ML20209A013

From kanterella
Revision as of 20:31, 11 March 2022 by StriderTol (talk | contribs) (StriderTol Bot insert)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Rev. OL-24 to Final Safety Analysis Report, Chapter 8, Electric Power
ML20209A013
Person / Time
Site: Callaway Ameren icon.png
Issue date: 11/13/2019
From:
Ameren Missouri, Union Electric Co
To:
Office of Nuclear Reactor Regulation
Shared Package
ML20209A098 List: ... further results
References
ULNRC-06547
Download: ML20209A013 (146)


Text

CALLAWAY - SP TABLE OF CONTENTS CHAPTER 8.0 ELECTRIC POWER Section Page

8.1 INTRODUCTION

............................................................................................. 8.1-1 8.1.1 UTILITY GRID DESCRIPTION.................................................................. 8.1-1 8.1.2 ONSITE POWER SYSTEM DESCRIPTION ............................................. 8.1-1 8.1.3 SAFETY-RELATED LOADS...................................................................... 8.1-2 8.1.4 DESIGN BASES ........................................................................................ 8.1-2 8.1.4.1 Offsite Power System........................................................................... 8.1-2 8.1.4.2 Onsite Power System........................................................................... 8.1-3 8.1.4.3 Design Criteria, Regulatory Guides, and IEEE Standards ................... 8.1-4 8.2 OFFSITE POWER SYSTEM .......................................................................... 8.2-1 8.3 ONSITE POWER SYSTEMS ......................................................................... 8.3-1 8.3.1 AC POWER SYSTEMS ............................................................................ 8.3-1 8.3.1.1 Description .......................................................................................... 8.3-1 8.3.1.2 Analysis ............................................................................................. 8.3-28 8.3.1.3 Physical Identification of Safety-Related Equipment ......................... 8.3-28 8.3.1.4 Independence of Redundant Systems .............................................. 8.3-29 8.3.2 DC POWER SYSTEMS .......................................................................... 8.3-37 8.3.2.1 Description ........................................................................................ 8.3-37 8.3.2.2 Analysis ............................................................................................. 8.3-39 8.3.3 FIRE PROTECTION FOR CABLE SYSTEMS ....................................... 8.3-46 8.

3.4 REFERENCES

....................................................................................... 8.3-46 App. 8.3A STATION BLACKOUT ......................................................................8.3A-1 8.3A.1 INTRODUCTION .....................................................................................8.3A-1 8.0-i

CALLAWAY - SP TABLE OF CONTENTS (Continued)

Section Page 8.3A.2 STATION BLACKOUT GENERAL CRITERIA AND ASSUMPTIONS .....8.3A-4 8.3A.3 CALLAWAY STATION BLACKOUT DURATION ....................................8.3A-4 8.3A.3.1 AC Power Design Characteristic Group .............................................8.3A-4 8.3A.3.2 Emergency AC Power Configuration Group.......................................8.3A-7 8.3A.3.3 Emergency Diesel Generator (EDG) Reliability .................................8.3A-8 8.3A.3.4 Coping Duration Category..................................................................8.3A-9 8.3A.4 PROCEDURES FOR SBO ......................................................................8.3A-9 8.3A.5

SUMMARY

OF SBO COPING ASSESSMENT .......................................8.3A-9 8.3A.5.1 Condensate Inventory for Decay Heat Removal ................................8.3A-9 8.3A.5.2 Class 1E Battery(ies) Capacity......................................................... 8.3A-10 8.3A.5.3 Compressed Air................................................................................ 8.3A-10 8.3A.5.4 Effects of Loss of Ventilation ............................................................ 8.3A-10 8.3A.5.5 Containment Isolation....................................................................... 8.3A-10 8.3A.5.6 Reactor Coolant Inventory................................................................ 8.3A-10 8.3A.6 GRADED QA PROGRAM FOR SBO .................................................... 8.3A-11 8.3A.7 REFERENCES ...................................................................................... 8.3A-11 8.0-ii

CALLAWAY - SP LIST OF TABLES Number Title 8.3-1 Class 1E DC System Loads 8.3-2 125 V DC Class 1E Battery Loading Cycle (Amperes Required per Time Interval per Battery After Loss of AC Power) Subsystems 1 and 4 8.3-3 125 V DC Class 1E Battery Loading Cycle (Amperes Required per Time Interval per Battery After Loss of AC Power) Subsystems 2 and 3 8.3-4 Failure Modes and Effects Analysis 8.3A-1 Comparison to NUMARC 87-00, Guideline and Technical Bases for NUMARC Initiatives Addressing Station Blackout at Light Water Reactors 8.3A-2 Comparison of Graded QA Program for Station Blackout with Criteria of Regulatory Guide 1.155, Rev. 0, Appendix A Quality Assurance Guidance for Non-Safety Systems and Equipment 8.0-iii Rev. OL-19 5/12

CALLAWAY - SP LIST OF FIGURES Number Title 8.3-1 (Sheet 1) Main Single Line Diagram 8.3-1 (Sheet 2) Single Line Diagram Essential Service Water System 8.3-2 List of Loads Supplied by the Emergency Diesel Generator 8.3-3 Logic Diagram Standby Generation Excitation Control 8.3-4 Logic Diagram Standby Generator System Protection 8.3-5 Logic Diagram Standby Generator Engine and Governor Control 8.3-6 DC Main Single Line Diagram 8.3-7 DC Main Single Line Diagram (PK03 and PK04 Bus) 8.0-iv Rev. OL-14 12/04

CALLAWAY - SP CHAPTER 8.0 ELECTRIC POWER

8.1 INTRODUCTION

8.1.1 UTILITY GRID DESCRIPTION The generator units are connected to the respective transmission systems. The transmission system voltage is 345 kV for Callaway. The utility has integrated transmission networks and interconnections with neighboring systems. A description of the system network and interconnections is given in Section 8.1.1 of the Site Addendum.

8.1.2 ONSITE POWER SYSTEM DESCRIPTION The onsite power system is provided with preferred (offsite) power from the offsite system through two independent and redundant sources of power. One preferred circuit from the switchyard supplies power to a three-winding startup transformer. This startup transformer feeds two medium-voltage 13.8-kV busses and a 13.8/4.16-kV ESF transformer equipped with an automatic load tap changer (LTC) with its associated capacitor bank. The second preferred (offsite) circuit is connected to the second 13.8/

4.16-kV ESF transformer equipped with an automatic load tap changer with its associated capacitor bank. Each transformer normally supplies its associated medium voltage 4.16-kV Class 1E bus. Refer to Figure 8.3-1.

The two 13.8-kV busses supply power to the nonsafety-related auxiliary loads of the unit.

The 13.8-kV busses are also connected to a three-winding unit auxiliary transformer, in addition to the startup transformer. The unit auxiliary transformer is connected to the main generator through an isolated phase bus duct.

Two 4.16-kV non-Class 1E busses are supplied power from two 13.8-kV busses through two 13.8/4.16-kV station service transformers.

Non-Class 1E low-voltage 480-V loads are supplied power from two 13.8-kV busses through 480-V load centers and 480-V motor control centers.

The onsite power system is divided into two separate load groups, each load group consisting of an arrangement of busses, transformers, switching equipment, and loads fed from a common power supply. Power is supplied to auxiliaries at 13.8 kV, 4.16 kV, 480 V, 480/277 V, 208/120 V, 120 V ac, 250 V dc, and 125 V dc.

The onsite standby power system includes the Class 1E ac and dc power for equipment used to maintain a cold shutdown of the plant and to mitigate the consequences of a DBA.

8.1-1 Rev. OL-24 11/19

CALLAWAY - SP Class 1E ac system loads are separated into two load groups which are powered from separate ESF transformers or two independent diesel generators (one per load group).

Each load group distributes power by a 4.16-kV bus, 480-V load centers, and 480-V motor control centers.

The Class 1E dc system provides four separate 125-V dc battery supplies per unit for Class 1E controls, instrumentation, power, and control inverters. Refer to Figure 8.3-6.

8.1.3 SAFETY-RELATED LOADS Refer to Figure 8.3-2 for a listing of loads supplied by the Class 1E ac system. Refer to Table 8.3-1 for a list of loads supplied by the Class 1E dc system. The loads and their safety functions are identified in the above references.

8.1.4 DESIGN BASES 8.1.4.1 Offsite Power System 8.1.4.1.1 Safety Design Bases SAFETY DESIGN BASIS ONE - Electrical power from the power grid to the plant site is supplied by two physically independent circuits designed and located so as to minimize the likelihood of simultaneous failure.

SAFETY DESIGN BASIS TWO - Each of these independent circuits has the capability to safely shut down the unit. The first preferred circuit, which is connected to the startup transformer, has the capacity to supply the startup and all the auxiliary loads (both group 1 and group 2 simultaneously) of the unit.

SAFETY DESIGN BASIS THREE - The second preferred power circuit, which supplies power to the ESF transformer, has the capacity to supply all the safety-related loads of the unit.

SAFETY DESIGN BASIS FOUR - The loss of the nuclear unit or the most critical unit on the grid will not result in the loss of offsite power to the Class 1E busses.

8.1.4.1.2 Power Generation Design Bases POWER GENERATION DESIGN BASIS ONE - The switchyard power circuit breaker control for 345-kV breakers is designed with duplicate and redundant systems, i.e., two independent battery systems, two trip coils per breaker, and two independent protective relay schemes.

8.1-2 Rev. OL-24 11/19

CALLAWAY - SP 8.1.4.2 Onsite Power System 8.1.4.2.1 Safety Design Bases SAFETY DESIGN BASIS ONE - The onsite power system includes a separate and independent Class 1E electric power system for each unit (GDC-17).

SAFETY DESIGN BASIS TWO - The onsite Class 1E electric power system is divided into two independent load groups, each with its own power supply, busses, transformers, loads, and associated 125-V dc control power. Each load group is independently capable of maintaining the plant in a cold shutdown (GDC-17).

SAFETY DESIGN BASIS THREE - One independent diesel generator is provided for each Class 1E ac load group in each unit.

SAFETY DESIGN BASIS FOUR - No provisions are made for automatic transfer of load groups between redundant power sources.

SAFETY DESIGN BASIS FIVE - No portion (ac or dc) of the onsite standby power systems is shared between units (GDC-5).

SAFETY DESIGN BASIS SIX - The Class 1E electric systems are designed to satisfy the single failure criterion (GDC-17).

SAFETY DESIGN BASIS SEVEN - For each of four protection channels, one independent 125-V dc and one 120-V vital ac power source are provided. Batteries are sized for 200 minutes of operation without the support of battery chargers.

SAFETY DESIGN BASIS EIGHT - Raceways are not shared by Class 1E and non-Class 1E cables. However, associated cables connected to Class 1E busses are treated as Class 1E cables with regard to separation and identification and are run in their related Class 1E raceway system.

SAFETY DESIGN BASIS NINE - Special identification criteria are applied for Class 1E equipment, including cabling and raceways. Refer to Section 8.3.1.3.

SAFETY DESIGN BASIS TEN - Separation criteria are applied which establish requirements for preserving the independence of redundant Class 1E load groups or power systems. Refer to Section 8.3.1.4.1.

SAFETY DESIGN BASIS ELEVEN - Class 1E equipment is designed with the capability of being tested periodically (GDC-18).

SAFETY DESIGN BASIS TWELVE - Two physically and electrically independent ESF transformers equipped with automatic load tap changers with associated capacitor banks are provided to supply the Class 1E ac electric power system for the Callaway Plant.

8.1-3 Rev. OL-24 11/19

CALLAWAY - SP 8.1.4.2.2 Power Generation Design Bases POWER GENERATION DESIGN BASIS ONE - A separate non-Class 1E dc system is provided for non-Class 1E controls and dc motors.

8.1.4.3 Design Criteria, Regulatory Guides, and IEEE Standards The onsite power system is generally designed in accordance with IEEE Standards 279, 308, 317, 323, 334, 344, 379, 382, 383, 384, 387, 450, and 484.

Compliance with Regulatory Guides 1.6, 1.9, 1.22, 1.29, 1.30, 1.32, 1.40, 1.41, 1.47, 1.53, 1.62, 1.63, 1.68, 1.73, 1.75, 1.81, 1.89, 1.93, 1.100, 1.106, 1.108, 1.118, and 1.131 and IEEE Standards 323-1974, 338-1971, 344-1975, 384-1974, 387-1984, 308-1974, and 317-1976 are discussed below:

Refer to Appendix 3A for the applicable revision dates on regulatory guides.

Compliance with General Design Criteria 17 and 18 is discussed in Section 3.1 and Section 8.2 of the Site Addendum FSAR.

REGULATORY GUIDE 1.6, INDEPENDENCE BETWEEN REDUNDANT STANDBY (ONSITE) POWER SOURCES AND BETWEEN THEIR DISTRIBUTION SYSTEMS - The Class 1E system is divided into redundant load groups so that loss of any one group will not prevent the minimum safety functions from being performed.

Figure 8.3-1 shows this arrangement.

Each ac load group has connections to two preferred (offsite) power supplies and to a single diesel generator. Each diesel generator is exclusively connected to a single Class 1E 4.16-kV load group and has no automatic connection to the redundant load group.

For a discussion of this regulatory guide, with respect to the Class 1E dc system, refer to Section 8.3.2.2.1.

No provisions exist for automatic transfer of loads between redundant onsite power supplies.

The diesel generator of one load group cannot be automatically paralleled with the diesel generator of the redundant load group.

