, accounting for coolant density, specific heat, and flow rate variations with perature and power.

sum of these terms represents the core power for four-pump operation under steady state or d transient conditions.

coefficient of the term proportional to the temperature rise (K) is set by the potentiometer led T Power Calibrate on the Reactor Protective System Calibration and Indication Panel SCIP) front panel. This factor is adjusted to make the thermal power calculation agree with plant calorimetric calculation.

thermal power (B) is subtracted from the nuclear power (), generated by the NI Channel, the difference is displayed on a meter with a range of -10 percent to +10 percent of full power.

meter has adjustable upper and lower setpoints. The contacts energize a local light when the iation goes outside the range defined by the setpoints.

make the nuclear power signal agree with the thermal power and/or the plant calorimetric ulation, a potentiometer labeled Nuclear Power Calibrate is provided. This potentiometer sts the gain of the NI Channel from 0.8 to 1.33. An auctioneering circuit selects the higher of lear power or thermal power for use in the remainder of the system.

signal Q, the maximum of nuclear or thermal power, is modified by a CEA position function.

resulting signal is then augmented by an axial factor which is generated in the LPD Trip

ed QDNB.

ressure setpoint Pvar is calculated as a linear function QDNB and of the modified inlet perature described above.

auctioneering circuit selects the maximum of this calculated pressure setpoint and a constant sure Pmin, and sends the resulting signal to the trip unit as a downscale trip setpoint. Trip will ur if the primary pressure drops below the calculated setpoint or below 1865 psia, whichever is er. A pretrip setpoint, 75 psi above the trip point, is also generated.

trip signal is initiated by a two-out-of-four coincidence logic from four independent safety nnels, and audible and visual pretrip alarms are actuated to provide for annunciation on roach to reactor trip conditions. The pretrip action also initiates a CEA withdrawal prohibit.

zero power mode bypass switch allows this trip to be bypassed for low power testing. The trip ass is automatically removed prior to increasing reactor power to 10-4 percent power.

Thermal Margin trip setpoint is processed and buffered for remote display on the main trol board in four dual indicators which compare the trip setpoint with indicated pressurizer sure.

3.3.8 Loss of Turbine trip for loss of turbine is an equipment protective trip and is not required for reactor ection. (Refer to Chapter 14).

s trip is initiated above a preset power level, by actuation of 2 of 4 low hydraulic fluid pressure tches associated with the turbine-generator control systems. Its purpose is to help avoid the ng of the steam generator safety valves during the system transient after a turbine trip, thus nding the service life of these valves. Since credit has not been taken for the equipment ective trips in the Safety Analysis of the plant, they do not fall within the scope of IEEE 279.

he case of the Millstone Unit Number 2 RPS, the design criteria listed in Section 7.2.1.2 ich includes IEEE 279) apply to all trip functions including the equipment protective trips.

3.3.9 High Containment Pressure rip is provided on high containment pressure in order to assure that the reactor is tripped current with safety injection actuation.

r pressure measurement channels provide analog signals to bistable trip units which are nected in a two-out-of-four coincidence logic to initiate the protective action if the tainment pressure exceeds a preselected value.

minimum power level required to produce centerline melt in Zircaloy clad uranium fuel rods efined as the Fuel Centerline Melt Linear Heat Rate (FCMLHR) limit and is expressed in KW/

his FCMLHR is determined using the methodology of XN-NF-82-06(P)(A) Revision 1 and plements 2, 4 and 5 (Qualification of Exxon Nuclear Fuel for Extended Burnup, Exxon lear Company, October 1986.) The high LPD trip is provided to prevent the peak LPD in the from exceeding the FCMLHR limit during anticipated operational occurrences thereby ring that the melting point of the UO2 fuel will not be reached.

actor trip is initiated whenever the axial offset exceeds either a high or low calculated setpoint escribed below. The axial offset is calculated from upper and lower ex-core neutron detector nnels. The calculated setpoints are generated as a function of the core power level with the A group position being inferred from the core power. The trip is automatically bypassed below ercent power.

sistent with the Technical Specifications, the maximum azimuthal tilt and the maximum CEA iation permitted for continuous operation are assumed in generation of the setpoints. In ition, CEA group sequencing in accordance with Technical Specification is assumed. Finally, maximum insertion of CEA banks which can occur during any anticipated operational urrence prior to a High Power Level Trip is assumed.

ure 7.2-13 shows a block diagram of a typical channel. Circuits in the Power Range Safety nnel generate signals proportional to the sum of and the difference between the upper and er detector outputs. An axial offset signal is formed as a linear function of the ratio of the erence to the sum and compared with upper and lower limits generated from a modified power al described in Section 7.2.3.3.8. The offset signal is also used in the Thermal Margin Trip as viously described.

e axial offset exceeds either calculated limit, a contact in the calculator opens and deenergizes trip relays in an auxiliary trip unit. The pretrip relay is similarly released if a narrower elope is exceeded.

3.3.11 Manual Trip manual reactor trip is provided to permit the operator to trip the reactor. Depressing two hbutton switches on the control panel causes interruption of the AC power to the CEDM er supplies. The manual trip function is testable during reactor operation.

3.3.12 Bypass Operation trips are normally cleared before startup. (The loss-of-turbine trip is automatically bypassed w 15 percent power.) For some operations, it may be desirable to perform a reactor startup h some reactor parameters at values which would normally cause a trip. For these special rations, zero power mode bypass switches may be used to bypass the low flow, RCP erspeed, and the low TM/LP trip functions. Four bypass key switches are provided. Each

se bypasses are automatically removed above 10-4 percent power. A manual bypass is vided to allow startup with a low steam generator pressure.

4 TESTING E 338-1971, Trial Use Criteria for the Periodic Testing of Nuclear Power Generating Station tection Systems, September 1971, provides guidance for development of procedures, ipment and documentation of periodic testing. The bases for and the scope and means of ing are described in this section. Test intervals and their bases are included in the Technical cifications. The organization for testing and for documentation is described in Chapter 13.

ce operation of the protective system will be infrequent, the system is periodically and inely tested to verify its operability. A complete channel can be individually tested without ating a reactor trip or violating the single failure criterion, and without inhibiting the operation he RPS.

RPS is capable of being checked from the trip unit input through the power supply circuit kers of the CEDMs. The majority of the components in the protective system can be tested ng reactor operation. The remainder of the components can be checked by comparison with ilar channels or channels that involve related information. These components, which are not ed during reactor operation, will be tested during scheduled reactor shutdown to assure that are capable of performing the necessary functions. Minimum frequencies for checks, bration and testing of the RPS instrumentation are given in Section 4 of the Technical cifications. Overlap in the checking and testing is provided to assure that the entire channel is ctional. The use of individual trip and ground detection lights, in conjunction with those vided at the supply bus, assure that possible grounds or shorts to another source of voltage may etected.

ing reactor operation the measuring channels are checked by comparing the outputs of similar nnels and cross-checking with related measurements. The trip units are tested by inserting a meter in the circuit, noting the signal level, initiating a test input and noting signal level uired to effect trip action. This provides the necessary overlap in the testing process and also bles the test to establish that the trip can be effected within the required tolerances. The test al is provided by a test signal generator which is connected to the trip module at the signal ut terminals. With the test signal generator connected, the desired signal is selected and then rted into the trip unit by depressing the manual test switch. The test circuit permits various s of change of signal input to be used. Trip action (opening) of each of the trip unit relays is cated by individual lights on the front of the trip unit. The pretrip alarm action is indicated by parate light.

sets of logic trip relays at the output of each logic matrix are tested one at a time. The test uits in the logic permit only one logic ladder to be opened and one set of relays to be held at a e; the application of hold power to one set denies the power source to the other sets. In testing gic trip set (e.g., AB) a holding current is initiated in the test coils of the logic trip relays by ing the matrix relay trip test switch to off and depressing the matrix logic AB test

relays may be deenergized one at a time (by rotating the matrix relay trip test switch) to open associated trip breakers. Indicator lights on the trip status panel provide verification that coil ration and trip breaker actuation conditions have occurred.

response time from an input signal to the protection system trip units through the opening of trip circuit breakers is verified by measurement in accordance with the Technical cifications and the Technical Requirements Manual.

odic testing can be carried out from the control room to ensure the continuity of the surement loop. A supplementary signal is introduced into the measurement loop that is assed and the response to this signal is indicated on a meter in the protection system. This fies the continuity of the loop and insures its operability.

RPS is manufactured under strict engineering and quality control specifications. These cifications require that the equipment be inspected for workmanship, proper materials and nnel separation as required by IEEE-279-1968. Furthermore, all intra- and inter-connection ng is tested for continuity and an insulation test is performed between each conductor and ssis ground and between each individual pair of connectors. An operational test is performed he system during which time input signals are simulated to ensure that the protective system is able of producing the proper trip signals.

ower Trip Test Interlock feature is provided to assure protection against the consequences of ain signal selection switches being left in off-normal positions at the completion of testing.

position of these switches, the Test Select switch in conjunction with the Test Enable switch he Power Range Nuclear Instrumentation and the T Power Calculator Test Switch in the CIP, may be changed during testing without causing a trip by bypassing the High Power, TM/

and LPD Trips. If these switch positions should be changed during normal operation or if any hese channels that have been bypassed for testing should be returned to normal prior to rning the switches to normal, trips will occur on the affected channels.

reactor trip circuit breakers are provided with the capability of disabling the shunt trip coils time response testing of the undervoltage trip coils. This feature is provided by means of a dswitch located on the trip breaker switchgear. These handswitch contacts are shown in ure 7.2-1 and 7.2-2. During this testing process, no more than one handswitch should be ed in the test position at the same time and annunciation is provided on C04 that warns the rator that the shunt trip coil is disabled.

5 SYSTEM EVALUATION 5.1 General RPS is designed to limit reactor power and coolant conditions to levels within the design ability of the reactor core. Instrument performance characteristics, response time, and uracy are selected for compatibility with and adequacy for the particular function. Trip

pump starting times are considered in establishing the margin between the trip setpoints and safety limits. The time response of the sensors and protective systems are evaluated for ormal conditions.

ce all uncertainty factors are considered as cumulative for the derivation of these times, the al response time may be more rapid. However, even at the maximum times, which are added he CEA drop time, the system provides conservative protection.

wiring in the protective system is grouped so that no single fault or failure, including either an n or shorted circuit, will negate protective system operation. Signal conductors are protected routed independently.

s of or damage to any one path will not prevent the protective action. Sensors are piped so that kage or failure of any one connection does not prevent protective system action. The process sducers located in the containment building are specified and rated for the intended service.

se components which must operate in the LOCA environment are rated for the LOCA perature, pressure and humidity conditions. Results of type test are used to verify these ngs. In the control room the nuclear instrumentation and protective system trip paths are ted in four compartments. Mechanical and thermal barriers between these compartments uce the possibility of common event failure. Outputs from the components in this area to the trol boards are buffered so that shorting, grounding, or the application of the highest available l voltage does not cause channel malfunction. Where signals originating in the RPS feed the puter, buffering is used to ensure circuit isolation; where the RPS is feeding annunciators, ation is ensured through the use of relay contacts.

protective system is designed such that the deenergized state initiates a channel trip. This ure ensures that if channel continuity is lost, that channel will fail in a safe condition. Module hdrawal is indicated by lights on the RPS panel and annunciators and alarms above the main sole. The modules are not interlocked to prevent withdrawal but are set up such that hdrawal of one module causes a channel trip and withdrawal of a second module causes full

. If a channel is in the bypassed condition, withdrawal of any other two modules of that meter will cause a full trip since the system is in the two-out-of-three trip mode. Only one set keys is available to the plant operator allowing only one of the four channels of any one meter to be bypassed at any one time. Strict administrative control ensures that this uirement is not violated. Indication of test and bypass conditions or removal of any channel m service is given by lights on the protection system front panel and an audible/visible alarm unciator. If a protection system channel is removed from service either by a failure in that nnel or by deenergization for maintenance purposes, then that channel will go to the tripped dition which is indicated and alarmed. Bypasses are alarmed and indicated on the main control el. Automatic removal of a bypass is also indicated by the main control panel annunciator.

protective system is designed and arranged to be able to perform its function with a single ure of any component. Some of the faults and their effects are described below.

a. A loss of signal in a measurement channel initiates protective channel trip action for those parameters which normally trip on a decreasing input. These include Low RCP Speed, Low Reactor Coolant Flow, Low Steam Generator Water Level, Low Steam Generator Pressure, and Thermal Margin/Low Pressure pressure input.

Parameters which trip on an increasing input, including high power level, high pressurizer pressure and high containment pressure, will not trip on a loss of input signal.

b. Shorting of the signal leads to each other has the same effect as a loss of signal.

Shorting a lead to a voltage has no effect since the signal circuit is ungrounded.

Periodic testing will determine if grounds or applications of potential to the signal circuit exist.

c. Single grounds of the signal circuit have no effect. Periodic checking of the system will assure that the circuit remains ungrounded.
d. Open circuit of the signal leads causes a channel trip signal.

5.3 Logic Portion of the Circuit

a. Inadvertent operation of the relay contacts in the matrices will be identified by the indicating lights.
b. Shorting of the pairs of contact in the matrices will prevent the trip relay sets from being released. Such shorts are detectable in the testing process by observing that the trip relay sets cannot be dropped out. Testing is accomplished by successive opening of the logic matrix contact pairs.
c. Shorting of the matrices to an external voltage has no effect since the matrix is ungrounded. The testing process will indicate accidental application of potential to the matrix. Equipment is provided to detect grounds on the matrices.
d. The logic matrices will each be supplied by two power sources. Loss of a single power source has no effect on operation. Loss of power to a logic matrix initiates a trip condition.
e. Failure of a logic trip relay set to actuate has no effect since there are six sets in series in the trip action and any one set initiating trip action will cause the action to be completed.
f. The failure of one trip breaker control relay in a trip breaker circuit has no effect since there are two trip breakers in series, either of which will provide the necessary action.

accidental ground.

h. The AC circuit supplying power to the trip breaker control relay coil is fed from an isolation transformer. The circuit has a local ground detection system. Each of the four trip paths are fed from a separate 120 VAC vital instrument bus.
i. The CEDM power supply circuits operate ungrounded so that single grounds have no effect. A ground detection system is provided. The CEDMs are supplied in two groups by separate pairs of power supplies to further reduce the possibility of a CEA being improperly held. The CEDM load requirements are such that the application of any other local available voltage would not prevent CEA release.

6 SYSTEM RELIABILITY AND AVAILABILITY 6.1 Power Supply power for the protective system is supplied from four separate and independent vital 120 volt buses. Each vital bus is supplied from one of the two station battery systems through separate rters (as shown in Figure 8.5-1). During normal operation, the battery chargers maintain a ting charge on each battery while at the same time, supply power to the vital inverters. Upon of auxiliary AC power, the batteries provide the power for inverter operation. In the event of of vital bus, the protective channel associated with the bus goes into a trip condition. Each l bus also has automatic rapid transfer to a regulated instrument ac supply used as a backup.

distribution circuits from the vital buses are provided with fuses and circuit breaker ection to assure that individual circuit faults are isolated close to the fault.

6.2 Environment Capability components were specified for environmental conditions existing in the area of the plant in ch the components are installed.

iation design criteria for RPS components located within normally radioactive areas are cified at a gamma level of 1R/hour for 10 years, except for the main coolant resistance perature detectors (RTDs), which are specified at 10R/hour for 40 years. Protective system ipment not located in normally radioactive areas or located in areas of very low activity has n specified accordingly. Periodic tests and calibration will assure detection of gradual ipment deterioration and will assure capability of the system to operate as required by the inal design bases.

design criteria for all electrical cable are that the cable shall not fail when subjected to any dent conditions after the long-term normal operating conditions. Cable details are specified in pter 8.

specification for each RPS component or assembly includes the seismic requirements for that ipment.

se components are qualified by either of the two following methods.

most cases, the supplier is required to qualify his equipment by calculation or testing, or a bination of both. This qualification is formally documented and submitted for approval prior fficial acceptance of the equipment by Quality Control.

ther cases, tests or calculations are performed by independent consultants or laboratories who mit a formal report. Acceptance of the equipment from the supplier is contingent upon the of of suitability as established by the results of those tests or calculations.

choice of the analytical or experimental qualification procedure is determined by the size, pe and structural or functional complexity of the equipment in accordance with the criteria ined in IEEE 344 Guide for Seismic Qualification of Class I Electric Equipment for Nuclear er Generating Stations. Racks, panels or other supporting structures are generally qualified analysis, while bistable trip units and other modules are generally qualified through testing.

ts and calculations are performed following the guidelines of IEEE 344, 1971.

e testing is the preferred qualification method in accordance with IEEE-323, 1971, General de for Qualifying Class I Electric Equipment for Nuclear Power Generating Station. A report he qualification of the RPS panels, racks, and equipment including the results of type tests, submitted by CE in December of 1972 in the form of a topical report, CENPD-61, Seismic lification of Category I Electric Equipment for Nuclear Steam Supply Systems.

6.4 Physical Separation locations of the sensors and the points at which the sensing lines are connected to the process p have been selected to provide physical separation of the channels, thereby precluding a ation in which a single event could remove or negate a protective function. Process smitters located inside the containment and required for short term operation following a CA are rated for the intended service in the LOCA environment. The routing of cables from e transmitters is arranged so that the cables are separated from each other and from power ling to minimize the likelihood of common event failures. This includes separation at the tainment penetration areas. In the control room, the four nuclear instrumentation and ective system trip channels are located in individual compartments. Mechanical and thermal iers between these compartments minimize the possibility of common event failure. Outputs m the components in this area to the control boards are buffered so that shorting, grounding, or application of the highest available local voltages do not cause channel malfunction.

6.5 Bistable Trip Unit Drift bistable trip units have been specified and designed for a maximum drift of 32 mv.

TABLE 7.2-1 REACTOR TRIP AND PRETRIP SET POINTS Pretrip Alarm

o. Reactor Trip Set Point Trip Set Point Reactor Coolant Pump Underspeed * (not N.A. 830 rpm credited)

High Power Level 2% below trip 10% above setpoint measured power Q

Low Reactor Coolant Flow

  • 4-Pump N.A. 91.7 Operation, %

Low Steam Generator Water Level, % 54 48.5 (Auctioneered low of SG #1, SG #2)

Low Steam Generator Pressure **, psia 780 691 (Auctioneered low of SG #1, SG #2)

High Pressurizer Pressure, psia 2350 2397 Thermal Margin/Low-Pressure

  • 75 psia above trip Variable trip set set point point with minimum of 1865 psia Loss of Turbine *** (Low Hydraulic Fluid N.A. 500 Pressure) psig High Containment Pressure, psig N.A. 4.42

. Manual Trip (Push Buttons) N.A. N.A.

. Local Power Density < FCMLHR FCMLHR Manual inhibit permitted below 10-4 percent power: automatically removed prior to increasing reactor power to 10-4 percent power.

Manual inhibit permitted below 800 psia: automatically removed above 800 psia.

Inhibited below 15% power.

TABLE 7.2.1.1-I PARAMETERS AFFECTING FUEL DESIGN LIMIT I. DNBR and Void Fraction

1) Core Power
2) Core Inlet Temperature
3) Axial Power Distribution
4) Radial Peaking Factor
5) Primary System Pressure
6) Core Mass Flow Rate
7) Azimuthal Tilt Magnitude II. Fuel Temperature (or Equivalent kw/ft)
1) Core Power
2) Axial Power Distribution
3) Radial Peaking Factor
4) Azimuthal Tilt Magnitude

NSSS Parameter Monitored Variable re Power Neutron Flux Power/T Power re Inlet Temperature Cold Leg Temperature imary System Pressure Pressurizer Pressure ial Power Distribution Axial Flux Offset dial Peaking Factor (Inferred from Neutron Flux Power/DT Power and Technical Specifications PDILS) re Mass Flow Rate Steam Generator Differential Pressures imuthal Tilt Magnitude Value assumed consistent with Technical Specifications Limit

cceptable Fuel Design Limit Calvert Cliffs Millstone Unit 2 NBR & Void Fraction Thermal Margin Trip Axial Thermal Margin Trip Flux Offset Trip High Power Trip Low Flow Trip Low Flow Trip w/Ft (Fuel Temperature) Axial Flux Offset Trip Local Power Density Trip High Power Trip

Trip Calvert Cliffs Millstone Unit 2 ermal Margin Pressurizer Pressure Neutron Pressurizer Pressure Neutron Flux Flux Power/T Power Power/ Power re Inlet Temperature Core Inlet Temperature Core Inlet Temperature ial Flux Offset Neutron Flux Power Axial Flux Offset cal Power Density Neutron Flux Power/T Power Axial Flux Offset gh Power Neutron Flux Power Neutron Flux Power/ Power w Flow Steam Generator Differential Steam Generator Differential Pressure Pressure

ision 3906/30/21 MPS-2 FSAR 7.2-25 figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

FUNCTIONAL DIAGRAM ision 3906/30/21 MPS-2 FSAR 7.2-30 CHANNELS CHANNELS figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

ision 3906/30/21 MPS-2 FSAR 7.2-34 ision 3906/30/21 MPS-2 FSAR 7.2-35 ision 3906/30/21 MPS-2 FSAR 7.2-36 ision 3906/30/21 MPS-2 FSAR 7.2-37 ision 3906/30/21 MPS-2 FSAR 7.2-38 1 DESIGN BASES plant protection system consists of a sense and command design features involved in erating the signals used for reactor trip and engineered safety features actuations. The plant ection system consists of the Reactor Protection System (RPS) and the Engineered Safety tures Actuation System (ESFAS). The ESFAS is that portion of the plant protection system d to automatically and manually initiate the operation of the engineered safety features (ESF) ems and essential auxiliary supporting (EAS).

Millstone Unit 2, the ESFAS is comprised of: (1) the Engineered Safeguards Actuation System AS) and (2) the Auxiliary Feedwater Automatic Initiation System (AFAIS).

1.1 Functional Requirements Engineered Safety Features Actuation System (ESFAS) is designed to detect accident ditions and initiate the operation of systems and components important to safety. The ESFAS esigned for high functional reliability and in-service testability commensurate with the safety ctions it performs.

1.2 Design Criteria 1.2.1 Single Failure, Redundancy and Independence ESAS and AFAIS are designed with sufficient redundancy and independence to assure that no single failure results in loss of protective function and (2) removal from service of any ponent of a channel does not result in loss of the required minimum redundancy unless the eptable reliability of operation of the protection system can be otherwise demonstrated.

ESFAS is designed and constructed in accordance with Institute of Electrical and Electronics ineers (IEEE) Standard 279, Criteria for Nuclear Generating Station Protection Systems,

1. Emphasis has been placed on the single-failure criteria, which requires that no single failure l prevent the system from initiating the safety feature functions when true initiating conditions t.

system functions are implemented by means of redundant sensors, instrument loops, logic actuation devices.

ependence is provided between redundant elements to preclude any interactions between nnels during maintenance or in the event of channel malfunction.

undant elements are electrically isolated from each other such that events affecting one ment are not reflected in any other redundant element.

sical separation is in accordance with Section 8.7.

1.2.2 Modular Design rchangeability without preselection is provided for all corresponding Engineered Safeguards uation System (ESAS) modules or components with the exception of keys. All ESAS items ovable from the equipment such as assemblies, subassemblies, electrical parts, modules and dware are replaceable physically and electrically with corresponding items. The replacement arts, when accomplished in a manner prescribed by the ESAS manufacturer, will not cause the ipment to depart from the original specified performance.

Auxiliary Feedwater Automatic Initiation System (ASAIS) utilizes modular Foxboro ipment for the signal conditioning, bistable, and coincidence logic functions.

1.2.3 Module Withdrawal and Bypass hdrawal of any ESAS subunit or module in any of the sensor channels results in a trip of the cted channel and annunciation of the tripped channel. Means are provided by interchangeable key-operated switches to manually bypass any single analog channel bistable module of a four-channel parameter. Annunciation of ESAS channel bypass is provided.

removal of an AFAIS module may not result in a trip as AFAIS is an energize to actuate gn. Each AFAIS actuation channel contains provisions to bypass the sensor channel input to actuation channels coincidence logic by means of a key-operated switch. Annunciation of nnel bypass is provided.

h the exception of auxiliary feedwater automatic initiation control, loss of power to a sensor nnel of the ESFAS will result in a trip of the sensor channel affected. A trip of the ESAS nnel is annunciated. A trip of an AFAIS sensor channel is indicated by status lamps on C517 C518.

system is designed such that routine servicing and preventive maintenance can be performed hout affecting operation or availability. Normal maintenance does not reduce performance w the minimum safety level.

1.2.4 Environment ESAS cabinets are installed in the control room which is normally air conditioned and able for computers or computer-grade equipment. However, the equipment installed in the AS cabinets is designed to function continuously at temperatures ranging from 40°F to 140°F at a relative humidity of 95 percent. Additionally, the following control room equipment in SPEC 200 cabinets is environmentally qualified for a temperature range of 40°F to 120°F and lative humidity of 10 percent to 95 percent (with an 86°F maximum wet bulb): (a) plant

1.2.5 Seismic Requirements ESFAS has been designed to function before, during and after a design basis earthquake E). The ESFAS has been demonstrated to be seismically qualified by type tests and analysis.

original ESAS cabinet was evaluated by Consolidated Controls Corporation as documented ngineering Reports No. 832 and NBR 863. The type tests and analysis on the remaining AS equipment conform to the guidance of the IEEE standards governing seismic qualification cribed in Section 7.3.1.2.6 below.

1.2.6 Codes and Standards ESFAS and component parts conform to the requirements of the following IEEE standards Nuclear Regulatory Commission (NRC) Regulatory Guide.

auxiliary feedwater (AF) automatic initiation system and component parts and in tainment mounted sensors conform to the 1974 edition of IEEE 323 and the 1975 edition of E 344 and the standards listed below. The containment mounted sensors conform to the 1975 ion of IEEE 344 and the standards listed below.

IEEE 279 1971 Criteria for Protection Systems for Nuclear Power Generating Stations IEEE 308 1970 IEEE Standard Criteria for Class IE Electrical Systems for Nuclear Power Generating Stations IEEE 323 1971 General Guide for Qualifying Class I Electrical Equipment for Nuclear Power Generating Stations IEEE 344 1971Seismic Qualification of Class I Electric Equipment for Nuclear Power Generating Stations IEEE 336 1971 Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations IEEE 338 1971 Periodic Testing of Nuclear Power Generating Station Protection Systems Regulatory Guide 1.22 Periodic Testing of Protection System Actuation Functions IE Bulletin No. 80-06 Engineered Safety Features Reset Controls

ESAS system is designed to permit testing up to and including the actuation module during er operation.

ESAS system has an automatic testing system. This system is described in Section 7.3.4.

1.2.8 Response Time response time of the ESAS system from the sensor input to the trip device output terminals is than or equal to 500 milliseconds. This response time is inclusive to the overall component onse time requirements of ESFAS as described in the Millstone Unit 2 Technical uirements Manual.

2 SYSTEM DESCRIPTION 2.1 General ESFAS detects accident conditions and initiates the safety features systems which are gned to localize, control, mitigate, and terminate such incidents. The ESAS was designed and structed by Consolidated Controls Corp. in Bethel, Connecticut. The AFAIS equipment was plied by the Foxboro Company. The engineered safety features actuation system is divided four sensor channels (A, B, C, D), two actuation channels and actuation logic channels.

h of the two ESAS actuation and logic channels includes an automatic load sequencer for uentially loading the emergency diesel generators (DG) following a loss of normal power. A arate third channel is incorporated into the ESAS to actuate equipment that can be energized ither of the two electrical divisions.

process variables are transmitted as analog signals. Loss of voltage on the 4.16 kV emergency is detected through the potential transformers by the ESFAS undervoltage modules.

r essential or vital power sources are provided for the ESFAS. Two emergency DGs are vided to supply power to the actuated equipment of the protective systems in case of loss of ite power.

ffsite power is available, the engineered safety features (ESF) equipment starts directly. If ite power is not available, load shedding and sequencing are required for sequential loading of DGs.

a result of IE Bulletin Number 80-06, Engineered Safety Feature Reset Controls, the ESF et Controls have been modified so that ESF actuated equipment remains in its emergency, uated, mode following reset of an ESFAS until deliberate operator action is taken.

instrument channels monitor redundant and independent process variables and initiate a sor channel trip when the variable or condition deviates beyond a set limit. Each of the ation channels receives a signal from the following variables: (See Figures 7.3-1, 2, 7.3-3, 4.)

a. Pressurizer Pressure Low pressurizer pressure during power operation is indicative of a loss-of-coolant accident (LOCA). It is measured with four redundant pressure transmitters. A pressure loss below 1714 psia on any two of four bistables in the ESF system will initiate a simultaneous safety injection actuation signal (SIAS), containment isolation activation signal (CIAS), and enclosure building filtration actuation signal (EBFAS). These signals will isolate all unnecessary lines at the containment penetration, initiate safety injection system (SIS) operation, and start the enclosure building filtration system (EBFS). The four pressure transmitters are also used for input signals to the RPS.
b. Containment Pressure High containment pressure during power operation is indicative of a LOCA or main steam line break. It is measured with four pressure transmitters. An increase in containment pressure to 4.42 psig on any two of four bistables in the ESF system will initiate a simultaneous SIAS, CIAS, EBFAS, and MSIAS.

Measurement of containment high pressure is a diverse means of sensing a loss of coolant condition. The transmitters are reverse acting type (increasing input gives a decreasing output signal) to permit fail safe operation.

With regard to power requirements, loss of instrument power results in a tripped bistable which would require only one more of the three remaining bistables to trip in order to get an actuation.

A failure mode analysis for loss of onsite instrument power is shown in Table 7.3.2.2-1.

A further increase in containment pressure to 9.48 psig will initiate a containment spray actuation signal (CSAS) which will start two containment spray pumps and open their respective discharge motor operated valves (MOV) to start spraying.

c. Containment Gaseous and Particulate Radiation Two gaseous and two particulate monitors are used to detect the release of radioactive fission products to the containment atmosphere. If these monitors were to fail or were unavailable, grab samples are taken or portable continuous air monitoring equipment is used. The ESFAS logic will initiate containment purge

handling accident analyses.

d. Steam Generator Pressure Each steam generator pressure is sensed by four pressure transmitters. A drop in pressure to 572 psia on any two out of the four sensor channels on either steam generator will actuate a main steam isolation actuation signal (MSIAS) which automatically closes both MSIVs. The four pressure transmitters are also used for input signals to the RPS.
e. Fuel Handling Area Radiation Fuel handling area high radiation is sensed by four redundant area radiation monitors located on walls adjacent to the spent fuel pool. Upon detection of high radiation due to a fuel handling accident from any two of the four monitors, an auxiliary exhaust actuation signal (AEAS) is generated which stops the spent fuel pool area outside air supply fan and diverts the exhaust to the EBFS.
f. Refueling Water Storage Tank Level The safety injection pumps initially take suction from the refueling water storage tank (RWST). After the tank level has decreased to 46 inches as measured by two of four level sensing channels, a sump recirculation actuation signal (SRAS) transfers the safety injection pump suction to the containment sump for long-term recirculation.
g. Emergency Bus Undervoltage The undervoltage protection provided for the emergency buses consists of two independent schemes, one for each 4,160 volt emergency bus, 24C(A3) and 24D(A4). Each scheme employs redundant design features and consists of two levels of protection. The Level 1 undervoltage protection (loss of voltage) is designed to detect a loss of voltage on the emergency buses. The Level 1 undervoltage logic isolates the emergency buss from all sources, initiates automatic loading shedding, and provides a start signal for the diesel generator associated with the emergency bus. The Level 2 undervoltage protection (degraded voltage) is designed to protect the safety-related equipment from operation under sustained low (degraded) voltage conditions. The Level 2 undervoltage logic provides a trip signal to the reserve station service transformer (RSST) supply breaker of the associated bus. Figure 7.3-1 illustrates the emergency bus undervoltage protection logic (see also FSAR Section 8.2).

Potential transformers on 4,160-volt emergency buses 24C(A3) and 24D(A4) provide voltage inputs to the ESAS undervoltage sensor logic. In the ESAS sensor

with bus 24C(A3) are connected to the ESAS Facility 1 actuation logic cabinet.