Interlocks are provided to assure that a single operator error would not parallel the standby power sources of redundant load groups. Refer to Section 8.3.1.1.3.

REGULATORY GUIDE 1.9, SELECTION, DESIGN, AND QUALIFICATION OF DIESEL-GENERATOR UNITS USED AS ONSITE ELECTRIC POWER SYSTEMS AT NUCLEAR POWER PLANTS -

8.1-4 Rev. OL-24 11/19

CALLAWAY - SP Callaway Plant was initially licensed to Regulatory Guide 1.108 and Regulatory Guide 1.9, Revision 2 with regard to the original design and testing of the emergency diesel generators. Regulatory Guide 1.9, Revision 2 was essentially an endorsement of IEEE Standard 387-1977 with a number of provisions specified in the Regulatory Position section of the Regulatory Guide.

For ongoing testing of the emergency diesel generators, Callaway Plant conforms to the Technical Specifications and with exceptions (as described in the Technical Specification 3.8.1 Bases) to the test recommendations of Regulatory Guide 1.9, Revision 3. These SR frequencies may be controlled under the SFCP described in TS 5.5.18. Revision 3 of Regulatory Guide 1.9 integrates the pertinent guidance previously addressed in Revisions 1 and 2 of Regulatory Guide 1.9 and the guidance of Revision 1 of Regulatory Guide 1.108. Regulatory Guide 1.9, Revision 3 endorses IEEE Standard 387-1984 with respect to design, qualification and periodic testing of diesel generator units, subject to the supplemental design considerations specified in Section C.1 and the diesel generator testing provisions specified in Section C.2 of the Regulatory Guide.

In conformance with the original design criteria, the continuous rating of each diesel generator is greater than the sum of the conservatively estimated loads needed to be supplied following any design basis event. Load requirements are noted in Callaway site specific calculations.

The diesel generators are designed as follows:

a. To start and accelerate to rated speed, in the sequence shown in Figure 8.3-2, all the needed engineered safety features and emergency hot shutdown loads.
b. So that at no time during the loading sequence do the frequency and voltage decrease to less than 95 percent of 60 Hz and 75 percent of 4.16 kV, respectively.
c. To recover from transients caused by step-load increases or resulting from the disconnection of full load so that the speed does not cause damage to moving parts. During recovery, the speed of the diesel generator will not exceed 75 percent of the difference between nominal speed and the overspeed trip set point, or 115 percent of nominal, whichever is lower.

Voltage will be restored to within 10 percent of nominal and frequency within 2 percent of nominal in less than 60 percent of each load sequence time interval.

The suitability of each diesel generator is confirmed by the manufacturer's prototype qualification test data and preoperational tests.

8.1-5 Rev. OL-24 11/19

CALLAWAY - SP REGULATORY GUIDE 1.22, PERIODIC TESTING OF PROTECTION SYSTEM ACTUATION FUNCTIONS - Refer to Appendix 3A for the response to this regulatory guide.

REGULATORY GUIDE 1.29, SEISMIC DESIGN CLASSIFICATION - Refer to Appendix 3A for the response to this regulatory guide.

REGULATORY GUIDE 1.30, QUALITY ASSURANCE REQUIREMENTS FOR THE INSTALLATION, INSPECTION, AND TESTING OF INSTRUMENTATION AND ELECTRIC EQUIPMENT - Refer to Appendix 3A for the response to this regulatory guide.

REGULATORY GUIDE 1.32, CRITERIA FOR SAFETY-RELATED ELECTRIC POWER SYSTEMS FOR NUCLEAR POWER PLANTS - Compliance with IEEE Standard 450-1995 and the dc power requirements of IEEE Standard 308-1974 is discussed in Section 8.3.2.2.1. (See Appendix 3A for discussion of compliance with Regulatory Guide 1.32 in relation to IEEE Standard 450.)

Compliance with ac power requirements of IEEE Standard 308-1974 is as follows:

The Class 1E ac power system is designed to ensure that any design basis event, as listed in Table 1 of IEEE 308, does not cause either (1) loss of electric power to a number of engineered safety features, surveillance, or protection system device sufficient to jeopardize the safety of the unit or (2) loss of electric power to equipment that could result in a reactor power transient capable of causing significant damage to the fuel or the reactor coolant system.

The Class 1E power system is capable of performing its function when subjected to the effects of any of the design basis events. The Class 1E loads are designed to perform their functions adequately for the design variations of voltage and frequency in the Class 1E system.

Circuit breaker control is provided in the control room and on the circuit breakers of the preferred power supplies and diesel generator supplies to the 4.16-kV busses of the Class 1E system. Controls are provided in each diesel generator room for local operation of the diesel generator.

Class 1E equipment and associated design, operating, and maintenance documents are distinctly identified as described in Section 8.3.1.3.

Each type of Class 1E equipment is qualified by analysis, by successful use under similar conditions, or by actual test to demonstrate its ability to perform its function under applicable design basis events.

A failure modes and effects analysis is performed. Refer to Section 8.3.1.2.1.

8.1-6 Rev. OL-24 11/19

CALLAWAY - SP Supplementary design criteria of IEEE 308 are addressed in the applicable sections describing specific Class 1E equipment.

The surveillance requirements of IEEE 308 are followed in the design, installation, and operation of Class 1E systems and consist of the following:

a. Preoperational equipment tests and inspections are performed in accordance with the procedures described in Chapter 14.0 with all components installed.
b. Preoperational system tests are performed in accordance with the procedure described in Chapter 14.0 with all components installed.
c. Periodic equipment tests are performed at the scheduled intervals to detect deterioration of the system toward an unacceptable condition and to demonstrate that the standby power equipment and other components that are not running during normal operation of the station are operable.
d. Surveillance system tests referred to in item c above are performed at scheduled intervals to demonstrate the operational readiness of the system.

With regard to Section 7 of IEEE 308 and Regulatory Guide 1.93, the Callaway Technical Specifications discuss operating alternatives under degraded Class 1E ac system conditions.

Section 8 of IEEE 308 describes multiunit considerations and is not applicable to the Callaway Plant.

The electrical and physical independence between redundant standby (onsite) power sources is discussed in the responses to Regulatory Guides 1.6 and 1.75.

Connection of non-Class 1E equipment to Class 1E systems is discussed in the response to Regulatory Guide 1.75.

Diesel generator set capacity is discussed in the response to Regulatory Guide 1.9.

REGULATORY GUIDE 1.40, QUALIFICATION TESTS OF CONTINUOUS-DUTY MOTORS INSTALLED INSIDE THE CONTAINMENT OF WATER-COOLED NUCLEAR POWER PLANTS - Refer to Appendix 3A for the response to this regulatory guide.

REGULATORY GUIDE 1.41, PREOPERATIONAL TESTING OF REDUNDANT ONSITE ELECTRIC POWER SYSTEMS TO VERIFY PROPER LOAD GROUP ASSIGNMENTS - The onsite electric power systems, designed in accordance with Regulatory Guides 1.6 and 1.32, are tested as part of the preoperational testing program and also after major modifications. The tests are performed in accordance with the 8.1-7 Rev. OL-24 11/19

CALLAWAY - SP procedures outlined in Chapter 14.0. These tests verify the independence between the redundant onsite power sources and their load groups.

The Class 1E power system is isolated from the preferred (offsite) transmission network by direct actuation of the Class 1E undervoltage relays monitoring the Class 1E busses, resulting in tripping of the supply breakers.

The Class 1E power system is tested functionally, one load group at a time, by allowing one load group to be powered only by its associated diesel generator while the bus is disconnected from the preferred power source. The redundant load group remains completely disconnected from its associated diesel generator and preferred power source.

An engineered safety features actuation signal (ESFAS) is simulated to start the diesel generators and initiate automatic sequencing. Functional performance of the loads is checked. Each test is of sufficient duration to achieve stable operating conditions and thus permit the onset and detection of adverse conditions which could result from improper assignment of loads.

During testing of one Class 1E load group, the busses of the redundant load groups not under test are monitored to verify absence of voltage on these busses and loads, indicating no interconnection of load groups.

Refer to Section 8.3.2.2.1 for a discussion of this regulatory guide with respect to dc systems.

REGULATORY GUIDE 1.47, BYPASSED AND INOPERABLE STATUS INDICATION FOR NUCLEAR POWER PLANT SAFETY SYSTEMS - A detailed description of the engineered safety features status panel is provided in Section 7.5. A section of this panel is devoted to providing indication of the configuration and, therefore, the operability of the Class 1E ac power distribution system.

REGULATORY GUIDE 1.53, APPLICATION OF THE SINGLE FAILURE CRITERION TO NUCLEAR POWER PLANT PROTECTION SYSTEMS - Refer to Section 7.3 for the response to this regulatory guide.

REGULATORY GUIDE 1.62, MANUAL INITIATION OF PROTECTIVE ACTIONS - Refer to Appendix 3A, Responses to Regulatory Guides.

REGULATORY GUIDE 1.63, ELECTRIC PENETRATION ASSEMBLIES IN CONTAINMENT STRUCTURES FOR LIGHT-WATER-COOLED NUCLEAR POWER PLANTS - The electric penetration assemblies conform to IEEE Standard 317-1976.

The electrical penetration assemblies do not incorporate self-fusing characteristics.

They are designed to withstand the maximum possible fault current versus time conditions (which could occur because of single random failures of circuit overload 8.1-8 Rev. OL-24 11/19

CALLAWAY - SP protection devices) for any electrical fault external to the penetration within the two leads of any one single-phase circuit or the three leads of any one three-phase circuit.

In accordance with Regulatory Guide 1.63, the following system features are provided to ensure compliance with this requirement of the regulatory guide.

a. Medium Voltage System For medium voltage circuits feeding loads (e.g. RCPs) in the reactor building, the primary protection is provided by the individual load circuit breakers, which are backed up by the main bus feeder breaker. Spatial separation is achieved by locating the primary (load breaker) and backup (bus feeder breaker) relays in separate switchgear cubicles on a given bus. Primary and backup circuit protection for control power are supplied from two separate dc sources. The penetration withstands the maximum available fault current for the respective durations which are characteristic of both the primary and backup protection. The switchgear is located in the turbine building. Separate non-Class 1E battery sources are provided for the primary and backup protection and circuit breaker control. (No safety-related 4.16-kV loads are located within the reactor building).
b. Low Voltage Load Center Loads
1. Class 1E Loads For low voltage Class 1E load centers feeding loads in the reactor building, similar protection is provided, as in the case of the medium voltage system. The primary and backup protection is provided by individual load circuit breakers and associated load center main feeder breakers, respectively. Spatial separation is achieved by locating the primary (load breaker) and backup (load center main breaker) protective devices in separate cubicles on a given load center. The penetration withstands the available range of fault current and time duration for the load center main feeder breaker trip. No battery sources are necessary, since the breaker trip units are direct acting.
2. Non-Class 1E load center loads are few in number, and are treated on an individual basis as follows:

(a) Containment Polar Crane, Refueling Temporary Power Disconnect Switch, and Non-Class 1E MCC The containment polar crane, Refueling Temporary Power Disconnect Switch, and MCC are powered from their respective non-class 1E load centers located in the auxiliary building. For the non-Class 1E MCC, primary and backup 8.1-9 Rev. OL-24 11/19

CALLAWAY - SP protection is provided in a manner similar to that described for Class 1E load center loads in Item 1. The primary and backup protection is provided by the individual load circuit breaker and the associated load center main feeder breaker, respectively. For the containment polar crane and refueling temporary power disconnect switch, primary and backup protection is provided by the individual load center feeder breaker and properly rated fuses, respectively. The penetration will withstand the range of fault current and the time duration which is characteristic of the primary and backup protection devices.

(b) Pressurizer Backup Heaters The pressurizer backup heaters are supplied from non-Class 1E load centers, which are located in the auxiliary building.

Individual 480-V molded case circuit breakers feeding the heaters provide the primary protection. Fuses in series with these circuit breakers provide backup protection. The fuses are located in a different vertical section than the molded case circuit breakers. The penetrations will withstand the range of fault current and the time duration which is characteristic of the primary and backup protection devices.

(c) Pressurizer Control Group Heaters The pressurizer control group heaters are supplied from a non-Class 1E load center through an SCR controller and a bank of molded case circuit breakers. Since the SCR controller is fused, the primary protection is provided by the molded case circuit breakers, and the backup protection is provided by the fuses in the SCR controller. The penetration withstands the range of fault current and time duration which are characteristic of the primary and backup devices.

c. Low Voltage Motor Control Center Loads
1. General MCC loads The 480-V loads within the reactor building are supplied power from Class 1E or non-Class 1E MCCs (as applicable) which are located in the auxiliary building. In this case, the primary protection is provided by the combination of a molded case circuit breaker (instantaneous only) and the thermal overload relays in the starter, for motor loads. The primary protection is provided by a thermal-magnetic circuit breaker in the case of feeder tap breakers.

8.1-10 Rev. OL-24 11/19

CALLAWAY - SP In both cases, backup protection is provided by introducing properly rated fuses in each cubicle between the breaker and the load.

Although the primary (circuit breaker) and backup (fuse) protection are located within the same MCC compartment, these two protection means are diverse in their fault clearing mechanisms. An exception to this occurs in the case of large feeder tap breakers and larger motors connected to the MCCs. In this case, where the penetration is relatively large and can practicably be coordinated with the MCC incoming breaker, the fuses are not used. In both cases, the penetration withstands the available current and time duration which are characteristic of the primary and backup devices.

2. Motor-Operated Valves Motor-operated valves which have overload relays in their respective motor starters are treated similarly to 480-V motor loads previously discussed. Class 1E motor-operated valves on which motor starter overload protection has been eliminated are treated in a similar fashion (fuses are added to the individual motor starter cubicles). Although the primary (circuit breaker) and backup (fuse) protection are located within the same MCC compartment, these two protection means are diverse and mutually exclusive as to their sensing and fault clearing mechanisms. However, in this case, the penetrations are sized such that their thermal limits are above the fuse curve and the vertical intercept of the magnetic-only circuit breakers. (Normal motor applications require the penetration characteristic withstand to be greater than the fuse and the thermal element characteristic.)
d. Low Voltage Control Systems Primary protection is provided by a fuse in the control circuit. Backup protection is provided by fuses in the control power transformer primary or by redundant fuses in the transformer secondary. The penetrations will withstand the range of fault current and the time duration which is characteristic of the primary and backup protection devices.
e. Instrument Systems The energy levels in the instrument systems are sufficiently low so that no damage occurs to the electric penetration.
f. DC Loads 8.1-11 Rev. OL-24 11/19

CALLAWAY - SP Primary and backup fuses are provided with the penetrations withstanding the available fault current and time duration which are characteristic of those devices.

REGULATORY GUIDE 1.68, INITIAL TEST PROGRAMS FOR WATER-COOLED NUCLEAR POWER PLANTS - Refer to Appendix 3A for the response to this regulatory guide.

REGULATORY GUIDE 1.73, QUALIFICATION TESTS OF ELECTRIC VALVE OPERATORS INSTALLED INSIDE THE CONTAINMENT OF NUCLEAR POWER PLANTS - Refer to Appendix 3A for the response to this regulatory guide.

REGULATORY GUIDE 1.75, PHYSICAL INDEPENDENCE OF ELECTRIC SYSTEMS - This regulatory guide sets forth criteria for the separation of circuits and electric equipment. These circuits and equipment either comprise or are associated with the Class 1E power systems, the protection system, systems actuated or controlled by the protection system, and auxiliary or supporting systems that are essential to the operation of these systems. The separation criteria are discussed in Section 8.3.1.4.1 and meet the recommendations of Regulatory Guide 1.75. The following discussion supplements and clarifies several of the items presented in the guide. Paragraph numbers herein correspond to paragraph numbers in IEEE 384-1974.

Paragraph 4.1 Two completely separate and independent load groups, each of which is capable of safely shutting down the unit, are provided. Separation between these load groups and between associated circuits and non-Class 1E circuits is implemented to an extent commensurate with the hazard potential of the areas in which they are installed. See Section 8.3.1.1.2.

Paragraph 4.2 Various means of attaining physical separation of safety-related circuits and equipment include separate cable spreading rooms, separate cable chases, raceways, barriers, and distance. See Section 8.3.1.4.1.

Paragraph 4.3 Equipment and circuits requiring separation are determined and delineated early in the design stage. Distinctive identification on documents and drawings is provided. See Section 8.3.1.3.

Paragraph 4.4 Section 8.3.1.4.1.1 satisfies this guide paragraph.

8.1-12 Rev. OL-24 11/19

CALLAWAY - SP Paragraph 4.5 Associated circuits are separated and identified as if safety related. Associated circuits are not uniquely labeled as such; rather, they are identified as any safety-related circuit of the same separation group would be.

Where non-Class 1E circuits are associated by reason of their sharing of Class 1E sources, the following specific criteria are followed:

a. Tripped AC Loads Non-Class 1E loads which are tripped on occurrence of an SIS are as given below. These circuits beyond the isolation device (Class 1E breaker or contactor) are treated per non-Class 1E and nonassociated criteria.
1. Air compressors
2. Standby ac lighting
3. Battery chargers, 125 V and 250 V
4. Pressurizer heaters backup groups
5. CRDM cooling fans
6. Boric acid transfer pumps
7. Removed
8. Balance-of-plant computer
9. UHS cooling tower sump pumps
10. UHS sump heaters
11. Boric acid filter to charging pump valve
12. ESW Pump House monorail hoist
13. ESW and UHS cooling tower unit heaters
b. Non-Class 1E Instrument AC Power System Each separation group of the non-Class 1E instrument ac power system is supplied from three delta-connected, suitably qualified, single phase transformers. The 480-V power circuits up to their connection to the 8.1-13 Rev. OL-24 11/19

CALLAWAY - SP transformers are safety related. These transformers are of the regulating type and exhibit a current-limiting characteristic such that a short circuit on the secondary (non-Class 1E) circuit will result in a primary (Class 1E) circuit current that is within the current-carrying capability of the transformer.

Further, in order to assure that the Class 1E system is not compromised upon the accidental imposition of 480-V ac on the transformer secondary (120-V ac) circuit, two circuit breakers in series are utilized in the transformer primary circuit of each separation group.

For these reasons, the circuits beyond the transformer secondaries are treated per non-Class 1E and non-associated criteria. The non-Class 1E instrument ac power system is not tripped upon the occurrence of an SIS.

c. Control Room DC Lighting The 125-V dc system supplies control board emergency lighting from the Class 1E dc battery. These cables are identified and separated as safety related.

Paragraph 4.6 Two channels of non-safety-related cables and raceway are associated with the normal plant systems and equipment. These channels require no specific separation. However, they are separated from the four safety-related separation groups by the same criteria that is applied to the separation of the four safety-related separation groups from each other.

All non-safety-related circuits are routed separately from safety-related and associated circuits to the above criteria. The specific separation distance required by Paragraphs 5.1.3, 5.1.4, or 5.6 is complied with.

Paragraph 5.1.1.1 The requirements of this paragraph are met. See Section 8.3.1.4.1.1.

Paragraph 5.1.1.2 Areas in which the only source of fire is electrical are divided into two groups--cable spreading areas and general plant areas. Section 8.3.1.4.1.1 is followed.

Paragraph 5.1.1.3 8.1-14 Rev. OL-24 11/19

CALLAWAY - SP The separation distances of 1 horizontal and 3 vertical feet in the cable spreading and main control rooms and 3 horizontal and 5 vertical feet in general plant areas are provided, and are described in Section 8.3.1.4.1.1.

Cables and raceways are selected with flame-retardant properties.

Section 8.3.1.1.9 provides design bases so that the trays are not overfilled.

Hazards are limited to failures or faults internal to the electrical equipment.

The use of splices in Class 1E systems is limited to the following areas:

a. Splices are used in long duct bank runs to site buildings, such as intake structures for ESW systems, where cables are longer than is practical to manufacture and pull. All splices in the long duct bank runs are done in the vicinity of the manholes.
b. Where small control or instrument devices are supplied with short pigtails, the field cable may be terminated to the pigtail by means of an approved connection, which is adequately insulated, located close to the device, and enclosed in the connecting conduit.
c. Another possible area would be in the event of cable damage in an operating plant where a splice might be preferable over total replacement of the cable. Such instances are resolved on a case-by-case basis.
d. In cases in which field-run cables are incompatible with the terminal size on the devices to which they must terminate, a splice to a short, appropriate pigtail may be made to permit the required termination. Such instances are approved on a case-by-case basis, where the adequacy of the pigtail is confirmed and splices are made with qualified materials and are restricted to enclosures such as MCCs, termination compartments, and panels.
e. Splices made with qualified materials are used within enclosures where specified by design.
f. Qualified materials are used to splice the field thermocouple extension cable to the mineral insulated pigtail on the incore thermocouple connectors.

Paragraph 5.1.2 Exposed Class 1E raceways are marked in a distinct, permanent manner at intervals not exceeding 15 feet and at points of entry to and exit from enclosed areas.

8.1-15 Rev. OL-24 11/19

CALLAWAY - SP In addition, separate color identification is provided for each separation group of field wired, safety-related cables.

As stated in reference to Paragraph 4.5, associated circuits are identified the same as their related Class 1E circuits, and are, therefore, distinguished from one another as stated above.

See Section 8.3.1.3.

Paragraph 5.1.3 Section 8.3.1.4.1.1 satisfies this paragraph.

Paragraph 5.1.4 Section 8.3.1.4.1.1 satisfies this paragraph.

Paragraph 5.2.1 Sections 8.3.1.1.3 and 9.5.6.2.1 satisfy this paragraph.

Paragraph 5.2.2 Section 8.3.1.1.3 satisfies this paragraph.

Paragraph 5.3.1 Each of the four Class 1E batteries is located in a separate room of the control building.

Paragraph 5.3.2 As per Section 8.3.2.1, physical separation, electrical isolation, and redundancy are provided for the entire Class 1E dc system, including the battery chargers.

Paragraph 5.4.1 As per Section 8.3.1.1.7, Class 1E switchgear of redundant load groups is located in separate rooms in the control building.

Paragraph 5.4.2 As per Section 8.3.1.1.7, Class 1E motor control centers of redundant load groups are located in separate rooms within seismic Category I buildings.

Paragraph 5.4.3 8.1-16 Rev. OL-24 11/19

CALLAWAY - SP All vital distribution switchboards of different separation groups are located in separate rooms in the control building. Each switchboard is located with the vital switchgear of its respective separation group.

Paragraph 5.5 Two separate penetration areas are provided. One area contains cables for separation groups 2 and 4, each group having separate penetration assemblies. The other area contains cables for separation groups 1 and 3, each group again having separate penetration assemblies. All raceway separation criteria apply to the penetrations. See Section 8.3.1.4.1.1.

Paragraph 5.6.1 Section 8.3.1.4.1.1 satisfies this guide paragraph.

Paragraph 5.6.2 Separation criteria for wiring internal to control boards are satisfied by Section 8.3.1.4.1.2.

Paragraph 5.6.3 Identification of wiring internal to control boards is provided by separation group designation. See Section 8.3.1.3.

Paragraph 5.6.4 Single control devices to which different separation groups are connected are avoided, wherever practicable. Where single devices are unavoidable, electrical isolation is provided. Where separation by distance is not practicable and internal fire is the only consideration, fire barriers, conduit, or wire duct are used. See Section 8.3.1.4.1.2.

Paragraph 5.6.5 Within control boards and other panels, nonsafety-related wiring is not harnessed with safety-related wiring. Where both types of wiring are contained within the same board or panel, the nonsafety-related wiring is separated from the safety-related wiring by means of barriers or by a distance equal to or greater than 6 inches.

Paragraph 5.6.6 Load Group 1 and Protection Channels 1 and 3 enter the lower cable spreading room and hence enter from the bottom of the control board. Load Group 2 and Protection Channels 2 and 4 generally enter the upper cable spreading room and hence enter from the top of the control board. The only exception to this is in the console which has 8.1-17 Rev. OL-24 11/19

CALLAWAY - SP channels 2 and 4 brought directly from the channel 2 and 4 vertical shaft via embedded floor raceways into separate openings into the bottom of the console. The scheme meets all requirements of Paragraph 5.1.3. See Section 8.3.1.4.1.1.

Paragraph 5.7 Class 1E instruments of different separation groups are generally precluded from occupying the same cabinet. Where this is not practicable, such instruments are located in separate compartments of the cabinet, or are adequately separated by barriers.

Paragraph 5.8 Section 7.3 satisfies the requirements of this paragraph.

Paragraph 5.9 Location of Class 1E actuated equipment is evaluated to ensure that adequate separation for redundant equipment is implemented.

REGULATORY GUIDE 1.81, SHARED EMERGENCY AND SHUTDOWN ELECTRIC SYSTEMS FOR MULTI-UNIT NUCLEAR POWER PLANTS - This is not applicable since the Callaway Plant is a single unit site.

REGULATORY GUIDE 1.89, QUALIFICATION OF CLASS 1E EQUIPMENT FOR NUCLEAR POWER PLANTS - Refer to Appendix 3A for the response to this regulatory guide.

REGULATORY GUIDE 1.93, AVAILABILITY OF ELECTRIC POWER SOURCES - Refer to Appendix 3A for the response to this regulatory guide.

REGULATORY GUIDE 1.100, SEISMIC QUALIFICATION OF ELECTRIC EQUIPMENT FOR NUCLEAR POWER PLANTS - Refer to Appendix 3A for the response to this regulatory guide.

REGULATORY GUIDE 1.106, THERMAL OVERLOAD PROTECTION FOR ELECTRIC MOTORS ON MOTOR-OPERATED VALVES - Overload protection for safety-related, motor-operated valves is discussed in Section 8.3.1.1.2. Refer to Appendix 3A for the response to this regulatory guide.

REGULATORY GUIDE 1.108 - PERIODIC TESTING OF DIESEL GENERATOR UNITS USED AS ONSITE ELECTRIC POWER SYSTEMS AT NUCLEAR POWER PLANTS The original testing of the emergency diesel generators was performed in conformance with Regulatory Guide 1.108. After final assembly and preliminary startup testing, each diesel generator was tested as described in Section 8.3.1.1.3.

8.1-18 Rev. OL-24 11/19

CALLAWAY - SP Ongoing, periodic surveillance testing of the diesel generators is performed in accordance with the plant Technical Specifications. The testing requirements in the Technical Specifications are based on Regulatory Guide 1.9, Revision 3. These surveillance frequencies may be controlled under the SFCP described in TS 5.5.18. The testing guidance of Regulatory Guide 1.108 was largely incorporated into Regulatory Guide 1.9, Revision 3. Refer to Appedix 3A for additional information regarding Regulatory Guide 1.108.