The Level 1 and Level 2 trip outputs associated with bus 24D(A4) are connected to the ESAS Facility 2 actuation logic cabinet.

The trip setpoints and associated time delays for the Level 1 and Level 2 undervoltage protection are defined in the Technical Specifications and are as follows:

Level 1 2,912 volts with a time delay of 2 seconds Level 2 3,700 volts with a time delay of 8 seconds The time delay for the Level 1 undervoltage setpoint was chosen to:

1. allow sufficient time for protective relaying schemes to detect and clear system and station faults that cause bus voltages to drop below the Level 1 undervoltage setpoint and
2. ensure that the Level 1 undervoltage actuation functions occur in a time frame that is consistent with the MP2 safety analysis for design basis accidents.

The time delay for the Level 2 undervoltage setpoint was chosen to be:

1. sufficiently long as to prevent unnecessary trips of the circuit breaker connecting the emergency bus with the RSST source during voltage transient conditions (e.g., the starting of large motors) and
2. sufficiently short as to (a) prevent damage to safety-related AC loads and (b) ensure that the Level 1 undervoltage actuation functions occur in a time frame that is consistent with the MP2 safety analysis for design basis accidents.
h. Steam-Generator Level Level in each of the two steam generators is sensed by four common and redundant differential pressure transmitters. (Each steam generator level transmitter also provides an isolated signal to the RPS for input to the low steam generator water level reactor trip as described in Section 7.2.) AF is initiated automatically on low steam generator level by a 2 out of 4 logic matrix from the four independent bistable channels. The level input signals from both steam generators are auctioneered at the channel level, so that each auto AF bistable channel receives the lower of the input signals from two level transmitters (one from each steam generator). If any two of the four (total), measurement channels
  • a three (3) minute, twenty-five (25) second (nominal) time delay begins timing out
  • and a control room alarm annunciates the automatic AF initiation signal.

Following the time delay, automatic AF start indication is provided on C05 and C21 and two auxililary relays per facility are energized. The auxiliary relays send a start signal to the respective facility motor driven AF pump and open signals to both AF regulating valves.

2.3 Actuation Channels two redundant and independent actuation channels monitor the sensor channel trips and by ns of coincidence logic determine whether a protective action is required. The following ation channels are initiated by the ESFASs: (See Figure 7.3-1, 7.3-3 and 7.3-4.)

a. SIAS under the condition: low-low pressurizer pressure 2-out-of-4 (or 2-out-of-3) or high containment pressure 2-out-of-4 (or 2-out-of-3) or manual SIAS (main control board pushbutton).
b. CSAS under the following conditions: SIAS (manual or automatic) and high-high containment pressure 2-out-of-4 (or 2-out-of-3) or manual CSAS (main control board pushbutton).
c. CIAS for automatic containment isolation valves under the conditions: low-low pressurizer pressure 2-out-of-4 (or 2-out-of-3) or high containment pressure 2-out-of-4 (or 2-out-of-3) or manual SIAS or CIAS (main control board pushbuttons).
d. EBFAS under the following conditions: low-low pressurizer pressure 2/4 (or 2-out-of-3) or high containment pressure 2-out-of-4 (or 2-out-of-3) or manual EBFAS or SIAS (main control board pushbuttons).
e. Containment purge valves close signal (CPVIS) under the following conditions:

high containment radiation 1-out-of-4.

f. Containment hydrogen purge valves close signal under the following conditions:

CIAS. In addition, two high range gamma-sensitive ion chambers are used to detect post-accident radiation levels in the containment. The ESAS CIAS logic in conjunction with the logic from the post-accident radiation monitors is combined together in an OR logic to initiate closure of the containment hydrogen purge valves. The containment hydrogen purge valve closure is generated either by one-

g. MSIAS upon low steam generator pressure 2-out-of-4 (or 2-out-of-3) or high containment pressure 2-out-of-4 (or 2/3) or manual MSIAS (main control board push buttons).
h. SRAS for the following conditions: low-low RWST level 2-out-of-4 (or 2-out-of-
3) or manual SRAS (main control board pushbutton).
i. AEAS for the following conditions: high radiation in the fuel handling area 2-out-of-4(or 2-out-of-3) or manual AEAS (main control board pushbutton or local pushbutton) in the absence of EBFAS.
j. Emergency bus load shed for the following conditions: Level 1 emergency bus undervoltage (loss of voltage), 2-out-of-4 (or 2-out-of-3) channels. FSAR Section 8.2 discusses the automatic load shedding of the emergency buses.
k. Emergency DG start for the following conditions: Level 1 emergency bus undervoltage (loss of voltage), 2-out-of-4 (or 2-out-of-3) channels or on a SIAS.

FSAR Section 8.3 discusses the automatic start of the emergency DGs.

l. Trip of the RSST supply breaker to the associated 4160 Volt emergency bus for the following conditions: Level 2 emergency bus undervoltage (degraded voltage), 2-out-of-4 (or 2-out-of-3 channels).
m. Auxiliary feedwater automatic initiation system (AFAIS) signal under the following conditions: Steam Generator water level low, 26.8%, 2-out-of-4 (or 2-out-of-3).

2.4 Actuation Interface each of the groups in each ESAS actuation channel, separate interfacing logic and coincident c are provided such that any isolated actuation of one group will not produce actuation of any he others. The ESAS actuation interface modules ensure that the signals provided by the ation logic are distributed to the safety equipment. The ESAS actuation modules provide als to the final ESAS relays for the control of safety equipment.

ESAS actuation signals produced in the logic modules are separated and test groupings have n selected to permit equipment actuation without upsetting normal plant operation.

AFAIS actuation is arranged in two redundant actuation channels. The actuation outputs are nged such that actuation of either of the two redundant actuation channels will result in ation of both auxiliary feedwater valves. Each of the two redundant channels will actuate its ciated motor-driven auxiliary feedwater pump.

en an actuation channel trips, due to unit conditions or manual initiation, its logic seals in its ped state until it is manually reset.

2.6 Manual Initiation h actuation channel (1 or 2) of each of the following actuation signals can be initiated by a hbutton located on the main control board: SIAS, CSAS, CIAS, EBFAS, SRAS, MSIAS, and AS. Each pushbutton initiates all actuation groups of the associated signal within its respective ation channel.

manual actuation switches located on the main control board are designated HS on ures 7.3-1 and 7.3-4.

h train (A or B) of the auxiliary feedwater system (AFWS) may be manually initiated utilizing mal system manual controls.

2.7 Manual Reset h actuation channel (1 or 2) of each of the actuation signals described in Section 7.3.2.3 has an pendent momentary contact pushbutton located on the ESAS cabinets for manual reset of the ation signals. The reset switch has no effect as long as a trip condition input to the logic rix exists. Each pushbutton resets all actuation groups of the associated signal within actuation nnels 1 or 2.

nual reset of the AF automatic initiation circuitry is accomplished by positioning the ective train control switch to the reset (momentary) position. The reset switch has no effect as g as a trip condition input to the logic matrix exists.

2.8 Automatic Sequencer ffsite power is available, the equipment actuated by ESFAS signals is started as soon as the ation signal is developed by the coincidence logic. When offsite power is not available, the ipment is started by a sequencer. Emergency DGs are provided for supplying power to ESFs in of loss of offsite power. The load shedding and sequential actuation system initially blocks, then unblocks in programmed steps, the actuation channels for the equipment requiring power erform its intended function. The undervoltage system contains four redundant sensors. The outputs are delayed and, by means of two-out-of-four coincidence logic, load shed and diesel t are initiated.

diesel load sequencers (1/channel) provide 10 independent (5/sequencer), time-separated ing signals as detailed in Figures 7.3-2A through 7.3-2D, and Tables 8.3-2 and 8.3-3.

d 8.3-3.

ans for testing of the sequencers are provided.

cators located in the appropriate cabinet will show the state of each sequencer time step.

2.9 Annunciation ESFAS provides contact outputs to indicate status in the control room. The outputs are ated so that faults occurring external to the actuation system cabinets will in no way degrade protective function of the system.

contacts provided are summarized, as follows:

a. Bistables A contact for each of the 52 ESAS sensor channel trip bistables, to indicate bistable trip, for use on individual windows of the main control board annunciation system.

A contact for each of the four ESAS sensor channel parameters to indicate bistable bypass and conversion from 2-out-of-4 to 2-out-of-3 logic.

A contact from each of the redundant AFAIS actuation logic trains to annunciate a channel in bypass and that an actuation train is converted from a 2-out-of-4 to a 2-out-of-3 logic.

AFAIS bistable status is indicated by lamps on the status panel for each actuation channel on C517 and C518. Each panel has 4 status lamps, one for each of the four bistable inputs to the actuation channel. The panel for each actuation channel also indicates the failed/not failed status of the actuation channel microprocessor.

b. ESFAS Actuation A contact for each of the two channels for the following actuation signals to indicate an actuation trip. The actuation signals alarmed are SIAS, CIAS, CSAS, EBFAS, MSIAS, SRAS, AEAS and AFAIS. A contact for each of the actuation channels for the pressurizer low-low pressure, mainsteam isolation to and AFAIS to indicate manual blocking of the channel.

A contact for each of the actuation channels for both the pressurizer low-low pressure and main steam isolation to indicate permission to block the actuation channel.

One contact per sequencer for indication of the automatic sequencing in progress.

One contact per sequencer for indication of sequencer malfunction.

2.10 Cabinets

a. The ESAS cabinets are located in the main control room behind the main control board (see Figure 7.6-1).
b. The AFAIS circuitry is located in cabinets C517, C518 and SPEC 200 Racks, RC-30A, B, C, D, A-1, B-1 in the main control room behind the main control board (see Figure 7.6-1).
c. The ESAS cabinets have hinged rear doors and open fronts with semiflush mounted devices.
d. Cabinets RC-30A, B, C, D, A-1, B-1 have hinged front and rear doors, removable side panels with nest-mounted modules. C-517 and 518 contain channel status lamps and key-operated channel bypass switches.
e. Any adjustment required for routine calibration is accessible from the cabinet front. Adjustments for routine calibration do not require removal of equipment from its housing. Adjustment controls have keyless locking mechanisms and/or they are recessed in the cabinet or applicable chassis.
f. Nameplates are used to identify all cabinets, channels, and assemblies. Individual channels are identified by color code throughout the system.

2.11 Analog Bistables ESAS analog comparator bistables are designed to meet the following specifications:

a. The trip-point adjustment of the analog channel bistables covers the input signal range from 0 through 100 percent. The adjustment is by means of a calibrated dial.

The resolution of adjustment is +/- 0.25 percent when suitable external measuring equipment is used in connection with setting the trip point.

b. The deadband or hysteresis of the bistable is internally adjustable.
c. The noise appearing in the system, such as power supply noise, switching transients, or noise included in wiring entering or leaving the cabinets, will not induce false outputs nor prevent true actuation.

supply voltage and frequency variations.

e. The bistables automatically reset when trip conditions no longer exist.

AFAIS bistable is a Foxboro Spec 200 module with an adjustable setpoint.

2.12 Power Supply ESFAS and RC-30A, B, C, D, A-1 and B-1 cabinets are powered from four vital DC-AC rters which are supplied from two vital 125 volt DC batteries. Each battery supplies two rters. The four inverters supply power to the four sensor channels. Redundant power for the actuation channels is supplied from the two redundant 125 volt DC batteries.

h ESAS sensor cabinet is provided with a backup 120 volt vital AC source via isolation sformers internal to each sensor cabinet. Sensor Cabinet A is backed up by vital AC supplied m Sensor Cabinet D and vice versa. Sensor Cabinet B is backed up by vital AC supplied from sor Cabinet C and vice versa.

C 200 Instrumentation Cabinets RC30A, B, C, and D, which provide most of the signal inputs SAS, are not provided with backup AC power. Loss of a vital DC bus with no credit of the

-vital Turbine battery results in loss of two inverters. The ESAS Sensor Cabinets would ain energized, and the associated SPEC 200 cabinets would de-energize. Loss of two inverters ld result in all ESAS signals with the exception of LNP and SRAS.

ower supply interruption of up to 35 milliseconds or a voltage dip of 20 percent for up to 30 onds will not produce actuation of a ESAS sensor channel bistable.

availability of DC relay power for the ESAS is constantly monitored by the automatic test rtion (ATI) portion of the system. In the event of loss of DC power supply in either actuation nnel, the ATI fault annunciation will sound. In addition, the power supply monitor lamp on the ation cabinet front panel will extinguish.

er to Section 8.6 and Figure 8.5-1 for more detail on the vital instrument power supply em.

2.13 System Interface following redundant process variable signals are input to the ESFAS:

a. Pressurizer pressure Range (psia) 1500-2500 Input (volts, DC) 1-5

Range (psig) 60-0 Input (ma, DC) 4-20

c. Steam generator pressure Range (psia) 0-1000 Input (volts, DC) 1-5
d. Fuel handling area radiation Range .1 mr/hr to 104 mr/hr logarithmic Input (volts, DC) 5-1
e. Refueling water storage tank level Range (%) 0-100 1 Input (ma, DC) 10-50
f. Emergency bus voltage Range (vac) 0-120 Input (vac) 0-120
g. Steam generator water level Calibrated range (inches of water column)174.5-42.3 Input (ma, DC) 4-20
h. Containment radiation (Gaseous and particulate)

Range 10 cpm to 106 cpm Input (volts, DC) 5-1 ated DC outputs from each sensor of items b and e above are provided for main control board cations.

Note: Due to physical instrument tap locations, RWST level cannot be monitored below roximately 4%.

system has output relays that provide electrically isolated contacts for actuation of equipment abulated on Figures 7.3-2A through 7.3-2D.

3 SYSTEM OPERATION 3.1 Operational Bypasses ans are provided for the operator to block actuation of the SIAS while the RCS is undergoing ressurization. Blocking is effected as follows:

a. Permitted only when the pressurizer pressure is less than 1850 psia on three out of four analog sensor channels.
b. Initiated independently for channels 1 and 2 by momentary contact closure switches on the main control panel.
c. Removed automatically when the pressurizer pressure exceeds the 1850 psia block permit pressure on two out of four analog sensor channels.
d. Block only the output of the 1714 psia pressurizer pressure trip 2/4 matrices.
e. Permission to block and any block initiations are annunciated on the main control board.

ans are provided for the operator to block actuation of the MSIAS during startup or shutdown.

cking is effected as follows:

a. Permitted only when the steam generator pressure is below 700 psia on three out of four analog sensor channels.
b. Initiated independently for channels 1 and 2 by momentary contact closure switches on the main control panel.
c. Removed automatically when the steam generator pressure exceeds the 700 psia block permit pressure on two out of four of the analog sensor channels.
d. Block only the output of the 572 psia steam generator pressure trip 2/4 matrices.

The High Containment Pressure MSIAS trip function is not blocked.

e. Permission to block and any block initiations are annunciated on the main control board.

ans are provided for the operator to block actuation of the AFAIS at any time. Blocking is cted as follows:

panel.

b. Any block initiations are annunciated on the main control board.

3.2 Bistable Trip Bypass means of a key lock switch, any one of four redundant ESAS channel bistables can be assed such that trip signals in two of the remaining three channels are required to initiate an ation channel output. The key is retained when the switch is in the bypassed position. Each up of four sensor channel bistables has a single noninterchangeable key with a registered bination such that only one sensor channel of a group is capable of being bypassed at any one

e. An alarm is annunciated if any bypass is actuated.

the AFAIS, the coincidence logic inputs associated with any one of the four redundant nnel bistables can be bypassed by means of two key lock switches; one for Train A and one for n B. In this condition, trip signals in two of the remaining three channels are required to ate an AFAIS actuation. The keys are retained when the switches are in the bypassed position.

bypass keys are administratively controlled such that only one AFAIS trip channel can be assed in both trains of actuation logic at any one time. Train-specific alarms are annunciated if bypass is actuated.

4 AVAILABILITY AND RELIABILITY 4.1 Special Features ans for continuously monitoring and indicating the ESFAS status are provided by indicating ts on the front of the cabinets. All indicating lights have features for manually checking bulb ction.

ans for monitoring the status of the AFAIS is provided by indicating lights on the main control rd, RC-517, 518 and hot shutdown control panel and annunciators on the main control board.

4.1.1 Sensor Channel Surveillance functions indicated by a lighted bulb are as follows:

a. Bistable tripped
b. Power supply failure the AFAIS, the functions indicated by a main control board annunciator are as follows:
a. Sensor channel bypassed

ESAS functions indicated by a lighted bulb are as follows:

a. Tripped actuation subchannel
b. Sequential actuation system blocking
c. Sequencer tripped the AFAIS, the functions indicated by a lighted bulb are as follows:
a. Blocked actuation train
b. Actuation train - power available
c. Actuation train - initiated
d. SPEC 200 micro failure functions indicated by main control board annunciation are as follows:
a. Actuation train initiated
b. Actuation train blocked
c. Sensor channel bypassed 4.1.3 System Test Surveillance ddition to the indicating lights, a matrix of indicating lights is furnished as part of the ESAS to locate failures.

4.2 Tests and Inspection 4.2.1 Testing AS and AFAIS are tested in accordance with plant procedures and Technical Specification uirements. These tests confirm the operability of the ESFAS, final actuated equipment, and all porting subsystems and power supplies.

4.2.2 Testing Features ESFAS incorporates the following testing features:

a. Bistable trip test

operation. Means are provided for indication of proper return to normal operation following completion of test.

b. Actuation channel trip test Each ESAS coincidence 2-out-of-4 matrix is provided with independent test switches. Operation of the test switches will cause an output of the associated coincidence matrix and trips the related actuation channel logic. The overlapping testing procedure and the arrangement of the matrix ensure that a protective action will occur if any combination of two sensor channels simultaneously trip.

The AFAIS actuation channel trip test is performed by producing an output from the logic matrix which trips the related actuation channel logic.

c. Automatic Test Feature The ESAS is provided with an automatic test feature which tests all combinations of two of four bistable trip conditions for each parameter. The automatic test feature automatically indicates and identifies logic faults and verifies bistable availability approximately every twenty-seven seconds. Each bistable is tested to check that the bistable trip setpoint is functioning properly, and will process a trip signal. This is accomplished by inserting two test pulses one after the other above and below the trip setpoints. After each test pulse, the output of the bistable is compared to the input by the ATI. A fault is indicated by lamps on the ATI panel and an annunciation on the main control board panel CO1. The time duration of the test pulses are sufficiently short to prevent picking up the output actuation relay. The ATI monitor is automatically turned off during any undervoltage trip condition.

4.2.3 System Reliability mponents and modules used in the manufacture of the actuation system exhibit a quality sistent with the nuclear power plant 40 year design life objective and with minimum ntenance requirements and low failure rates. ESAS reliability (failure rate) has been specified qual to or better than 1 x 10-4 with manual testing on a 30 day schedule.

ision 3906/30/21 lated Failure Failure Mode Method of Detection Effect on ESAS Remarks one containment Bistable goes to tripped Annunciation from tripped No detrimental effect on System logic becomes channel state bistable system 1-out-of-3 mode.

one 125 volt DC Two inverters loads Annunciation Same as above ith 120 volt regu- transfer to regulated AC source operational source one 125 volt DC. Loss of power to two Annunciation With the exception of Sensor Cabinets ith 120 volt regu- sensor channels and one SRAs and LNP channels, remain energized, but source inoperative actuation channel all 2 out of 4 sensor associated SPEC 200 channels are tripped. Final Instrumentation equipment on the other Cabinets and radiation redundant channel is monitors de-energize.

actuated to its safe state from remaining redundant power source.

one 125 volt DC 1 and 2 above Separate annunciation of 1 above 1 above ith 120 volt regu- each condition.

available coinci-MPS-2 FSAR h a failure of a ent pressure chan-one 125 volt DC 1 and 3 above Same as 4 above 3 above 3 above ith 120 volt regu-not available coin-ith a failure of a ent pressure chan-7.3-19

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

TABULATION figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

TABULATION figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

TABULATION figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

TABULATION figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

OUTPUT figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

Reactor Regulating System (RRS), Pressure Regulating System, Pressurizer Level System, Control Element Drive System (CEDS) are functionally identical to those in the Calvert Cliffs nts (AEC Docket Numbers 50-317 and 50-318 through Amendment 19) with the exception of Control Element Assemblies (CEA) motion inhibit which has been added to the CEDS, cribed in Section 7.4.2 and the RRS which does not incorporate the automatic CEA functions.

1 REACTOR REGULATING SYSTEM 1.1 Design Bases RRS does not have any automatic CEA control functions. The RRS consists of subsystems ch provide the reactor operator with indication of Tavg, Tref, and Tref-Tavg deviation alarm.

RRS also provides signal inputs to the pressurizer pressure level program and steam dump gram.

1.2 System Description RRS is comprised of two functional subsystems. The first includes two independent neutron measurement channels and the second subsystem is comprised of various I/O modules nected to a distributed control system (DCS) forming a single fault-tolerant control and cation channel. Two circuits of a non-vital instrument bus provide redundant power to the I/O dules. The system consists of:

a. Steam Dump Program Function Generator;
b. Pressure Level Set Point Function Generator;
c. Tref - Function Generator;
d. Tavg - Tref Calculation; system includes the following inputs:
a. Loop 1 Thot, Loop 2 Thot signals;
b. Loop 1 Tcold, Loop 2 Tcold signals;
c. Two first-stage turbine pressure signals.

system develops the following outputs:

a. Tref and Tavg signals to recorders;
b. Deviation alarms for Tavg - Tref.
d. Condenser steam dump valve control signal (modulating)
e. Quick Open signal to condenser and atmospheric steam dump valves 1.3 System Operation emperature program calculation establishes the desired reactor coolant average temperature rence (Tref) based on a power reference signal from first-stage turbine pressure. Tref varies arly with power from a nominal temperature of 532°F at hot standby to an adjustable limit of

°F to 580°F at 100 percent power. TAVG varies linearly with power from a nominal perature of 532°F at hot standby to a nominal value of 568.9°F at 100 percent power.

rators may select TAVG to be calculated from the Loop 1 temperature inputs, the Loop 2 perature inputs, or the Loop 1 & Loop 2 temperature inputs combined. A deviation alarm will enerated if the difference between Tref and Tavg exceeds the engineering established limit.

team dump valve position demand signal is calculated as a function of TAVG. In addition, a k opening binary signal is calculated as a function of this valve position demand signal; both hese signals are transmitted to the steam dump valve control system upon the initiation of a ine trip.

ressurizer level setpoint program is calculated as a function of TAVG and transmitted to the surizer level controllers, external to the RRS.

2 CONTROL ELEMENT DRIVE SYSTEM 2.1 Design Basis reactor is controlled by reactivity adjustments with CEAs and with boric acid dissolved in the tor coolant. Rapid changes in reactivity are compensated for or initiated by CEA movement.

g-term variations in reactivity due to fuel burnup and fission product concentration changes controlled by adjusting the boric acid concentration. Since this rate of addition produces slow nges in the reactor power level, operator action suffices to control the boron concentration nge. The shutdown CEA group provides a hot shutdown margin of at least 1 percent reactivity, n if the most reactive CEA is stuck out of the core. Prohibits require that the shutdown CEA up is in the full withdrawn position before other CEAs can be withdrawn, thereby assuring a tdown margin equal to or greater than the required minimum. The CEA motion inhibit and m is provided when further insertion of the regulating group of CEAs would reduce the unt of effective shutdown reactivity in the CEAs below specified limits:

A movement is effected by the Control Element Drive Mechanisms (CEDM) (see Chapter 3).

CEDS transmits manual signals from the CEDS control panel to the Coil Power grammers (CPP), which develop the pulses for magnetic jack operation.

2.2 Design Criteria

a. Racks, panels and associated equipment meet the Electronic Industries Associated Standard RS-310. Standard Nuclear Instrument Modules are utilized as adopted by the United States Nuclear Regulatory Commission (TID-20893).
b. Each switch on the CEDS panel is individually mounted in its own plug-in receptacle to permit fast replacement. The logic in the CEDS logic cabinet is modularized into group and individual CEA modules. All group modules are identical and all individual CEA modules are identical.

2.3 System Description lock diagram of the CEDS is shown in Figure 7.4-3.

CEDS control panel is a selection panel. Three types of selections are made by this panel:

trol mode, CEA group, and the individual CEA within each group. All selections are made by sing the appropriate pushbutton switch. Upon selection the switch will light and remain lit closed until another selection within its scope is made. Eleven selections will always be e: one mode selection, one group selection, and nine individual CEA selections (one in each he nine groups). Electrical interlocks are incorporated in each of these eleven scopes of ction. This permits only one selection to be made in each scope. A new selection within any pe automatically cancels the previous selection.

re are three different modes of control of CEAs: Manual Individual, Manual Group and nual Sequential. Two of these modes, Manual Individual and Manual Group apply to both tdown and Regulating CEAs. Manual Sequential Mode applies only to the regulating CEAs.

following limits are provided by the CEA supervisory function of the plant computer to vent the reactor from reaching undesirable conditions:

a. Upper CEA limit;
b. Lower CEA limit;
c. Upper CEA group stop;
d. Lower CEA group stop.

CEDS and its associated interfaces with the plant computer and CEA Position Display tem (CEA PDS) contain design features that ensure the following actions:

a. Insertion of the regulating CEAs before the shutdown CEAs are inserted;
c. Proper sequential withdrawal of CEAs.

single equipment or operator failure will cause the CEDS to improperly carry out the above d actions to the extent that safety limits as defined in the Technical Specifications are reached.

ee lines of defense are utilized to ensure that safety limits are not exceeded. First, the reactor is rated under strict administrative controls which dictate the proper CEA movement. Second, ms are provided to warn the operator if CEA movement is improper. The third line of defense e functions and design features described below.

plant computer CEA supervisory function operates CEA permissive contacts that feed the DM logic system. This design feature determines which group or groups of CEAs will be ved in the manual sequential mode. The computer also generates alarms if its logic detects an of sequence movement of CEAs, more than two-groups movement of CEAs, improper rtion of shutdown CEAs, withdrawal of regulating CEAs prior to withdrawal of shutdown As, or deviation of individual CEAs from their group.

setpoints of these alarms are chosen such that the operator is given sufficient time to take ective action before a safety limit is reached without alarming for normally occurring ditions.

n equipment failure or operator error should cause any of these alarm conditions to be reached, ther alarm is also received from the Reed Switch Position Indication System described in tion 7.5.3.3. This second system, diverse in nature from the plant computer CEA supervisory ction, provides the operator with continuous indication of the position of each individual CEA provides alarms redundant to those supplied by the plant computer. In addition, this system vides actuation signals to the CEA motion inhibit circuitry which stops all CEA motion when larm set point is reached.

actuator signals are computed from CEA position information from the reed switch position sducers for each CEA and a reactor power signal (for power dependent insertion limit only).

actuation signals are independent of any control system function that would result in CEA ion. The actuation signals are contact openings that fail open upon loss of power. The ation signals are banded together and the composite signal is sent to the lift coil power switch each CEA from contact multiplying relays. The actuation signal to the lift coil power switch stop any power from being applied to the lift coil, so that regardless of CEA control system ion demand, CEA motion is inhibited.

uation of the CEA motion inhibit upon violation of power dependent insertion limits is bled below 10-4 percent power. Power dependent insertion limits are not needed below this er level. The motion inhibit is automatically re-enabled as power increases past 10-4 percent.

le 7.4-1.

A speed is a function of the coil power programmer cycle speed, the CEA control system up speed setting and the mechanical limitations of the magnetic jack mechanism.

coil power programmer that sequences power signals to the magnetic jack coils of an vidual CEA has an upper operating setting of forty inches per minute for regulating CEAs and nty inches per minute for shutdown CEAs. This maximum speed would result only from a tinuous demand for withdrawal from the CEA control system.

ontinuous withdrawal signal from the CEA control system would result only during abnormal rating circumstances. During normal operating conditions a continuous demand for an ease in reactor power will result in a sequenced withdrawal of CEAs within a group. The rage speed of CEAs within the group is determined by the speed setting of the group grammer in the CEA control system. The upper bound of the speed setting of the group grammer is forty inches per minute, but the normal operating speed setting of the group grammer is the same as that of the individual CEA coil power programmer. Maximum CEA ed is determined by the setting of the individual CEA CPP, and this speed cannot be increased ny setting of the group programmer.

absolute maximum speed of withdrawal of any CEA is determined by the magnetic jack hing mechanisms and coil current decay time constants. With the present coil power uencing cycle, the mechanical restraints of latch operating time and coil drop out time allow a imum possible withdrawal speed of 45-50 inches per minute.

2.4 System Operation CEAs are divided into the following groups:

a. Shutdown: two groups;
b. Regulating: seven groups.

h CEA remains stationary except when a raise or lower signal is present. In response to a al, the regulating CEAs move at a speed of up to 40 inches per minute. The shutdown CEAs ve at a fixed speed of 20 inches per minute.

CEA position setpoints are shown on Figure 7.4-2.

shutdown CEAs may be moved with either manual individual or manual group movement. A ctor switch prevents withdrawal of more than one shutdown group at any time. The shutdown ups must be withdrawn above a lower limit before regulating group withdrawal is possible. A t prevents group insertion of shutdown CEAs unless the regulating groups are fully inserted.

se limits may be bypassed to allow the CEA groups to be withdrawn or inserted out-of-

ulating CEA groups may be moved in manual group or manual sequential mode. Individual As may be moved in the manual individual mode of control. Sequential group movement vides that when the moving group reaches a programmed low (high) position, the next group ins inserting (withdrawing); the initial group stops upon reaching its lower (upper) limit. This cedure, applied successively to all regulating groups, allows a smooth and continuous rate-of-nge of reactivity.

er sequential group control, when the regulating groups reach the prepower dependent rtion alarm point, this condition is annunciated. If sequential group insertion is continued, a wer dependent alarm point limit is reached and a second alarm is initiated. These two grammed limits may be adjusted during the life of the plant and are provided to aid the rator in assuring adequate shutdown margin.

CEAs are prevented from being withdrawn if either a high power or thermal margin/low-sure (TM/LP) pretrip condition exists.

re is provision for manually bypassing the CEA motion inhibit circuitry at the CEDS rators console. The manual bypass requires a minimum of two operator actions to accomplish bypass. The group(s) to be bypassed must be manually selected by the operator by depressing pushbutton for each group. Actuation of any group bypass pushbutton results in an alarm at Main Control Board alerting the operator of the bypass and in the bypass pushbutton minating red. All control pushbuttons on the console illuminate white with the exception of the pushbutton that also inhibits all CEA motion and illuminates red. In addition to selecting the up to be bypassed, the operator must also depress the CEA motion inhibit bypass button to omplish the bypass function. This pushbutton must be held depressed by the operator during bypass operation, as release of this pushbutton will cause the bypass to be removed. Actuation he CEA motion inhibit bypass pushbutton will also cause an alarm at the Main Control rd, alerting the operator of the bypass, and in the pushbutton illuminating red.

2.5 Consequences of Single Failures Reactivity Control System contains two independent and diverse CEA position supervisory control systems.

pulse count system uses pulse counting techniques in the Plant Computer to determine and ntain a current record of the position of each CEA. These CEA positions are used to derive DS control inputs and CEA misalignment alarms. These alarms include regulating group uencing and overlap violations, excessive CEA deviation within any group and excessive rtion of any regulating group below the prepower or power dependent limits. These alarms are ide the normal operation region of the CEDS and warn the operator that the CEAs are in an ormal configuration while they are still well within fuel design limits. Each alarm is unciated separately at the main control board.

ch outputs an analog signal proportional to CEA position. This system provides a continuous lay on the main control board of all CEA positions and monitors the positioning of CEAs to vide the same alarms as detailed in the description of the digital system. The CEAPDS only trol function is to initiate a CEA motion inhibit if any one or combination of these alarm ditions are reached. As with the pulse count system, each alarm is annunciated separately at main control board. The system is designed such that on a loss of electrical power each alarm nnunciated and CEA motion inhibit is initiated, (see Figure 7.4-9).

ingle failure, for this response, has been defined as a component failure in either the active rgized) state or in the inactive (deenergized) state of the component, or a short circuit or open uit in any signal line.

Reactivity Control system is shown in block diagram form in Figure 7.4-8. The system has n separated into five functional blocks.

ctional block number 1 represents the integrated circuit logic elements and associated power plies that determine motion demand for each of 61 CEDMs. The outputs of this block are raise lower contact closure signals to the CPP and contact opening signals for the motion inhibit k circuit.

gle component failures within Figure 7.4-8 functional block number 1 may cause spurious e or lower signals to the CPP timers. This spurious demand signal will cause CEA motion.

s motion is monitored by the Control Element Assemblies Position Display System APDS) (functional block number 4). The CEAPDS monitors CEA deviations (highest to est CEA), out of sequence motion, violation of allowed CEA group overlap, power dependent rtion limits, shutdown group insertion prohibit and regulating group withdrawal permissives.

en the CEAPDS senses motion that is in violation of the above conditions, the calculator will put a contact opening causing the motion inhibit relays to deenergize. When the motion inhibit ys deenergize they open a contact in the control circuit of the lift coil power switch of each DM, preventing the silicon controlled rectifiers from energizing. Deenergizing the lift coil er switch control prevents further motion, either insertion or withdrawal, regardless of and from the CPP or CEDS logic. This inhibit does not affect the reactor trip capability of the As as the reactor trip function will interrupt motive power input to all power switches, causing vity insertion of all tripping CEDMs.

setpoints of the CEAPDS are sufficiently conservative that the fuel design limits will not be hed for motion of any CEA or combinations of CEAs.

ngle failure in functional block number 1 may also cause a spurious off signal to a lift coil er switch. This failure will cause the affected CEA to hold, regardless of motion demand. If ion is demanded of the group containing the affected CEA, the CEAPDS will sense the CEA iation and cause all other CEA motion to be inhibited. The failure within functional block No.

nnot prevent the action of the inhibit circuitry since the circuitry of function block No. 1 is

ingle failure within functional block number. 2 may cause a single CEA to raise or lower or

p. This failure will be sensed by the CEAPDS as a CEA deviation and the CEAPDS will cause CEA motion to be inhibited as detailed above, before fuel design limits are reached.

ngle failure within functional block number. 3 may cause a CEA to be held if it occurs within lift coil power switch or a single failure may cause a single CEA to drop or hold if it occurs in of the other coil power switches. These failures will be sensed by the CEAPDS as a CEA iation and the CEAPDS will cause all CEA motion to be inhibited before fuel design limits are hed.

ingle failure within functional block number 4 may cause a spurious motion inhibit signal ch will block all CEA motion. This failure will not cause fuel design limits to be reached since CEA motion is prevented.

ngle failure within functional block number 4 may also prevent actuation of the motion inhibit al. This failure, however, will not cause fuel design limits to be approached as it cannot cause A motion.

integrity of the CEAPDS will be assured by periodic testing.

ngle failure within function block number 5 may cause the motion of some or all CEAs to be bited spuriously. The CEAPDS will sense this failure as a CEA deviation and cause the ainder of the motion inhibit relays to deenergize, inhibiting the motion of all CEAs before fuel gn limits are reached.

ingle failure within functional block number 5 may also prevent the actuation of the motion bit signal for some or all CEAs. This failure will not cause fuel design limits to be approached t does not affect CEA motion. The integrity of the motion inhibit relays is assured by periodic ing.

ce functional block number 5 is implemented with relay logic, there are no single failures ch can both affect CEA motion and prevent the actuation of the motion inhibit signal.

shown in detail above, no single failure in any of the five functional sections of the reactivity trol system will cause fuel design limits to be reached.

3 REACTOR COOLANT PRESSURE REGULATING SYSTEM 3.1 Design Bases reactor coolant pressure regulating system is functionally identical to that in the Calvert Cliffs nt (NRC Docket Numbers 50-317 and 50-318).

ut to the system.

3.2 System Description igh pressurizer pressure functions to open the pressurizer spray valves on a proportional basis, eby reducing pressure. A low pressurizer pressure functions to energize heaters on a portional or group basis to increase pressure. A high pressurizer water level energizes the kup heaters in anticipation of a low-pressure transient; a low pressurizer water level nergizes all heaters, for heater protection.

o channels of control are provided and the controlling channel is selected by a switch. Manual trol of the heaters and spray may be selected at any time.

3.3 System Operation o pressure channels independent of those in the Reactor Protective System (RPS) provide pressed range (1500 to 2500 psia) signals for control of the pressurizer heaters and spray es. The output of either controller may be manually selected to perform the control function.

ing normal operation, a small group of heaters is proportionally controlled to maintain rating pressure. If the pressure falls below the proportional band all of the heaters are rgized. Above the normal operating range the spray valves are proportionally opened to ease the spray flow rate as pressure rises. A small, continuous spray flow is maintained ugh the spray lines at all times to keep the lines warm to reduce thermal shock when the trol valves open, and to aid in keeping the boric acid concentration in the coolant loops and surizer in equilibrium.

puts from the two pressure control channels are recorded in the control room and provide vidual high and low alarms.

control and alarm pressure setpoints are shown in Figure 7.4-4.

3.4 System Evaluation o individual channels are available for automatically regulating the pressurizer heaters and y valves. Either channel may be used to control the pressure in the system, and the output m both channels is recorded in the control room. Individual high and low pressure alarms are vided.

4 PRESSURIZER LEVEL REGULATING SYSTEM 4.1 Design Bases pressurizer level regulating system is functionally identical to that in the Calvert Cliffs Plant C Docket Numbers 50-317 and 50-318).

vg). A low pressurizer level signal functions to reduce letdown flow proportionally and to start available nonoperating charging pumps. A high level indication functions to increase letdown proportionally by opening the letdown control valves and stopping all but one charging

p. There are two independent automatic control channels with channel selection omplished by means of a manual control switch. Automatic control is normally used during ration but manual control may be utilized at any time.

4.2 System Description o level channels provide pressurizer level signals for control of two specific functions:

a. A low level signal from either channel deenergizes all heaters;
b. A high level deviation signal from the controlling channel energizes the backup heaters and sets the proportional heater control to full power.

4.3 System Operation operating level in the pressurizer is programmed as a function of power to accommodate t load changes and transients to minimize the changes in reactor coolant system (RCS) ume (see Figure 4.3-9).

level programmer establishes a program level which is directly proportional to coolant rage temperature, over the operating range of Tavg. The average temperature signal used by the l programmer is the signal used by the RRS.

level controller compares the measured and programmed level signals and generates a portional signal for regulating the letdown control valves. In addition, the level controller ctions to start or stop additional charging pumps at low or high level set points. The outputs of er of two automatic control channels may be selected by the operator for level control in ition to manual control.

4.4 System Evaluation o level control systems are provided. The controllers are located in the control room. Both matic and manual control of level is provided. Three charging pumps and two letdown trol valves provide redundant means of increasing or decreasing reactor coolant inventory.

variable pressurizer level control program maintains the proper coolant inventory by means ischarge or addition as required during plant load changes.

5.1 Design Bases 5.1.1 Functional Requirements

a. The steam dump to atmosphere systems (one each for the two steam generators) provide means for unit cooldown in the event that the condenser is not available.
b. The turbine bypass system provides a means for removing decay heat and pump heat at no load conditions and a means for unit cooldown.
c. The steam dump to condenser, steam dump to atmosphere, and bypass systems combined provide a means of dissipating excess Nuclear Steam Supply System (NSSS) stored energy and sensible heat following a simultaneous reactor and turbine trip from full load without lifting the secondary safety valves.

5.1.2 Design Criteria steam dump to atmosphere systems will have a minimum combined capacity of 15 percent of load in order to meet the functional requirements of a.

bypass system will have a minimum capacity of 5 percent of full load in order to meet the uirements of b.

total steam dump to condensers, steam dump to atmosphere and turbine bypass system will e a minimum capacity of 55 percent of full load in order to meet the functional requirements steam dump to atmosphere control valves can be controlled from the main control board or hot shutdown panel external to the control room.

steam dump to condenser control system, when in automatic operation, shall be limited in tor coolant cooldown capability.

steam dump to atmosphere system for one steam generator shall be redundant and ependent of that for the other steam generator.

5.2 System Description lock diagram of the steam dump to the condenser and turbine bypass system is shown on ure 7.4-5.

steam dump to condenser and turbine bypass valves can be controlled at their respective trol room stations in either automatic or manual mode.

ilable on the hot shutdown control panel. The steam dump to atmosphere system for steam erator number 1 and steam generator number 2 reside partially on a distributed control system zing common fault tolerant control processors. Pressure sensor and control feedback input als and control output signals are independent of each other.

total steam dump and turbine bypass is sufficient to prevent the lifting of the secondary steam ty valves following a simultaneous reactor and turbine trip at full power. The capacity of each he steam dump to condenser and turbine bypass valves is approximately 10 percent of full load a total of approximately 40 percent of full load. The capacity of the steam dump to each osphere valves is 7.5 percent of full load, each, for a total of 15 percent of full load. The acity of the steam dump to the atmosphere system is sufficient for plant cooldown after a full trip even if for any reason the condenser is not available.

essive cooldown of the RCS by the steam dump to condenser valves, when in automatic ration, is prevented by a narrow range temperature signal which has a minimum output esponding to 532°F. At this point, the steam dump to condenser flow demand will be zero le the bypass valve remains in operation to control header pressure. The turbine bypass system tend to control the steam pressure to 900 psia during hot standby when the condenser is ilable.

5.3 System Operation am is discharged from the main steam lines to the condenser by way of the dump to condenser bypass valves in response to Tavg and secondary pressure signals. Inputs to the system are the g turbine trip signal, main steam line pressure and condenser loss of vacuum.

n receipt of a turbine trip signal the steam dump to condenser controller generates a pressed range signal proportional to the quantity Tavg -532°F. When Tavg is within a determined range, the signal is sent to the steam dump to condenser valves and the turbine ass auctioneering unit via the steam dump to condenser vacuum permissive contacts. The ine bypass pressure controller generates a suppressed range signal proportional to secondary sure over the range of 800 to 1000 psia. The turbine bypass valve receives the higher of the m dump to condenser controller or turbine bypass controller signals through an auctioneering

. When Tavg exceeds the predetermined range, a quick opening signal from the RRS opens the m dump to condenser valves and simultaneously opens the turbine bypass valve. In either

, loss of condenser vacuum will prevent opening of the turbine bypass or steam dump to denser valves.

is necessary to boost the capacity of the bypass system near the end of cooldown, the dump to denser valves may be operated on manual control. The operator may control plant cooldown combined manipulation of the steam dump to condenser and turbine bypass controllers, as uired.

ipped with proportional mode only to give rapid response without reset windup, while ntaining its capability to modulate smoothly. Standard switching procedures on the local panel sfer station allow the operator to control the steam dump to atmosphere manually with an cent pressure indicator for guidance. Either the automatic controller setpoint or the local ion on manual control may be used for cooldown.

6 TURBINE GENERATOR CONTROL SYSTEM 6.1 Design Basis 6.1.1 Functional Requirements turbine generator is supplied with an electrohydraulic control (EHC) system. The EHC em provides speed and acceleration control for startup, load control, load limiting, emergency

, manual trip and valve testing functions.

6.1.2 Design Criteria EHC system is designed to provide dependable and accurate startup, load control and rgency trip functions. Redundant electronic speed sensing for control and high pressure raulic fluid supply systems are incorporated to increase system reliability. A primary tronic overspeed protection system is provided with an independent emergency electrical rspeed protection system.

6.2 System Description 6.2.1 System General Electric Company EHC system consists of electrohydraulically operated turbine trol and stop valves operated from an electronic control cabinet and an operators panel ted on the main control board. The operators panel contains controls for startup, load control, rational testing of valves and overspeed trip system and manual trip. System alarms and cators are provided for monitoring system operation.

EHC system includes the following features:

a. Full arc admission
b. Manual set load limit
c. Initial pressure regulator
d. Chest warming control
e. Load set capability

igh-pressure fluid power unit supplies fluid under 1600 psi pressure for operation of servo e power actuators. The fluid power unit consists of two redundant pumps, coolers and filters nged in parallel.

ctric power for the electronic logic and trip circuits is provided by two redundant battery-ked uninterruptible power supplies. All power supplies are monitored to provide indication of of tolerance voltage.

ee redundant primary speed signals are provided to permit speed and acceleration control g the median of the three speed signal values. An independent set of three redundant rgency speed signals are used for emergency overspeed protection. Failure of a single speed al will result in a system alarm. The turbine will be automatically tripped should a loss of two mary speed signals or a loss of two emergency speed signals occur. Tripping is initiated at inal 109 percent of rated speed. An emergency electrical overspeed trip circuit is provided to the turbine in the unlikely event of a failure of the primary overspeed trip system or during an rspeed trip test. The emergency electrical overspeed trip system is independent from the mary speed control and overspeed protection system and is set to trip at nominal 109.5 percent ated speed.

primary overspeed trip and the emergency overspeed trip systems constitute two separate and pendent means of protecting the turbine against an overspeed.

6.3 System Operation 6.3.1 Startup startup sequence followed by the operator consists mainly of the following steps which are trolled from the turbine generator control panel, CO7:

a. High-pressure turbine chest warming
b. Increase turbine speed to 1800 rpm in discrete steps
c. Perform overspeed trip test
d. Synchronize generator to the line and close the generator breaker
e. Establish initial loading rate
f. Set load limit and initial pressure limit
g. Increase unit loading to final desired value

er normal operating conditions, with no variables out of limit, the EHC system automatically ntains the desired unit load set by the operator. Also see Section 10.2.3.2.

6.3.3 Abnormal Operation turbine is automatically tripped on the following signals:

a. Turbine overspeed (primary or emergency systems)
b. Low condenser vacuum
c. Excessive thrust bearing wear
d. Deleted by FSARCR 05-MP2-023
e. Loss of generator stator coolant
f. Low bearing oil pressure
g. Loss of two primary OR two emergency speed signals
h. Deleted by FSARCR 06-MP2-007
i. High steam generator level
j. Loss of primary and secondary control power
k. Low hydraulic fluid pressure
l. Low shaft pump discharge pressure
m. Main generator and transformer protection system trip
n. Reactor trip
o. Power to Load Unbalance r mechanically and electrically isolated pressure switches are furnished on the EHC hydraulic system to provide four redundant channels to the RPS. The four pressure switches are bined into 2 out of 4 logic in the RPS to trip the reactor on a turbine trip.

6.4 Availability and Reliability EHC system is designed with highly reliable components. Maximum use is made of solid e components in measuring and logic circuits. The EHC control cabinet is completely factory

7 FEEDWATER REGULATING SYSTEM AND FEEDWATER PUMP SPEED CONTROL 7.1 Design Bases 7.1.1 Functional Requirements feedwater regulating system (one for each steam generator) is designed to regulate the flow eedwater to:

a. Maintain an inventory of water in the steam generator as required by the power production rate.
b. Assure a heat sink for the primary system.

feedwater pump speed control is designed to maintain the speed of the feedwater pumps (2) equired by steam demand.

7.1.2 Design Criteria eria for the design of the feedwater regulating system include the following:

a. Provide a means for both manual and automatic operating modes from the main control board.
b. Have proportional and reset control actions.
c. Provide automatic ramping to close the main feedwater regulating valves on turbine trip.
d. The control room portion of the system is to be factory wired and tested and shipped as a unit (one for each generator).
e. Provide recorder and computer display of steam generator level, steam flow and feedwater flow.
f. Provide a means for locking main the feedwater regulating valves in their last position on air and controller signal failure.

eria for the design of the feedwater pump speed control include the following:

a. Provide a means for both manual and automatic operating modes from the main control board on an individual pump basis.

7.2 System Description 7.2.1 System feedwater regulating system inputs are steam generator level, steam flow, and feedwater flow.

h of these parameters is measured with differential pressure type instrumentation.

Feedwater Control System for the Millstone Nuclear Generating Station - Unit 2 is based on zing SPEC 200 a simplified package for electronic control. SPEC 200 provides a highly able complement of control room instrumentation.

ddition, the SPEC 200 control equipment is type-tested for qualification per IEEE Standards

-1974 and IEEE 344-1975. These type-tests establish that the equipment can properly tinue to perform its safety related functions before, during, and after specified design basis nts. Such events include seismic disturbances that are considered by Foxboro to represent the t severe that would be anticipated at most nuclear power plant locations, as well as postulated nges to environmental conditions at the equipment site, both normal and abnormal.

SPEC 200 Feedwater Control System has been configured to control the flow of feedwater the steam generators, thus maintaining the water level within the desired range during all ses of plant operation. The control system includes both single and three element control to ntain steam generator level by positioning of the feedwater regulating valves.

SPEC 200 analog instrumentation has been configured to meet the following functions:

Single Element Control Three Element Control Main Feed Valve and Bypass Valve Control Process Measurement ajor consideration in meeting the above functions is to eliminate inadvertent plant trips due to Feedwater Control System. Specifically, the effects due to transmitter failure, power supply uption and operator error are taken into account and minimized.

instrumentation is mounted in a total of two (2) SPEC 200 Racks, each rack will contain the e instrumentation with one (1) rack for each of the two Feedwater Control Elements.

instrumentation is Class II (seismic only) as applicable to a Nuclear Power Plant.

GLE-ELEMENT LEVEL CONTROL

nction of the difference between these signals. The rate and magnitude of the output signal nge is determined by the control function. The single-element control also has an input from RCS cold leg temperature to provide dynamic compensation for steam generator level nges at a low power level.

s control unit maintains steam generator level at a manually set value when steam flow is less 15 percent.

single-element control units output will track the output of the three element control never the system is on three element control.

s tracking feature is accomplished by forcing or switching both the high and low limits of the troller to be equal to the three element controller output.

REE-ELEMENT FEEDWATER CONTROL s is a three-element system in which the primary or level control unit functions to trim level the secondary or feedwater control unit functions to maintain the balance between feedwater steam flow.

dwater flow demand is set by steam flow with corrections added for changes in level. An ease in steam flow automatically increases the demand for feedwater flow. To compensate for nges in level due to shrink and swell, blow down or any other cause, the level control unit s the feedwater setpoint signal in such a manner that the steam generator level is always rned to its setpoint.

level control unit compares a measurement of level with its manually adjusted setpoint to elop an output signal. This signal is fed to one input of the computing unit where it is bined with 50 percent bias. When level is at the setpoint, output from the control unit will le at about 50 percent to combine with the computing unit bias. Whenever the level is not at control setpoint, the level control unit will alter the feedwater control unit setpoint to trim the of feedwater to the steam generator. Trimming action will continue until the level returns to control setpoint.

feedwater control unit compares a measurement of feedwater flow with the trimmed steam signal to develop an output signal to regulate the feedwater valve. Any change in steam or water flow is immediately sensed as a discrepancy in the actual feedwater/steam flow tionship by the level control unit. This control unit, tuned to the response of the feedwater p, will correct the feedwater flow to restore the feedwater/steam flow relationship.

measurement input to the feedwater control unit is fed to the reset circuit of the level control to prevent reset windup of the primary control unit when the control station is in manual trol, or when the level control unit cannot follow its setpoint.

sured feedwater flow and steam generator level setpoint error compensated steam flow. The m generator level setpoint error signal is added to the measured steam flow value in such a ner as to reduce steam generator level setpoint errors to a minimum amount. This system does require an upset in steam generator level for the feedwater control to be modified. Note that never measured steam flow changes, there is an immediate change in feedwater flow, thereby biting the steam generator level upset.

e that measured steam flow is an input into the three element feedwater control system. Steam ands placed on the main feedwater system by steam generator blowdown, atmospheric dump es (ADVs), and steam generator relief valves are not direct inputs into this mass balance ation. The slight steam generator level error caused by the continuous steam generator wdown is compensated for by the steam generator level setpoint error signal. Large steam ands placed on the system by ADVs or relief valves opening cannot be adequately pensated for in this system. These conditions will result in significant steam generator level tuations and possible trips due to low steam generator water level. The main feedwater control em was designed to respond to routine plant transients and feedwater perturbations. This em was not designed to ameliorate accidents or respond to all off-normal events.

transfer between three element and single element control will be accomplished matically. The transfer from single-element to three-element occurs at 15 percent load, 0,000 lb/hr.) increasing. A 4 percent deadband is provided for stability which means the sfer back from three-element to single-element will occur at 11 percent load, (660,000 lb/hr.)

reasing. A tracking network is provided for bumpless/balanceless transfer between three-ment and single-element control. The tracking is accomplished by switching the high and low ts to the output of the single-element controller.

a security feature, the feedwater control system is provided with redundant differential sure transmitters for feed and steam flows. One transmitter is arbitrarily designated as a ain and the other as a ALT. Failure of either redundant transmitter will be indicated on the n control board. Failure is a signal greater than 102 percent or less than minus 2 percent of full e.

rder to minimize the impact on the feedwater control system of a transmitter failure, the rage of the steam flow signal and the average of the feed flow signal will be calculated and d for control purposes. The operator has the ability to select either the Main, Alt, or th transmitters on a main control board mounted selector switch. Selecting the Both ition on the selector switch will average the signals.

with steam and feedwater flow, the steam generator level measurement is redundant; a Main Alt. When the selector switch is in the Both position the SPEC 200 control circuitry will matically select the low steam generator level signal to provide the most conservative level surement signal to the control system. A transmitter failure will be indicated on the main trol board.

trol board controller to the valve positioner. These features are independent on the control ems for each of the steam generators.

chematic and block diagram of the control system is shown in Figures 7.4-6 and 7.4-7.

feedwater pump speed control system sets feedwater pump speed based on steam flow. The ed setpoint is high selected with a discharge pressure setpoint to ensure a minimum discharge sure is maintained. The control system also features a high discharge pressure limiter.

7.2.2 Components feedwater regulating systems consists of differential pressure measuring devices for the m generator level, steam flow and feedwater flow.

main control room components, with the exception of display and switching devices, are tained in a factory wired, tested and packaged system. The system for each steam generator is pendent from the system for the other generator.

parameters of steam flow and feedwater flow are recorded on a recorder on the main control rd. The steam generator level is recorded on a recorder on the main control board.

ontrol station for each generator includes provision for manual-automatic bumpless transfer tching and display of the generator level signal and is mounted on the main control board. This troller includes the steam generator level setpoint mechanism and displays a continuous cation of the output signal to the feedwater control valve.

feedwater pump speed control system consists of measuring devices for pump speed, suction

, suction pressure, and discharge pressure. Each controller is mounted in a separate cabinet ch also houses a two-line display panel. The control panel for the feedwater pump speed trol system is mounted on the main control board. It allows for auto/manual transfer, speed stment, and indication of major pump parameters. A hydraulic actuator is used to manipulate SGFPT steam admission valves.

7.3 System Operation feedwater regulating system for each of the steam generators has a level control station titled m generator level controller. The operator has provisions for automatic or manual level trol with appropriate bumpless transfer switching and display of the generator level signal and controller output signal to the respective feedwater control valve.

h of the parameters of steam generator level, steam flow and feedwater flow is recorded on the n control board for operator guidance.

er and speed raise buttons to the main control board.

7.4 Availability and Reliability he feedwater regulating system all equipment is designed with highly reliable components.

ximum use of solid state components in the electronic instruments and, where possible piston-rated valves are employed to fail locked (as-is) on loss of air or power.

instrumentation and controls, where practical, are installed outside of the containment cture and in locations accessible for inspection and maintenance.

mentioned, the feedwater valves can be placed on manual control from the main panel.

dwater valve bypass valve can also be actuated from the main panel.

feedwater pump speed control system uses three isolated control modules, each with its own er supply, processor, and input/output cards. The software coordinates data exchange between dules to support double and triple redundant processing. This design of the feedwater pump ed control system is highly reliable as it provides a high level of fault tolerance and detection.

h the provision for manual operation from the main control board, it is possible to remove the ority of the electronic circuitry for repair or replacement. Operation on manual control is ivalent to having fixed speed turbines in this service.

8 REACTOR COOLANT SYSTEM LOW TEMPERATURE OVERPRESSURIZATION PROTECTION (LTOP) SYSTEM 8.1 Design Bases LTOP system consists of two redundant relief trains each with a power operated relief valve RV) and associated relief piping. This system is controlled through a series of pressure and perature actuated devices and hand controlled switches in the main control board and it is ered by independent and redundant power supplies. The LTOP system when operated as cribed below, ensures that the limiting mass addition transients due to an inadvertent start of a h pressure safety injection (HPSI) and/or a charging pump or the limiting energy addition sient associated with the start of a reactor coolant pump (RCP) do not result in peak surizer pressures in excess of the 10 CFR 50, Appendix G beltline limits (normal operation) eloped for up to 54 EFPY. The LTOP system is required to be operable and capable of gating RCS pressure transients whenever the RCS cold leg temperature is 275°F, which eeds the recommended temperature provided by Branch Technical Position RSB 5-2, unless RCS is properly vented with a vent size 2.2 in2. Under normal conditions, the LTOP system es on the two pressurizer PORVs with a setpoint of 400 psig.

LTOP system utilizes a combination of automatic activation devices, manual handswitches, control board alarms to alert the operators and to automatically open the power operated relief es in the event of an overpressure transient. An alarm which is set sufficiently lower than the RV setpoint will provide operator warning of an ongoing RCS pressure increase prior to PORV ning.

evaluations performed to demonstrate that the flow relieving capability of the PORVs is quate to mitigate the corresponding design bases transients include system corrections. These ections include the valve overshoot resulting from the PORV stroke time and system process y time, fluid conditions at the valve inlet, RCS hydraulic effects resulting from RCS flow and ation differences in addition to the PORV loop instrument uncertainties. These corrections ure that the 10 CFR 50, Appendix G limits are not exceeded during the following pressure sients:

a. Energy Addition - The transient is caused by the start of an RCP with a maximum secondary to primary side temperature differential of 50°F. Since the expansion of the primary coolant resulting from the heat addition varies with the RCS pressure and temperature conditions, a maximum RCS pressure of 340 psia and a maximum RCS temperature of 275°F were chosen to ensure that the entire LTOP temperature range is bounded by the analysis.

The first RCP is not allowed to start unless a pressurizer bubble of 900 cubic feet is established to ensure that adequate RCS volume is available to accommodate any potential primary coolant expansion without resulting in water solid conditions. The 340 psia was chosen since this is the maximum expected RCS pressure when the Shutdown Cooling (SDC) System relief valves are aligned to the RCS. Since the calculated peak RCS pressure was less than the Appendix G allowable pressure, no credit was taken for the PORVs to mitigate the energy addition transient.

b. Mass Addition - This transient results from the inadvertent start of a HPSI and/or a charging pump during RCS water solid conditions. The maximum flow from the allowed pump combinations was assumed to occur concurrent with the loss of decay heat removal capabilities and the energizing of the pressurizer heaters.

These conservative assumptions in combination with the pump restrictions discussed below, resulted in system peak pressures which are lower than the allowable 10 CFR 50 Appendix G limits:

1. A maximum of one HPSI and two charging pumps may be capable of injecting into the RCS when the RCS cold leg temperature (Tc) is 190°F <

Tc 275°F or when Tc is < 190°F when the RCS is vented through a 2.2 in2 passive vent.

one charging pump may be capable of injecting into the RCS when Tc 190°F.

8.3 System Operation ing plant cooldown, the Appendix G pressure/temperature limit curves are used to decrease RCS pressure and temperature down to 300°F and 400 psig. Prior to cooling the RCS below

°F, normal operating procedures require the activation of the PORV Low setpoint at 400 by resetting the hand switches to the Low position. To assure that the PORVs are reset to Low set point prior to cooling the RCS to <275°F, an alarm (reset to low) is activated when RCS temperature approaches 280°F. Upon resetting a PORV handswitch to low (i.e., LTOP de), the respective motor operated block valve (2-RC-403 or 2-RC-405) upstream of the RV receives an open signal. This ensures that the PORVs have not been isolated and are able of performing their function. While the PORV Low setpoint is at 400 psig, the rpressure transient alarm is activated when the RCS temperature is below a preselected value 275°F and the RCS pressure exceeds a preselected value of 360 psig. The purpose of this rpressure transient alarm is to alert the operator that pressure is increasing, and action to trol pressure should be taken to preclude PORV actuation.

ing plant heatup, normal operating procedures require the RCS pressure be maintained below psig until the RCS temperature is greater than 275°F to preclude coolant discharge through PORVs. When the RCS temperature exceeds 275°F, normal operating procedures require the rator to reset the PORVs to the High setpoint relief of approximately 2385 psig. The low perature transient alarm is also deenergized at this time. After the PORVs are reset to the gh setpoint of approximately 2385 psig, normal plant heatup continues accordingly.

start of an RCP significantly changes the flow characteristics in the RCS from one of stagnant ow flow conditions to that of forced/high flow conditions. When no RCPs are in operation and C is in service, the vessel inlet temperature is best represented by the temperature reading of SDC return line water temperature since little mixing may occur between the hotter RCS lant and the colder SDC coolant. However, once the first RCP is started, the vessel inlet perature is best represented by the RCS cold leg temperature readings since the SDC flow es with the remainder of the reactor coolant.

start of the first RCP may result in a step temperature increase which may be further lified by the increase in RCS energy resulting from the added RCP heat input. To minimize temperature differential between the SDC return coolant temperature and the RCS cold leg lant temperature, it may be desirable to reduce the SDC heat removal rate which may result in mall RCS temperature increase. Since the accumulation of residual heat in the RCS may also lt in increased RCS pressure, the energy addition evaluations assumed that no decay heat ld be removed from the RCS for a period of up to 5 minutes following the start of an RCP.

s bounding assumption will allow the operators to reestablish the required SDC flow owing the start of an RCP without exceeding the allowable pressure/temperature limits.

TABLE 7.4-1 PROHIBITS ON CEAS hdrawal Prohibit Condition Pretrip Overpower Thermal Margin / Low-Pressure Pretrip tion Inhibit condition Group out of sequence movement Individual CEA deviation More than two Regulating group movement Withdrawal of Regulating groups prior to complete withdrawal of all Shutdown groups Insertion of Shutdown groups prior to insertion of all Regulating groups ut signal sources for the withdrawal prohibits:

Reactor Protective System: Pretrip Overpower Thermal Margin /Low-Pressure Pretrip ut signal source for CEA motion inhibit:

Reed switch CEA Position Display System (CEAPDS)

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

1 PROCESS INSTRUMENTATION 1.1 Design Bases 1.1.1 Functional Requirements

-nuclear process instrumentation devices are designed to perform one or more of the owing functions:

Measurement Display Recording Set Point Generation Generation of Corrective Signal Conditioning of Signal se devices when connected together in a process instrument loop will monitor and control the cess and alert the operator in the event the process variable exceeds beyond the allowable ts.

1.1.2 Design Criteria following criteria have been implemented in the design of the process instrumentation:

The process instrumentation shall measure and control temperature, pressure, flows, and level in all processes as required per 10 CFR 50, Appendix A, Criterion 13.

a. Alternate indicators and controls shall be located at other locations than the control room to allow reactor shutdown should the control room have to be evacuated.

This provision is made in accordance with 10 CFR 50, Appendix A, Criterion 19.

b. Independent measurement channels shall be provided to monitor each process parameter required for the reactor protective system (RPS) and the engineered safety features actuation system (ESFAS) to meet the single-failure criterion per IEEE-279-1971.

1.2.1 System cess instrumentation provided for reactor coolant temperature, pressure, level, and flow as l as the monitors for containment temperature, pressure, and radiation are described below.

or process instrumentation for the balance of the plant is tabulated in Table 7.5-1.

1.2.1.1 Reactor Coolant System

a. Temperature The temperature measurements are made with precision resistance temperature detectors (RTD) which provide a signal to the remote temperature indicating control and safety devices. The following is a brief description of each of the temperature measurement channels.

Hot leg temperature: Each hot leg contains five temperature measurement channels. Four of these channels provide a hot leg temperature signal to the thermal margin/low-pressure (TM/LP) trip circuits. The other hot leg temperature measurement channel provides a signal to the loop Tavg computer in the reactor regulating system (RRS), to the Inadequate Core Cooling Monitoring System (ICCMS), and to a recorder. The five hot leg temperatures are indicated on the control panel.