REGULATORY GUIDE 1.118, PERIODIC TESTING OF ELECTRIC POWER AND PROTECTION SYSTEMS - Refer to Appendix 3A for the response to this regulatory guide.

REGULATORY GUIDE 1.131, QUALIFICATION TESTS OF ELECTRIC CABLES, FIELD SPLICES, AND CONNECTIONS FOR LIGHT-WATER-COOLED NUCLEAR POWER PLANTS - The requirements of IEEE Standard 383, 1974 have been used for the qualification of cables, field splices, and connections.

The cable, field splices, and connections are qualified to the environmental conditions and all design basis events (e.g., steam line break) by testing and/or analysis.

Type tests for design basis event conditions consist of subjecting nonaged and aged cables, field splices, and connections to a sequence of environmental extremes that simulate the most severe postulated conditions of a design basis event and specified conditions of installation with exception to the outside containment MSLB temperature condition which is analyzed as discussed in Section 3B.4.2. Type tests demonstrate margin by application of multiple transients, increased level or other justifiable means.

Electrical and physical performance of the cable is measured during and following the environmental cycle. All environmental conditions are enveloped by the qualification program. However, the factors for margin given in Section 6.3.1.5 of IEEE 323 are not used.

Testing data is provided to establish the long-term performance of the insulation. Data is evaluated using the Arrhenius technique, using a minimum of three data points including one at or near 136°C and two others at least 10°C apart in temperature. No ongoing qualification is used.

The recommendations of Regulatory Guide 1.89 are discussed later in this section.

Vertical tray flame testing is performed in accordance with IEEE 383, Paragraph 2.5.

However, aged samples are not used.

No field splices are used in the cable trays.

Fire tests are performed with the vertical tray perpendicular to the plane of the horizon.

A gas burner flame source releasing approximately 70,000 Btu/hr is used.

8.1-19 Rev. OL-24 11/19

CALLAWAY - SP The ribbon gas burner flame source is mounted in accordance with the requirements of the regulatory guide, except that the flame is directed from the back side of the cable tray.

Oil or burlap as an alternate flame source is not used.

The requirements outlined in Regulatory Guide Position 13 are met as noted above and as discussed in the NUREG-0588 Submittals/Equipment Qualification Work Packages.

IEEE 323-1974 IEEE STANDARD FOR QUALIFYING CLASS 1E EQUIPMENT FOR NUCLEAR POWER GENERATING STATIONS - Environmental qualification of Class 1E electric equipment and the extent of compliance with IEEE 323 are discussed in Section 3.11(B) and 3.11(N).

IEEE 338-1971 CRITERIA FOR THE PERIODIC TESTING OF NUCLEAR POWER GENERATING STATION PROTECTION SYSTEMS - Refer to Table 7.1-2 for application of this standard to various systems.

IEEE 344-1975 SEISMIC QUALIFICATION OF CLASS 1E ELECTRIC EQUIPMENT FOR NUCLEAR POWER GENERATING STATIONS - Seismic qualification of Class 1E electric equipment and the extent of compliance with IEEE 344 are discussed in Section 3.10(B) and 3.10(N).

IEEE 387-1984 CRITERIA FOR DIESEL GENERATOR UNITS APPLIED AS STANDBY POWER SUPPLIES FOR NUCLEAR POWER GENERATING STATIONS- The original design and testing of the emergency diesel generators conformed to Regulatory Guide 1.9, Revision 2 and Regulatory Guide 1.108. Regulatory Guide 1.9, Revision 2 endorsed IEEE Standard 387-1977, and original compliance was demonstrated based on the design criteria of IEEE 387 as stated below.

Periodic, in-service testing of the diesel generators is performed in accordance with the plant Technical Specifications and the test recommendations of Regulatory Guide 1.9, Revision 3. Regulatory Guide 1.9, Revision 3 endorses requirement of IEEE Standard 387-1984 with respect to design, qualification and periodic testing of diesel generator units, subject to the supplemental design considerations specified in Section C.1 and the diesel generator testing provisions specified in Section C.2 of the Regulatory Guide.

Differences between the test requirements of the Technical Specifications and the recommendations of the regulatory guide are due to the Standard Technical Specifications and/or approved changes to the Technical Specifications.

The following demonstrates compliance with design criteria of IEEE 387:

a. Service Environment 8.1-20 Rev. OL-24 11/19

CALLAWAY - SP The diesel-generator unit provides power to appropriate ventilation equipment to maintain an acceptable environment within the diesel-generator rooms.

b. Starting, Loading, and Design Load Profile The diesel-generator unit is capable of starting, accelerating, being loaded, and carrying the design load described in Section 8.3.1.1.3. The unit energizes its cooling equipment within an acceptable time.
c. Quality of Power Refer to previous discussions in this section on Regulatory Guide 1.9 concerning frequency and voltage limits.
d. Ratings Refer to previous discussions in this section on Regulatory Guide 1.9 concerning the basis for the continuous rating of the diesel generator.
e. Interactions Refer to previous discussions in this section for an analysis per Regulatory Guide 1.6 for assurance that independence is provided between redundant diesel generators and the Class 1E electric system. Mechanical systems are designed so that a single failure affects the operation of only a single diesel generator.
f. Qualification Refer to Section 3.11(B) for the extent of compliance to IEEE 323.
g. Design and Application Considerations Design conditions such as vibration, torsional vibration, and overspeed are considered in accordance with the requirements of IEEE 387.
h. Governor and Voltage Regulator Operation Governor and voltage regulator manually actuated droop modes are automatically reset in the isochronous modes in the event of the loss of offsite power.
i. Control 8.1-21 Rev. OL-24 11/19

CALLAWAY - SP The diesel generator is provided with control systems permitting automatic and manual control. The start-diesel signal is functional, except in the local (repair and maintenance) mode. The capability is provided at each diesel generator for restricted manual starting in the event of a control room emergency. Refer to previous discussions in this section for a further description of the control systems.

j. Surveillance Voltage, current, frequency, and power metering are provided in the control room to permit assessment of the operating condition of each diesel generator.

Surveillance instrumentation is provided in accordance with IEEE 387, as described in Sections 9.5.4 through 9.5.8.

k. Testing Tests are conducted on each diesel-generator unit in accordance with IEEE 387, as listed in Section 8.3.1.1.3.

IEEE 317-1976 IEEE STANDARD FOR ELECTRICAL PENETRATION ASSEMBLIES IN CONTAINMENT STRUCTURES FOR NUCLEAR POWER GENERATING STATIONS - Electrical penetration assemblies are used for all electrical and fiber-optic cables that pass through the reactor building. These assemblies are designed and tested in accordance with IEEE Standard 317.

Principal design criteria for these assemblies include the following:

a. The mechanical design, materials, fabrication, examination, and testing of the pressure-retaining boundary of the electrical penetration assembly, excluding optical fibers, electrical conductors, feed-through connectors, insulation, potting compounds, and gaskets, are in accordance with the requirements of the ASME Boiler and Pressure Vessel Code,Section III, Subsection NE, for Class MC compounds.
b. The electrical penetration assembly is designed to meet all the electrical requirements for the specified service environment without dielectric breakdown or overheating.
c. The electrical penetration assembly is designed to have a total gas leakage rate through its pressure-retaining boundary exclusive of the aperture seal not greater than 1 x 10-6 standard (20°C at one atmosphere of pressure) cubic centimeters per second of dry helium (or equivalent means of measurement) at the maximum specified containment design pressure.

8.1-22 Rev. OL-24 11/19

CALLAWAY - SP

d. A leak test is performed on each penetration assembly following installation. The test is capable of detecting a leakage rate of 1 x 10-2 cubic centimeters per second or less of dry nitrogen with maximum containment pressure applied across the penetration assembly pressure barrier seal at ambient temperature.
e. Each penetration room has a continuous nitrogen supply system manifolded to each penetration assembly. The design and installation of the system facilitates periodic individual penetration assembly gas leak rate testing after installation.
f. The electrical penetration assembly design is such that safety-related channel separation is maintained.
g. The penetration assembly design is qualified by testing for the intended service within the service and DBE environment.

8.1-23 Rev. OL-24 11/19

CALLAWAY - SP 8.2 OFFSITE POWER SYSTEM The offsite ac power supply for the startup, normal operation, and safe shutdown of the Callaway Plant is supplied from the transmission network. The principal design bases as applied to the offsite power system are described in Section 8.1.4. The offsite power systems are described in Section 8.2 of the Site Addendum.

The offsite power systems from the transmission line network to the startup transformer and ESF transformer XNB01 are discussed in Section 8.2 of the Site Addendum. That portion of the offsite power system is not in the SNUPPS Standardized design.

The portion of the offsite power system from the startup transformer and ESF transformer XNB01 to the 4.16-kV Class 1E busses is within the scope of the SNUPPS Standardized design and is discussed here.

Two physically independent sources of offsite power in the standardized portion of the design are brought to the onsite power system. One circuit is fed from ESF transformer XNB01 and supplies power normally to its associated 4.16-kV Class 1E bus. The other circuit is fed from one secondary winding of the startup transformer, through ESF transformer XNB02, and supplies power normally to its associated 4.16-kV Class 1E bus. In addition, each offsite power circuit can be manually aligned to supply power to the opposite or both 4.16-kV Class 1E busses, if required. Each of these offsite power circuits is designed to be available in sufficient time to ensure that specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded following a loss of all onsite power sources and the remaining offsite power circuit.

The two ESF transformers XNB01 and XNB02 are separated by a 3-hour fire wall. The cables associated with each of these offsite power circuits are routed in separate and distinct raceways. Electrical drawings show the duct banks and other routing features of the two circuits for the cables for the ESF transformers to the 4.16-kV Class 1E busses and for cables from the startup transformer to the 13.8-kV switchgear and from the 13.8-kV switchgear to ESF transformer XNB02.

The offsite power circuits, including the transformers and cables, have been sized to carry their anticipated loads continuously. Each ESF transformer is sized to carry both safety-related load groups continuously. The secondary feeder cables to the 4.16-kV Class 1E busses are sized in excess of that required to carry their maximum load continuously. The startup transformer is sized to carry its anticipated loads continuously.

For additional details of the sizing of these components, refer to Section 8.3.1.

The two offsite power circuits are fully testable. Since they are continuously energized and they are continuously tested by their use. When one circuit is shutdown, relays, meters, and other instruments can be tested and calibrated as required. XNB01 and XNB02 LTC control is tested during ESFAS testing.

8.2-1 Rev. OL-17 4/09

CALLAWAY - SP Control and instrumentation power for these offsite power circuits is provided by the Non-Class 1E dc system. A dc power source from separate station batteries is provided to each offsite power circuit for control and relaying purposes.

From the above considerations, it is concluded that the installation, sizing, and control of both of the offsite power circuits are designed so as to minimize the likelihood of their simultaneous failure under operating and accident conditions.

For additional details concerning the compliance of the offsite power system with General Design Criteria, refer to Section 3.1.

The instrumentation associated with the offsite ac power system provides sufficient information to determine the system availability at any time.

Drawings E-21NB01 and E-21NB02, Single Line Meter and Relay Diagrams for the Safety-Related 4.16-kV Busses NB01 and NB02 show the surveillance details of the ESF transformers and their associated 4.16-kV busses. Table 8.3-4 of the FSAR, Failure Modes and Effects Analysis, shows the system failure modes and the method of such failure detection.

8.2-2 Rev. OL-17 4/09

CALLAWAY - SP 8.3 ONSITE POWER SYSTEMS The onsite power system is comprised of a standardized portion within the power block and a nonstandardized portion outside of the power block. The electrical power systems within the power block and Class 1E nonstandard site portions are described in this section. The non-Class 1E electrical power systems outside of the power block are described in Section 8.3 of the Site Addendum.

8.3.1 AC POWER SYSTEMS 8.3.1.1 Description The onsite ac power system includes a Class 1E system and a non-Class 1E system.

8.3.1.1.1 Non-Class 1E System The non-Class 1E ac system is that part of the power system outside the broken-line enclosures indicated in Figure 8.3-1. The non-Class 1E ac system distributes power at 13.8 kV, 4.16 kV, 480 V, and 208/120 V ac for all nonsafety-related loads. The non-Class 1E ac system also supplies preferred (offsite) power to the Class 1E ac system through two ESF transformers. One ESF transformer is supplied power directly, by one of the preferred power circuits, from the offsite power system. The second ESF transformer is supplied power from one of the secondary windings of the startup transformer. This startup transformer is supplied power from the second preferred power circuit from the offsite power system. Feeds to ESF transformer XNB01 and the startup transformer are described in the Site Addendum.

The unit auxiliary transformer and the startup transformer each have two secondary windings rated at 13.8 kV.

Two 13.8-kV busses supply power to nonsafety-related loads. Each 13.8-kV bus is connected to a secondary winding of the startup transformer and also to a secondary winding of the unit auxiliary transformer. During starting of the unit, both 13.8-kV busses are supplied power from the startup transformer. The busses are later transferred to the unit auxiliary transformer, during power generation, by a manually initiated transfer.

Automatic transfer of the 13.8-kV busses from the unit auxiliary transformer to the startup transformer is provided.