Cold leg temperature: Each cold leg branch contains three temperature measurement channels. Two of the channels in each branch provide a cold leg temperature signal to the TM/LP trip circuits. These channels also provide cold leg temperature indications on the control panel. The third cold leg temperature measurement channel in two branches provides a signal to the loop Tavg computers and to the feedwater control system. This channel also provides a high alarm. The third channel in the other two branches provides an input to the ICCMS and Low Temperature Overpressurization Protection (LTOP) circuitry, and is recorded on the control panel.

Loop average temperature: The RRS receives a hot leg and cold leg temperature reading from both loops. The Tavg calculation receives hot and cold leg temperatures from Loop 1, Loop 2, or Loops 1 and 2 and provides average temperature outputs to a recorder. The temperature recorder is equipped with two channels. One channel records the average temperature and the other channel records the programmed reference temperature signal (Tref), corresponding to turbine load (first-stage pressure).

b. Pressure

instrument. The DC current outputs are used to provide signals to the remote pressure-indicating, control and safety devices.

The following is a brief description of the pressure measurement channels:

Pressurizer pressure (protective action): Four pressurizer pressure transmitters provide independent, narrow range, pressure signals. These four independent pressure channels provide the signals for the RPS high pressure and TM/LP trips (see Section 7.2). The channels also provide the low-low pressure signal to initiate safety injection (see Section 7.3). All four pressure channels are indicated in the control room and RPS high pressure and TM/LP trip, associated RPS pretrip, and low-low trip alarms are annunciated. Figure 7.5-1 is a functional diagram of one of these channels.

Pressurizer pressure control (control action): Two pressure channels provide narrow-range signals for control of the pressurizer heaters and spray valves as described in Section 7.4. Outputs from the two pressure control channels are recorded in the control room and provide individual high and low alarms.

Pressurizer pressure (Low Range): Two pressure channels provide independent and redundant pressure signals to the shutdown cooling suction isolation valves and the power-operated relief valve (PORV). (See Sections 4.3.8.2.3 and 7.4.8.)

These channels also provide an input to control room and hot shutdown panel indicators, computer and one signal to the subcooling margin monitor (see Section 9.3.4.1).

c. Pressurizer Level Level is sensed by transmitters which measure the pressure difference between a reference column of water and the pressurizer water level. This pressure difference is converted to a DC current signal proportional to the level of water in the pressurizer. The DC current output of the level transmitters provides signals to the remote level indicating and control devices.

Two pressurizer level transmitters provide signals to the chemical and volume control charging and letdown system. In addition, signals are provided for pressurizer heater override control. These level transmitters are calibrated for steam and water densities existing at normal pressurizer operating conditions.

The selected pressurizer level control channel provides a signal for a level recorder in the control room. This recorder is a two channel recorder, with one channel recording actual level as sensed by the level control channel and the other channel recording the programmed level set point signal from the RRS. For additional details see Section 7.4.4.

An indication of reactor coolant flow is obtained by measuring the pressure drop between the hot leg piping and the outlet plenum of each steam generator. The pressure drop is sensed by differential pressure transmitters which convert the pressure difference to direct currents. The direct currents provide a signal to the remote flow indicating and safety devices.

Four independent differential pressure transmitters are provided in each reactor coolant loop to measure the pressure drop across the steam generators. The outputs of corresponding transmitters in each loop are summed by pairs to provide four independent signals representative of flow through the reactor core. These signals are indicated and supplied to the RPS for loss-of-flow determination. The differential pressure sensed by each transmitter is indicated in the control room.

For additional details, see Section 7.2.

e. Subcooled Margin See Section 7.5.4.4 for a description of the ICC System which provides subcooling information.

1.2.1.2 Containment tainment temperature monitoring provisions include eight resistance temperature detectors in arate locations for measuring containment air temperatures. These RTDs have resistance-to-ent transmitters which provide temperature signals to the plant computer for logging and for out in the control room through an eight position selector switch. The RTD and cables are cified for continuous operation in the containment. The temperature transmitters are located ide the containment.

capability of continuously monitoring pressure over the full range of postulated accidents is vided by four safeguards containment pressure transmitters which are located outside the tainment. Dual redundant wide range containment pressure transmitters provide pressure nitoring beyond the range of the safeguards containment pressure transmitters. The wide range smitters were procured and installed to the same criteria as the safeguards transmitters. These smitters have sufficient range to measure between the normal operating conditions and the dicted peak pressure, due to either a LOCA or SLBA.

l-redundant containment level monitors are installed to measure water accumulation in the tainment sump. These transmitters can monitor water depth up to seven feet above the sump proximately 6x105 gallons).

tainment radiation monitoring includes two gaseous and two particulate monitors of the types cribed in Section 7.5.6.3. The gaseous and particulate monitors are available except when the tainment isolation actuation signal (CIAS) automatically closes valves in the sampling system.

o containment high range area radiation monitors are located in the containment on the outside he biological shield wall in the vicinity of the east and west electrical penetration areas. Each nitor has a range sufficiently wide to indicate activity levels following a serious accident. Each nitor is qualified to withstand the elevated pressures and temperatures and chemical spray ciated with the LOCA or SLBA.

ddition, provisions for obtaining grab samples of containment atmosphere are included in the tainment hydrogen monitoring sampling system.

1.2.2 Components ndard commercially available instrumentation devices of high, proven quality have been used all non-nuclear process loops. With the exception of a few multipoint recorders, all other lay instruments are of the miniature type using the 10 to 50 ma, 4 to 20 ma, or 3 to 15 psig als. All safety related instruments are designed to function in the most severe post-accident ironmental condition to which they may be exposed.

1.3 System Operation h instrument loop is designed to display and/or control a certain process. Detailed description major instrumentation systems are given in Section 7.5.1.2.1 and other appropriate sections re instrumentation is heavily involved in the processes.

ddition to the instrument channels listed in Table 7.5-1, the operator is provided with valve ition lights, motor status lights, and alarms for the control of valves, circuit breakers and ps required for the ESFASs. Additional ammeters are provided for motors of 250 horsepower above.

1.4 Post-accident Monitoring rumentation systems are provided for remote monitoring of system conditions during and owing an accident to assure adequate public safety. While many parameters are available to operator in the control room, those which would normally be used by the operator following ccident are those which: (1) aid in determining the nature of the accident, (2) can be used to ow the course of the accident and to aid in predicting its future course, (3) assure that the tor trip systems (RTS) and engineered safety features (ESF) systems are functioning properly that the plant is responding properly to these systems, (4) provide information for manual on by the operator.

le 7.5-3 is a summary of the Regulatory Guide 1.97 (Rev. 2) information on file, that uments which instruments are credited with monitoring the associated variables. These cations of plant variables are required during accident situations to:

b. Determine whether the RPS, ESF, and other systems important to safety are performing their intended function.
c. Provide information to the operator that will enable them to determine the potential for causing a gross breach of the barriers to radioactivity release, and to determine if a gross breach of a barrier has occurred.

providing the instruments listed in this table, adequate instrumentation is provided for the rator to determine the nature of an accident, to follow the course of the accident, to determine t action is required to mitigate the consequences of an accident, and to determine the results duced by operator action.

2 NUCLEAR INSTRUMENTATION 2.1 Design Bases nuclear instrumentation monitors neutron flux over a range greater than ten decades with four pendent and redundant channels.

h of four wide range logarithmic channels provides: a) signals for power level and startup rate cation, b) a signal to the enabling circuitry of the RPS Zero Power Mode Bypass function, and signal to the circuitry in the CEA Position Display System that blocks the CEA motion inhibit als when reactor power is less than 10 E-4% power.

r power range channels monitor neutron flux over the power range and provide four undant, proportional signals to the RPS. These same four power range channels also are used etect a dropped CEA by monitoring changes in reactor power.

ependent of the four wide range logarithmic channels and the four power range channels, the lear instrumentation system also includes two power-range channels that provide signals to the ctivity Regulating System.

2.2 Design Criteria system is designed in accordance with the criteria of IEEE 279, 1971. In areas not covered or cifically identified by the criteria, the following criteria are used:

a. The nuclear instrumentation sensors are located so as to detect representative core flux conditions;
b. Four independent channels are used in each flux range;
d. Power is supplied to the system from four separate AC buses. Loss of one bus deenergizes one power-range safety channel and one wide range logarithmic channel;
e. Loss of power to channel logic results in a channel trip;
f. All channel outputs are buffered so that accidental connection to 120 volts AC, or to channel supply voltage, or shorting individual outputs has no effect on any of the other outputs.

2.3 System Description channels of instrumentation are provided to monitor the neutron flux. The system consists of e range logarithmic channels, power range safety and power range control channels. Each nnel is complete with separate detectors, power supplies, amplifiers, and bistables to provide pendent operation. The operating capability of the ten monitoring channels is greater than ten ades of neutron flux and is adequate to monitor the reactor power from shutdown through tup to greater than 125 percent of full power.

r wide range logarithmic channels monitor the flux from source level to above full power. The signals, obtained from fission chambers, are conditioned and amplified in the cable vault lifier assemblies and then transmitted to the signal processing drawers in the control room.

signal processing drawers further process the detector signal into signals that represent the rce range logarithm of count rate and the rate of change of count rate, and the wide range rithm of reactor power and the rate of change of reactor power. Audible count rate signals are ilable in the control room.

r channels are designated as power range safety channels and provide signal outputs to the S. These channels operate from 0.1 to 200 percent of full power. Power level signals from e channels are supplied to the protective system. These four channels contain detectors posed of dual section ion chambers which monitor the full axial length of the reactor core at circumferential positions equally spaced around the core. This arrangement enables detection ower tilts and imbalance.

o separate power range control channels provide reactor power signals to the RRS cabinets.

channel output is a signal directly proportional to reactor power from 0.1 to 125 percent. The er signal is combined with the average coolant temperature, first stage turbine pressure, and surizer pressure signals as the control parameters to the RRS.

gain of each channel is adjustable to provide a means for calibrating the output against a plant t balance. Each control channel provides signals to remote indicators and the Anticipated nsients Without Scram (ATWS) Circuitry.

normal azimuthal flux tilt condition. The comparator average is located in the rear of the RPS inet. It receives inputs from each of the four linear power range nuclear instrument channels setpoints from the power ratio calculator. These setpoints are called High and High-High iation and are generated as a function of the average power sensed by all four power range ty channels. They represent a deviation band (absolute magnitude of deviation) that is allowed ween the neutron flux measured by each channel and the average of all channels. The ability is provided for the operator to obtain two independently set alarms (High and h-High) representing different absolute magnitudes of deviation, in order to achieve a high ree of system flexibility to conform to changing operating conditions. The comparator rager measures the deviation between each channel and the average of the channels and then pares the measured deviations to the calculated allowable deviations represented by the oints. If the measured deviation exceeds the first setpoint, the High alarm is given. If the iation continues to increase, the second setpoint may be reached, in which case the High-High m would be given. A High and High-High deviation alarm is provided for each channel.

ector Cooling ced air cooling is provided for the eight neutron detectors and two spare detector wells which located within the annular space between the reactor vessel and cavity wall. The remaining detectors which are embedded in the cavity wall are not subjected to elevated temperatures therefore do not require cooling.

ling air is provided by the containment air recirculation and cooling system (Section 6.5) to t the maximum detector temperature below 200°F. Cooling air is supplied at 91°F to the base he detector wells. The air is heated sensibly and discharged at 190°F through openings at the of the detector wells.

owever, a loss of air flow occurs, detector temperature would rise from 190°F to 260°F before ining thermal equilibrium. The out of core detectors are designed to operate satisfactorily at a perature of 300°F with no appreciable error. Therefore, even with loss of air flow, this value is exceeded.

2.4 System Components 2.4.1 Wide-Range Logarithmic Channel Description wide range logarithmic channels are designed to provide to the operator the measure of the tron flux level at the detector assembly and the measure of the rate of change of neutron flux l from source level (shutdown) to 200% of full power reactor operation.

signal from the detector is composed of a series of charge pulses. The pulses result from a decay of the uranium coating in the detector, from gamma photon interaction with material he electrodes of the detector, and from the fissioning of uranium atoms when a neutron is

ion chambers are used to detect the neutron flux because of their proven high reliability in a h environment and because of their ability to operate in a high gamma flux without damage without loss of sensitivity.

cable and interconnection assemblies between the detector and the amplifier are designed to vide protection against electromagnetic and electrostatic noise interference, and to provide unity to the postulated environment in the containment during a design basis event (main m line break or loss of coolant accident).

amplifier assembly contains the signal conditioning circuitry, DC power supplies, and the h voltage detector excitation supply. The signal processor assembly provides the circuitry to her process the detector signal into signals which are a measure of the logarithm of countrate, rate of change of countrate, the logarithm of reactor power and the rate of change of reactor er, and it provides outputs for each of these signals. Full scale and bias scaling adjustments to n the outputs to the full reactor power are all made in the signal processor.

signal processor outputs isolated source range pulses to the audible countrate drawer. The ible countrate drawer provides an audible sound corresponding to the source range pulse puts. A switch on the front panel allows you to select each of the four channels. Another tch allows you to divide the signal by 1, 10, 100, 1000, or 10000, in order to hear individual s at any shutdown countrate. There is also a volume control on the front panel for the local aker as well as an on/off switch and volume control for a remote speaker. The audible ntrate drawer is considered non-class 1E, however, it has been qualified not to damage cent class 1E equipment during a seismic event.

number of neutron pulses per unit time from the detector is proportional to the magnitude of neutron flux at the detector. The magnitude of the neutron flux in the reactor core is portional to the fission power being generated in the reactor. If the magnitude of the neutron at the detector is proportional to the magnitude of the neutron flux in the reactor core, then pulse rate from the detector is proportional to reactor power.

neutron flux monitor measures the number of pulses per unit time from the detector over the ge from source level to the level where the error from countrate loss due to coincident pulses omes unacceptable. From about two decades below the upper end of the countrate range to full tor power, the neutron flux monitor measures the mean square value of the time variant signal m the detector. This mean square value is proportional to the average rate of neutron pulses and ot dependent on the pulses being individually identifiable. It provides good discrimination inst alpha and gamma signal.

derivative of the logarithm of reactor power provides a measurement that is proportional to change in reactor power per unit time. The signals are displayed on the RATE meters in ades per minute (DPM).

magnitude of the high voltage supply in the amplifier is low, or the channel in test (CH IN T) switch is in the ON position.

second bistable is used by the RPS to remove the zero power mode bypass above 10-4 percent er. The zero power manually actuated bypass allows CEA drop testing, or CEA withdrawal other tests during shutdown. The trips bypassed are low flow, Reactor Coolant Pump erspeed and TM/LP. These trips are automatically reset by the wide range logarithmic nnels prior to increasing reactor power to 10-4 percent power.

third bistable is used by the CEA Position Display System to block the CEA Motion Inhibit Power Dependent Insertion Limit Violation when reactor power is less than 10-4% power. A th bistable enables the extended range mode of operation of the wide range Logarithmic nnel at very low power levels.

2.4.2 Power-Range Safety Channel Description four power-range safety channels are capable of measuring flux linearly over the range of 0.1 ent to 200 percent of full power. The detector assembly consists of two uncompensated ion mbers for each channel. One detector extends axially along the lower half of the core while the r, which is located directly above it, monitors flux from the upper half of the core. The upper lower sections have a total active length of approximately 12 feet. Integral shielded cable is d in the region of high neutron and gamma flux.

DC current signals from both the upper and lower uncompensated ion chambers are fed ctly to the rear of the linear power range monitors located in the RPS cabinets in the control

m. The power range monitor houses the electronics that conditions the detector signals for t panel display, RPS inputs and bistable trips. Nuclear Power (upper + lower over 2) and channel deviation (upper-lower) signals are generated and output to the Reactor Protection tem.

Nuclear Power signal is also monitored by the rod drop circuit for a fast negative change in litude. Time delay and comparator circuits are used to generate a rod drop alarm whenever a ative change in the output signal level occurs in a corresponding period of time. This alarm dition is an indication that a rod had dropped from its proper position. Actuation of this alarm minates a LED on the front of the power range safety channel drawer, and actuates an alarm dow on the main control board.

h power range channel contains two bistables. One is used by the RPS to disable the Loss of bine and High Local Power Density trips below 15% power. The other bistable initiates an m when either the magnitude of the low voltage or high-voltage power supplies is degraded, he TEST SELECT switch is not in the OFF position and the TEST ENABLE switch is in T ENABLE. The condition of each bistable is shown by a front panel LED.

two power range control channels are capable of measuring flux linearly over the range of 0.1 ent to 200 percent of full power. The detector assembly consists of two uncompensated ion mbers for each channel. One detector extends axially along the lower half of the core while the r, which is located directly above it, monitors flux from the upper half of the core. The upper lower sections have a total active length of approximately 12 feet. Integral shielded cable is d in the region of high neutron and gamma flux. The DC current signals from both the upper lower uncompensated ion chambers are fed directly to the rear of the linear power range trol monitors located in the RRS cabinets in the control room. The power range control nnels are connected with the RRS and provide outputs to remote indicators and the ATWS uitry.

2.4.4 System Component Location nuclear instrumentation safety signal processing equipment is located in the RPS cabinet in control room. Four cabinets designated as A, B, C and D each house one channel and one wide ge logarithmic channel. Mechanical and thermal barriers between the cabinets reduce the sibility of common event failure. The detector cables are routed separately from each other.

s includes separation at the containment penetration areas. The location of the neutron ctors is shown in Figure 7.5-2.

nuclear instrumentation control signal processing equipment is located in the RRS cabinets.

3 CONTROL ELEMENT ASSEMBLIES POSITION INSTRUMENTATION 3.1 Design Bases principal purpose of the CEA position indication system is to provide the operator with able, comprehensible and timely information on CEA position.

3.2 Design Criteria

a. Position readouts of all CEAs may be obtained;
b. Continuous position readouts of any selected CEA in a group are available;
c. A means of alerting the operator to deviation of CEAs within a group is provided;
d. A permanent record may be made of position of any or all CEAs. The operator may obtain a record at any other desired time;
e. Separate full-in and full-out indication is provided for each CEA;
f. Redundant and diverse means of indicating CEA position is provided.

ee different display systems of CEA position are provided for the operator on the main control rd. The pulse-counting CEA position indication system is one of the outputs of the CEA ervisory function of the plant computer. The reed switch CEA position display system vides continuous indication to the operator of the position of all CEAs in a bar chart form on a o display and numeric information of selected groups. The core mimic display CEA position cating system provides CEA travel limit information to the operator.

3.4 System Components 3.4.1 Pulse-Counting Control Element Assemblies Position Indication System Description pulse-counting CEA position indication system infers the position of each CEA maintaining cord of the raise and lower control pulses sent to each magnetic jack mechanism. The plant puter counts these pulses to determine changes in CEA position. The bottom most reed switch nput to the process computer as indication of a fully inserted or dropped rod independent of e counts. The resulting inferred position of CEA is available for display on any plant process puter workstation. A printout is available, on operator demand, of the inferred position of all As or of those CEAs within a given group. The plant computer also provides deviation rmation. If the deviation in position between the highest and the lowest CEA in any group eeds a preset amount, the computer provides an alarm. The plant computer provides position rmation for CEA group position alarms.

3.4.2 Reed Switch Control Element Assemblies Position Display System Description reed switch CEA position display system (CEAPDS) utilizes a series of magnetically ated reed switches, spaced at 1.5 inch intervals along the CEA housing and arranged with ision resistors in a voltage divider network, to provide voltage signals proportional to CEA ition. The signals are displayed in bar chart form on a touchscreen monitor on the main control rd. The touchscreen allows navigation to various display page information. The display and rlock functions are generated by the CEAPDS software. The distributed control system logic vides redundant CEA malposition indication and alarm functions which are used as input to CEA motion inhibit circuitry. A CEA position backup readout display is available to provide ition of all CEAs.

3.4.3 Core Mimic Control Element Assemblies Position Indication roup of 61 light displays, arranged in a shape corresponding to the CEA distribution, is located he main control board. Each display, which represents one control element drive mechanism DM), contains four colored lights providing the information listed in Table 7.5-7.

4.1 Design Bases primary function of the in-core instrumentation is to provide measured data which may be d in evaluating the gross core power distribution in the reactor core as an aid to reactor rations. This data may be used to evaluate thermal margins and to estimate local fuel burnup.

credit is taken for this system in the accident analysis of Chapter 14. The in-core detectors will used to periodically calibrate the out-of-core detectors as defined in the Technical cifications.

4.2 Design Criteria

a. Detector assemblies are installed in the reactor core at selected locations to measure core neutron flux and coolant temperature information during reactor operation in the power range;
b. Flux detectors of the self-powered type, with proven capabilities for in-core service, are used;
c. The information obtained from the detector assemblies may be used for fuel management purposes and to assess the core performance. It will not be used for automatic protective or control functions;
d. The output signal of the flux detectors will be adjusted for changes in sensitivity due to emitter material burnup and for undesirable background signals;
e. Each detector assembly is comprised of four local neutron flux detectors stacked vertically for axial monitoring, and one thermocouple at the assembly outlet;
f. Axial spacing of the detectors in each assembly and radial spacing of the assemblies permit an evaluation of the gross core power distribution through the use of In-Core Analysis Computer Program.
g. In accordance with the guidance of NUREG-0737 and Regulatory Guide 1.97 the Core Exit Thermocouples from each train are distributed such that all four quadrants of the reactor vessel can be monitored during and after a design basis accident following the loss of a single train.

4.3 In-Core Instrumentation System Description in-core instrumentation (ICI) system consists of 43 fixed in-core detector assemblies inserted selected fuel assemblies. Each assembly contains four 40 cm long rhodium detectors, and one Al thermocouple. The detector assembly is illustrated in Figure 7.5-3. Outputs are fed to the t computer in the control room for processing and logging.

d guide tube and instrument thimble assembly. A Grayloc seal forms a pressure boundary for h assembly at the instrument nozzle. The locations of the in-core detectors in the core are wn in Figure 7.5-4.

neutron detectors produce a current proportional to neutron flux by a neutron-beta reaction in detector wire. The emitter, which is the central conductor in the coaxial detector, is made of dium and has a high thermal neutron capture cross section. The useful life of the rhodium ctors is expected to be about three years at full power, after which the detector assemblies will eplaced by new units.

data from the detectors are read out by the plant computer which scans all assemblies, cesses and prints out the data periodically or on demand. The computer periodically computes grated flux at each detector to update detector sensitivity factors to compensate for detector nout.

4.4 Inadequate Core Cooling (ICC) System Description Inadequate Core Cooling Monitoring System (ICCMS) integrates the processing and display

1. Subcooled/Superheat
2. Core Exit Thermocouples (CETs)

Note: The CETs are part of the ICIs.

3. Reactor Vessel Level Monitoring System (RVLMS) Heated Junction Thermocouple (HJTC) System for inventory tracking.

information provided by this system allows the plant operators to monitor reactor coolant us during normal and abnormal plant conditions. The operator uses this information to take ective action as needed and/or confirm that actions taken produce the desired result. Thus, the roach to, existence of, and recovery from ICC conditions can be monitored consistent with the visions of NUREG-0737,Section II.F.2. The Millstone Unit Number 2 ICC system is designed Category I (Class 1E) with redundant trains (train A and train B). Each train contains stand-e processing electronics and displays, which monitor and alarm ICC as shown in Figure 7.5-ICCMS CET channel assignments are shown on Figure 7.5-4. The core exit thermocouples m each train are distributed such that all four quadrants of the reactor core can be monitored ng and after an accident following loss of a single train. Data received from both channels of MS are combined and displayed on the non-Class 1E plant process computer (PPC).

perature or pressure. The calculations are based upon the most conservative input temperature pressures.

e: Temperatures are input from the CETs, Unheated Thermocouples (UHTCs), and RCS hot and cold leg RTDs.

Ts, HJTCs, and UHTCs are provided with required reference junction temperature mocouple compensation. All CETs, HJTCs, and UHTCs can be displayed on a touchscreen phic local display unit and the PPC.

RVLM module monitors coolant inventory in the region above the core. Redundant strings of Cs are arranged in the reactor vessel head area to provide indication of conditions at eight rete levels. The system is a two-channel system each consisting of a string of eight sensors.

detector assembly is illustrated in Figure 7.5-6.

primary means of displaying the ICC information is provided via the non-Class 1E plant cess computer (PPC). The PPC receives ICC data transmitted via optical isolation provided by ICCMS.

ICCMS local display provides backup IE display of ICC information. Each ICCMS cabinet in A and B), which is located adjacent to the Control Room, has a qualified class 1E hscreen graphic display that provides the following ICC information.

1. Subcooled/superheat in °F (300°F subcooling to 45°F superheat).*
2. CETs (200°F to 2300°F).
3. Percentage level (0 to 100%) in the vessel above the core.
  • Minimum displayed range s ICC information is provided on the local ICCMS displays by means of display pages which selected via touchscreen. The hierarchy of the display pages is shown in Figure 7.5-9.

rms are provided on main control boards from the ICC cabinets. There are four alarms:

uration Trouble alarm, CET High alarm, Reactor Level Low alarm, and ICCMS Trouble

m. Alarm status touchscreen buttons also are provided on all ICCMS display pages.

4.4.1 Inadequate Core Cooling System Software objective of the ICC monitor is to provide the operator with a simple indication of core ling conditions. This objective is achieved by monitoring a number of reactor system meters, performing certain calculations using these parameters in a digital computer, and

ut Variables measured quantities used as input variables for the ICC monitor are RCS pressure, RCS hot cold leg temperatures, CETs, HJTCs and UHTCs.

culations umber of different calculations are performed using the input variables to generate output rmation for the operator's use. These calculations are characterized below:

1. All input values are converted to engineering units; °F for temperatures and psia for pressures. All engineering unit values are checked for sensor range limits and quality tags assigned before being used in calculations. CET, HJTC, and UHTC thermocouple processing, including reference junction temperature compensation, is also performed.
2. The HJTC Processing module calculates reactor vessel level based on eight incremental sensor pair locations, with each pair having heated and unheated thermocouples. A Reactor Level Low alarm will be generated if the calculated level exceeds the setpoint. HJTC heater control also is performed. Power to each of the eight heaters is individually controlled (on/off).

The calculation includes provisions for the bypass of failed sensors and substitution of available, valid sensors for determining reactor level.

3. The CET processing module validates CET inputs used in the calculations and calculates the highest and second highest CET temperature (each quadrant and overall) from the validated set. This information is displayed on the applicable pages and is used in the Saturation Margin module. A CET High alarm is generated if the second highest (overall) CET temperature exceeds the setpoint.
4. The saturation margin module performs a number of calculations using all available, valid temperature and pressure inputs. The saturation temperature is calculated and then four temperature saturation margins are calculated. A saturation pressure margin is then calculated, and a Saturation Trouble alarm is generated if the saturation temperature margin exceeds the specified margin setpoint. (Adapted versions of the subroutines built by McClintock and Silverstri for the American Society of Mechanical Engineers (ASME) steam table are used for saturation calculations.)
5. Other calculations are performed which support various maintenance, diagnostic and test features of the ICCMS.

ICC monitor, once the initial startup is accomplished, is self sustaining. All program rations, from input through calculations to output, including periodic testing, are performed uentially. Analog input points may be bypassed via touchscreen on the Signal and HJTC lay pages, provided the Test Mode/Bypass keyswitch is enabled.

tem Diagnostics online diagnostic function performs mathematical and Boolean logic checks and monitors the MS application tasks for proper execution sequence. Resulting errors are logged, and a warm art and ICCMS Trouble alarm will result if these checks fail.

er on-line diagnostics include Input Processing range and quality checks, Plant Process puter and Remote Terminal data link health, cabinet temperature monitoring and Uniform perature Reference monitoring. Errors of this type are logged to the System Errors page, and CCMS Trouble alarm initiated. Cabinet temperature and reference temperature monitoring is ormed as apart of the normal scan/alarm processing of the ICCMS.

tem and Handler Software ased software performs the necessary ICC functions of data validation and conversion, ction of limiting pressures and temperatures, calculation of temperature and pressure margins, ntaining tabular and formatted data files, maintaining tabular and formatted system status s, and controlling communications.

tem software is based on a real time, multitasking operating system. Applications gramming uses the C language and utilities.

applications program has two major divisions: one handling process calculations and the r handling input/output operations. Refer to Figure 7.5-8 for the following:

a Acquisition a acquisition is performed by the Input Processing module. It provides the data validation cess. The data is checked for bypassed, open, shorted, or out of range conditions. A different r code is stored in an array for each input depending upon the error. The data then is converted ngineering units according to standard temperature (or pressure) conversions.

cess Calculations process calculations include CET, HJTC, HJTC Heater Control, and Saturation Margin dules.

mmunications

ta is broadcast (one way) to the PPC via fiber optic modem approximately every 3 seconds.

handshaking, either hardware or software, occurs. This eliminates the potential for cceptable interaction between the 1E ICCMS and the non-Class 1E PPC. All acquired and ulated data are transmitted.

ICCMS display communicates with the ICCMS processor via a serial connection.

mmunication is two way; i.e., both the ICCMS processor and display send and receive data ractively. The display and processor are both class 1E.

maintenance diagnostic terminal serial connection also is provided. Specific file data are vided in response to a specific file request by a requesting terminal. The terminal is connected y during maintenance.

5 PLANT COMPUTER SYSTEM 5.1 Summary Description The plant computer is an online digital computer designed to perform a variety of data acquisition and information processing output functions. The computer presents information to the plant operational and technical personnel on printers, main control board color monitors, man-machine interface workstations, and recorders.

h. In fulfilling the overall data acquisition requirements of the computer, selected process instrumentation inputs are used.
i. In addition to the output of operational and technical information, the computer operates digital output latched contacts, some of which are used for control and supervision of CEAs.

5.2 Functional Objectives objectives of the plant computer system are as follows:

a. To assist the plant operational and technical personnel in monitoring the performance and operation of the plant equipment;
b. To provide for the acquisition and logging of process data which are available during unusual plant conditions;
c. To monitor all CEA movements and to control CEA group sequencing in the automatic and manual sequential modes and display CEA position;
e. To assist plant personnel in performing certain periodic surveillance tests;
f. To relieve the plant operational personnel of routine plant logging functions.

5.3 System Description major equipment associated with the plant computer system is located in the computer room.

s equipment consists of:

a. Processors, in a redundant host configuration.
b. Disk drive cabinets (Storage Area Network (SAN)).
c. Cabinets for process input/output interface equipment, consisting of digital input, digital output, analog input and analog output cards.
d. Cabinets for peripheral and communication equipment.
e. Network hubs for connections between the processor, MMI workstations, printers and digital plant equipment.

ipment is also available in the computer room for specific reactor engineering and plant ormance applications. This equipment includes MMI workstations and printers. A Data Diode ts between the Millstone Unit Number 2 PPC network and Millstone Site Data Network DN) which isolates traffic and provides access to PPC data on the MSDN.

put information from the computer is displayed in the main control room for use by the plant rating personnel. The central section of the main control board is designed to provide the rator with overall surveillance of all computer initiated data displays. Two two-channel rders and three color monitors are provided on the vertical panels of this section.

inimum of four MMI workstations are located in the Main Control Room and serve as the

/machine interface for the plant operators. These workstations provide the plant operators h access to numerous computer system data display functions.

dcopy printout capability is provided in the Main Control Room, readily accessible to plant rators. Print output is provided to more than one printer such that the capability to produce ortant reports is not lost if a single printer fails. Most reports can also be directed to the uesting workstation for local file viewing in lieu of printed output. Simulated printer output is available at control room workstations for alarm messages.

power to operate the computer equipment is normally supplied by a 75 kVA three phase erter. The inverter is normally supplied by a 480 volt station service AC power source through

ery, which has a 90 minute computer full load capacity, is separate from the station service eries and is used only to supply the computer system loads. A second station service 480-120/

Y regulated supply provides for computer system loads during periods of inverter, battery rger or rectifier maintenance.

5.4 Functional Description ctional objectives of the computer system are accomplished automatically, via computer gramming and, on demand, via request through MMI workstations. Four basic types of ctions are possible via the MMI workstations:

a. Printout request functions
b. Trend-display control functions
c. Data entry functions
d. Special operation functions tout requests enable the plant operator to demand a variety of printed logs such as a core map ET temperatures, a post-trip review log, or a sequence of events log. Trend display control ctions give the plant operator the ability to select and control the inputs to the recorders, and I workstations. Preset groupings of analog inputs or calculated values may be trended at rval multiples of one second using real-time data. Data entry functions give the operator the ity to modify stored data such as constants or assign temporary process alarm limit setpoints.

mputer functions which are performed automatically are as follows:

a. Analog and digital scanning
b. Sequence of events status checking and message logging
c. Alarming process out of limits and alarm message logging
d. Analog input averaging and engineering unit conversion
e. Selected nuclear and plant performance calculations
f. Video alarm message display
g. Video point display
h. CEA position pulse counting
j. Pre-post-trip review logging
k. Hourly plant data logging
l. Process variable pulse counting
m. CEA procedural limit alarming
n. CEA sequencing supervision
o. Hourly excore detector readout data logging
p. Daily excore detector readout data logging
q. Daily reactor coolant system (RCS) leakage data logging
r. Daily pump/fan motor run times
s. Updating incore correction factors
t. Incore detector reasonability checks
u. SPDS Screen (Section 7.5.5.5) following functions are automatic and are initiated by operator or reactor engineer MMI kstation requests.
a. Process value digital video display
b. Recorder trending
c. Archive recording
d. Certain periodic surveillance test logging foreground/background capability of the redundant processor pair will permit the use of the computers for online modification and/or addition of programs. This will increase system ilability by greatly reducing the need to take the computer out of service for program ntenance.

S mid-loop level hot leg number 1 (L-112) and hot leg number 2 (L-122) are displayed on the cess computer.

Millstone 2 Safety Parameter Display System (SPDS) is a computer based system that serves n aid to the operating crew during normal and emergency operating conditions. The SPDS gn addresses the guidelines of Supplement 1 to NUREG-0737, Requirements for Emergency ponse Capability and is based on the Emergency Operating Procedure (EOP) Safety Function us Checks (SFSCs). It is not a Category 1 system and is not a replacement or substitute for ty instrumentation.

primary purpose of the SPDS is to help the operating crew monitor the safety status of the

t. It does this by providing a concentrated and organized source of plant data that allows the s to compare existing plant conditions with the safety function limits listed in the EOPs to rmine if the limits are violated. The safety functions monitored by the SFSCs include ctivity Control, Vital Auxiliaries, Reactor Coolant System (RCS) Inventory Control, RCS ssure Control, Core Heat Removal, RCS Heat Removal, Containment Isolation, and tainment Temperature and Pressure Control. The SPDS performs signal validation on undant sensor data and displays quality tags for sensor data and calculated values.

SPDS displays are divided into three-tier hierarchies that readily support the evaluation of the Cs. The three-tier hierarchies consist of a single Overview Display (top level), one or more lays for each safety function (mid-level), and one or more sensor data displays for each safety ction display (data level). In addition to the hierarchical displays, displays of trends and graphs support the evaluation of the safety status of the plant are accessible from menus and/or mand buttons.

dedicated display terminal in the control room is designated to continuously display the rview display of critical plant variables. The SPDS Overview provides a continuous concise lay of the critical plant parameters and the parameter values are color coded. It has EOP cific acceptance criteria on the parameters to alert the operators that a safety function may not met. The parameter values change color and blink when they exceed the EOP acceptance eria. Selection of specific EOP zzcan be achieved manually by authorized operators and oints for each safety function parameters will automatically change according to the selected P. Colored boxes at the bottom of the display will indicate EOP Critical Safety Function (CSF) us, (green - limits not exceeded, red - limits exceeded) for specific EOP selected (with the eption being EOP 2525). Upon a reactor trip, the Overview is automatically displayed with P 2525s, Standard Post Trip Action, setpoints.

S displays can be accessed through the sites computer network at various locations.

sonnel outside of the control room cannot influence the analysis performed by the SPDS, that hey cannot enter manual inputs, change setpoints, or change the EOP/mode that has been cted from within the control room.

6.1 Area Radiation Monitoring System 6.1.1 Design Bases 6.1.1.1 Functional Requirements basic purpose of the area radiation monitoring equipment is to provide information for the ection of plant personnel from radiation.

6.1.1.2 Design Criteria area radiation monitors are sensitive to gamma radiation. Audible radiation alarm signals are ated on the main control board and at the detector location whenever an abnormal increase in ation levels occur. Exception: The Containment High Range Radiation Monitors, RM-8240 8241, do not have audible alarms at the detector locations. The alarm setpoint for each area ation monitor is variable and is set at a level sufficiently above the normal ambient kground radiation level in the respective area to avoid spurious alarming. Table 7.5-4 shows range, for each area monitor.

a minimum, the area radiation monitors have a dynamic range of at least one decade above the mal expected level.

6.1.2 System Description 6.1.2.1 Location a radiation monitors are located as follows:

a. Containment personnel access hatch (elevation 38 feet, six inches)
b. Containment refueling machine service platform (elevation 38 feet, six inches)
c. Auxiliary building drumming and decontamination area (elevation 14 feet, six inches)
d. Control room (elevation 38 feet, six inches)
e. Auxiliary building - charging pump area (elevation 25 feet, six inches)
f. Sampling room - auxiliary building (elevation (+) 14 feet, six inches)
g. Radioactive waste processing area (elevation (-) 25 feet, six inches)
h. Radioactive waste processing area (elevation (-) 45 feet, six inches) (2)
j. Containment high range (elevation 14 feet, six inches) (2) 6.1.2.2 Components h area radiation monitoring system consists of a gamma sensitive detector located in the area e monitored. Most also consist of a local indicator/alarm module, located in or adjacent to the being monitored (except the containment high range) and a remote readout module in the trol room.

6.1.3 System Operation a radiation monitors are calibrated on a periodic basis.

ibration of the area radiation monitor is accomplished by placing the detector assembly in a oducible, fixed geometry configuration and exposing the detector to a calibrated radioactive rce.

er for the area radiation monitoring system is provided by either the 120 volt regulated or the l AC distribution system.

loss of power/channel failure and/or high radiation is monitored for each area radiation nitoring channel, with common annunciation in the control room.

nnel performance and test is available to the operator. An electronic signal is used to verify performance of the control readout instrumentation.

rm settings are normally based on desired level above background.

o containment high-range area radiation monitors are located in the containment on the outside he biological shield wall in the vicinity of the electrical penetration area, elevation 14 feet, six es. Each monitor has a range sufficiently wide to indicate activity levels following a serious dent. Each monitor is qualified to withstand the elevated temperatures and pressures and mical spray associated with the LOCA or SLBA. Both monitors provide continuous indication both channels provide signals for recording. Local indication and alarm functions are not uded for these monitors.

he event of high containment radiation, the high range monitors will actuate the automatic ure of the containment hydrogen purge isolation valves.

r area monitors in the Spent Fuel Pool area furnish a -5 to -1 volt output signal to the ineered safeguards system to initiate operation of the auxiliary exhaust actuation system AS).

a radiation monitoring equipment is designed for continuous operation during the 40 year life he plant. High quality, commercial grade components are used throughout the system.

vicing of the electrical system is simplified by the use of plug-in components.

6.2 Liquid Radiation Monitoring System 6.2.1 Design Bases 6.2.1.1 Functional Requirement uid radiation monitors are used with alarms and indicators to give warning of abnormal oactivity in process piping and to prevent releases in excess of allowable limits.

onjunction with control circuit components, liquid radiation monitors initiate valve action to the release of liquid waste, upon detection of high radioactivity.

6.2.1.2 Design Criteria uid radiation monitors are designed to detect radioactivity in process lines.

uid radiation monitors are also designed to detect radioactivity in liquids prior to their release he environment. In conjunction with control circuit components, selected radiation monitors ate closure of valves to prevent the release of radioactivity to uncontrolled areas in excess of wable limits.

6.2.2 System Description 6.2.2.1 Systems uid radiation monitor systems are provided for the following:

a. Steam generator blowdown sample
b. Reactor building closed cooling water (RBCCW)
c. Clean liquid waste discharge
d. Aerated liquid waste discharge
e. Condensate recovery tank
f. Deleted
g. Condensate polishing facility - waste neutralization sump discharge

components used for each liquid monitor are as follows:

1. A liquid sample chamber.
2. A gamma sensitive scintillation detector positioned on the outside surface of the sample chamber.
3. Lead shielding for the sample chamber and detector to reduce the effect of background sources of radioactivity.
4. Local indication with audio and visual alarm.
5. Control room indication and alarm for the monitors. (Control room alarm annunciator only for condensate polishing facility-waste neutralization sump discharge monitor.)
6. Recorders for continuous records.

6.2.2.2.1 Steam-Generator Blowdown Sample Monitor steam-generator blowdown sample monitor supplies high radiation/instrument failure signal he control logic to initiate closure of: blowdown line isolation valves from steam generators 1 2, blowdown quench tank discharge valve, blowdown tank discharge valve, and steam erators 1 and 2 sample valves. It serves as the final effluent monitor for liquid blowdown ases. It may provide indication of gross primary to secondary leakage.

6.2.2.2.2 Reactor Building Closed Cooling Water Monitor RBCCW system continuously circulates water in a closed loop which could become oactive in the event of inleakage from the components handling radioactive materials. The harge from the RBCCW pump is continuously monitored for high radioactivity. High activity nstrument failure is alarmed.

6.2.2.2.3 Clean Liquid Waste Discharge Monitor s monitor is provided to measure radioactivity in clean liquid waste being discharged to the ulating water. It is a final effluent monitor. High radioactivity, low sample flow, or instrument ure will initiate closure of valves in the discharge line and will actuate alarms.

6.2.2.2.4 Aerated Liquid Waste Discharge Monitor s monitor measures the radioactivity in the aerated waste discharge line. It is a final effluent nitor. High radioactivity, low sample flow, or instrument failure will initiate closure of valves he discharge line and actuate alarms.

s monitor looks for the presence of radioactivity in the auxiliary condensate system by nitoring the discharge from the condensate recovery tank. On a high radiation or instrument ure alarm it will automatically terminate flow from the condensate recovery tank.

6.2.2.2.6 Failed Fuel Monitor eted 6.2.2.2.7 Condensate Polishing Facility - Waste Neutralization Sump Discharge s monitor measures the radioactivity in the effluent from the Condensate Polishing Facility -

ste Neutralization Sump. It is a final effluent monitor. High or low flow is alarmed. It matically isolates discharge upon a high radiation or instrument failure alarm.

6.2.3 System Operation uid radiation monitors will be checked and calibrated on a periodic schedule using radioactive rces.

6.2.4 Availability and Reliability uid radiation monitoring equipment is designed for operation over long periods with minimum ervice. Spare sample chambers are available to replace contaminated chambers.

h-quality, commercial-grade components are used throughout the system. Servicing of the trical system is simplified by the use of plug-in components.

6.3 Airborne and Steam Radioactivity Monitoring 6.3.1 Design Basis 6.3.1.1 Functional Requirements airborne (including steam) radioactivity monitoring system is provided to detect and measure levels of airborne radioactivity at various locations, both within the plant and in plant uents, to satisfy the requirements of 10 CFR, Part 20 including Sections 1301 and 1302 and endix B, Table 2, and Part 50, including the general design criteria (GDC) of Appendix A.

system will indicate the plant areas in which increases in radioactivity have occurred so that cause can be determined and corrected to ensure on site and off site safety during all plant rations.

rumentation is also included to provide a record of the level of radioactivity for the points nitored. (Except Control Room Inlet Monitors)

criteria which determines the type of airborne radiation monitoring equipment selected for h application is as follows:

1. The nature of the radioactive release.
2. The sensitivity and range requirements to monitor normal operating or potential accident radioactive levels.
3. The response requirements to alert and warn personnel of the radioactive hazard so that protective measures may be taken.

6.3.2 System Description 6.3.2.1 System location and types of radiation monitors provided are listed in Tables 7.5-6 and 7.5-6A and cribed below.

6.3.2.1.1 Unit 2 Stack Gaseous and Particulate Monitoring presentative sample is continuously extracted from the Unit 2 stack by one of three isokinetic zles. Selection of sample nozzle is automatic, depending on the stack flow rate, as determined he number of fans in operation.

air extracted from the stack is directed through an off line particulate and gaseous monitoring ems with particulate and iodine grab samples for laboratory analysis.

eta scintillation detector placed in the gaseous sample chamber detects and measures the oactivity present in the sample volume passing through the chamber. A beta scintillation ctor measures the radioactivity of the particulate filter.

econd monitoring assembly located at elevation 31 feet, six inches in the switchgear room in turbine building is designed to measure high range post-accident gaseous releases.

itionally, this equipment will sample for particulates and iodine. A required sample flow is d to minimize particulate and iodine buildup. This flow is monitored in a gas sample chamber g two geiger-mueller detectors. Three separate particulate/iodine assemblies are monitored by iger-mueller detector for personnel protection and to ensure capability of laboratory counting.

cartridge assemblies sample in a sequential manner such that when one collects the maximum unt of radioactivity specified, the flow path is then switched to the second cartridge assembly.

cartridge assemblies are removed for laboratory analysis.

high range effluent monitor has both local and remote (control room) indication and control.

corder in the control room continuously records high range effluent radiation levels.

ation of the high range release.

6.3.2.1.2 Containment Gaseous and Particulate Monitoring o redundant off line Seismic Class I particulate and gaseous monitoring and halogen sampling ems are used to monitor the containment atmosphere by extracting representative samples tinuously from the containment atmosphere. Each redundant system consists of a particulate ctor and a gaseous detector, which share some common components such as power supplies microprocessors. The sample first passes through a fixed particulate filter, then passes ugh an iodine filter cartridge and then into a gas chamber before being exhausted back into containment atmosphere. The iodine cartridge is removable for periodic laboratory analysis.

redundant detection systems provide inputs to ESFAS from a total of four detectors, two iculate and two gaseous. High radiation and instrument failure alarm signals from any one of four detectors will cause the ESFAS to initiate the containment purge isolation.

containment isolation actuation signal (CIAS) closes the containment isolation valves for the pling system, trips the sample fan and also closes local sample line isolation valves at each tainment gaseous and particulate radiation monitor. The closed monitor sample line isolation es prevent elevated pressure associated with occurrence of a LOCA or SLBA from affecting containment gaseous and particulate radiation monitors once the containment isolation valves reopened. Reopening the containment isolation valves under this condition will permit post-dent monitoring using the hydrogen analyzer and PASS which share the same sample lines h the containment gaseous and particulate radiation monitors.

er post-accident conditions with the containment isolation valves reopened, the radiation nitor sample line piping system extending beyond the outermost containment isolation valve to including the local monitor sample line isolation valves are considered part of an extended tainment pressure boundary. The ANSI B31.1 (1967) piping system and associated valves ch comprise this section of monitor sample line system are subject to testing and surveillance uirements typically applicable to ANSI B31.7 (1969) Class 2 piping systems and valve ponents. The local monitor sample line isolation valves do not provide a containment ation function.

6.3.2.1.3 Radioactive Waste Ventilation Monitor radioactive waste airborne radioactivity monitoring system consists of four radiation nitors, each capable of continuously monitoring airborne radioactive particulates. One of the r also monitors for gaseous activity. In addition, each monitor contains a replaceable charcoal ridge mounted in series and downstream of the particulate filter. The charcoal cartridge may emoved periodically for laboratory analysis of iodine activity.

combined exhaust from the radioactive waste areas will be vented to the Unit Number 2 stack will be monitored by the stack monitoring system (See Section 7.5.6.3.2.1.1).

condenser air ejector system extracts the non-condensable gases from the condenser and austs to the Millstone stack. The presence of radioactivity in this line would indicate a ary-to-secondary tube leak in the steam generators. An adjacent-to-line gaseous monitoring em is provided to continuously monitor the air ejector vent line for the presence of oactivity in the non-condensable gases. A high radiation or instrument failure alarm on this nitor will automatically isolate steam generator blowdown and effluents. This monitor may provide indication of gross primary to secondary leakage and serves as a backup to the steam erator blowdown sample monitor.

6.3.2.1.5 Control Room Ventilation Gaseous Monitor xed, GM, gaseous monitor is provided to continually monitor the control room atmosphere.

6.3.2.1.6 Filtered Waste Gas Monitor en waste gases are to be released, the allowable radioactivity level of the release is established.

off line gaseous monitor is provided to monitor and record the radioactivity level of these ases. Should releases exceed the established level, the monitor will provide an alarm in the trol room and initiate closure of valves (instrument failure alarm will also initiate valve ure) in the filtered waste gas discharge line.

6.3.2.1.7 Fuel Handling Exhaust Air Gaseous and Particulate Monitor off line airborne particulate and gaseous monitoring system is used to monitor the spent fuel l ventilation exhaust air system.

particulate and gaseous channels are monitored continuously. The monitor provides a rcoal sample for laboratory analysis of the iodine content.

6.3.2.1.8 Main Steam Line Monitors ee monitors are provided to measure potential releases from the main steam lines following a m generator tube rupture. These monitors each include an ion chamber mounted roximately twelve inches from the steam lines (one on each main steam line and one on an ospheric dump line).

ote equipment in the control room includes a six decade meter for each monitor, a multi nnel recorder, alarm lamps for each monitor at the control room auxiliary cabinet, and a mon alarm window at the main control board, which indicates equipment failure and high oactivity.

two unshielded gamma scintillation detectors, one mounted on each main steam line near the tainment penetrations, measure N-16 activity in the main steam lines. A common radiation nitor provides main control board annunciation for N-16 equipment failure. The common

lays, and provides main control board annunciation based on high leak rate. This monitoring em is Non-QA, and is designed to support Millstones Primary to Secondary leak rate ction and monitoring program.

6.3.2.1.9 Control Room Inlet Monitors o redundant GM tubes are located on the inlet duct of the control room outside air supply. A h radiation or instrument failure alarm on either monitor will isolate normal control room tilation and initiate use of the filtered recirculation system.

6.3.2.2 Components en applicable, the various components used in the systems are as follows:

1. Isokinetic nozzles, designed in accordance with American National Standards Institute (ANSI) 13.1-1969, are used for extracting samples from process streams to assure representative sampling of particulates.
2. Sample chambers are fabricated of stainless steel to prevent corrosion and polished to reduce absorption (plate out) of radioactive materials.
3. The sample chambers and detection assemblies utilize lead shielding to prevent background radiation levels from affecting instrument sensitivity.
4. A radioactive check source, controlled from the readout module in the control room, provides a convenient operational check.
5. Readout instrumentation consists of log count ratemeters with wide range (five decade) capability. A failure alarm is provided to indicate loss of signal or power and an alarm is provided for high radiation level. On certain monitors an alert alarm is also provided.
6. Indication with visual and audible alarms are provided locally and on the radiation monitoring panel in the control room.
7. Multi channel recorders are used to record particulate and gaseous radiation levels continuously.

6.3.3 System Operation uld the level of radioactivity exceed the alarm setpoint, an audible/visual alarm will be nded at the local monitor, with the exception of the containment air radiation monitors which e no local alarm facility. In addition a visible and audible alarm will be annunciated on the

gaseous and particulate monitors will be calibrated by using calibrated sources placed in a d geometry.

ministrative procedures established for the operators will ensure that releases will be kept to as as practicable as specified in 10 CFR Part 50.34a and that releases will be less than the limits blished by 10 CFR, Part 20 Sections 1301 and 1302 and Appendix B, Table 2.

he event an audible alarm is sounded by an airborne radiation monitor, the operator will take ropriate action in accordance with plant procedures.

6.3.4 Availability and Reliability eous and particulate monitoring equipment is designed for operation over long periods with a imum of maintenance. The sampling pumps are designed to be cleaned by a simple flushing ration. Filter replacement is a simple operation and the stainless steel sample chamber can be ly decontaminated by air purging and/or chemical flushing.

h-quality commercial-grade components are used throughout the system. Servicing of the trical system is simplified by use of plug-in components.

radiation monitoring panel was seismically qualified as documented in the report, Technical a Report, TDR-4174, Seismic Testing of Millstone Point Unit 2 Radiation Monitoring rumentation dated April 1, 1974.

7 LOOSE PARTS MONITORING 7.1 Design Bases 7.1.1 Functional Requirements Loose Part Monitor (LPM) is designed to provide an indication of free and loose parts within reactor coolant system (RCS). The LPM monitors the outputs of eight accelerometers: four on reactor vessel and two on each of the steam generators. Metal-to-metal impacting within the S causes high-frequency, exponentially-decaying vibrations on the RCS shell which are cted and recorded by the LPM. The LPM provides an alarm in the control room to alert the rator so that further analysis and possible action can be undertaken.

7.2 Design Criteria LPM provides the means for detecting and evaluating metallic loose parts through analysis of sient acoustic signals produced by loose part impacts.

LPM monitors the outputs of eight accelerometers:

b. Two on the upper reactor head.
c. Two on the inlet side of the channel head (one above and one below the tubesheet) of steam generator 1.
d. Two on the inlet side of the channel head (one above and one below the tubesheet) of steam generator 2.

detection and recording circuitry are designed to capture impact data automatically with a imum of operator intervention required.

LPM is adjusted to achieve the maximum sensitivity commensurate with an acceptably low l of false alarms.

7.3 System Description detectors are accelerometers selected for operation in environments of high temperature and h radiation. Two types of cables are used in containment. Near the accelerometers, in areas of h temperature, mineral insulated, stainless steel jacketed cables are used. Beyond this, and to containment penetrations, double insulated, twisted, low noise cables are used. The tainment penetrations are low noise, coaxial type. Junction boxes are provided both inside and ide containment for ease of calibration and testing.

side the containment, eight differential charge amplifiers convert the output of each elerometer to a proportional voltage signal which is routed to the control room electronics.

control room electronics consists of signal conditioners, waveform recorders, an IBM-AT patible computer (in an industrial package), real time displays and indicators, and interface uits. Three cathode-ray tubes, digital voltmeters and light emitting diodes are provided for nitoring the status of the incoming signals. A floppy disc is used for the storage of impact data.

io amplifiers and a headset permit the operator to monitor the sounds from each of the eight ctors.

7.4 System Operation ing normal operation, the LPM is in the standby mode, ready to detect and capture impact data m a loose part.

en an incoming signal(s) exceeds the preset trigger level, the trigger circuit commands the eform recorders to collect the impact data and commands the computer to transfer the rded data to memory and to the on-board floppy disc. The waveform recorders maintain a 10 isecond pre-trigger buffer and can capture pre-trigger, as well as post-trigger data. The alarm uit notifies the operators that an event occurred, and the operators remove the floppy disc taining the captured data for further analysis and possible action.

he event a loose part monitor alarm (annunciator) is sounded, the operator will check the LPM inet to verify the alarm. If the alarm can be attributed to valve testing, CEA movement or other wn transient, the operator will reset the alarms and verify that they do not return immediately.

operator will then monitor all previously alarmed channels, using the headset, to verify that nusual sounds are present. If the above conditions are met, the operator will:

1. Remove the LPM DATA AQ DISK from the A drive.
2. Insert a new (unrecorded) NU LPM DATA AQ DISK.
3. Arm the LPM for monitoring by momentarily toggling the POWER switch to either the RESET or OFF position.
4. Transmit the recorded disk to the engineering department for disposition.

action will be considered complete after engineering department has been informed.

e alarm(s) cannot be attributed to known plant transient conditions, the operator will retrieve floppy disc containing the captured data and will insert a new floppy disc. The floppy disc will dentified and forwarded to engineering department for evaluation. The alarms will then be t, if possible. If the alarms reset, with no further alarms or unusual audible sounds, the rator's action is complete. If the alarms do not reset or if there are unusual audible sounds ent, the operator will contact plant management for resolution.

ed on an evaluation of the nature of the loose part data, engineering department will mmend the appropriate action to protect the nuclear steam supply system.

7.6 Availability and Reliability components are conservatively rated for long life in this application. Accelerometers and eral insulated cables are designed for the high radiation and high temperature environment to ch they are exposed. Two installed spare accelerometers and cabling are provided for the er reactor vessel to reduce future radiation exposure and speed repair in the event of a detector ure.

active components are located outside the containment for ease of accessibility during plant ration. Ready access to all electronic components, channel-to-channel parts interchangeability, availability of a full complement of spare parts will result in high system availability during t operation.

9 SECONDARY SIDE SAFETY RELIEF VALVE POSITION INDICATION Safety Relief Valve (SRV) position indication instrumentation complies with the uirements of Regulatory Guide 1.97, Rev. 2, D-18 variable.

SRV instruments are designed to aid the operating crew in monitoring the status of the SRVs ng normal and accident conditions.

sensor/electronics which are located in a harsh environment comply with the Equipment ironment Qualification (EEQ) requirements of the Regulatory Guide 1.97 and are, therefore, ted as QA Category 1, Components.

instrumentation provides signals to the Main Control Board annunciator and the plant puter to indicate when the SRVs are closed/not closed.

10 REACTOR COOLANT PUMP VIBRATION MONITORING SYSTEM 10.1 Design Basis 10.1.1 Functional Requirements reactor coolant pump (RCP) vibration monitoring system provides the capability to tinuously monitor each RCP. The system has an alarm that is triggered if high vibration is cted. The system records vibration and shaft rotation data periodically and when an alarm is gered.

10.2 Design Criteria RCP vibration monitoring system monitors the RCP pump, shaft and motor casing.

nsducers are selected for vibration characteristics, ability to withstand the containment ironment and maintainability.

tem components are located outside of containment in normally accessible locations when uired or feasible.

10.3 System Description tor vibration is monitored by two velomitor probes mounted near the upper motor bearing, apart, that sense motor casing radial vibration.

ximity probes monitor the RCP shaft. Two probes, mounted 90 degrees apart, sense shaft al vibration. A third probe monitors shaft speed and provides a reference for vibration phase.

probes are mounted above the pump seal housing.

als outside of containment to the RCP vibration monitoring system instrument rack, located in west penetration room. Once in the instrument rack, the signals are digitized and transmitted he RCP vibration monitoring system computer terminal. If high vibration is sensed, an alarm is to the main control board annunciator.

10.4 System Operation ing normal operation the instruments are continuously monitored and periodically recorded.

en high vibration is detected, monitor alarm contacts actuate an alarm on the main board.

knowledge and Silence options are available at the main board for the alarm. The alarm is red via the plant process computer.

10.5 Emergency Operation operating procedure provides instructions for operator response if an alarm is triggered.

10.6 Availability and Reliability mponents were selected and located for long term operability and maintainability. In addition, active electronic components are readily accessible in the west penetration room. Spare parts readily available for system components.

Reactor Coolant System (see Figure 4.1-1)

Protective Control Component Function

  • Function
  • Indicated Recorded Alarmed actor coolant loops Flow X X L Temperature (hot leg) X X X X H Temperature (cold leg) X X X X H S mid-loop level L ssurizer Pressure X X X X H, L, LL Level X X X H, L, LL Temperature Water X Surge Line X L Spray Line X L Relief / Safety X H Discharge X H Steam X ench tank Pressure X H Level X H, L Temperature X H otective sensors and channels are independent of control sensors and channels.

Engineered Safeguards and Containment (see Figure 6.1-1)

Component Indicated Recorded Alarmed w-pressure safety injection Pressure X Flow X Temperature X gh-pressure safety injection Pressure X H Flow X fety injection tanks Pressure X H,L Level X H,L ntainment spray header Pressure Flow X Temperature X Protective Control Component Function

  • Function
  • Indicated Recorded Alarmed fueling water storage tank Level X X H, L Temperature X X H, L ntainment pressure X X H, HH ntainment temperature X H **

ntainment radiation X X X H otective sensors and channels are independent of control sensors and channels.

Plant computer alarm only.

Chemical and Volume Control System (see Figure 9.2-2)

Control Components Function Indicated Recorded Alarmed tdown line Pressure X X H, L Flow X H mperature X X H lume control tank Pressure X H, L Level X X H, L, LL Temperature X H arging line Pressure X Flow X L Temperature X ric acid batching tank Temperature X X ric acid tanks Level X H, L, LL Temperature X X H, L ric acid charging lines Pressure X Flow X X X H, L scellaneous Filter/strainer D/P X Ion exchanger D/P X

Sampling System (see Figure 9.6-1 and 9.6-2)

Components Indicated mpling lines ssure X w X mperature X Spent Fuel Pool Cooling and Purification System (see Figure 9.5-1)

Component Indicated Recorded Alarmed el pool Level X1 H, L Temperature X H at exchanger flow path Pressure X Temperature H Flow X L rification flow path Pressure X Flow X Filter D/P X H Ion exchanger D/P X H Ion exchanger strainer D/P X H otes: 1. Continuous Nonsafety augmented quality wide range level indication is provided remotely in the Cable Vault and East 480V Switchgear Rooms of the Auxiliary Building.

Shutdown Cooling System (see Figure 9.3-1)

Control Components Function Indicated Recorded Alarmed utdown heat exchangers Temperature (out) X scharge lines Pressure X Flow X X Temperature X X turn lines Temperature X Makeup water flow X X X H, L Reactor coolant pump controlled X H, HH bleedoff pressure

Steam and Feedwater System (see Figure 10.3-1 and 10.4-2)

Protective Control Component Function

  • Function
  • Indicated Recorded Alarmed am generator Level (N.R.) X X X X H, L, HH Feedwater inlet temperature X Feedwater flow X X Steam flow X X Outlet Pressure X X X X L Level (W.R.) X ndenser Hot well level X X X H, L Absolute pressure Narrow range X H Wide range X X Conductivity X X H, HH rbine Throttle steam pressure X X First stage pressure X X edwater heaters level X X H, L am generator feedwater pumps Suction pressure X L Discharge pressure X X H Speed X ndensate pumps discharge X X ssure ndensate pump discharge X X al flow xiliary feedwater pumps Discharge pressure X edwater regulator

Steam and Feedwater System (see Figure 10.3-1 and 10.4-2)

Protective Control Component Function

  • Function
  • Indicated Recorded Alarmed Differential pressure X X xiliary feedwater supply Flow X Valve position X isture separator drain tanks - X H, L vel heater drain tank - Level X X H, L ndensate storage tank - Level X H, L, LL scellaneous Main steam pressure X X X Main steam conductivity X X H Auxiliary steam pressure X Condensate makeup X X conductivity otective sensors and channels are independent of control sensors and channels.