The transfer functions in accordance with the following criteria:

a. The bus transfer is performed immediately following electrical faults and critical turbine trips (trips immediately hazardous to the turbine) in the generation system, where the generator/network can no longer supply power to the reactor coolant pumps. Critical turbine trips are low vacuum, thrust bearing wear, high vibration, low bearing oil pressure, and the 8.3-1 Rev. OL-24 11/19

CALLAWAY - SP manual trip pushbutton when it is pushed while a high vibration trip signal is present.

b. The bus transfer is delayed 30 seconds following noncritical turbine generator trips not involving electrical faults. The turbine generator will remain connected to the switchyard during the delayed period to allow the switchyard to supply power to the reactor coolant pump busses for 30 seconds before any transfer is made.

The startup transformer has the capacity to supply both non-Class 1E and both Class 1E load groups simultaneously. Refer to Section 8.1.2 for a definition of load group. Figure 8.3-1 shows the transformers, feeders, busses, and their connections. It also lists all loads directly supplied from each 13.8-kV and 4.16-kV bus.

Two feeders from each of the two 13.8-kV busses supply power to non-Class 1E site loads located outside the power block. The maximum load per bus is 21.7 MVA. Loads and power distribution systems are described in detail in Section 8.3.1 of the Site Addendum.

The startup transformer is equipped with two secondary windings, each rated at 13.8 kV, 50 MVA FOA.

The startup transformer, ESF transformers, and their associated feeder cables have all been sized to carry their expected loads continuously. During normal system operation, transformer loads are below the manufacturer's FOA design limitations. Under abnormal system configurations, such as when an ESF or station service transformer is out of service, loads may be transferred to the alternate startup transformer secondary winding.

Provisions exist for the automatic transfer of busses PB03/PB04 and for manual transfer of busses NB01/NB02 to their alternate source. Under these conditions, additional loads may be placed on a startup transformer secondary winding. The secondary winding that supplies power to 13.8 kV bus PA02 and ESF transformer XNB02 has been selected for a load analysis.

Analyses have been performed to evaluate the maximum bus and transformer loadings that may result from these transformer failures. In all cases the loads are less than the FOA rating of the startup transformer. These loads represent the maximum credible loads that may be achieved during abnormal system operation. The following conditions are analyzed:

  • A station service transformer has failed prior to an accident.
  • An ESF transformer has failed prior to an accident. The same startup transformer winding may be loaded with loads supplied from the failed ESF transformer.
  • Both a station service and an ESF transformer have failed prior to an accident.

8.3-2 Rev. OL-24 11/19

CALLAWAY - SP Using the guidelines of ANSI C57.92-1962, operation of oil-immersed power transformers in an overloaded condition is permissible. Measurable loss of transformer life occurs if an overload is allowed to persist for extended periods of time.

The protective relays associated with the startup transformer are set above the maximum load values.

The continuous ampacity of the feeder cables from the startup transformer to the 13.8 kV switchgear PA02 and ESF transformer XNB02 is not exceeded under any loading condition described above.

Each offsite power source (Engineered Safety Features transformers XNB01 and XNB02) is provided with a separate capacitor bank. They do not share any common electrical or control circuits and they cannot be paralleled even if the Class 1E 4.16kV Busses NB01 and NB02 are cross connected. Therefore, the probability that simultaneous failures of both capacitor banks will cause both offsite sources to become inoperable is negligible. Each capacitor bank has the capacity to raise the voltage at its respective NB bus by reducing the inductive losses in the system.

Capacitor banks NB03 and NB04 are non-safety related and are connected to the non-safety related transformers using manual full load break switches. Capacitor bank NB03 is associated with train A equipment. Capacitor bank NB04 is associated with train B equipment.

Full load break switches NB0301 and NB0401 provide a means of disconnecting the capacitor banks from the transformers for equipment maintenance. Each capacitor bank is interlocked with its respective Emergency Diesel Generator to freeze automatic actions and thereby prevent system interactions during Emergency Diesel Generator testing. Each capacitor bank receives an interlock signal from its respective LOCA sequencer to prevent excessive capacitor cycling during sequencer operation.

Control Room annunciation is provided to indicate system trouble, lockout relay trips, and manual control switches out of position. The Diesel Generator freeze interlock is annunciated in the Control Room to confirm proper system interface.

Two over voltage protection relays are installed in each capacitor bank control section to protect against NB bus over voltages caused by inadvertent actuation of the capacitor banks.

The credible failure mechanisms of the Capacitor Banks that have the worst-case potential effect on Class 1E equipment can be categorized into three distinct cases.

Case 1 is the failure of the capacitor banks to turn on, Case 2 is the failure of the capacitor banks to turn off, and Case 3 is a failure in the capacitor bank that causes the feeder breaker to the associated 13.8 kV to 4.16 kV transformer to trip. A failure modes and effects analysis was performed and appropriate portions are included in Table 8.3-4.

8.3-3 Rev. OL-24 11/19

CALLAWAY - SP The review of the failure cases listed above confirms that expected system responses are enveloped by the existing accident analysis. Case 2 bus high voltage, is an analyzed and accepted failure case.

This small voltage increase may cause a slight increase in the thermal aging of any energized electric equipment. In order to prevent the aging, two specific design features have been included. The first design feature consists of over voltage Control Room annunciators to NG busses NG01, NG02, NG03, NG04, NG07, and NG08. The second design feature consists of over voltage protection relays in each of the capacitor banks to shut the capacitors off if an over voltage condition is detected.

The ESF transformers are equipped with automatic on-load tap changers. The automatic load tap changers are capable of varying the voltage at the respective NB bus by +/-16% (1% per step with 32 steps), the equivalent of approximately +/- 665 Volts at the 4160 Volt level. The Load tap changer range is limited by a gear driven limit switch limiting the voltage extremes created by the transformers.

The LTC transformers do not share any common electrical or control circuits and they cannot be paralleled even if the Class 1E 4.16kV Busses NB01 and NB02 are cross connected. Therefore, the probability that simultaneous failures of both transformers to cause both offsite sources to become inoperable is negligible.

The failure of one transformer will have no effect on the operability of the other transformer or Class 1E equipment train. The credible failure mechanisms of the transformers that will have the worst-case effects on the associated Class 1E equipment are summarized on Table 8.3-4.

The control circuits, like the capacitor bank control circuits, are interlocked with its respective Emergency Diesel Generator to freeze automatic actions and thereby prevent adverse system interactions during Emergency Diesel Generator testing. A Diesel Generator freeze interlock signal annunciator in the Control Room confirms proper tap changer system interface.

In addition, Control Room annunciators are provided to indicate if the load tap changers are capacitor bank control circuits are not in automatic. Automatic control is needed to obtain the voltage control from these components.

Control Room annunciator provide indication of system trouble. A multi-point annunciator is provided at each transformer to allow the quick determination of the cause of the trouble signal.

With both systems (load tap changers and capacitor banks) in operation, the general response to a voltage decrease is for the capacitor bank to provide a rapid voltage increase if needed, then the LTC will step to correct the voltage back to a 4.16 kV level and thus turn the capacitor bank off.

8.3-4 Rev. OL-24 11/19

CALLAWAY - SP The voltage control systems function to ensure that the voltage at NB01 and NB02 is sufficient to reset the safety related degraded voltage relays and loss of voltage relays before time limits are exceeded. With this, the preferred offsite power sources are retained to power the safety related electrical distribution system. The voltage control systems also function to ensure that overvoltages are not present in the safety related electrical distribution system when fed from the preferred power sources.

8.3.1.1.2 Class 1E AC System The Class 1E ac system is that portion of the onsite power system inside the broken-line enclosures shown in Figure 8.3-1.

The Class 1E ac system distributes power at 4.16 kV, 480 V, 208/120 V, and 120 V ac to all safety-related loads. Also, the Class 1E ac system supplies certain selected loads which are not safety related but are important to the plant operation. Figure 8.3-2 lists the major safety-related and isolated nonsafety-related loads supplied from the Class 1E ac system.

In addition to the above power distribution, the Class 1E ac system contains standby power sources which provide the power required for safe shutdown in the event of a loss of the preferred power sources.

The following describes various features of the Class 1E systems:

POWER SUPPLY FEEDERS - Each 4.16-kV load group is supplied by two preferred power supply feeders and one diesel generator (standby) supply feeder. Each 4.16-kV bus supplies motor loads and 4.0-kV/480-V load center transformers with their associated 480-V busses.

BUS ARRANGEMENTS - The Class 1E ac system is divided into two redundant load groups per unit (load groups 1 and 2). For each unit, either one of the load groups is capable of providing power to safely reach cold shutdown for that unit. Each ac load group consists of a 4.16-kV bus, 480-V load centers, 480-V motor control centers, and lower voltage ac supplies.

LOADS SUPPLIED FROM EACH BUS - Refer to Figure 8.3-2 for a listing of Class 1E system loads and their respective busses.

MANUAL AND AUTOMATIC INTERCONNECTIONS BETWEEN BUSSES, BUSSES AND LOADS, AND BUSSES AND SUPPLIES - No provisions exist for automatically connecting one Class 1E load group to another redundant Class 1E load group or for automatically transferring loads between load groups. The incoming preferred power supply associated with a load group can supply the 4.16-kV Class 1E bus of the other load group by manual operation of the requisite 4.16-kV circuit breakers when required.

8.3-5 Rev. OL-24 11/19

CALLAWAY - SP Interlocks are provided that would prevent an operator error that would parallel the standby power sources of redundant load groups.

For a further discussion of interlocks, refer to Section 8.3.1.1.3.

INTERCONNECTIONS BETWEEN SAFETY-RELATED AND NONSAFETY-RELATED BUSSES - No interconnections are provided between the safety-and nonsafety-related busses. The startup transformer supplies power through the same winding to a 13.8-kV bus and a 13.8/4.16-kV ESF transformer.

REDUNDANT BUS SEPARATION - The Class 1E switchgear, load centers, and motor control centers for the redundant load groups are located in separate rooms of the control building and auxiliary building in such a way as to ensure physical separation.

Refer to Section 8.3.1.4.1 and Section 8.3.1.1.7 for the criteria governing redundant bus separation.

CLASS 1E EQUIPMENT CAPACITIES -

a. 4.16-kV Switchgear Bus 2000A continuous rating Incoming breakers 2000A continuous, 350 MVA interrupting Feeder breakers 1200A continuous, 350
b. 480-V Unit Load Centers Transformers 1000 kVA, 3 phase, 60-Hz, 4000/480 V Bus 1600A continuous Incoming breakers (See Note)

(GE AKR) 1600A continuous, 50,000A rms symmetrical interrupting (Square D) 1600A continuous, 65,000A rms symmetrical interrupting 8.3-6 Rev. OL-24 11/19

CALLAWAY - SP Feeder breakers (See Note)

(GE AKR) 800A continuous, 30,000A rms symmetrical interrupting (with instantaneous trip) 25,000A rms symmetrical interrupting (without instantaneous trip)

(Square D) 800A continuous, 42,000A rms symmetrical interrupting Note: The GE AKR breakers used in the 480V Unit Load Centers are being replaced with Square D breakers with higher interrupting rating. The breaker replacement is being phased in over several years. During the interim period both breaker types will be in-use in the 480V Unit Load Centers.

c. 480-V Motor Control Centers Horizontal bus 600A continuous, 25,000A rms symmetrical Vertical bus 300A continuous, 25,000A rms symmetrical Breakers (molded case) 25,000A rms symmetrical, minimum interrupting (singly for thermal-magnetic breakers and in combination with a starter for magnetic only breakers)

AUTOMATIC LOADING AND LOAD SHEDDING - The automatic loading sequence of the Class 1E busses is indicated in Figure 8.3-2.

If preferred power is available to the 4.16-kV Class 1E bus following a LOCA, the Class 1E loads will be started in programmed time increments by the load sequencer. The sequencer provides an interlock signal to the capacitor banks and ESF transformer load tap changers to assure proper system operation and coordination. The emergency standby diesel generator will be automatically started but not connected to the bus.

However, in the event that preferred power is lost following a LOCA, the load sequencer will function to shed selected loads and automatically start the associated standby diesel generator (connection of the standby diesel generator to the 4.16-kV Class 1E bus is performed by the diesel generator control circuitry). Load sequencers will then function to start the required Class 1E loads in programmed time increments.

A failure modes and effects analysis and a reliability study have been performed on the load shedder emergency load sequencers (LSELS). These studies have shown that no failure within a single LSELS can result in the failure of both sources of offsite power, that 8.3-7 Rev. OL-24 11/19

CALLAWAY - SP there are no credible sneak circuits or common mode failures in the LSELS that could render both the onsite and offsite power sources unavailable, and that sequencing of loads on the offsite power system does not compromise the reliability of the offsite power source.

There are no permissive devices (e.g., lube oil pressure) incorporated into the final actuation control circuitry for large horsepower, safety-related motors.

Refer to Section 8.3.1.1.3 for additional information on load shedding and sequencing.

CLASS 1E EQUIPMENT IDENTIFICATION - Refer to Section 8.3.1.3 for details regarding the physical identification of Class 1E equipment.

INSTRUMENTATION AND CONTROL SYSTEMS FOR THE APPLICABLE POWER SYSTEMS WITH THE ASSIGNED POWER SUPPLY IDENTIFIED - The dc control supplies for switchgear breaker operation are separate and independent so that Class 1E dc load group 1 supplies Class 1E load group 1 switchgear. The battery chargers for dc load group 1 are fed from the same load group switchgear. Class 1E dc load group 2 supplies Class 1E load group 2 switchgear. For further information on the dc power system, refer to Section 8.3.2.