Circulating Water System (see Figure 9.7-1)

Control Components Function Indicated Recorded Alarmed ndenser Inlet temperature X Outlet temperature X rvice Water Pumps Discharge pressure X X L

TABLE 7.5-2 OMITTED INSTRUMENTATION egulatory uide 1.97 PARAMETER & INSTRUMENT ARIABLE INSTRUMENT (LOOP) ID RANGE COMMENTS A-01 Pressurizer Pressure LR: P-103, 103-1 LR: 0-1600 psia HR: P-102A, B HR: 1500-2500 psia A-02 Deleted A-03 RCS Hot Leg Temperature T- 150-750°F 111X, T-121X A-04 Steam Generator Pressure P- 0-1000 psia 1013A, B P-1023A, B A-05 Steam Generator Level L-1113A, B L-1123A, B 0-100% (top of tube bundles to separators)

L-1114A, B L-1124A, B 0-460 inches (20 inches above tube sheet to top of moisture separators)

A-06 Deleted A-07 Deleted AE-8152, 8154 A-08 Refueling Water Storage Tank 4 to 100%

Level L-3001, L-3002 A-09 RCS Cold Leg Temperature T-115 0° - 750°F

& T-125 B-01 Neutron Flux WR-LOG-A, D (DRWR) 10-8 to 200% FP JI-001, JI-004 (MCB) 10-8 to 100% FP B-02 Control Rod Position Full in or not full in B-03 RCS Soluble Boron Concentration None See Note 5

egulatory uide 1.97 PARAMETER & INSTRUMENT ARIABLE INSTRUMENT (LOOP) ID RANGE COMMENTS B-04 RCS Cold Leg Temperature T-115 0°-750°F

& T-125 B-05 RCS Hot Leg Temperature T-111X 150°-750°F

& T-121X B-06 RCS Cold Leg Temperature T-115 0°-750°F

& T-125 B-07A RCS Pressure LR: P-103, 103-1 LR: 0-1600 psia HR: P-102A, B HR: 1500-2500 psia B-07B Pressurizer Pressure (Wide Range) 0-3000 psig P-102B-1 B-08 Core Exit Temperature 21 Sensors 200-2300°F per Channel A, 22 Sensors per Channel B B-09 Coolant Level in Reactor HJTC-A, Top of core to top of B vessel B-10 Degree of Subcooling ICCM Z1 & 200°F Subcooling Z2 to 35°F Superheating B-11A RCS Pressure LR: P-103, 103-1 LR: 0-1600 psia HR: P-102A, B HR: 1500-2500 psia B-11B Pressurizer Pressure (Wide Range) 0-3000 psig P-102B-1 B-12A Containment Sump Water Level 0' to 7' 0 to 565,000 See Note 2 (Wide Range) L-8242, 8243 gallons B-12B Containment Sump Water Level 0-100% See Note 3 (Narrow Range) L-9155 (L-9155A Backup)

B-13 Containment Pressure P-8113, 0-60 psig 8114

egulatory uide 1.97 PARAMETER & INSTRUMENT ARIABLE INSTRUMENT (LOOP) ID RANGE COMMENTS B-14 Containment Isolation Valve Closed-Not closed Position ZS-198, 505, 506, 516, 1060, 1062, 1064, 2525, 4246, 4248, 4250, 4251, 7311, 7312, 7690, 8121, 8122, 8124, 8150, 8151, 8377, 8378, 8379, 8380, 8656, 9015, 9016, 9125, 9126, 9150, 9151, 9230 B-15 Containment Pressure P-8238 & 0-250 psia 8239 C-01 Core Exit Temperature 21 Sensors 200°-2300°F per Channel A, 22 Sensors per Channel B C-02 Radioactivity Concentration or None See Note 5 Radiation Level in Circulating Primary Coolant C-03 Analysis of Primary Coolant None See Note 5 (Gamma Spectrum)

C-04A RCS Pressure Low range: P-103, 103-1 Low range: 0-1600 psia High range: P-102A, B High range: 1500-2500 psia C-04B Pressurizer Pressure (Wide Range) 0-3000 psig P-102B-1 C-05 Containment Pressure P-8238 & 0-250 psia 8239 C-06A Containment Sump Water Level 0 feet to 7 feet, 0 to See Note 2 (Wide Range) L-8242, 8243 565,000 gallons C-06B Containment Sump Water Level 0-100% See Note 3 (Narrow Range) L-9155 (L-9155A Backup)

egulatory uide 1.97 PARAMETER & INSTRUMENT ARIABLE INSTRUMENT (LOOP) ID RANGE COMMENTS C-07 Containment Area Radiation RM- 100 to 108 R/hr 8240 & 8241 C-08 Effluent Radioactivity-Noble Gas 10-6 Ci/cc to 10-2 Effluent from Condenser Air µCi/cc Removal System Exhaust RM-5099, RR-9373 C-09A RCS Pressure Low range: P-103, 103-1 Low range: 0-1600 psia High range: P-102A, B High range: 1500-2500 psia C-09B Pressurizer Pressure (Wide Range) 0-3000 psig P-102B-1 C-10 Containment Hydrogen 0-10%

Concentration AE-8152, 8154 C-11 Containment Pressure P-8238, 0-250 psia 8239 C-12 Containment Effluent See Variable C-14 Radioactivity-Noble Gases from Identified Release Points-see Variable C-14 C-13 Radiation Exposure Rate (inside Deleted in See Note 6 buildings or areas, which are in Regulatory Guide 1.97, direct contact with primary Rev. 3 containment where penetrations and hatches are located) None C-14 Effluent Radioactivity-Noble 1 x 10-7 to 1 x 105 Gases RM-8168 RM-8132B RM- Ci/cc 8169 D-01 RHR System Flow F-306 0-7000 gpm D-02 RHR Heat Exchanger Outlet T- 0-400°F 303X, Y T-351Y

egulatory uide 1.97 PARAMETER & INSTRUMENT ARIABLE INSTRUMENT (LOOP) ID RANGE COMMENTS D-03A Accumulator Tank Level L-311, 0-100%

321, 331, 341 D-03B Accumulator Tank Pressure P-311, 0-250 psig 321, 331, 341 D-04 Accumulator Isolation Valve Closed or open Position Z-614, 624, 634, 644 D-05 Boric Acid Charging Flow F-212 0-140 gpm D-06 Flow in HPSI System F-311, 321, 0-300 gpm 331, 341 (Backup variable: Pump Motor Current)

D-07 Flow in LPSI System F-312, 322, 0-2000 gpm 332 & 342 (Backup variable:

Pump Motor Current)

D-08 Refueling Water Storage Tank 4-100%

Level L-3001, 3002 D-09 Reactor Coolant Pump Status 0-600 amps P40A, B, C, D D-10 Primary System Safety Relief Closed-not closed Valve Positions Z-200, 201, 402, 404 D-11 Pressurizer Level L-110X, Y 0-100%

D-12 Pressurizer Heater Status 0-250 amps (Proportional) L105 (AM-B0504),

106 (AM-B0609)

Pressurizer Heater Status (Backup) On-off L101, 102, 103, 104 (Lights)

D-13 Quench Tank Level L-116 0-100%

D-14 Quench Tank Temperature T-116 0-300°F D-15 Quench Tank Pressure P-116 0-100 psig

egulatory uide 1.97 PARAMETER & INSTRUMENT ARIABLE INSTRUMENT (LOOP) ID RANGE COMMENTS D-16 Steam Generator Level L-1113A, B 0-100% Top of tube bundles to separators B L-1123A, B L-1114A, B 0-460 inches (20 inches above tube sheet to B L-1124A, B separator)

D-17 Steam Generator Pressure P-4223 0-1200 psia

& 4224 D-18 SRV Position FS-4225, 26, 27, 28, Open-closed 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40 D-19 Main Feedwater Flow F-5268A, B 0-63 x 105 lbs/hr F-5269A, B D-20 Auxiliary Feedwater Flow F- 0-600 gpm 5277A, B F-5278A, B D-21 Condensate Storage Tank Level L- 0-100%

5282, LIS-5489, L-5280 D-22 Containment Spray Flow F-3023, 0-5000 gpm 3024 (Backup variable: Pump Motor Current)

D-23 Heat Removal by Containment Fan 0-200°F Heat Removal System T-6082, 6086, 6090, 6093 (Backup variables: Containment Outlet Temp. & Flow) T-6031, 6032, 6033; F-6081, 6085, 6089, 6094)

D-24 Containment Atmosphere 0-350°F Temperature T-8095, 8096, 8097, 8098, 8108, 8109 & 8110 D-25 Containment Sump Water See Note 7 Temperature None

egulatory uide 1.97 PARAMETER & INSTRUMENT ARIABLE INSTRUMENT (LOOP) ID RANGE COMMENTS D-26 Make Up Flow-In (Charging) F- 0-140 gpm 212 D-27 Letdown Flow-Out F-202 0-140 gpm D-28 Volume Control Tank Level L-226 0-100%

D-29 Component Cooling Water 0-200°F Temperature to ESF System T-6031, 6032, 6033 D-30 Component Cooling Water Flow to 0-10,000 gpm ESF System F-6034, 6035 D-31 High Level Radioactive Liquid 0-100%

Tank Level (PDT) L-9051 D-32 Radioactive Gas Holdup Tank 0-25 psig Pressure P-9128 D-33 Emergency Ventilation Damper Open-closed See Note 8 Position ZS-8000, 8001, 8002, 8003B, 8004, 8005, 8006, 8007, 8009, 8010, 8361, 9506, 9507, 9508 D-34 Status of Standby Power and Other Volts, Amps, See Note 9 Energy Sources Important to Pressures Safety (Hydraulic, Pneumatic)

Various E-01 Containment Area Radiation (High 100 to 108 R/hr Range) RM-8240, 8241 E-02 Radiation Exp. Rate Rm-7890, 1 x 10-1 to 104 mR/

7891, 7892, 7894, 7895, 7896, hr 7897, 7899, 8139, 8142, 8156, 8157 E-03A Common Vent-Noble Gas See See Variable C-14 Variable C-14

egulatory uide 1.97 PARAMETER & INSTRUMENT ARIABLE INSTRUMENT (LOOP) ID RANGE COMMENTS E-03B Plant Vent Flow MP2: F-8412 10 to 105 cfm (MP2)

MP1: F-20-34 0 to 223,000 cfm (MP1)

E-03C Vent from Steam Generator or 10-1 Ci/cc to 103 Steam Dump RM-4299A, B & C Ci/cc E-04 (Particulates and Halogens) All Sampler Particulate & See Note 11 Identified Plant Release Points Iodine filters are used for laboratory analysis RM-8132A/B 1 x 10-3 to 1 x 102 Ci/cc RM-8168 1 x 10-7 to 1 x 105 Ci/cc RM-8169 E-05A Radiation Exposure Meters None See Note 6 (Continuous indication at fixed locations) None E-05B Airborne Radio-Halogens and None See Note 12 Particulates None E-05C Plant and Environs Radiation None None See Note 12 E-05D Plant and Environs Radioactivity None See Note 15 None E-06 Wind Direction 0-360° See Note 13 Speed 0-100 mph Temperature (-10)-(+18) °F Various

TE (1) Deleted TE (2) During normal operation, containment narrow range sump level is used to indicate level and initiate an alarm for the operator to manually start the sump pumps.

Because the narrow range sump would be filled to capacity in the event of an accident, following an accident the containment wide range sump level would be used to monitor containment water level.

TE (3) Containment narrow range sump level, transmitter LT-9155A is an installed spare that is not connected to any indicator. It is a backup that can be easily terminated to replace the normal narrow range sump level transmitter LT-9155.

TE (4) Deleted.

TE (5) No existing instrument monitors this variable. Contingency plans to obtain and analyze samples of primary coolant are contained within Chemistry Department implementing procedures.

TE (6) Deleted on Regulatory Guide 1.97, Rev. 3.

o, not cost-effective per NUREG/CR 2644.

TE (7) No existing instrument monitors this variable.

TE (8) The following is a list of dampers and limit switches for variable D-33:

V-202, 2-HV-203A,2-HV-203B, 2-HV-206A, 2-HV-206B, 2-HV-207, 2-HV-208, 2-HV-210, V-211, 2-HV-212A, 2-HV-212B, ZS-8000, ZS-8001, ZS-8002, ZS-8003B, 8004, ZS-8005, ZS-8006, ZS-8007, ZS-8009, ZS-8010, ZS-8361.

TE (9) The status is indicated by voltmeters, ammeters, watt meters, and status lights on the main control board. The status of the starting air for the diesels is alarmed in the control room. All sensors are located in a mild environment.

TE (10) Deleted.

TE (11) Particulate and iodine filters for these monitors are removed for laboratory analysis.

TE (12) Portable instruments are used to monitor this variable per Regulatory Guide1.97, Rev. 2.

TE (13) Actual wind direction indicates a 0°-540° range (1.5 revolutions) for computer averaging purposes.

TE (14) Deleted.

TE (15) Isotopic analysis via various on-site and off-site gamma (GeLi) spectrometers.

ision 3906/30/21 A-AUDIBLE ALARM V-VISUAL ALARM METER INDICATION AND ALARM (A.V.)

L DETECTION CONTROL DESCRIPTION RANGE mr/hr ASSEMBLY ROOM LOCAL CONTROL LOGIC Containment Personnel 1 x 10-1 to 1 x 104 Gamma- A, V A, V N/A Access Match Scintillation Containment Refueling 1 x 10-1 to 1 x 104 Gamma- A, V A, V N/A Machine Service Platform Scintillation Auxiliary Building 1 x 10-1 to 1 x 104 Gamma- A, V A, V N/A Drumming and Scintillation Decontamination Area Charging Pump Area 1 x 10-1 to 1 x 104 Gamma- A, V A, V N/A Scintillation MPS-2 FSAR Sampling Room 1 x 10-1 to 1 x 104 Gamma- A, V A, V N/A Scintillation Radioactive Waste 1 x 10-1 to 1 x 104 Gamma- A, V A, V N/A Processing Area (Elevation (- Scintillation

)25 feet 6 inches)

Radioactive Waste 1 x 10-1 to 1 x 104 Gamma- A, V A, V N/A Processing Area Scintillation (Elevation (-)45 feet 6 inches) 7.5-54

ision 3906/30/21 A-AUDIBLE ALARM V-VISUAL ALARM METER INDICATION AND ALARM (A.V.)

L DETECTION CONTROL DESCRIPTION RANGE mr/hr ASSEMBLY ROOM LOCAL CONTROL LOGIC Control Room 1 x 10-1 to 1 x 104 Gamma- A, V A, V N/A Scintillation Spent Fuel Pool Area 1 x 10-1 to 1 x 104 Gamma- A, V A, V 2-out-of-4 Scintillation Engineered Safety Features Actuation System Spent Fuel Pool Area 1 x 10-1 to 1 x 104 Gamma- A, V A, V 2-out-of-4 Scintillation Engineered Safety Features Actuation System MPS-2 FSAR Spent Fuel Pool Area 1 x 10-1 to 1 x 104 Gamma- A, V A, V 2-out-of-4 Scintillation Engineered Safety Features Actuation System Spent Fuel Pool Area 1 x 10-1 to 1 x 104 Gamma- A, V A, V 2-out-of-4 Scintillation Engineered Safety Features Actuation System 7.5-55

ision 3906/30/21 A-AUDIBLE ALARM V-VISUAL ALARM METER INDICATION AND ALARM (A.V.)

L DETECTION CONTROL DESCRIPTION RANGE mr/hr ASSEMBLY ROOM LOCAL CONTROL LOGIC Drumming Area 10 to 106 Gamma- N/A A, V N/A (Elevation (-)45 feet 6 Scintillation inches)

Containment High Range 103 to 1011 Ionization A, V N/A 1-out-of-2 H2 Radiation Monitor Chamber Purge Valves Closure Containment High Range 103 to 1011 Ionization A, V N/A 1-out-of-2 H2 Radiation Monitor Chamber Purge Valves Closure MPS-2 FSAR 7.5-56

DECADE HANNEL RANGE AUTOMATIC ISOLATION NO. DESCRIPTION

  • CPM FUNCTION M-4262

Blowdown Sample Valves M-6038 Reactor Building Closed 10 to 10 6 None Cooling Water Monitor M-9049 Clean Liquid Waste Monitor 10 to 10 6 Clean Liquid Waste Discharge M-9116 Aerated Liquid Waste Monitor 10 to 10 6 Aerated Liquid Waste Discharge M-9327 Condensate Recovery Tank 10 to 10 6 Condensate Recovery Tank Monitor Discharge ND-RE245 Condensate Polishing Waste - 10 to 10 6 Condensate Polishing Facility Neutralizing Sump Monitor Waste - Neutralizing Sump Discharge ll monitors include an off-line, gamma scintillation detector.

Channel Detector Number Description Type Sampler Type Decade Range M-8132A

  • Unit 2 Stack Monitor Beta Off-Line Part. 10 - 106 cpm Particulate Scintillation M-8132B Unit 2 Stack Monitor Beta Off-Line Gas 10 - 106 cpm Gaseous Scintillation M-8168 Unit 2 Stack Mid GM Tubes Off-Line Gas & 10 x E -3 to and High Range Part. 10 x E+5 Ci/cc M-8169 Unit 2 Millstone GM Tubes Off-Line Gas & 10 x E -7 to Stack Wide Range Part. 10 x E+5 Ci/cc M-8123A
  • Containment Air Beta Off-Line Part. 10 - 106 cpm Monitor - Particulate Scintillation M-8123B Containment Air Beta Off-Line Gas 10 - 106 cpm Monitor - Gaseous Scintillation M-8262A
  • Containment Air Beta Off-Line Part. 10 - 106 cpm Monitor - Particulate Scintillation M-8262B Containment Beta Off-Line Gas 10 - 106 cpm Recirculating Air Scintillation Monitor - Gaseous M-8434A
  • Radwaste Vent Beta Off-Line Part. 10 - 106 cpm Monitor - Particulate Scintillation M-8434B Radwaste Vent GM Tube Off-Line Gas 10 - 106 cpm Monitor - Gaseous M-5099 Condenser Air Gamma Adjacent to 10 - 107 cpm Ejector Discharge Scintillation Line Gas Monitor - Gaseous M-8011 Control Room GM Tube Off-Line Gas 10 - 106 cpm Monitor - Gaseous M-9799 Control Room GM Tube On-Line Gas 0.1 - 104 mr/hr

& B Intake Duct M-8145A

  • Fuel Handling Beta Off-Line Part. 10 - 106 cpm Exhaust Air Monitor Scintillation

- Particulate

Channel Detector Number Description Type Sampler Type Decade Range M-8145B Fuel Handling GM Tube Off-Line Gas 10 - 106 cpm Exhaust Air Monitor

- Gaseous M-8997

  • Radwaste Vent Beta Off-Line Part. 10 - 106 cpm Monitor - Particulate Scintillation M-8998
  • Radwaste Vent Beta Off-Line Part. 10 - 106 cpm Monitor - Particulate Scintillation M 8999
  • Radwaste Vent Beta Off-Line Part. 10 - 106 cpm Monitor - Particulate Scintillation M-9095 Filtered Waste Gas Beta Off-Line Gas 10 - 106 cpm to Millstone Stack Scintillation Monitor - Gaseous eplaceable charcoal cartridge assembly is provided for laboratory analysis of iodine.

Channel Detector Sampler Number Description Type Type Decade Range M4299A Number 1 Steam Ion Chamber On Line 10 10 4 R/HR Generator Main Proximity Steam Line Radiation Monitor M4299B Number 1 Steam Ion Chamber On Line 10 10 4 R/HR Generator Proximity Atmospheric Dump Steam Radiation Monitor M4299C Number 2 Steam Ion Chamber On Line 10 10 4 R/HR Generator Main Proximity Steam Line Radiation Monitor M4296A Number 1 Steam Gamma On Line 10 10 -1 ci/ml Generator N-16 Scintillator Proximity Monitor M4296B Number 2 Steam Gamma On Line 10 10 -1 ci/ml Generator N-16 Scintillator Proximity Monitor

Light Color Regulating CEAs Shutdown CEAs d Upper electrical limit Upper electrical limit een Lower electrical limit Lower electrical limit mber Dropped CEA Dropped CEA hite Between upper and lower limits (Not Applicable) ue (Not Applicable) Exercise limit

SENSOR LOCATIONS

1 CONTROL ROOM 1.1 Design Bases 1.1.1 Functional Requirements control room accommodates controls, alarms, indications, and instrumentation necessary to rate the nuclear power unit. This includes instrumentation for startup, normal operation, tdown, and maintaining the plant in a safe condition under abnormal situations including

-of-coolant accidents (LOCA).

1.1.2 Design Criteria following criteria have been implemented in the design of the control room:

a. The control room shall be equipped with adequate radiation protection to permit access and occupancy under accident conditions without personnel receiving radiation exposures in excess of 5 rem to the whole body, or its equivalent to any part of the body, for the duration of the accident as required by 10 CFR 50, Criterion 19.
b. Ventilation shall be provided to allow occupancy during and after a design basis accident (DBA).
c. Section 5.4.3 contains the structural design criteria for the auxiliary building in which the control room is located.
d. For Missile Protection, see Section 5.2.5.1.

1.2 Description Unit 2 control room is adjacent to the Unit 1 control room and is accessible from both the iliary and turbine buildings. It houses the enclosed walk-in duplex type main control boards, h integral consoles and miscellaneous instrument panels and racks, as well as its own air-ditioning and fire protection panels. All control boards which are safety related are designed to mic Class I requirements. In addition, the control room is equipped with separate, enclosed ervisors offices. Figure 7.6-1 shows the general arrangement of the control room.

Unit 2 control room can be occupied under all credible accident conditions and is provided h redundant air conditioning systems, redundant filtration systems, an airborne radioactivity ctor in the fresh air intake ductwork, and fresh air isolation dampers. A high radiation signal matically switches the air conditioning system to the recirculation mode by closing the fresh dampers, starting both filtration trains, and closing the exhaust dampers. The recirculation de can also be manually actuated from the control room. Makeup outside air can be drawn

urs inside the control room.

materials used in the construction of the control room will not support combustion. Electrical ng is flame resistant. Portable CO2 fire extinguishers are placed in readily accessible stations he control room, and respiratory protective equipment is available to the operators at all times.

2 MAIN CONTROL BOARDS 2.1 Design Bases 2.1.1 Functional Requirements main control boards are designed for plant control during startup, normal operation, tdown, and emergency operation.

2.1.2 Design Criteria following criteria are used in the design of the main control boards:

a. Protective systems are separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, independence requirements of the protection system.
b. Wherever redundant protective or safeguards channels of a system are provided, devices and related wiring including the incoming terminal blocks of one channel are isolated from other channels to ensure that failure of any one channel will not affect any of the remaining channels.

ontrol Room Design Review (CRDR) was performed in response to Nuclear Regulation REG) 0737, Supplement 1. The control panels were modified to conform to the NUREG 0 design criteria. All devices are grouped according to their functions. Circuits are nnelized and physically separated in accordance with facility codes assigned to each loop and ice.

h circuit and raceway within the board is given a unique identification and each wire is color ed for easy channel identification. For separation criteria details, see Section 8.7.3.1.

trol Room panel-mounted indicators and valve-position indicating lamps that are used to sfy Regulatory Guide 1.97 (Rev. 2) requirements have been specifically encoded by marking instrument labels to identify them as Regulatory Guide 1.97 indications. See Table 7.5-3 for a of Regulatory Guide 1.97 (Rev. 2) instruments.

2.2.1 System main control boards are comprised of the following eight sections.

Boards Function Designation Engineered safeguards CO 1 Chemical and volume control (CVCS) CO 2 Reactor coolant system (RCS) CO 3 Reactivity control CO 4 Steam generator (SG) and feedwater control CO 5 Plant auxiliaries CO 6 Turbine-generator-exciter control CO 7 Station service electrical CO 8 eight sections are arranged in an L shaped array from left to right in the listed order with reactivity control boards section in the center corner (see Figure 7.6-1). The boards are losed walk-in duplex switchboard type with an integral bench-type control console in the

t. All sections are built and analyzed to meet Seismic Class I specifications. (See tion 5.8.5 for analysis procedure.) The control board, including all mounted equipment, will ain structurally intact such that no equipment will become loose, separated, or dislocated n subjected to a design basis earthquake (DBE). Furthermore, those devices which are safety ted will function during and after a DBE. Figures 7.6-2 through 7.6-8 show the control board ngement.

trol and indicating instruments, switches and indicating lights are installed on the front face of control boards and on console tops. Instrument power supplies, protection devices, isolation lifiers, and miscellaneous blind instruments as well as some of the secondary instruments are unted on both the rear face of the control boards, and the instrument racks located adjacent to control panels. Annunciator panels are installed across the top of each of the vertical section of h board. (The annunciator is discussed in Section 7.7.)

2.2.2 Components h the exception of a few multi channel recorders, most process instruments on the main trol boards are miniature electronic type using the 10 to 50 ma and 4 to 20 ma signal levels.

miniature recorders are mounted on racks which can be pulled out on chassis tracks for ease of ntenance.

angement of controls and monitoring instrumentation are shown in Figure 7.6-7, Sheet 1.

trol element assembly (CEA) position indication and controls are located on the front face of 4 board section. A detailed description is given in Section 7.5.3.

eneral, control switches for circuit breakers, pump motors, and fans are equipped with pistol-handles and rectangular escutcheon plates. Control switches that operate valves and dampers typically equipped with knob operators and legend plates. Switches for voltmeters and meters typically have round knurled handles. Some control switches are key operated.

tches that operate the drain valves for the main and auxiliary steam turbine systems are back-ted push-button type. These switches are grouped together on their respective board section ease of identification.

cating lights for valve position, motor operation, etc., are generally the filament type with ered lense. The colors of the lenses, as shown in the listing, indicate the status of equipment ration:

Red: Utilized to denote a component in its active state, (i.e., equipment running, valve open, breaker closed).

Green: Utilized to denote a component in its passive state, (i.e., equipment off, valve closed, breaker open).

Amber: Utilized to denote an off-normal condition, (i.e., relay trip or off-normal status of equipment or parameter).

White: Utilized to denote power available or automatic operational mode.

Blue: Utilized to denote permissive conditions for operation fulfilled.

e terminations, except coaxial, triaxial and certain other detector and plug-connected cables, made with ring-tongue solderless compression-type connectors which are securely bolted to ier-type terminal blocks.

oming and outgoing 10 to 50 ma and 4 to 20 ma current loop signals are terminated at Class Test/Disconnect Terminal Block Assemblies.

h control board is equipped with two copper ground busses, one on the front and one on the side of the duplex control board extending the entire length with the steel structure and nected to the bus so as to effectively ground the entire structure. Circuits requiring grounding separately and directly connected to the ground bus. Device cases not otherwise grounded are unded through the device enclosures and the steel structure of the control board.

main control boards are designed to allow control of the plant during all modes of operation.

s includes normal plant operation, startup and shutdown, as well as emergency operation.

2.4 Availability and Reliability 2.4.1 Special Features the convenience of operating personnel, all major processes are presented graphically.

ruments are either located on process mimic lines or are shown connected to certain processes nfluence lines. SGs, turbines, tanks, and etc., are shown schematically in the process. Pumps valves in most cases are represented by their respective control switches and indicating lights.

process lines and symbols are color coded.

those pumps and valves associated with safety actuation signals that are provided with a ual override capability, override is possible only subsequent to the safety actuation signal.

switch must first be turned to the safe condition before it can override the safety command al. This operating procedure is designed to prevent an operator from overriding a safety signal ntentionally. When a safety-actuated device is overridden, an indication is provided by the us panel. Override capability for the AFW System actuated components is as described in tions 7.3.3.1 and 10.4.5.3.

o independent sets of manual safety signal actuation switches and safety signal block switches provided on the CO 1 engineered safeguard section. The switches are guarded so as to prevent vertent operation. Details of the manual actuation switch functions are given in tions 7.3.2.3 and 7.3.2.6.

o pairs of reactor trip pushbutton switches are provided on the CO 4 board section. Details are n in Section 7.2.3.3.12.

ddition to the position indicating lights or running lights for valves, pumps, fans and dampers, h safety-related equipment, which is automatically initiated to satisfy safety functions, is vided with a white and blue status light and a set of Engineering Safety Feature (ESF) unciators. These windows will alarm during an ESF actuation if any safety-related component s to relocate to its accident position.

ESF Status Light Panel designated as COIX, is designed to provide continuous indicating of status of ESF equipment under all normal plant operation. The position of safety-related trol valve RB-402 is also continuously indicated on Panel C01X because it responds to the e CIAS closure signal as isolation valve CH-089. No other ESF position monitoring attribute rovided for valve RB-402. Also, the position of containment air radiation monitor sample line ation valves AC-527, -528, -529 and -530 are continuously indicated on Panel C01X using a le blue and white status light for each pair of isolation valves, sample supply and return, ing each of the two redundant monitor safety trains.

ypasses.

ESF Status Panel is a free standing enclosed fabricated steel panel with rear access doors as wn in Figure 7.6-11. The status panel is located adjacent to the Engineered Safeguards Panel 1 (see Figure 7.6-1). The panel is divided into three separate sections with barrier plates to vide adequate separation between channels. Each piece of ESF equipment is provided with a te and a blue indicating light on the front of the panel.

a. Blue Status Light - The blue status light will light when its respective valve, pump or fan is in its safe position, i.e., the state of the equipment after actuation by an ESF signal. Examples would be closure of a containment isolation valve on a containment isolation actuation signal (CIAS) or starting a safety injection pump on a safety injection actuation signal (SIAS). The blue light will be continuously lit when the equipment is in its safe state during normal plant operation.
b. White Status Light - The white status light is located adjacent to the blue status light for each piece of ESF equipment. The white light is normally off. It is arranged to go on when power is not available to the actuating circuit due to a blown fuse, tripped or racked out circuit breaker or loss of power, or when the equipment is administratively bypassed for maintenance. In addition, LOCK-OUT position of key operated and safety-related switches are indicated by a white light on the status panel.

The white lights are powered from redundant 125-volt DC vital battery circuits.

c. Status Panel Light Grouping - The white and blue status lights are grouped on the panel according to each ESF actuation signal such as CIAS, SIAS, enclosure building filtration actuation signal (EBFAS), etc. This method of display provides ease in operator verification after an ESF actuation signal that all equipment actuated by a particular ESF signal has gone to its safe state since all blue lights within that grouping should go on.

visions are made so that it is possible to conduct online testing of the main steam isolation trip es to ensure that the valves are capable of performing their functions when a trip signal is ated.

mputer inputs from instrument loops that are connected to the control boards are obtained ugh precision resistors connected in series in the loops. These resistors are located at the inal blocks at each applicable board section.

2.4.2 Tests and Inspections tinuity and dielectric tests will be conducted on each wire prior to plant operation.

itionally, each instrument channel will be given a functional test using simulated signals at the

3 RADIOACTIVE WASTE PROCESSING SYSTEM PANELS 3.1 Design Bases 3.1.1 Functional Requirements radioactive waste disposal system control panels are required to provide the controls, rumentation, and alarms required to operate and monitor the waste process systems.

3.1.2 Design Criteria following criteria have been implemented in the design of the radioactive waste disposal em control panels.

a. Appropriate systems shall be provided for the radioactive waste systems and associated handling areas to detect conditions that may result in excessive radiation levels and to enable the operator to initiate appropriate control actions.
b. Means shall be provided for monitoring effluent discharge paths, and the plant environs for radioactivity that may be released from normal operations, including anticipated operational occurrences, and from postulated incidents.
c. Same as Section 7.6.2.1.2.b.

3.2 System Description 3.2.1 System r radioactive waste processing control panels are provided, one for each type of radioactive te.

Board Function Designation ean liquid radioactive waste C63 seous radioactive waste C61 rated liquid radioactive waste C60 ndensate demineralizer waste CDX se control panels are located in the general vicinity of the respective equipment. The panels free standing cubicles with instruments, switches and annunciators located on the front and

ntially identical to those stipulated in Section 8.7.3.1. Figures 7.6-9, 7.6-10 and 7.6-12 ugh 7.6-15 show the panel layout arrangements.

3.2.2 Components radioactive waste control panels have a mixture of pneumatic and electronic instruments, and e capillary type temperature indicating devices. With the exception of one large case recorder, nstruments are the miniature type.

electronic instruments utilize 10 to 50 ma signals whereas the 3 to 15 psig signal is standard the pneumatic instruments.

h of the radioactive waste control panels is equipped with an annunciator system installed ss the top of the panel. The annunciator is of solid-state design and is complete with logic dules, flasher, horn, power supply, and pushbutton switches. All alarms are annunciated at r local panel with a master alarm provided in the control room. Annunciator details are found ection 8.7.3.1.b.

trol switches, indicating lights, terminals, terminal blocks and wiring are identical to those d for the main control boards. All instrument tubings are seamless, soft-annealed copper,

-quarter inch OD. All fittings are brass flareless compression types.

3.3 System Operation radioactive waste processing control panels are designed to control and monitor the disposal adioactive wastes in a safe and efficient manner.

3.4 Availability and Reliability 3.4.1 Test and Inspection tinuity and dielectric tests were conducted on all wires. Additionally, each instrument channel given a functional test using simulated input signals. Pneumatic systems were also given a age test.

4 HOT SHUTDOWN PANEL 4.1 Design Bases 4.1.1 Functional Requirements merous design features are provided to make control room inaccessibility a highly unlikely nt. However, in the event the operator is forced to abandon the control room, the hot shutdown

4.1.2 Design Criteria following criteria have been implemented in the design of the hot shutdown panel:

a. Equipment at appropriate locations outside the control room shall be provided with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls, to maintain the unit in a safe condition during hot shutdown as required by Design Criterion 19.
b. Circuits in the control room shall be maintained intact.
c. The reactor shall be tripped.