Each 4.16-kV switchgear bus and 480-V load center bus is equipped with an undervoltage relay for annunciation in the control room. The voltage of each bus is monitored by instruments in the control room.

ELECTRIC CIRCUIT PROTECTION SYSTEMS - Protective relay schemes or direct-acting trip devices on primary and backup circuit breakers are provided throughout the onsite power system in order to:

a. Isolate faulted equipment and/or circuits from unfaulted equipment and/or circuits
b. Prevent damage to equipment
c. Protect personnel
d. Minimize system disturbances The short circuit protective system is analyzed to ensure that the various adjustable devices are applied within their ratings and set to be coordinated with each other to attain selectivity in their operation. The combination of devices and settings applied affords the selectivity necessary to isolate a faulted area quickly with a minimum of disturbance to the rest of the system.

Major types of protection applications that are used consist of the following:

8.3-8 Rev. OL-24 11/19

CALLAWAY - SP

a. Overcurrent Relaying Each bus supply breaker (except the standby diesel breaker) is equipped with three inverse-time overcurrent relays and one inverse-time ground fault relay for bus faults and to provide backup for feeder circuit relays. Bus supply breakers from the standby emergency diesel generator are equipped with three inverse-time overcurrent relays only. Ground protection is provided on each generator neutral.

Each 4.16-kV motor circuit breaker has three overcurrent relays, each with one long-time and two instantaneous elements for overload, locked rotor, and short circuit protection. Each 4.16-kV motor circuit breaker is also equipped with an instantaneous ground current relay.

The current for Class 1E motors is monitored by computer in the control room and at the Class 1E switchgear.

Each 4.16-kV supply circuit breaker to a load center transformer has three overcurrent relays with long-time and instantaneous elements. An instantaneous overcurrent ground current relay provides sensitive ground fault protection.

b. Undervoltage Relaying Each 4.16-kV Class 1E bus is equipped with undervoltage relays for diesel generator start initiation and undervoltage annunciation.

Each 480-V Class 1E load center bus is equipped with undervoltage relays for undervoltage annunciation.

c. Differential Relaying The main, unit auxiliary, startup, station service, and ESF transformers are equipped with differential relays. These relays provide high-speed disconnection to prevent severe damage in the event of transformer internal faults.

Motors rated above 3,500 horsepower are equipped with differential protection.

The main generator and the standby emergency generator are provided with differential protection.

d. 480-V Load Center Overcurrent Relaying 8.3-9 Rev. OL-24 11/19

CALLAWAY - SP Each 480-V load center circuit breaker is equipped with a solid state device which has an adjustable phase and ground overcurrent trip.

e. 480-V Motor Control Center Overcurrent Relaying Molded case circuit breakers provide time overcurrent and/or instantaneous short circuit protection for all connected loads. The molded case circuit breakers for motor circuits are equipped with instantaneous trip only. Motor overload protection is provided by ambient compensated thermal trip units in the motor controller, except for the ultimate heat sink cooling tower fan motor protections at locations NG07SAF1, NG08SAF1, NG07SBF1, and NG08SBF1, where the thermal overload protection for the fast-speed operation is bypassed. For these applications, motor overload protection is provided by breakers NG0703, NG0803, NG0704, and NG0804, respectively. The molded case breakers for nonmotor feeder circuits provide thermal time overcurrent protection as well as instantaneous short circuit protection.

As noted above, all starters for motor-operated valves are equipped with thermal overload relays. The thermal overload relay trip contacts located in 480-V motor control centers, for Class 1E valves, are bypassed with jumpers except when the valve motors are undergoing maintenance testing. For surveillance valve stroke tests, and in order to maintain circuit integrity, thermal overload relay contact jumpers are not removed during such tests.

The starters and the feeder circuit breakers located in the motor control center are coordinated with the motor control center incoming supply breakers so that, upon ground fault, the protective device nearest the fault trips first. Where coordination is not possible using the protective devices normally furnished in a standard motor control center module, solid-state ground fault protectors are added to the affected modules on an individual basis.

f. Phase Imbalance Relaying Each 4.16-kV Class 1E bus is equipped with two phase imbalance relays for phase imbalance annunciation in the control room. Open phase conditions that may occur are detected from the negative sequence voltage produced during this condition. In addition, an open phase detection system is located on the high-side neutral of Safeguards Transformer B in the switchyard, which produces an alarm in the control room. This system will detect any open phase condition that may occur, under all Safeguards Transformer B loading conditions, using active and passive detection elements that detect a zero-sequence impedance change in the neutral of the transformer. Utilizing the phase imbalance relaying and the switchyard 8.3-10 Rev. OL-24 11/19

CALLAWAY - SP open phase detection system together, all open phase conditions on the preferred off-site power sources, under all transformer loading conditions, are detected.

TESTING OF THE AC SYSTEMS DURING POWER OPERATION - All Class 1E circuit breakers and motor controllers are testable during reactor operation, except for the electric equipment associated with those Class 1E loads identified in Chapter 7.0.

During periodic Class 1E system tests, subsystems of the engineered safety features actuation system, such as safety injection, containment spray, and containment isolation, are actuated, thereby causing appropriate circuit breaker or contactor operation. The 4.16-kV and 480-V circuit breakers and control circuits can also be tested independently while individual equipment is shut down. The circuit breakers can be placed in the test position and exercised without operation of the associated equipment.

SHARING OF SYSTEMS AND EQUIPMENT BETWEEN UNITS - There is no sharing of Class 1E systems or equipment between units.

8.3.1.1.3 Standby Power Supply The standby power supply for each safety-related load group consists of one diesel generator complete with its accessories and fuel storage and transfer systems. It is capable of supplying essential loads necessary to reliably and safely shut down and isolate the reactor. Each diesel generator is rated at 6,201 kW for continuous operation.

Additional ratings are 6,635 kW for 2,000 hours0 days <br />0 hours <br />0 weeks <br />0 months <br />, 6,821 kW for 7 days, and 7,441 kW for 30 minutes. The generator 2-hour rating is equal to the 7-day rating. One diesel generator is connected exclusively to a single 4.16-kV safety feature bus of a load group.

Each unit has two load groups, and the safety-related equipment on both load groups is similar. The load groups are redundant and, for each unit, one load group is adequate to satisfy minimum engineered safety features demand caused by a LOCA and loss of preferred power supply. The diesel generators are electrically isolated from each other.

Physical separation for fire and missile protection is provided between the diesel generators, since they are housed in separate rooms of a seismic Category I structure (see the response to NRC Question 430.8 for a detailed discussion). Power and control cables for the diesel generators and associated switchgear are routed to maintain physical separation.

Ratings for diesel generator sets are established in order to satisfy the requirements set forth in Regulatory Guide 1.9. Refer to Section 8.1.4.3.

The diesel generator loads are determined on the basis of nameplate rating, pump pressure and flow conditions, or pump runout conditions. The bases for the loads are noted in Callaway site specific calculations. The continuous rating of the diesel generator is based on the maximum total load required at any time.

The functional aspects of the onsite power system are discussed below.

8.3-11 Rev. OL-24 11/19

CALLAWAY - SP STARTING INITIATING CIRCUITS - The diesel generators are started on the following:

a. Receipt of a safety injection signal (SIS)
b. Loss of voltage to the respective 4.16-kV Class 1E bus to which each generator is connected
c. Manual - Remote switch actuation (main control room)
d. Manual - Local switch actuation (diesel generator room)
e. Emergency Manual - Local switch actuation (diesel generator room)

Refer to logic diagrams -- Figures 8.3-3, 8.3-4, and 8.3-5.

DIESEL STARTING MECHANISM AND SYSTEM - Refer to Section 9.5.6.

TRIPPING DEVICES - The following protective functions are provided for each diesel generator:

a. Start failure relay
b. Engine overspeed
c. High jacket coolant temperature
d. Low lube oil pressure
e. High crankcase pressure
f. Generator differential The above protective devices, which function to shut down the diesel or trip the diesel generator breaker, are also retained during an SIS.

The high jacket coolant temperature, low lube oil pressure, and high crankcase pressure interlocks initiate shutdown only upon satisfying the applicable trip logic. A false trip on one channel does not erroneously shut down the diesel generator.

The remaining protective functions that are retained during an SIS are (1) generator differential, (2) engine overspeed, and (3) start failure.

In accordance with the provisions of Regulatory Guide 1.9, the engine overspeed and generator differential trips are retained to protect the diesel generator set from massive damage. The start failure protection functions to interrupt the starting of the diesel 8.3-12 Rev. OL-24 11/19

CALLAWAY - SP generator if a predetermined speed is not reached or if lube oil pressure is not established within a predetermined time following the start initiation.

Reverse power, loss of field, generator over-excitation, generator overcurrent, generator voltage-restrained overcurrent, generator ground overcurrent, and underfrequency protection are also provided but cause a trip only during tests when the diesel generator is operating in parallel with the preferred power system.

Underfrequency protection is provided for safely separating the diesel generators from the preferred source (when previously synchronized to it) without damage to or shutdown of the diesel generators.

The diesel generators are monitored from the control room, and each device, when actuated, initiates an annunciator in the control room. These functions are also provided with alarms in the diesel generator room. The alarms are set so that they provide a warning of impending trouble prior to trip of the diesels.

INTERLOCKS - Circuit breaker electrical interlocks are provided to prevent automatic closing of a diesel generator breaker to an energized or faulted bus.

If the preferred power has been lost, undervoltage relays on the incoming (offsite) side of the 4.16-kV feeder breakers prevent closure of these breakers.

The two 4.16-kV circuit breakers which control the incoming preferred source power to a 4.16-kV Class 1E bus are so interlocked that only one breaker can be closed at any one time. This is to prevent parallel operation of the preferred sources.

When operating from the diesel generator supply (loss of offsite power), redundant load groups cannot be manually connected together since the 4.16-kV circuit breakers controlling the incoming preferred power supplies to the Class 1E busses are interlocked to prevent paralleling of the diesel generators.

During normal operation (offsite power available), interlocks are provided in the form of synchronizing check relays to prevent an operator error that would parallel the redundant standby power sources.

PERMISSIVES - A single key-operated switch (AUTO, LOCAL/MANUAL) in the diesel generator room is provided for each diesel generator to block automatic start signals when the diesel is out for maintenance (i.e., LOCAL/MANUAL position). When in the LOCAL/MANUAL position, an annunciator is initiated in the control room.

A pushbutton in the control room and a local pushbutton are provided to allow manual start capability.

A local handswitch is provided to allow a modified diesel engine start in which the speed of the diesel engine is limited to reduce stress and wear on the engine. An emergency 8.3-13 Rev. OL-24 11/19

CALLAWAY - SP start signal (SIS, loss of voltage, or emergency manual start) overrides the local modified start handswitch.

During periodic diesel generator tests, subsequent to diesel start and synchronization to the preferred system, a switch in the control room allows parallel operation with the preferred system and actuates an interlocking freeze signal to the associated capacitor bank. This freeze signal causes the capacitor bank to stop automatic operation and to hold in its present state during diesel generator tests and to prevent system interactions.

This freeze interlock is removed automatically when diesel generator parallel operation is terminated.

LOAD-SHEDDING CIRCUITS - Upon recognition of a loss of or degraded voltage on a 4.16-kV Class 1E bus, a logic signal is initiated to effect the following on each load group:

a. Shed selected loads
b. Send signal to start diesel
c. Trip 4.16-kV preferred power supply breakers Two voltage sensing schemes are employed on each 4.16-kV Class 1E bus to initiate the required logic signal. One scheme will recognize a loss of voltage, and the other will recognize a degraded voltage. Four potential transformers on each bus provide the necessary input voltages to the protective devices necessary to achieve the above protection.

In order to recognize a loss of voltage, four instantaneous undervoltage relays are used.

The output contacts of these relays are directed to logic circuits that process the four undervoltage input circuits into the 2-out-of-4 logic circuit described above. This scheme is used on each bus.

The loss of voltage logic signal is set below the minimum bus voltage encountered during diesel generator sequential loading. A brief time delay is employed to prevent false trips arising from transient undervoltage (spike) conditions.

In order to recognize a degraded voltage, a diverse protection scheme is used. The above four potential transformers each provide an analog output signal of 0-120 volts.

This signal is directed to logic circuits and processors that convert the analog signals into a 2-out-of-4 logic signal, whenever the signal drops below a preset value. This scheme serves only to trip the incoming offsite power circuits breakers when that power source has been determined to be degraded. This design cannot adversely affect the sequential loading of the diesel generators.

The degraded voltage logic signal is set at the minimum permissible continuous bus voltage. A time delay is provided that prevents damage to or spurious tripping of the 8.3-14 Rev. OL-24 11/19

CALLAWAY - SP permanently connected Class 1E loads by limiting the amount of time they are exposed to a degraded voltage. The final voltage and time setpoints will be determined based on an analysis of the auxiliary power distribution system, including the Class 1E busses at all voltage levels. The use of an SIS contact in series with the degraded voltage logic circuit output contact ensures that the Class 1E busses will be immediately separated from the offsite power system whenever an accident occurs and the offsite power system is not able to accept the loads continuously. An alarm is also provided to alert the operator to a degraded voltage condition. It is delayed until any motor starting-induced bus voltage transient has sufficient time to clear.

Three-phase voltage balance is monitored to ensure that three-phase motors or their protection circuits are not adversely impacted by open phase conditions in the preferred offsite sources. Two voltage imbalance relays are provided on each Class 1E bus, NB01 and NB02. Actuation of either one of these voltage imbalance relays will initiate a Control Room annunciator alarm to alert operators to potential open phase conditions affecting the operability of the preferred offsite source.

As each generator reaches rated voltage and frequency, the generator breaker connecting it to the corresponding 4.16-kV bus closes. With the SIS, connection of the diesel generator to the 4.16-kV bus is not made unless the preferred source of power is lost. The diesel generator is able to accept loads within 12* seconds after receipt of a starting signal, and all automatically sequenced loads are connected to the Class 1E bus within 35 seconds thereafter. Refer to Figure 8.3-2. Relays at the diesel generator detect generator rated voltage and frequency conditions and provide a permissive interlock for the closing of the respective generator circuit breaker. Upon loss of the preferred source of power without a LOCA, the load sequencer system initiates the starting of the diesel generators and sheds all loads, except the load centers and the ECCS centrifugal charging pumps.

Following diesel start and connection to the Class 1E bus, the loads are automatically sequenced onto the bus at programmed time intervals. A fast responding exciter and voltage regulator ensure voltage recovery of the diesel generator after each load step.

Field flashing is utilized on the diesel generators for fast voltage buildup during the start sequence. Momentary voltage and frequency dips will not exceed a maximum of 25 percent below nominal rating (4.16 kV) for voltage and 5 percent for frequency.

The voltage levels at safety-related buses are optimized for the expected load conditions throughout the anticipated range of voltage of the offsite system by adjustment of transformer taps. This analysis is verified to be accurate by testing.

  • For operational concerns the Callaway Technical Specifications allow a 12-second start time, but the FSAR analyses were based on a 10-second start time. Sensitivity studies described in References 2, 3, and 4 have accounted for the 12-second start time.

8.3-15 Rev. OL-24 11/19

CALLAWAY - SP TESTING - Because the diesel generator is not of the type or size that has been previously used as a standby emergency power source in nuclear power plant service, the following tests are performed at the manufacturer's facility:

a. Load capability qualification tests were performed as follows:
1. The engine was brought to temperature equilibrium conditions and then run at rated load for 22 hours2.546296e-4 days <br />0.00611 hours <br />3.637566e-5 weeks <br />8.371e-6 months <br />. Immediately following this period, the diesel was run for 2 additional hours at the rated short-time load. This is in accordance with Paragraph 6.3.1(1) and (2) of IEEE 387-1977.
2. A load rejection from rated load was performed in one step. The engine speed did not exceed the normal speed plus 75 percent of the difference between normal speed and the overspeed setpoint.

This is in accordance with Paragraph 6.3.1(3) of IEEE 387-1977.

3. A no load test was conducted for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> followed by loading to the rated load to demonstrate the capability to carry full load following operation of no load. This is in accordance with Paragraph 6.3.1(4) of IEEE 387-1977. Refer to Section 9.5.8.2.3 for a discussion of the manufacturer's operating recommendations for light and no load operations for extended periods. (Note that IEEE-387 contains no requirement for analyzing or inspecting the exhaust gas or the exhaust system during or following this test. The acceptance criterion is the acceptance of the rated load.)
b. At least 300 valid start and load tests are performed on one diesel generator. This includes all valid tests performed offsite. A valid start and load test is defined as an unloaded start from design conditions with subsequent loading to at least 50 percent of the continuous rating within the required time interval and continued operation until temperature equilibrium is attained. This is in accordance with Paragraph 6.3.2 of IEEE 387-1977. At least 90 percent of these start tests will be made from hot standby conditions and 10 percent from design hot equilibrium.

A failure-to-start rate in excess of one per hundred requires further testing as well as a review of the system design adequacy.

If failures to start are found to be caused by failures of a generic nature in a single component, it may be possible to correct the problem by use of a different kind of component or to correct the deficiency in the component.

If it is possible to independently test the component after its deficiencies have been corrected, it is not necessary to repeat the 300 starting tests of the complete diesel generator unit. If the component is successfully tested 8.3-16 Rev. OL-24 11/19

CALLAWAY - SP 300 times or more under acceptable simulated starting conditions, it is only necessary to continue and complete the original required 300 unit tests with the replacement component.

If starting failures are of a random nature or cannot be readily identified as being generic component failures, additional starting tests of the complete unit are performed after each starting problem has been corrected. The additional tests are of a sufficient number to verify the required starting reliability.

c. At least two full load and margin tests are performed on each diesel generator to demonstrate the start and load capability of these units with some margin in excess of the design requirements. The margin test includes step-loading the diesel generator with a test load at least 10 percent larger than the largest design single-step load. This is in accordance with Paragraph 6.3.3 of IEEE 387-1977.

In addition to the above tests, after final assembly and preliminary startup testing each diesel generator is tested at the site prior to reactor fuel loading to verify actual electrical loading on the diesel generator and to demonstrate its ability to perform its intended function. The diesel generator is given each of the following tests, in accordance with Paragraph 6.4 of IEEE 387-1977 to certify the adequacy of the unit for the intended service.

a. Starting tests to demonstrate the ability to start automatically on simulation of loss of ac voltage and attain stabilized frequency and voltage within the rated limits and time.
b. Load acceptance tests to demonstrate the ability to accept the design loads in the design accident loading sequence and to maintain voltage and frequency within acceptable limits.
c. Rated load tests, with the diesel in parallel with the offsite system, to demonstrate the ability to carry the continuous rated load until temperature equilibrium is reached, followed by operation for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> at the short-time rated load of the diesel generator, followed by operation for 22 hours2.546296e-4 days <br />0.00611 hours <br />3.637566e-5 weeks <br />8.371e-6 months <br /> at the continuous rated load, without exceeding the manufacturer's design limits.
d. Functional tests to demonstrate diesel generator capability at full load temperature conditions by rerunning tests a and b above immediately following c above. If these tests are not satisfactorily completed, it is not necessary to repeat the tests of item c above prior to rerunning this test.

Instead, prior to rerunning these tests, the diesel generator may be operated at the continuous rated load for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or until operating temperature has stabilized.

8.3-17 Rev. OL-24 11/19

CALLAWAY - SP

e. Design load tests to demonstrate the ability to carry the design load for a time required to reach equilibrium temperature plus 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> without exceeding the manufacturer's design limits.
f. Load rejection tests to demonstrate the ability to reject the maximum rated load without exceeding speeds or voltages that cause tripping, mechanical damage, or harmful overstresses.
g. Electrical tests to demonstrate that the electrical properties of the generator, excitation system, voltage regulator, engine governor system, and the control and surveillance systems are acceptable for the intended application including:
1. Synchronize the diesel generator unit with offsite system while the unit is connected to the emergency load.
2. Transfer the emergency load to the offsite system.
3. Isolate the diesel generator unit from the offsite system.
4. Restore diesel unit to standby status.
h. A minimum of 35 consecutive valid tests are to be run with no failures to demonstrate the required reliability.
i. Subsystem tests to demonstrate the capability of the control, surveillance, and protection systems to function in accordance with their intended application.
j. Tests to demonstrate the capability of the diesel generator unit to respond to an emergency start signal within the required time.

After being placed in service, the standby power system is tested periodically in accordance with the plant Technical Specifications to demonstrate the continued ability of the unit to perform its intended function.

FUEL OIL STORAGE AND TRANSFER SYSTEMS - The diesel generator fuel oil system is described in Section 9.5.4.

DIESEL GENERATOR COOLING AND HEATING SYSTEMS - The diesel generator cooling water system is described in Section 9.5.5.

INSTRUMENTATION AND CONTROL SYSTEMS FOR STANDBY POWER SUPPLY -

Equipment is provided in the control room for each diesel generator for the following operations:

8.3-18 Rev. OL-24 11/19

CALLAWAY - SP

a. Remote manual starting and stopping
b. Remote manual synchronization
c. Remote manual speed, frequency and voltage adjustment
d. Governor and voltage droop selection
e. Automatic or manual voltage regulator selection A handswitch is provided in the diesel room to allow modified start testing of the diesel engine to reduce stress and wear on the engine.

A master transfer switch is provided in the diesel room for automatic and local-manual control selection. The switch is normally in the automatic position, whereby the engineered safety features system senses an accident or loss of preferred power and starts the diesel. The master transfer switch is placed in the local-manual position to allow manual operation of the diesel locally when it is out for maintenance. Equipment is provided locally at each diesel generator for manual starting in case of a control room evacuation. The local emergency start feature functions to start the diesel generator, regardless of the position of the master transfer switch.

Equipment is provided at each local control panel for the following operation (when the master transfer switch is in the local position):

a. Manual starting
b. Manual stopping
c. Speed, frequency and voltage regulation
d. Automatic or manual regulation selection
e. Exciter field removal and reset The local control operation is annunciated in the control room. The dc power source for the diesel generator instrumentation and control system is of the same load group as the respective diesel generator.

Controls and monitoring instruments for the Callaway emergency diesel generators are installed in freestanding, floor-mounted control panels, separate from the engine skid.

Only those sensors and other electrical controls (solenoid valves and governor actuator) which send or receive signals to and from the control panels are mounted on the diesel generator unit. Although the panels are mounted on the same floor as the engine skid they do not employ vibration mounts because the floor is of sufficient mass to dampen the engine vibrations.

8.3-19 Rev. OL-24 11/19

CALLAWAY - SP Each diesel generator is equipped with the following alarms at the local control panel:

a. Lube oil pressure low
b. Lube oil temperature high
c. Lube oil temperature low
d. Lube oil level high in sump
e. Lube oil level low in sump
f. Lube oil filter differential pressure high
g. Lube oil strainer differential pressure high
h. Fuel oil filter differential pressure high
i. Fuel oil strainer differential pressure high
j. Fuel oil pressure low
k. Jacket coolant pressure low
l. Jacket coolant temperature high
m. Jacket coolant temperature low
n. Jacket coolant level low in expansion tank
o. Diesel generator undervoltage
p. Start failure
q. Engine trouble shutdown
r. Generator underfrequency
s. Barring device engaged
t. DC control power failure
u. Starting air pressure low train 1
v. Starting air pressure low train 2 8.3-20 Rev. OL-24 11/19

CALLAWAY - SP

w. Crankcase pressure high
x. Engine overspeed trip
y. Any switch not in auto position
z. Generator protective relay trip aa. Diesel main bearing temperature high ab. Exciter power P.T. fuse blown ac. Intercooler water pressure low ad. Intercooler water temperature high ae. Intercooler water temperature low af. Rocker arm lube oil filter differential pressure high ag. Rocker arm lube oil level high ah. Rocker arm lube oil pressure low ai. Diesel generator underexcitation aj. Diesel generator field grounded The following conditions are separately alarmed in the control room:
a. Diesel out of service
b. Diesel local alarm
c. Diesel generator undervoltage or underfrequency
d. Diesel overvoltage
e. Diesel negative phase sequence Electrical instruments are provided in the control room and at the diesel generator for surveillance of generator voltage, current, frequency, power, and reactive volt amperes.

The breaker status of each 4.16-kV breaker of the engineered safety features system is displayed by red and green indicating lamps in the control room. Local indication is provided at the switchgear.

8.3-21 Rev. OL-24 11/19

CALLAWAY - SP A window is provided on the engineered safety features status panel in order to determine the availability of the diesel generator. The window reads Emergency Diesel Generator and operates as described in Section 7.5.2.2. This window is activated by all conditions which render the diesel inoperable:

a. Loss of dc control power
b. Generator relay trip
c. Barring device engaged
d. Starting air pressure low
e. Engine shutdown
f. Start failure
g. Diesel generator control switch not in auto position
h. Diesel generator auxiliaries control switch in off position.

8.3.1.1.4 Control Rod Drive Power Supply Electric power to control rod drive mechanisms is supplied by two full-capacity, motor-generator sets. Each motor-generator set is connected to a separate non-Class 1E 480-V load center. Each generator is of the synchronous type and is driven by a 200-hp induction motor. The ac power is distributed to the rod control power cabinets through two series-connected reactor trip breakers.

8.3.1.1.5 Vital Instrument AC Power Supply Four independent Class 1E 120-V vital instrument AC power supplies are provided to supply the four channels of the protection systems and reactor control systems. Each vital instrument AC power supply consists of an uninterruptible power supply (UPS), i.e.,

an inverter equipped with an integral bypass constant-voltage transformer (CVT), and a distribution bus. Each inverter, in turn, is independently supplied by a Class 1E 125-VDC battery (in support of the UPS function), as described in Section 8.3.2.

Normally, and as required by the plant's Technical Specifications, the inverter is operating to supply the vital AC bus. If an inverter is inoperable or is to be removed from service, the vital AC bus can be supplied from the UPS Class 1E bypass CVT.

Alternatively, a swing (backup) inverter/UPS may be employed to operate in place of the normal-source inverter.

Two swing inverters (equivalent in design to the normal-source inverters) are provided such that one swing inverter (NN17) can serve as a substitute for either of the NN11/

8.3-22 Rev. OL-24 11/19

CALLAWAY - SP NN13 inverters, and the other swing inverter (NN18) can serve as a substitute for either of the NN12/NN14 inverters. A selector switch located on the swing inverter is positioned to select the appropriate inverter to be replaced. (A key lock is used to maintain the selector switch position.) Either of two 125-VDC power sources may be selected for the in-service swing inverter via the inverter's DC manual transfer switch (via key-operated switches). When utilized during plant operation, and in order to maintain independence, an in-service swing inverter is powered from the DC bus associated with the substituted normal-source inverter.