4.2 System Description 4.2.1 System Hot Shutdown Panel is located in the West 480 Volt Switchgear Room on the 36 feet 6 inches ation. This panel, which is designated as C21, is normally not in use. All plant operation uding emergency shutdown can be accomplished at the main control boards in the control

m. However, in the event the operator is forced to abandon the control room and the reactor is ped, it is possible for the operator to maintain the unit in the hot shutdown condition by trols and instrumentation provided on this panel. This panel is built and analyzed to meet mic Class I specifications. (See Section 5.8.5 for analysis procedure.) The panel, including all unted equipment, will remain structurally intact such that no equipment will become loose, arated, or dislocated when subjected to a DBE.

or equipment normally required for hot shutdown are shown in Table 7.6-1.

following indications and controls are provided on the hot shutdown panel:

Indications:

Pressurizer level Pressurizer pressure Steam generator level Steam generator pressure Steam generator auxiliary feedwater (AF)

Condensate storage tank (CST) level Cold leg temperature Wide range neutron flux

Letdown pressure Controls:

Steam dump to atmosphere Letdown flow Pressurizer spray Charging pump Pressurizer backup heater AF valve AF pump AF pump crossover valve AF pump turbine speed Main Steam to AF Pump turbine stop valve controls and instrumentation are compatible with those provided on the main control board.

panel arrangement is shown on Figure 7.6-10.

sequent to a hot shutdown, it is possible to bring the unit to the cold shutdown condition safely ernal to the control room) with the following additional provisions and procedures:

Boric acid gravity feed valves can be manually operated to effect boric acid flow to the charging pump suction.

Low-pressure safety injection (LPSI) pumps can be controlled by control switches provided on the associated 4,160 volt emergency switchgear cubicles.

or equipment normally used for cold shutdown is shown in Table 7.6-2.

4.2.2 Components ruments on this panel are generally the miniature electronic type using the 10 to 50 ma signal.

trol switches, indicating lights, terminals, terminal blocks, and wiring are similar to those d for the main control boards.

4.3 System Operation hot shutdown panel is provided for emergency operation only. In an event which forces cuation of the main control room, the operators will be able to bring the plant safely to the hot tdown condition by controls provided on this panel. It includes controls and instrumentation the pressurizer heaters and sprays, charging pumps, and auxiliary feedwater system (AFWS).

mally controlling instruments on this panel are set in the By Pass position, i.e., the main

4.4 Availability and Reliability 4.4.1 Special Features ce the hot shutdown panel is never used except in case of an emergency, full-height doors are vided to close off the panel front. Doors are normally closed and locked. An open door is med in the control room.

ensure maximum availability, two channels of controls and instrumentation are provided on panel. One channel is capable of performing its function to maintain hot shutdown.

aration requirements are given in Section 8.7.3.1.

4.4.2 Tests and Inspections ensure the integrity and availability of the system in case of an emergency, the controls and rumentation are inspected and functionally tested in accordance with the Technical cification.

5 FIRE SHUTDOWN SYSTEM PANELS 5.1 Design Basis 5.1.1 Functional Requirements Fire Shutdown System is comprised of I&C panels which provide the means to achieve hot tdown in the event of a fire in any single fire area. This capability is achieved through three inct design control measures. The first control requires that the Fire Shutdown System panels located in a different fire zone from the main control room. This will ensure that both control ions will not fail because of fire in the main control room. The second control method is to ure that all I&Cs used for the Fire Shutdown System are electrically isolated from the I&Cs d in the main control board. This will ensure that I&Cs used at both locations will not be med by a control room fire. The third method is to control cable routing so that a fire in any t fire zone cannot simultaneously cause a loss of vital indication and control at both the Fire tdown System panels and at the main control board.

5.1.2 Design Criteria Design Criteria for the Fire Shutdown System is contained in 10 CFR 50 Appendix R. A mary of the applicable criteria is given below:

A single train of I&Cs must be available to achieve hot shutdown following a fire in a single fire zone.

The system must be electrically isolated to prevent electrical faults from affecting the equipment.

The system shall accommodate postfire conditions where offsite power is not available for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

I&Cs shall functionally provide:

  • Reactivity control
  • Reactor cooling makeup
  • Decay Heat Removal 5.2 System Description Fire Shutdown System is divided into two distinct systems: the first system, referred to as the ttle-Up Panels, provide the means to remove power from all valves which can cause a loss of mary system water inventory and secondary system steam; the second system, referred to as Fire Shutdown Panel, provides the vital indication and control for critical shutdown ems.

5.2.1 Bottle-Up Panels (C70A, C70B)

Bottle-Up Panels are located in the East 480 V Switchgear Room along the exit route from main control room into the turbine hall. Bottle-Up Panel C70A is used to isolate Z1 control emes and Bottle-Up Panel C70B is used to isolate Z2 control schemes.

h Bottle-Up Panel contains five (5) isolation switches. In the normal position, the isolation tches connect field cables directly to the control room. This position permits control from the trol room. In the isolate position, the isolation switches open all the field cable wires which oves all voltage sources from the valve schemes. This action forces the affected valves to their ed (failsafe) position.

following isolation valves may be closed/isolated at the Bottle-Up Panels:

C70A (Z1 Schemes) C70B (Z2 Schemes)

HS's) Main Steam Isolation Valves MSIV'S (MS-64A & MS-64B) - (2 HSs)

SIV) (MS-64A & MS-64B)

HS) SG #1 Blowdown Isolation SG #2 Blowdown Isolation (MS-220B) -(1 HS)

S-220A)

HS) Pressurizer Power Operated Relief Pressurizer PORV* (RC-404) - (1 HS) lve (PORV)* (RC-402)

HS) SG #1 Atmospheric Dump Quick SG #2 Atmospheric Dump Quick Open en Permissive and Normal Control Permissive Isolation - (1 HS) eration Isolation 5.2.2 Fire Shutdown Panels (C9, C10)

Fire Shutdown Panels (C9, C10) are located in the turbine building at the fifty-four (54') foot

l. Panel C9 contains instrumentation signal processing electronics, which condition field sducer signals, process the signals for meter display at Panel C10 and isolates and retransmits signals for use in the control room. Panel C10 contains meters to display the C9 rumentation signals and contains control switches and isolation switches. C10 switches both ate circuits from the control room, and permit local manual control.

Control Room Panels use facility 1 and Z1 I&C schemes to ensure that the plant can achieve shutdown for a fire at panels C9 and C10. For this scenario, hot shutdown can be achieved m the main control room by using the facility 1 and Z1 I&Cs.

d I&C cables are routed directly from the instrumentation or control device to panels C9 and

. Routing is controlled so that most of the facility 2 and Z2 cabling does not pass through the e fire zone with functionally redundant facility 1 and Z1 channels. Where the same fire zone t be shared, the Z2 cabling is wrapped in a three hour fire barrier.

panel C10, the field signal is isolated by switches prior to cable routing for use in the main trol room. These switches are two position maintained contact switches. In the remote ition, the field cable wiring is directly connected to the control room cable which permits trol scheme operation remotely from the control room or hot shutdown panel. In the local ition, the control room connection is broken and the field cable wires are connected to a local trol handswitch, a local power source and local fuses. This position permits manual control at el C10 only.

lts in the control scheme cable runs from panel C10 to the control room are removed by ing the scheme isolation switch into the local position. In the local position, local fuses and l power sources are used to assure power availability independent of any control room fusing ower sources.

following indications and controls are provided at the Fire Shutdown Panels:

Indication:

Steam Generator number 2 Pressure

Pressurizer Pressure Pressurizer Level Hot Leg Temp Cold Leg Temp AF Flow

  • CST Level Wide Range Nuclear Instrument
  • Controls:

Controller for Steam Generator number 2 Atmospheric Dump Valve (ADV) HIC 4224A

  • Controller for AF Flow FW - 43B
  • Charging Pump P18C Control Charging Pump P18B Control Charging Pump Header Isolation Valve CH - 429
  • Letdown Isolation Valve CH - 089 Charging Line Distribution Valve CH - 519
  • Auxiliary Spray Valve CH - 517 Terry Turbine Steam Supply Valve (SV - 4188)

Terry Turbine Speed Control (HS - 4192C)

Indicator or control may not be available for an R-1 fire. Alternate methods of compliance are provided in the Millstone Unit 2, 10 CFR 50 Appendix R Compliance Report Components switches on panel C10 are generally the miniature electronic type. Indicating lights, inals, terminal blocks, and wiring on panels C9, C10, C70A and C70B are similar to those d for the main control boards.

5.3 System Operation Fire Shutdown System Panels (C9, C10, C70A and C70B) can be utilized for any emergency nt which requires control room evacuation. In an event which forces evacuation of the main trol room, the operators will be able to bring the plant safely to the hot shutdown condition by trols provided on these panels. The fire shutdown system panels can be used for any rgency event, unlike the hot shutdown panel which would lose control features if fire ages circuits in the Control Room.

ays available and highly reliable.

5.4.1 Special Features ce the fire shutdown system panels are never used except in case of an emergency, full height rs are provided to close off the panel fronts. Doors are normally closed. An open door is med in the control room.

5.4.2 Tests and Inspections ensure the integrity and availability of the system in case of an emergency, the controls and rumentation are inspected and functionally tested periodically.

6 MISCELLANEOUS LOCAL CONTROL PANELS 6.1 Design Bases 6.1.1 Functional Requirements al control panels for noncritical systems are located throughout the plant. Most of these local els are part of packages furnished by mechanical and electrical manufacturers. Each panel tains the indications, controls, and alarms required for safe operation of the system.

mps xiliary feedwater 10.4.5.4.4, 10.4.5.4.5, Table 10.4-1 arging 9.2.2.2, Table 9.2-9 CCW 9.4.2.2, Table 9.4-1 rvice water 9.7.2.2.2, Table 9.7-2 actor Coolant 4.3.3, Table 4.3-4 lves tdown 9.2.2.2, Table 9.2-4 xiliary feedwater regulating 10.4.5.3 mospheric dump 10.3.2.2, Table 10.3-1, Table 10.3-3 essurizer spray 4.3.7, Table 4.3-8 orage Tanks ndensate storage 10.4.5.3 at Exchangers CCW 9.4.2.2, Table 9.4-1 iscellaneous essurizer heaters 4.3.5 ntainment cooling units 6.5 esel generator 8.3 itchgear, 4160 volts 8.2 0 V emergency unit substation 8.4 0 V emergency motor control center 8.4 5 DC battery 8.5 5 VDC switchgear and distribution panels 8.5 C/DC inverters and 120 VAC vital instrumentation 8.6 ses actor protection instrumentation 7.2

ABLE 7.6-2 MAJOR EQUIPMENT NORMALLY USED FOR COLD SHUTDOWN ps Auxiliary feedwater 10.4.5.4.4, 10.4.5.4.5, Table 10.4-1 Charging 9.2.2.2, Table 9.2-9 RBCCW 9.4.2.2, Table 9.4-1 Service water 9.7.2.2.2, Table 9.7-2 Boric acid transfer 9.2.2.2, Table 9.2-11 Low pressure safety injection 6.3.2.2, Table 6.3-2 Reactor Coolant 4.3.3, Table 4.3-4 ves Letdown 9.2.2.2, Table 9.2-4 Auxiliary feedwater regulating 10.4.5.3 Atmospheric dump 10.3.2.2, Table 10.3-1, Table 10.3-3 Pressurizer spray 4.3.7, Table 4.3-8 age Tanks Condensate storage 10.4.5.3 Boric acid storage 9.2.2.2, Table 9.2-10 t Exchangers RBCCW 9.4.2.2, Table 9.4-1 Shutdown 6.3.2.2, Table 6.3-3 cellaneous ssurizer heaters 4.3.5 tainment cooling units 6.5 sel generator 8.3 tchgear, 4160 volts 8.2 V emergency unit substation 8.4 V emergency motor control center 8.4 VDC battery 8.5 VDC switchgear and distribution panels 8.5

/DC inverters and 120 VAC vital instrumentation buses 8.6 ctor protection instrumentation 7.2

35 FEET 6 INCHES figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

GURE 7.6-2 C01, CRP, FRONT VIEW ARRANGEMENT SAFEGUARDS SECTION (SHEET 1)

(SHEET 2) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

(SHEET 3) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

(SHEET 4) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

SYSTEM (SHEET 1) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

SYSTEM (SHEET 2) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

SYSTEM (SHEET 3) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

SYSTEM (SHEET 4) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

FEEDWATER CONTROL (SHEET 1) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

FEEDWATER CONTROL (SHEET 2) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

FEEDWATER CONTROL (SHEET 3) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

FEEDWATER CONTROL (SHEET 4) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

(SHEET 1) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

(SHEET 2) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

TURBINE-GENERATOR (SHEET 1) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

TURBINE-GENERATOR (SHEET 2) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

TURBINE-GENERATOR (SHEET 3) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

TURBINE-GENERATOR (SHEET 4) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

ELECTRIC (SHEET 1) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

ELECTRIC (SHEET 2) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

ELECTRIC (SHEET 3) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

ELECTRIC (SHEET 4) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

(C01X) figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

ision 3906/30/21 MPS-2 FSAR 7.6-48 ision 3906/30/21 MPS-2 FSAR 7.6-49 ision 3906/30/21 MPS-2 FSAR 7.6-50 ision 3906/30/21 MPS-2 FSAR 7.6-51 1 DESIGN BASES 1.1 Functional Requirements Main Control Board Annunciator provides the operator with visual and audible indications m external contacts if a limiting condition is being approached or abnormal conditions exist for system so annunciated.

1.2 Design Criteria Main Control Board Annunciation System has been designed to meet the following criteria:

1. Respond to a permanent, fixed time momentary, or time dependent momentary alarm condition.
2. Via visual and audible devices (lights and electronic horns) indicate this response on the front panels of the Control Board.
3. By visual and audible devices indicate a return to normal condition for the point in alarm.
4. Provide means to silence the initial alarm horn and still maintain a bona fide alarm indication via lights.
5. Provide means of testing alarm lights without interfering with the normal status of the various systems in the plant.
6. Provide auxiliary contact outputs to the plant computer.
7. Provide means to silence audible alarms after a reactor trip via a Master Silence Switch.

2 SYSTEMS DESCRIPTION 2.1 System annunciator windows are installed in panels across the top front of each board section. The unciators in each panel are grouped in accordance with the function of each board section, in eral, i.e., alarms for Engineered Safeguards on CO1, Chemical & Volume Control Systems ms on CO2, etc. Board sections CO1, CO4, CO5, and CO8 have individual electronic horns alarm push-button controls and horn.

annunciator logic is of solid-state design, and housed in free-standing cabinets located rnal to the Main Control Board. The system is powered by a primary AC to DC power supply

r. IAC VR11 and IAC VR21 will automatically swap to their respective diesel generator ked AC source in the event of a failure of the UPS. This ensures the annunciator system with a able power source. The voltage across the field contacts is 125 VDC except for parts of nine uits which go through the RPS cabinets. Interposing relays were installed in those circuits to er the voltage to 28 VDC in the RPS cabinets and to reduce potential common mode noise.

annunciators DC voltage is isolated from the IAC power supplies through the two redundant to DC converters.

und detectors are provided to alarm whenever a ground exists on any annunciator contact ut circuit or any annunciator power supply. Portions of nine circuits which go through the RPS inets are not monitored by ground detectors. These circuits are protected by fuses. The mbled annunciators are tested per NEMA Standard ICS-2.42.

Master Silence Switch is located in the Control Room at the SCOs desk (C17C).

3 OPERATION annunciator is equipped with six sets of push buttons; their function and operation are as ows:

knowledge push button Upon receipt of an alarm, i.e., field contact off norm, depressing acknowledge push button on the corresponding control panel changes the flashing window teady and silences the audible alarm.

ence push button Depressing any one of the silence push buttons silences all alarm ns should the operator choose to do this prior to acknowledging an alarm. Silence push ons do not operate to silence the audible tone that sounds when the field contacts return to mal.

set push button After an alarm has been acknowledged and the field contacts have rned to normal, depressing the reset push button on the corresponding control panel section ses the slowly flashing bright window to change to steady dim lighted and silences the audible st push button Depressing the test push button on the corresponding control panel ion shall perform a functional test of all annunciator alarm points and the audible alarm on panel.

Condition Visual Audible ld contact normal Dim lighted Off ld contact off-normal Fast flashing bright On ld contact off-normal Silence Button Fast flashing bright Off pressed ld contact return to normal before Fast flashing bright On nowledge arm acknowledged Steady bright if field contact Off off-normal ld contact returned to normal after Slow flashing bright On

  • nowledge ld contact returned to normal, alarm reset Dim lighted Off Different Tone ster Audible Silence Switch will turn off all audible alarms in silence mode.

or system alarms are described with systems in their appropriate section.

1 DESIGN BASES 1.1 Functional Requirements mmunication systems are provided to meet the requirements for operation and maintenance of generating unit. Further provision is made for routine and emergency communications ween the unit operator and outside locations such as the system operator and public authorities.

1.2 Design Criteria ustry standards for communication are observed, and precautions are taken so no failure of e systems will compromise the proper functioning of any protective system. Redundancy and aration are provided between the dial telephone system, the public address system, and the lkie-talkie radios. The power supply for all communication systems is from a dependable AC attery source.

2 SYSTEM DESCRIPTION 2.1 Systems

a. Public Switched Network (off-site Dial Telephone System)
b. Intraplant Private Branch Exchange (PBX) telephones
c. Microwave system
d. Multiplexing/SONET System
e. Radio facilities
f. Carrier current
g. Maintenance system
h. Fuel handling system
i. Public address system
j. Evacuation alarm 2.2 Components
a. Public Switched Network
b. Intraplant Private Branch Exchange (PBX) Telephones The intraplant switching network or private branch (PBX) is a telephone system consisting of standard telephones, multiline telephones, pico cellular phones, and a digital PBX.
c. Microwave System A microwave system provides all three generating units at the Millstone site with an extremely reliable telecommunications medium. The microwave system links the Millstone site to other utility companies throughout New England.

The microwave system uses low-power radio signals that operate in frequency bands established for industrial users by the Federal Communications Commission. These frequency allocations fall in the 2, 6, and 18 GHz industrial microwave frequency bands. Two types of microwave communications equipment are in use:

Analog Frequency Division Multiplex Equipment The Analog Frequency Division Multiplex (FDM) microwave equipment uses frequency modulation techniques to place the information that is being sent on the microwave radio. The amount of information that may be placed on the microwave system is set by Federal Communications Commission Rules and Regulations (Part 94) to be equivalent to 480 voice telephone channels. A voice channel is interpreted as a balanced four-wire circuit (2 wires for send and 2 wires for receive) which passes audio signals in the voice frequency range (300 Hz to 3,400 Hz) and has output and input impedances of 600 ohms. Also included with each voice channel is another nonvoice circuit which is referred to as an out-of-band signaling channel. The purpose of this channel is to reproduce contact type signals such as a phone being dialed or a telephone handset being lifted from the phone hookswitch.

The type of telecommunications traffic that is placed on the microwave system is the same type that would normally be placed on a dedicated, 4 wire, data grade telephone circuit. This would include some of the following uses:

- Dial repeating tie trunks or tie lines that connect the telephone PBX at one location within the system to a similar PBX at another location.

- Automatic ring down circuits for use as hot line dedicated phones; where lifting a phone at one end will cause the phone on the other end of the circuit to ring.

radio control circuits which provide one-way control as required by radio paging transmitters as well as control circuits that provide two-way control for standard mobile radio operation.

- Data circuits that connect one computer with another or allow data gathering equipment to communicate with a central host computer.

- Data circuits that carry analog data also can benefit from the greater reliability offered by the microwave system. This type of telecommunications traffic includes telemetering of important analog quantities and reporting alarms that are remote from the Millstone site.

- Data circuits, which are used for protective relaying signals, provide the electric generating and transmission system with protection from catastrophic failure.

Digital Time Division Multiplex Equipment The Digital Time Division Multiplex (TDM) microwave equipment uses amplitude modulation techniques to place the information that is being sent out on the microwave radio. The digital microwave system provides all of the capabilities offered by the analog microwave system with the addition of high-speed data channels that are capable of transmitting and receiving data at a rate of up to 56,000 bits per second. This data rate is very valuable when large blocks of data have to be transferred from one computer to another. The digital microwave system also provides digital service over North American Standard Digital Services - first level (DS-1) at 1.544 megabits per second. In addition to the high speed data handling ability offered by the DS-1 signal path, voice traffic can also be encoded and placed on DS-1 circuits in groups of up to 24 voice channels.

d. The Multiplexing/SONET system connected in a diverse ring configuration (fiber optic cable) and multiplexing equipment supports the station.
e. Radio facilities consist of multiple separable systems available to the unit operator.
f. Plug-in headsets for carrier current voice transmission over each of the three interconnecting 345 kV lines.
g. Equipment for the maintenance system consists of directly connected amplified outlet jacks wired to cover each of several working areas, with five channel selector switches at each station. Portable instruments consist of headsets with boom mounted transmitter, each with a plug to match the outlet jacks.

and outside the containment structure. This system includes an instrument on the reactor polar crane.

i. The public address system, manufactured by Gai-Tronics, consists of permanently installed loudspeakers throughout the unit. Cone type speakers are used indoors, and weather proof re-entrant horn type speakers are used outdoors. Each loudspeaker has its own integral amplifier. An amplifier failure would affect only its associated loudspeaker, permitting normal use of all others.
j. The evacuation alarm consists of audio frequency oscillators that supply a distinctive tone signal to the public address loudspeakers located throughout the unit. An ambient noise level device assures that the output sound level is sufficiently high for each location.

3 SYSTEM OPERATION 3.1 Normal Operation

b. The intraplant switching network is directly coupled to the public switched network. Additionally, there is a Federal Telecommunication System (FTS 2000) installed. This system is a federal dial telephone network which is independent of the plant private branch exchange (PBX). It is also independent of the public switched network. FTS 2000 telephones are installed as follows:
  • Reactor Safety Counterpart Link (RSCL) - EOF and TSC
  • Management Counterpart Line (MCL) - EOF and TSC
  • Local Area Network (LAN) - EOF and TSC
  • Protective Measures Counterpart Link (PMCL) - EOF and Health Physics Network (HPN) - EOF This network allows telephone calls to be made to the NRC, both in Bethesda and Region One.

Microwave System The microwave equipment at the Millstone site interfaces with the remainder of the NU microwave telecommunications system through an active microwave repeater site located in Haddam, Connecticut. The Millstone site and all other

remain fully operational with a 40 pound per square foot wind load and a 0.5 inch of radial ice. This is equivalent to loading that results from a sustained 100 mile per hour wind with all system component dimensions exaggerated by the 0.5 inch of ice at all points plus the additional weight generated by the formation of ice 0.5 inch thick. The survival rating for equipment is, in actuality, greater than the rate corresponding to conditions described above.

Additionally, all sites are fenced and equipment is operated from 24 or 48 V DC power which is provided by high quality lead-calcium batteries which are float charged by industrial grade AC powered battery charges. The batteries are sized to provide complete power requirements for the microwave equipment for a period of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The batteries are backed up by an uninterruptible power supply at Millstone site and by propane fueled generators at remote microwave sites.

The microwave system provides the Millstone site with two additional telecommunications networks which are completely separate from the off-site telephone system. The use of these diverse systems to share the telecommunications requirements of the Millstone site results in enhanced telecommunications reliability because a failure of either system does not completely interrupt off site telecommunications traffic. The microwave system also allows Millstone to access a modern telephone PBX located approximately 50 miles from the site at the NU headquarters in Berlin, Connecticut. In an emergency situation, NU personnel would be able to displace less critical microwave channels with the additional traffic from the Millstone site.

Multiplexing/SONET Systems Millstone is supported by a Synchronous Optical Network (SONET) connected in a diverse ring configuration (fiber optic cable) and by multiplexing equipment.

This equipment is located in the CPF building and in Building 475.

Telecommunication traffic placed on the SONET system is the same type that would be placed on the microwave system. The multiplexer has the capability to reroute the traffic assigned through the different media: the SONET terminal, the microwave system and a leased circuit.

The SONET terminal is powered by a 48 VDC source with battery backup. The batteries can provide backup power for a period of 35 hours4.050926e-4 days <br />0.00972 hours <br />5.787037e-5 weeks <br />1.33175e-5 months <br />.

Multiple Radio Systems The multiple radio systems include the following communication systems:

- O&M/security/trunked radio system

- Waterford Police System;

- Tri-town UHF radio system;

- State Police system;

- Very High Frequency (VHF) radio paging system.

A dedicated radio remote-control console is provided in the Millstone 2 control room for communications with all associated onsite as well as offsite radio facilities (as outlined above). Its power source is lighting panel LPCI, a highly reliable non-vital panel powered by the Emergency Diesel Generator backed Computer Power Inverter D50A. Normally, all radio systems, except the unit's O&M system, are quiet to the unit operator unless selected by the operator for monitoring or operation. Tone alert, except on the O&M system, is provided to enable remotely located radio dispatchers to contact the control room operator.

The radio console installed in the Millstone 2 control room consists of two individual bays secured together as a consolidated unit. The total length of the equipment is 46 inches with a height of 43.75 inches and an overall depth of 29.5 inches. The console is an equipment enclosure housing audio amplifiers (TR modules), tone generators (encoders), tone decoders, and dual power supplies.

The console generates low level audio and DC voltages only, for the single purpose of controlling remotely located base station radios.

The radio control center equipment is mounted in a single width housing with a beveled front, projected writing surface and panel turret.

The power supplies and termination panels for the control consoles are located in the lower portion of the equipment housing. Provisions are included on the rear-hinged termination panel for securing cable entries. The two upper bays contain the heart of the console radio control system. These two bays can be considered as left center and right center as viewed from the operator side of the console. The left side of the console contains the controls for police, site security, tri-town, operations/maintenance radios, and master control module. The emergency alert paging system occupies the right half of the console. The radio control panel is mounted directly in front of the radio dispatchers position. This provides the interface functions required between the operator and the console (microphone, speakers, volume controls, push-to-talk switches).

horizontally to accommodate different operators and is internally rubber-vibration-isolated to avoid physical damage.

The console contains two power supplies - a low voltage supply and a high voltage supply, each with an input voltage of 120 VAC. The low-voltage supply provides

+24 VDC and is capable of handling up to 24 radio channels. It includes a nominal

+13.8 VDC +/-10 percent regulator which, in conjunction with an overcurrent protection circuit, can provide a maximum continuous output current of 1 amp.

The power supply has an output current capability of 8 amps. The high voltage supply provides +175 VDC for keying up to 24 DC controlled radios.

The console contains 15 audio amplifiers (T/R modules) with expansion capability of 15 future modules. One T/R module is used with each radio control channel.

The module contains both logic circuits and receive/transmit audio circuits. The logic circuits include channel select, keying, busy, and priority functions. The receive audio circuits include speech processing (using an audio compressor circuit), muting, audio gating, and a voice enabled call indicator. The transmit audio circuits include a preamplifier, tone mixing amplifier, gating circuits, and a transmit audio line driver.

There are three tone generators (encoders) with external pushbutton operator controls located in the console. A touch-tone encoder allows standard touch code 2-frequency tone codes to be transmitted from the communications console. It can be used wherever a coded signal is required for selective calling or data transmissions. The encoder front panel includes a light emitting diode (LED) indicator which alerts the operator that the transmission of a code can proceed. A programmable timing circuit automatically resets the encoder and unkeys the transmitter if the tone sequence is not entered within a predetermined time. The encoder and transmitter automatically reset if the operator fails to complete a code entry. All codes generated by the encoder are compatible with standard touch-tone equipment. A two tone sequential tone generator allows encoding pocket pagers and fixed receive monitors. The operating controls and indicators are located on the front panel of the unit. The encoder has 16 pushbuttons, a four digit call code display, a call indicator, and a talk indicator. A code is manually punched into the encoder keyboard and the sequence is automatically sent whenever desired. The transmitter stays on the air for a predetermined amount of time after the code transmittal terminates in order for a voice message to be sent out to the desired pager or monitor.

The console contains eight touch-tone decoders that activate indicator lights and a sonalert audible device. This alerts the operator of an incoming call on a particular channel. The audio circuits of the console are muted until activated by the decoder, and turned on to normal volume when a proper code sequence is decoded. The

It should be noted that the Millstone 2 console is operationally identical to console in Units 3. This provides an expanded backup system for the communications system on the Millstone site.

O&M/Security/Trunked Radio System This is a five channel digital based trunking radio system. The trunking repeaters and central controllers are installed in the Telecommunications Radio Housing adjacent to the Millstone stack. The repeater stations are capable of 75 watts of RF power output with continuous duty operation. The primary power source is 120 VAC. The backup power is provided by a diesel generator. Panel type antennas are mounted on the stack. A backup system, designed to come on line in the event of a failure at the primary site, is installed in B475-3. The Control Room has access to a dedicated channel from the communications console. The base station is located in the CPF Building. The directional antennas are located on the roof of the CPF Building and the installation design is such to withstand windspeeds up to and including 100 mph.

System control is from the radio consoles in Units 2 and 3, the security central and secondary alarm stations, and the Emergency Operations Facility (EOF).

A one channel, digital based 900MHz radio system is provided to the Site Security in the event of a failure of the primary 800MHz radio system. The 900MHz repeater is located in the CPF Building. The repeater is capable of 100 watts of RF power output with continuous duty operation. The primary power source is 120 VAC and the backup power source is battery. The individual portable radio is also equipped with a small antenna which provides portable-to-portable feature between the radios. An omnidirectional antenna is mounted on the roof of the CPF Building and the installation design is such to withstand windspeeds up to and including 100 mph.

Command Control Network The CONVEX CCN is a two way radio system using tone alert signaling to provide communications among the control room, the CONVEX load dispatcher and other key operating facilities.

This system is controlled by the radio console in Units 2 and 3. The transmitter/

receiver base station is installed in the Condensate Polishing Facility (CPF). It is installed in an impact resistant, 41 inch cabinet bonded to electrical ground. AC voltage is the primary power source. The base station is fully solid-state incorporating integrated circuitry, located on plug-in modules or independent printed circuit boards. Highly reliable reed switches are used for antenna

for frequency control. The unit contains a continuous duty transmitter that can operate indefinitely on full power. There are five front mounted metering receptacles for ease of maintenance troubleshooting. The station is remotely controlled by tone frequencies. The wire line controlling the station need not have DC continuity for operation.

The base station is connected to the antenna via a jacketed one-half inch diameter semirigid coaxial cable. The cable is installed in cable tray OTX 850N which is dedicated to communication cables only. The cable ultimately terminates at the antenna mount on the CPF penthouse. The coaxial cable has the outer copper jacket bonded to ground before entry into the building. The coaxial cable has an impedance of 50 ohms and offers a combination of remarkable flexibility, high strength, and superior electrical performance. It includes a copper clad aluminum center conductor, low loss cellular polyethylene foam dielectric, corrugated copper outer conductor, and a protective black polyethylene jacket. The antenna is rigidly mounted to a permanent bracket secured to the parapet of the CPF penthouse. It is a highly directional r-f radiating device with a power gain of 5 dB. The antenna is designed to withstand severe environmental conditions. Radiating elements are made of three-quarter inch diameter tubing and reinforced with seven-eighths inch diameter sockets at the mounting boom. It contains direct ground lightning protection and has a wind rating survival of 97 mph. The installed antenna weighs 37 pounds.

Waterford Police Radio The Waterford Police Department two-way radio system provides communications between the Waterford Emergency Communications Dispatcher and the Control Room. The system is controlled by the radio console in Units 2 and 3. The base station is located in the CPF telecommunications room.

The antenna is installed on the CPF Building penthouse. It is provided with lightning protection and has a wind rating of 150 mph.

Tri-Town UHF Radio System The Tri-Town UHF radio system is an administrative two-way radio system used by three towns in the Millstone area. Each of these towns has the ability to call the control room using tone alert signaling.

The system is controlled by the consoles in Units 2 and 3 and base/control station and repeater relay station. The base/control station is located in the CPF Building.

It contains two transmit frequencies, the second frequency being talk-around in the event of a repeater relay station failure. The unit is installed in an impact-resistant cabinet bonded to the electrical ground. The primary power source is 120

cable. The cable is 20 feet in length and is securely clamped to the building bulkhead with stainless steel clamps. The cable consists of a copper clad center conductor surrounded by a low loss foam dielectric. A corrugated copper outer conductor encloses this and the entire cable is jacketed with black polyethylene.

The antenna is rigidly mounted to the building exterior wall. The antenna is a heavy duty, lightweight, two-stack collinear array designed to provide 5 dB of gain, broad bandwidth, and minimum pattern distortion. A binary cable harness is used to ensure equal in-phase power distribution to all radiating elements. The wind survival of the antenna is 125 mph, and all elements are operated at DC ground to ensure immunity from lightning damage.

The repeater relay station is located in the Telecommunications Radio Housing adjacent to the Millstone stack. The repeater is fully solid-state and has r-f control capabilities to turn the unit on and off. The cabinet is bonded to electrical ground and its primary power source is 120 VAC backed up by the security diesel.

The station is connected to the antenna via a seven-eighths inch jacket semirigid coaxial cable. The cable length is 150 feet and is securely clamped to the stack with stainless steel clamps. The cable consists of a copper clad center conductor surrounded by a low loss foam dielectric. A corrugated copper outer conductor encloses this and the entire cable is jacketed with black polyethylene. The antenna is rigidly mounted to the stack exterior wall. The antenna is a heavy duty, lightweight two-stack collinear array designed to provide 9 dB of gain, broad bandwidth, and minimum pattern distortion. A binary cable harness is used to ensure equal in-phase power distribution to all radiating elements. The wind survival of the antenna is over 125 mph, and all elements are operated at DC ground to ensure immunity from lightning damage.

State Police Radio System The State Police radio system uses two frequencies. One frequency is used for radio tests and short duration communications. The second frequency is used for communications over extended periods of time. Tone alert signaling is used to allow State Police calls to the control room.

The system is controlled by the consoles in Units 2 and 3. The base station is a desk top style and is located in the CPF Building 212 telecommunications room.

The station fully utilizes the advantages of solid-state circuits; reliability, small size, ruggedness, and low maintenance requirements. Efficient heat radiators ensure safe operating temperatures for the transmitter power amplifier stages, and the power supply regulator transistors. The stations primary power source is 120 VAC, and it is protected from overcurrent conditions.

dedicated to communication cables only. The cable ultimately terminates at the antenna mount on the CPF Building 212 penthouse. The coaxial cable has the outer copper jacket bonded to ground before entry into the building. The coaxial cable has an impedance of 50 ohms, and offers a combination of remarkable flexibility, high strength, and superior electrical performance. It includes a copper clad aluminum center conductor, low-loss cellular polyethylene foam dielectric, corrugated copper outer conductor, and protective black polyethylene jacket. The antenna is rigidly mounted to permanent brackets secured to the parapet of the CPF Building 212 penthouse. The antenna is a unity power gain omnidirectional antenna with a wind rating survival of 100 miles per hour. The antenna uses a shunt-fed coaxial design in a rugged two piece construction. The lower section is enclosed in a heavy-wall fiberglass tube, and the upper fiberglass whip fastens via a protected one-half inch by 20 thread connector. The antenna has direct ground lightning protection and requires no ground plane elements for proper radiation.

The antenna weighs 10 pounds.

Dominion Energy Emergency Notification System (DEENS)

The Dominion Energy Emergency Notification System (DEENS) is web-based emergency notification and callback verification software. This software is designed to meet the needs of nuclear power facilities, including the requirements of notifications in accordance with 10 CFR 50 Appendix E and NUREG-0654.

The software utilizes multiple distributed data centers, with flexible capacity, and full stack redundancy with multiple SMS and voice providers vetted to ensure no downstream inter-dependencies. When activated, the system will contact the Millstone Emergency Response Organization and State and Local agencies via email, SMS text messaging, cell phone and LAN line. Emergency event information is included in the emailed Emergency Notification (ENF) sent to the State and local agencies.

The carrier current system provides direct communications with the substations at the termination of each of the outgoing transmission lines.

The 5-channel amplified system is used for maintenance purposes such as instrument calibration, equipment adjustment, and the like. The layout provides point-to-point service; as between the control room and a station within the unit, or between two stations within the unit. The instruments are not permanently installed, but are the portable type that can be plugged into jacks conveniently located throughout the unit. This jack system covers working areas, the main control board, and the operators desk.

The fuel handling system telephones are located along the fuel transfer canal, and provide ready communication among those engaged in loading or unloading fuel.

By means of coupling units to the crane power supply, a carrier system ties in a

The public address facilities consist of a voice-paging system that provides communication for the Unit 2 area. A switch is provided so that the unit operator can mute all outdoor speakers at night. A paging adapter is furnished by the telephone company so that designated PBX stations under b. above can dial into the paging system of Unit 1, Unit 2, Unit 3, or all.

In the unlikely event that all personnel must evacuate the area, switches in the control room energize containment, site and plant evacuation alarms. A distinctive tone generated by audio frequency oscillators is broadcast through the public address system loudspeakers. This signal takes precedence over all other use of the paging system.

4 AVAILABILITY AND RELIABILITY 4.1 Special Features alkie-talkie radios and pico cellular phones are available for communications between the tor polar crane and the operating floor of the containment structure. They are also available other intra-plant uses.

ministrative procedures prevent hand held UHF radios from affecting the solid state reactor ection and/or Engineered Safety Features (ESF) systems.

cables in the communication systems are independent from those of other systems and are lded or isolated from power cables and any other sources of line noise which could adversely ct the audibility of the systems. The communication systems use twisted, balanced audio pairs urther reduce the effects of longitudinally induced magnetic noise.

4.2 Design Evaluation failure of any system does not cause the malfunction of the other systems. To ensure high er supply reliability, nonvital systems (requiring power) receive power from the 120/208 V vital bus (Section 8.3.1), the Technical Support Center (TSC) electrical distribution system, or normal DC power system (Section 8.3.2). The plant-switched network is provided with a kup power system that is equipped with a rectifier and backup battery. The microwave system rovided with a separate battery-rectifier power system. The normal and emergency power ply systems for the SNETCO message network are located at the telephone company rating facilities.

design of the communication systems permits routine testing and inspection without upting normal communication facilities. The evacuation alarm system will be tested odically in accordance with normal station procedure.

1 DESIGN BASES 1.1 Functional Requirements July 26, 1984, the Code of Federal Regulations (CFR) was amended to include the ATWS e (Section 10 CFR 50.62, Requirements for Reduction of Risk from Anticipated Transients hout SCRAM [ATWS] Events for Light-Water-Cooled Nuclear Power Plants). An ATWS is xpected operational transient (such as loss of main feedwater, loss of condenser vacuum, or of offsite power), which is accompanied by a failure of the Reactor Trip System (RTS) to shut n the reactor. The ATWS Rule requires specific improvements in the design and operation of mercial nuclear power facilities to reduce the likelihood of failure to shut down the reactor owing anticipated transients and to mitigate the consequences of an ATWS event.

10 CFR 50.62 requirements applicable to pressurized water reactors manufactured by mbustion Engineering (CE), are:

1. Each pressurized water reactor must have equipment from sensor output to final actuation device that is diverse from the RTS, which will automatically initiate the Auxiliary (or emergency) Feedwater System (AFWS) and initiate a turbine trip under conditions indicative of an ATWS. This equipment must be designed to perform its function in a reliable manner and be independent (from sensor output to the final actuation device) from the existing RTS.
2. Each pressurized water reactor manufactured by CE must have a diverse SCRAM system from the sensor output to interruption of power to the control rods. This SCRAM system must be designed to perform its function in a reliable manner and be independent from the existing RTS (from sensor output to interruption of power to the control rods).

2 DISCUSSION ATWS is an anticipated operational occurrence (e.g., loss of main feedwater, or turbine trip) ch is accompanied by a failure of the Reactor Protection System (RPS) to shut down the tor. The limiting ATWS events are typified by a rapid Reactor Coolant System (RCS) heatup pressurization to above 3200 psia before moderator reactivity feedback substantially reduces tor power.

torically, CE has performed an analysis of selected transients which provide sufficient racterization of the CE Nuclear Steam Supply System (NSSS) design to ATWS events. For ssing the results of the ATWS analysis, CE used the following generalized criteria:

1. Radiological release within 10 CFR 100 Guidelines
2. RCS pressure less than emergency limits (3200 psia)
4. Fuel cladding - no degradation
5. Containment Pressure - within design pressure ed on CEs analysis, the consequence of a failure to SCRAM would lead to an RCS rpressurization, a violation to Criterion 2. Those ATWS events which would cause RCS rpressurization are:
1. Zero Power Control Element Assembly (CEA) Withdrawal
2. Loss of load
3. Loss of Main Feedwater (complete or partial)

Millstone Unit 2 Diverse SCRAM System (DSS) and ATWS Mitigating System Actuating cuitry (AMSAC) fulfills the NRC requirement addressed in 10 CFR 50.62. The DSS is diverse electrically independent from the RTS and provides a redundant path of reactor and turbine by a high-pressure setpoint. The AMSAC is modified from the existing Auxiliary Feedwater uation System (AFAS) to mitigate an ATWS event by redundant Auxiliary Feedwater (AF) ation from DSS.

DSS reduces the ATWS probability and AMSAC provides some limited mitigation.

wever, DSS/AMSAC is not expected to fully mitigate all ATWS events. Therefore, the ATWS em is not a direct response to all accidents analyzed in Chapter 14.

erence:

1. Analysis of Anticipated Transients Without Reactor SCRAM in Combustion Engineerings NSSSs, May 1976, Combustion Engineering, CENPD-158, Revision 1.

3 DESIGN CRITERIA 3.1 General systems and equipment required by 10 CFR 50.62 do not have to meet all of the stringent uirements normally applied to safety related equipment. However, this equipment is part of the ader class of structures, systems, and components important to safety defined in the oduction of 10 CFR 50, Appendix A (General Design Criteria [GDC]). Although the ATWS gation system is not required to meet all of the stringent requirements normally applied to ty related equipment per 10 CFR 50.62, the DSS/AMSAC is designed to Quality Assurance egory 1 requirements in accordance with the Quality Assurance Program (QAP).

a. No single component failure can prevent the performance of a safety function.
b. Channel independence is assured by separate connection of the sensors to the process systems and of the channels to vital instrument buses.
c. The four measurement channels provide trip signals to six independent logic matrices, arranged to effect a two-out-of-four coincidence logic having outputs to two independent trip paths.
d. A trip signal from any two-out-of-four protective channels on the same parameter causes an ATWS trip.
e. When one of the four channels is taken out of service, the protective system logic may be changed to two-out-of-three coincidence for an ATWS trip by bypassing the removed channel.
f. Independence is provided between redundant elements to preclude any interactions between channels during maintenance or in the event of channel malfunction.
g. Redundant elements are electrically isolated from each other such that events affecting one element are not reflected in any other redundant element.
h. The tripping function is accomplished via an energize to trip logic path to preclude inadvertent plant trips due to component failure.

3.2 Electrical Independence ATWS rule requires that the DSS be electrically independent from the RPS. Both the RPS DSS share four pressurizer pressure sensor channels. Each channel output is isolated between put to the RPS and output to the DSS. The isolation design is consistent with the present nsing basis for Millstone Unit 2. Subsequent DSS processing is totally electrically pendent from the RPS.

3.3 Environmental Qualification DSS is designed to operate for Anticipated Operational Occurrence environment which ns a normal containment environment and a mild control room environment. There is no uirement to qualify the DSS/AMSAC to Loss-of-Coolant Accident (LOCA) or High Energy e Break (HELB) environment since these are not considered anticipated operational urrences. The DSS electronics which share the same instrument rack and same power supply solation electronics for the RPS are qualified to IEEE-323-1983.

DSS need not work during or after a seismic event. However, all components that interface h Category 1E systems will be seismically restrained and electrically certified not to degrade Category 1E equipment. The DSS electronics which share the same instrument rack and same er supply as isolation electronics for the RPS are qualified to IEEE-344-1975.

3.5 Annunciation and Display DSS status and bypass indications will be provided in the control room. Trip alarm and ass will be annunciated on the main control board.

3.6 Testability DSS is designed as a four-channel system with individual bypass switch for each channel.

bypass switch will permit individual channel testing while the reactor is operating at power.

3.7 Diversity Millstone Unit 2 DSS design uses the existing RPS pressurizer pressure sensors to generate h the RPS and DSS actuation signals. Even though the DSS and RPS use common sensors, the S uses qualified, Category 1E electronics that have been analyzed to demonstrate isolation m the RPS. This minimizes the potential for adverse electrical interactions between the two ems.

ersity of manufacturer exists for the DSS and RPS bistables, power supplies and matrix relays.

DSS and RPS initiation relays and final actuation devices are both manufactured by the same dor; however, diversity of model/design principle exists.

Millstone Unit 2, Diverse Turbine Trip (DTT) design is such that the DTT shares all circuit ponents with the DSS, up to, but not including, the final trip device. Thus, all of the rmation that is applicable to DSS components discussed previously are applicable to the DTT ponents, up to, but not including the final trip device. When the DSS causes a reactor trip, it causes a turbine trip as the DSS interrupts power to the turbine trip undervoltage coils. The rse SCRAM relays provide isolation between the Category 1E and Noncategory 1E portions he circuits. Thus, with the implementation of the DSS, the existing turbine trip becomes a DTT to the diversity between the DSS and the existing RPS.

existing AFWS actuation circuitry, when installed at Millstone Unit 2, contained significant rsity from the RPS.

AFWS design at Millstone Unit 2, was upgraded following the TMI-2 accident in accordance h the TMI Action Plan Items II.E.1.1, Auxiliary Feedwater System Evaluation, and II.E.1.2, xiliary Feedwater System Automatic Initiation and Flow Indication, of NUREG-0737, arification of TMI Action Plant Requirements. Diversity of manufacturer exists for the erse Auxiliary Feedwater (DAFW) bistables, matrix relays, initiation relays and power

4 SYSTEM DESCRIPTION Millstone Unit 2 scheme for mitigating ATWS events consists of a DSS, an AMSAC system, a DTT system. The DSS provides a redundant path of reactor and turbine trip by a high surizer pressure setpoint. The AMSAC uses the existing AFAS to mitigate an ATWS event by undant AF initiation from DSS.

ATWS is designed to be highly reliable, resistant to inadvertent actuation, and easily ntained. Reliability is assured through the use of internal redundancy and industry proven em components. Inadvertent actuations are minimized through the use of internal redundancy, rgize to trip design, and good human factors practices. The time delay on low steam generator l and the coincidence logic used also minimize inadvertent actuations. Figure 7.9-1 details ATWS system.

4.1 Diverse Scram System DSS receives input from the existing RPS pressurizer pressure sensors. The pressurizer sure signals are routed to signal processing instrumentation consisting of bistables and logic uitry arranged in a two-out-of-four energize-to-actuate logic to trip the RPS Motor Generator G) set output contactors upon detection of conditions indicative of an ATWS event.

ual and audible alarms provide the control room operator with indication of DSS initiation.

visions have been included to allow the bypass of any one sensor input thus converting the c to two-out-of-three to allow for maintenance and testing of the sensors and associated signal cessing electronics. All bypasses are annunciated on the Main Control Board.

4.2 Diverse Auxiliary Feedwater Actuating System existing AFAS has been modified to satisfy the ATWS requirement. The present AFAS is ated upon low steam generator level (two-out-of-four logic) following a 3 minute, 25 second e delay. An ATWS event with reactor power greater than 20 percent will initiate automatic AF owing a 10-second time delay. An ATWS event with reactor power less than 20 percent will ate automatic AF following a 3 minute, 25 second time delay.

ual and audible alarms provide the Control Room operator with indication of AFAS initiation.

4.3 Diverse Turbine Trip Millstone Unit 2 DTT design is such that the DTT shares all circuit components with the S, up to, but not including, the final trip device.

providing a DTT.

5 SYSTEM COMPONENTS 5.1 System Hardware and Interface ure 7.9-2 provides an overview of the DSS/AMSAC hardware and interconnections between ponents. Four pressurizer pressure channels each containing logic for high-pressure trip, vide the inputs to DSS matrix located in panel C100. Two Nuclear Instrument (NI) channels, ch are indicative of reactor power level, interface with the AF initiation facilities Z1 and Z2 to vide a redundant AF initiation.

DSS matrix combines four channel trip contacts in a two-out-of-four voting matrix. The rix is arranged so that two channels will issue a DSS signal. If a channel is removed out of ice, the voting matrix automatically converts to a two-out-of-three voting configuration.

output from the DSS matrix directly drives the DSS relays, 94A/DSS and 94B/DSS. Both ys provide for the redundant AF initiation and the tripping of the MG output contactors.

5.2 Pressurizer Pressure Channels Millstone Unit 2, design uses the existing RPS pressurizer pressure sensors (PT-102A-D) to erate both the RPS and DSS actuation signals. Even though the DSS and RPS use common sors, the DSS uses qualified, Category 1E electronics that have been analyzed to demonstrate ation from the RPS. This minimizes the potential for adverse electrical interactions between two systems.

High Alarm contact drives four relays on a SPEC 200 N-2A0-L2C-R relay isolator card ch provides train isolation and interconnections for use in the DSS matrix. The High Alarm oint is 2400 psia.

5.3 Neutron Monitoring Channels o independent analog signals corresponding to 0 - 100 percent reactor power are routed from Reactor Regulating System (RRS) Channel X and Y to qualified Category 1E electronics.

0 percent reactor power alarm contact drives a relay on a SPEC 200 N-2A0-L2C-R relay ator card which provides train isolation and interconnections to the AF initiation circuitry.

5.4 Diverse SCRAM Matrix ure 7.9-3 shows the scheme arrangement for the Diverse SCRAM (DS) Matrix and its logical rconnections.

bination. Each contact in a string is associated with a disable/enable contact from the channel lock switch (HS-102).

matrix is arranged to activate the DSS relays 94A/DSS and 94B/DSS only when power is ilable. A High Alarm on any two channels will close two contacts on a vertical string. If the 102 switch is closed for both contacts, then both relays will activate.

h relays 94A/DSS and 94B/DSS are used to provide isolation between the DSS matrix, the AF ation facilities and the MG contactors and to ensure a DS in the event of a single relay failure.

rposing (auxiliary) relays 94X/MG1 and 94X/MG2 provide the auxiliary contacts to operate MG contactors and to provide additional isolation between the 480V MG control circuit and DSS control circuit.

5.5 Auxiliary Feedwater Initiation o contacts from the DSS relay are used in the AF initiation scheme. The first contact parallels steam generator low level - AF initiation relay contact and functions to start the 3 minute, 25 ond timer to initiate AF. The second contact starts a 10 second timer which will be used to ditionally start AF initiation 10 seconds after receiving a DS signal with Reactor Power level percent.

5.6 Motor Generator Contactors existing contactor schematic circuit is tripped by loss of motor power for longer than 2 onds, high or low current through the exciter, synchronization errors or bus overvoltage.

h MG contactor can be operated from either redundant DSS relay via auxiliary relay schemes.

iliary relays 94X/MG1 and 94X/MG2 are activated separately, by circuits containing parallel, mally open, contacts from the 94A/DSS and 94B/DSS relays. When activated by a DSS y(s), both auxiliary relays provide signals to open each MG contactor via normally closed tacts connected in series within each contactor control circuit. For a postulated single failure in SS, auxiliary relay or associated contact, this control scheme ensures that the redundant DSS eme will trip both contactors.

5.7 Power Supply DSS and AMSAC circuits use common AC power sources from the 120 VAC vital buses, 10, VA20, VA30, and VA40, for all components from the sensors to the initiation relays.

C100 matrix tripping relays (94A/DSS and 94B/DSS) are powered from 125 VDC power plies (via VA10 and VA20 respectively). Each power supply is rated for 100 percent capacity their outputs are diode auctioneered such that a single failure will not impact system ration.

DSS/AMSAC provides a backup to the RTS for initiating a reactor and turbine trip and AF in the event of an anticipated transient.

ATWS trip will occur when a high pressurizer pressure signal exceeds the setpoint of 2400 on two of the four inputs channels. Initiation of the ATWS will result in the following system onse:

1. A reactor (and subsequent turbine) trip will be processed by opening of series DSS auxiliary relay contacts in the RPS MG Set outputs.
2. AF initiation will occur after a 10 second time delay if reactor power remains 20 percent, otherwise, AF initiation will occur following a 3 minute, 25 second time delay.

6.1 Bypasses individual bypass (keylock) switch is available for each of the four pressure channels. This ass will allow on-line maintenance and testing capabilities of the DSS/AMSAC circuitry.

6.2 Annunciation and Display cation of individual pressure channel trip is available at the C100 status panel. An Amber p will be illuminated on the C100 status panel indicating a channel trip.

unciation alarms on main control board C04F are provided to alert the operator should an WS or AAFWIS (Automatic Auxiliary Feedwater Initiation System) initiation occur.

WS channel bypasses are annunciated on Main Control Board C04F.

6.3 Inadvertent Actuation DSS and AMSAC systems have been designed such that the frequency of inadvertent ations is minimized. Reliability of this system is ensured through the use of redundancy, ority voting logic, bypasses and energize to trip circuitry.

change slightly increases the likelihood of spurious reactor trip (i.e., a trip when no protection oints have been exceeded) because of the addition of electrical components which can rrupt power from the MG set to the CEDMs.

inadvertent actuation of the DSS or malfunction of the MG output contactors would result in interruption of power to the CEDM coils causing the rods to drop by gravity into the core. The ervoltage condition will also cause a turbine trip signal to be generated. Therefore, inadvertent S actuation would result in simultaneous turbine and reactor trip. An inadvertent DSS uation would resemble the interruption of power to or from the MG set as in the existing

change could also result in automatic AFWS actuation, regardless of steam generator level in current design), if the DSS is inadvertently actuated and a high neutron flux signal (> 20 ent) is sustained for 10 seconds. This could increase the challenges to the Engineered eguards Features (ESF), and increase the potential for feedwater nozzle thermal shock, steam erator overfill, and so on. However, for this to be a concern, two low-probability events must ur. Inadvertent DSS actuation is of low probability. Given that DSS actuation has occurred, tor SCRAM will occur and neutron flux will be below 20 percent within 10 seconds.

refore, a second (low probability failure) must occur, that is, a high neutron flux signal ause of miscalibration error or electrical component failure. Given that the plant was operating h neutron flux measurement calibrated in the first place, these failure modes are low bability. The conclusion is that inadvertent AFWS actuation, due to the change, is of gnificant probability compared to all other mechanisms for inadvertent actuation.

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

.1 DESIGN BASES

.1.1 Functional Requirements auxiliary steam line break detection/isolation functions to isolate steam supply to specific ty related areas if steam leakage is detected due to an auxiliary steam line (or other) high rgy line break.

.2 DISCUSSION iliary Steam System auxiliary steam system is provided for building heating, freeze protection for outdoor water age tanks, and radwaste process requirements. The system is nonnuclear safety (NNS). Steam ormally provided by the Unit 3 auxiliary steam system via a crosstie between the Units.

ause the Unit 3 auxiliary steam system operates at 150 psig and the Unit 2 auxiliary steam em operates at 50 psig, a pressure reducing valve station, including isolation and relief valves installed. In addition a condensate return line from the Unit 2 auxiliary feedwater surge tank is ed to the Unit 3 condensate system. Condensate is routed to the auxiliary boiler deaerator, n the Unit 3 auxiliary boilers are supplying auxiliary steam, or to the Unit 3 condensate surge when Unit 3 main steam is supplying auxiliary steam.

ing Unit 2 plant shutdown, the Unit 3 auxiliary steam system provides steam to the Unit mber 2 auxiliary steam system. In the event both Units are shutdown the Unit 3 auxiliary steam ers maintains the capability to provide house heating steam to both Units, as well as the steam ds for the site fire water storage tanks freeze protection. Temporary electric heating has been vided to the fire water storage tanks while auxiliary steam supply is unavailable.

hnical Specification Numbers 3/4.1.2 (Boration Systems - Modes 5 & 6) and 3/4.5.4 fueling Water Storage Tank (Modes 1, 2, 3 and 4) establish minimum temperature uirements for safety related tanks that are heated by the auxiliary steam system.

CFR 50, Appendix A, Design Criterion 4, requires structures, systems, and equipment ortant to safety to be designed for effects and be compatible with environmental conditions ciated with effects of postulated pipe ruptures.

auxiliary steam system is classified as a high energy fluid system. The auxiliary steam perature detection system is installed to detect an auxiliary steam leak or line break in specific ty related areas shown on Figure 7.10-1. The detection system, if activated, will isolate the m supply to these areas to ensure operability of safety related equipment needed to safely shut n the plant.

e break analysis criteria and guidance are discussed in Section 6.1.4.

lification of Class 1E Electrical Equipment in Operating Reactors, and NUREG-0588 erim Staff Position on Environmental Qualification of Safety Related Electrical Equipment.

ulations for environmental qualification of electrical equipment are specified in CFR 50.49.

.3 DESIGN CRITERIA

.3.1 General following criteria have been used in the design of the auxiliary steam detection/isolation DI) system:

a. The system shall have redundant, independent subsystems.
b. The system shall have suitable subsystem and component alignments to assure operation of the complete subsystem with its associated components.
c. Capabilities shall be provided to assure the system function with onsite power (assuming offsite power is not available) or with offsite electrical power.
d. A single failure in either subsystem shall not affect the functional capability of the other subsystem.
e. The system shall be designed to permit periodic inspection of important components, such as temperature detectors and automatic isolation valves to assure the integrity and capability of the system.
f. The ASDI system shall be designed to permit appropriate periodic pressure and functional testing to assure the operability and performance of the active components of the system, and the operability of the system as a whole. Under conditions as close to the design as practical, performance shall be demonstrated of the full operational sequence that brings the system into operation, including operation of applicable portions of the detection system.
g. The components of the detection system shall be designed to operate in the most severe environment to which it is exposed during an auxiliary steam line break.

0.3.2 Electrical Independence ASDI system is designed with two electrically independent channels in accordance with E 279, Criteria for Protection Systems for Nuclear Power Generating Stations (1971).

perature detectors associated with the ASDI system are qualified to withstand the predicted ironment resulting from an auxiliary steam line break in the auxiliary and enclosure buildings.

ectors and associated components are qualified in accordance with IEEE 323, Qualifying ss 1E Equipment for Nuclear Power Generating Stations (1974). Isolation valves, associated trols, and other active components are designed to fail in the safe direction and are not uired to be environmentally qualified.

.3.4 Seismic Qualification ASDI system is seismically qualified to ensure detection of a steam line break in the required s, transmission of the signal, and closure of isolation valves for the auxiliary steam supply to Auxiliary Building. Components are seismically qualified to IEEE 344, Recommended ctices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating tems (1974).

.3.5 Annunciation and Display ASDI system status and bypass indications are provided in the control room. Detection alarm bypass are annunciated on the main control board.

.3.6 Testability ASDI System is designed as a two channel system. Each channel is provided with a bypass tch to allow periodic test of each channel without causing isolation of the auxiliary steam ply to the Auxiliary Building.

0.4 SYSTEM DESCRIPTION ASDI System is shown schematically in Figure 7.10-1. The ASDI System consists of eight s of RTDs located in the areas of the auxiliary building as shown.

perature detectors (RTDs) are installed at locations easily accessible from floor level for ntenance and calibration. The temperature detector electronics are located in control cabinets 2 and C503 in the East 480 volt Loadcenter Room. Associated control relays and hand tches are located in panel C-80 in the main Control Room.

Ds are resistance temperature detector type. The detection/isolation are set at a maximum shold set point value of approximately 115°F to rapidly detect a potential steam line break or

. The exact set point is determined based on maximum design temperature applicable to the ective area (see FSAR Section 9 for this basis) with a suitable margin included as needed to id spurious actuation and alarms. Actuation of any alarm bistable causes the respective steam ation valve to close. Status indicating lights (red) are provided at C502/C503 panels for each perature switch. A computer point and main control board alarm is provided for each iliary Steam Detection Isolation System Actuation.

h train of alarm switches has their control contacts wired in series. Reset of the system after an m switch actuates is accomplished via hand switch in the control room (panel C-80). The dswitch will reopen the auxiliary steam isolation valves after the affected RTD returns to mal ambient conditions. The RTDs are seismic and environmentally qualified.

h RTD will actuate one of (2) automatic isolation valves to close. The position of the auxiliary m isolation valves is indicated by red-green indicating lamps on the C80 panel in the control

m. Maintenance/Bypass switch engagement is indicated by an amber lamp on C-80 panel and annunciated on a common alarm window on panel CO6.

er an actuation of an isolation valve(s) and the alarm bistable resets, the annunciator will reset, the auxiliary steam isolation valves will remain closed. The operator must take deliberate on by operating hand switch(es) on the C80 panel to re-open the closed valve(s).

control scheme has a built-in maintenance/bypass keylock switch on the C80 panel which ws calibration of the bistables without closing the auxiliary steam isolation valves. This ction is a key locked hand switch. The bypass condition is annunciated on panel CO6 when he bypass position. An amber light on C80 panel indicates when the alarm bistable trip ction has been bypassed. Procedural controls have been established and will be maintained to ct compensatory measures during periods when the trip function is bypassed.

automatic isolation valves are located in the Turbine Building prior to the Auxiliary Steam etration into the Auxiliary Building at the Turbine/Auxiliary building wall. The valves are pendent and redundant to each other to meet single failure criteria. The valves are high ormance (very low leakage), butterfly type with an offset disc and metallic seat.

valves are air-operated, air to open, vent to close. They fail closed with spring assist on loss nstrument air or power. Each valve is provided with a high capacity, rapid discharge solenoid t valve to ensure closure time of less than five seconds. The valve and air operator are mically qualified. The solenoid vent valves and valve position limit switches are purchased Q and seismically qualified. However, these items do not have to be maintained in the MP2 Q master list since the isolation valves are not required to isolate if a steam line breaks in the bine Building. Each isolation valve has an air pressure regulator based on design pressure tations of the air operator diaphragm. The regulator is located upstream of the solenoid vent e and is nonsafety related.

piping system is designed in accordance with ANSI B31.1 design criteria.

AND CONDENSATE figure indicated above represents an engineering controlled drawing that is Incorporated by erence in the MPS-2 FSAR. Refer to the List of Effective Figures for the related drawing ber and the controlled plant drawing for the latest revision.

ce environmental conditions vary for different areas of the plant, there are several ironmental zones. Safety related equipment and components are qualified to meet their ormance requirements under normal, abnormal, and accident operating conditions based on environmental zone in which the equipment is exposed.

Millstone Electrical Equipment Qualification (EEQ) Program is a process that ensures the tinued qualification of equipment which must function during and following the design ditions postulated for design basis accidents and the post-accident duration. This program has n developed to ensure that environmental qualification criteria are applied to electrical ipment important to safety in accordance with 10 CFR 50.49 and to document the process ugh which this qualification is demonstrated. It incorporates NRC Regulation, Regulatory des, and other positions and guidelines, as well as Institute of Electrical and Electronic ineers (IEEE) Standards and sound engineering practices.

Design Basis area of the EEQ program consists of the Environmental Qualification Master (EQML) and the plant normal and accident environmental conditions. The EQML is the set equipment required to be environmentally qualified. Environmental Parameters include perature, pressure, relative humidity, chemicals, spray potential, submergence, accident ation, and gamma/beta radiation dose (where applicable). These parameters are given in terms time-based profile. Changes in equipment function or operating mode, substitution of new del numbers, and the addition or deletion of equipment in the plant, shall require a revision of EEQ program documentation. Changes to the environmental parameters such as revisions to dent analyses, rerouting or modifying the high energy lines, or changes in the functional ration of the HVAC system may result in revisions to the EEQ program documentation.

t Report Assessments (TRA), Equipment Qualification Records (EQR), and referenced design uments provide an auditable proof of the equipment qualification. The qualification process is ed on the testing and/or analysis of same or similar equipment or material such that this ipment performance becomes the model or proof of how the installed equipment is anticipated ehave when exposed to design basis accident environmental conditions. Emulation of the ed equipments internal, external, and maintained configuration is necessary to enable the test epresent the plant installed equipment. Products of the qualification verification include allation, maintenance, and procurement requirements that must be implemented to ensure that installed equipment is the same as the equipment tested.

pter 12.10 describes alternate requirements for RISC-3 SSCs.