Each inverter/UPS consists of a 7.5 KVA solid-state inverter, an integral 480 VAC to 120 VAC single-phase regulating transformer for use as a standby source, an automatic static transfer switch that will switch to the backup supply in the event of inverter failure and a manual maintenance bypass switch that will switch to the backup supply during maintenance activities. The normal supply for each inverter/UPS is from one of the four Class 1E DC buses. The inverter/UPS standby source for each unit, i.e., bypass CVT, is supplied from a 480 VAC MCC that is associated with the same AC load group. The inverter gating and synchronizing circuit monitors the output of the standby supply and ensures that the inverter output is in phase with the standby supply. The static transfer switch will automatically transfer the inverter loads to the bypass CVT when one of the following conditions occurs.

1. Undervoltage detected on the output of the inverter SCR bridge.
2. Undervoltage detected on the output of the inverter.
3. Manual initiation.
4. Output overcurrent greater than 120% of rating.

If the inverter output and bypass source are not in-phase, or if the bypass is unavailable, the static transfer switch logic blocks the static switch from automatically transferring the load.

Each inverter/UPS unit is equipped with metering and relaying to provide the following local alarms and status indicators noted on the main control board.

1. DC LOW VOLTAGE*
2. DC HIGH VOLTAGE*
3. INVERTER OUTPUT LOW VOLTAGE
4. INVERTER OUTPUT HIGH VOLTAGE*
5. AC OUTPUT OVERLOAD*

8.3-23 Rev. OL-24 11/19

CALLAWAY - SP

6. INVERTER FAILURE*
7. FUSE BLOWN*
8. BYPASS SOURCE LOW VOLTAGE*
9. BYPASS SOURCE FAILURE*
10. OVER TEMPERATURE*
11. IN SYNC
12. OUT OF SYNC*
13. INVERTER SUPPLYING LOAD
14. BYPASS SOURCE SUPPLYING LOAD Those alarms shown with an asterisk provide a summary alarm in the Control Room as well. Local indicating lamps and alarm contacts are also provided to alarm when either the static switch or maintenance bypass switch are aligned to the bypass source.

A separate NN INV TRBL/XFR annunciator is provided on the main control board for each inverter/UPS. The main control board annunciators will alarm when the load is transferred to the bypass source using either the static switch or the manual maintenance bypass switch, or when any local alarm is present. Computer points on the plant computer are provided for each annunciator input to indicate which condition brought in the alarm.

If a normal-source inverter/UPS along with its bypass source (CVT) is inoperable or is to be removed from service, the vital AC bus can be supplied from a swing inverter/UPS through use of the manual transfer switch on the inverter/UPS cabinet. A key interlock is provided to ensure that only a single transfer to the swing inverter/UPS can be made at one time using the swing inverter/UPS manual transfer switch. Complete loss of a power supply to a vital AC bus, i.e., loss of the inverter and its bypass CVT (for either a normal-source inverter or swing inverter), is alarmed by separate main control board annunciator windows using undervoltage relays in the distribution panels. Refer to Figure 8.3-6 for the single-line arrangement of the vital instrument AC power supply.

8.3.1.1.6 Nonvital Instrument AC Power Supply The nonvital 120/208-V instrument ac power supply is designed to furnish reliable power to all nonsafety-related plant instruments. In addition, it is utilized as the primary source of power for the public address system.

8.3-24 Rev. OL-24 11/19

CALLAWAY - SP The nonvital instrument ac system for each unit is divided into two panelboard sections.

Each section is supplied by three single-phase isolation transformers connected into a three-phase configuration connected to a Class 1E motor control center. In the event of the loss of normal auxiliary power, the transformers are automatically energized by the emergency diesel generators. In the event that the isolation transformers fail the instrument buses will be automatically transferred to non-Class 1E motor control centers.

8.3.1.1.7 Electric Equipment Layout The following are the general features of the electric equipment layout:

a. Class 1E switchgear, load centers, and motor control centers of redundant load groups are located in separate rooms within seismic Category I buildings.
b. Four Class 1E battery supplies are located in the control building. Each battery is located in a separate room. Battery ventilation considerations are addressed in Section 9.4.1.
c. The battery charger, inverter/UPS, and DC busses associated with each of the four subsystems are in separate rooms outside the battery rooms.
d. Two cable spreading rooms are provided, one above and one below the control room. This enhances redundant cable separation.
e. Redundant diesel generators and associated supporting equipment are located in separate rooms in the seismic Category I diesel generator building.

Electrical equipment layout drawings showing the location of electrical equipment and equipment and cable raceways are listed in Section 1.7.

8.3.1.1.8 Design Criteria for Class 1E Equipment Design criteria are discussed below for the Class 1E equipment:

MOTOR SIZE - For all motors rated above 480 Volts, the horsepower is generally equal to or greater than the maximum horsepower required by the driven load under normal running or runout conditions.

In the case of the ECCS centrifugal charging pumps (600 hp nameplate rating and 690 brake horsepower) and safety injection pumps (450 hp nameplate rating and 517.5 brake horsepower) which are under the scope of the NSSS supplier, the brake horsepower exceeds the nameplate rating of the motor, but is within the capability of the motors which have a service factor of 1.15.

8.3-25 Rev. OL-24 11/19

CALLAWAY - SP MINIMUM MOTOR ACCELERATING VOLTAGE - All Class 1E motors fed from the 4.16-kV busses are specified with accelerating capability at 75 percent of the motor nameplate rating (4,000 volts). Class 1E motors rated for use on lower voltage busses, which are required to start concurrently with large 4-kV motors, are specified with accelerating capability at 65 percent of the motor nameplate rating.

To prevent valve damage from the oversizing of motors, all motor-operated valve actuators are specified with accelerating capability at 80 percent of the nameplate rating.

The electrical system is designed so that the total voltage drop on the Class 1E motor circuits is less than that required to accelerate those motors.

MOTOR STARTING TORQUE - The motor starting torque is capable of starting and accelerating the connected load to normal speed within sufficient time to perform its safety function for all expected operating conditions, including the design minimum bus voltage stated in Section 8.3.1.1.3.

MINIMUM MOTOR TORQUE MARGIN OVER PUMP TORQUE THROUGH ACCELERATING PERIOD - The minimum torque margin (accelerating torque) is such that the pump-motor assembly reaches nominal speed within sufficient time to perform its safety function at design minimum terminal voltage.

MOTOR INSULATION - Insulation systems are selected on the basis of the particular ambient conditions to which insulation is exposed. For Class 1E motors located within the containment, the insulation system is selected to withstand the postulated acccident environment.

TEMPERATURE MONITORING DEVICES PROVIDED IN LARGE HORSEPOWER MOTORS - Each motor in excess of 1,500 hp is provided with six resistance temperature detectors (RTD) embedded in the motor slots, two per phase. In normal operation, the RTD at the hottest location (selected by test) monitors the motor temperature and provides a computer alarm in the control room on high temperature. Each 4.16-kV motor bearing (except residual heat removal) is provided with one temperature sensor which will provide an alarm on bearing high temperature.

INTERRUPTING CAPACITIES - The interrupting capacities of the protective equipment are determined as follows:

a. Switchgear Switchgear interrupting capacities are greater than the maximum short circuit current available at the point of application. The magnitude of the short circuit currents in the medium voltage systems is determined in accordance with ANSI C37.010-1972. The offsite power system, a single operating diesel generator, and running motor contributions are considered 8.3-26 Rev. OL-24 11/19

CALLAWAY - SP in determining the fault level. All motors connected to the bus are considered to be running when the short circuit is postulated.

High voltage power circuit breaker interrupting capacity ratings are selected in accordance with ANSI C37.06-1971.

b. Load Centers, Motor Control Centers, and Distribution Panels Load centers, motor control centers, and distribution panel circuit breakers have a symmetrical rated interrupting current as great as the determined total available symmetrical current at the point of application. Symmetrical current is determined in accordance with the procedures of ANSI C37-1973 for low-voltage circuit breakers other than molded-case breakers and of NEMA Standards Publication AB 1 for molded case circuit breakers.

ELECTRIC CIRCUIT PROTECTION - Refer to Section 8.3.1.1.2 for criteria regarding the electric circuit protection.

GROUNDING REQUIREMENTS - Equipment and system grounding will be designed using IEEE 80, 1971 Guide for Safety in AC Substation Grounding, and IEEE 142, 1972, Recommended Practice for Grounding of Industrial and Commercial Power Systems as a guide.

8.3.1.1.9 Cable Derating and Cable Tray Fill The ampacity and group derating factors of the cables are in accordance with the manufacturer's recommendations and IPCEA publications P46-426 for cables in conduit, duct bank, and maintained spaced trays and P54-440 for cables in randomly filled trays.

The cable ampacities are based on a maximum conductor temperature of 90°C, 100-percent load factor, and all cables fully loaded.

For trays containing power cables only, fill is generally limited to 30 percent of the usable cross section of a 4-inch-deep tray. Where this condition cannot be maintained, a design engineer reviews each case for the adequacy of the design for both physical fill and derating.

Trays containing only control or instrumentation cables are generally limited to a 50-percent fill. Where this condition cannot be maintained, a design engineer reviews each case for adequacy of design for physical fill only and will allow a higher fill percentage so that the total fill does not protrude above the loading depth of the tray.

Conduit fill is in compliance with the provisions of Chapter 9.0 (Table 4) of the NEC.

Where these provisions cannot be maintained, a design engineer reviews each case and will allow a higher fill percentage based on actual cable sizes, conduit sizes, length of conduit, and number of bends.

8.3-27 Rev. OL-24 11/19

CALLAWAY - SP 8.3.1.2 Analysis 8.3.1.2.1 Compliance with General Design Criteria 17 and 18 and Regulatory Guides For discussion of regulatory guides in regard to Class 1E ac systems, refer to Section 8.1.4.3.

Compliance with General Design Criteria 17 and 18 is discussed in Section 3.1.

A failure modes and effects analysis is provided in accordance with IEEE 352-1972.

Refer to Table 8.3-4.

8.3.1.2.2 Safety-Related Equipment Exposed to Hostile Environment The detailed information on all Class 1E equipment that must operate in a hostile environment during and/or subsequent to an accident is furnished in Section 3.11(B) and 3.11(N).

8.3.1.3 Physical Identification of Safety-Related Equipment Each circuit (scheme) and raceway is given a unique alphanumeric identification. This identification provides a means of distinguishing a circuit or raceway association with a particular channel or load group, and is assigned on the basis of the following criteria:

SEPARATION GROUP 1 - A safety-related instrumentation, control, or power scheme/

raceway associated with safety-related load group 1 or protection system channel 1.

SEPARATION GROUP 2 - A safety-related instrumentation, control, or power scheme/

raceway associated with protection system channel 2.

SEPARATION GROUP 3 - A safety-related instrumentation, power, or control scheme/

raceway associated with protection system channel 3.

SEPARATION GROUP 4 - A safety-related instrumentation, control, or power scheme/

raceway associated with safety-related load group 2 or protection system channel 4.

Nonsafety-related cables and raceways associated with all normal plant (non-Class 1E) equipment are uniquely identified and separately routed from safety-related cables and raceways, as described in Section 8.1.4.3.

The unique identification afforded virtually all nonsafety-related cables is their black color. Other colors may be used if they do not correspond to a safety-related cable color and it has been evaluated by engineering to be acceptable.

Nameplates with colored backgrounds are provided for all IEEE 308 Class 1E equipment (such as transformers, motors, motor control centers, switchgear, panels, and 8.3-28 Rev. OL-24 11/19

CALLAWAY - SP switchboards) under A/E scope. Each separation group has its distinguishing color. The applicable channel or load group designation is marked on each nameplate. For the identification of instrumentation and control equipment, refer to Section 7.1.2.3.

Raceways are marked in a distinct, permanent manner at intervals not to exceed 15 feet and at points of entry to, and exit from, enclosed areas.

Color identification is provided for each separation group of all field-wired, safety-related cables.

Within control panels where more than one separation group is present, wiring is identified by separation group designation or, if enclosed by conduit, the conduit is identified by separation group designation.

Within a cabinet or panel which is associated and identified with a single separation group, the internal wiring is exclusively associated with the same separation group and, therefore, requires no further identification.

In cases where the majority of the wiring within a cabinet or panel is primarily one separation group, standard color wire and/or sleeves for the majority separation group is used. The remaining wiring is identified, using the appropriate color, as defined in applicable specifications or drawings. When colored sleeves are used in lieu of colored wiring, the sleeves are provided at both ends of the wire and at strategic intervals along its length.

Design drawings provide distinct identification of Class 1E equipment.

Operating and maintenance documents pertaining to Class 1E equipment are distinctly identified.

8.3.1.4 Independence of Redundant Systems 8.3.1.4.1 Separation Criteria This section establishes the criteria and the bases for preserving the independence of redundant Class 1E power systems.

8.3.1.4.1.1 Raceway and Cable Routing

a. Wherever possible, cable trays are arranged from top to bottom, with trays containing the highest voltage cables at the top and trays containing the lowest voltage cables at the bottom. A raceway designated for a single voltage category of cables contains only cables of the same voltage category. Voltage categories are:
1. 15-kV power (non-Class 1E) 8.3-29 Rev. OL-24 11/19

CALLAWAY - SP

2. 5-kV power
3. Large 600-V power (cables from load centers)
4. 600-V power (cables from motor control centers, control cables and unshielded switched signal cables)
5. Instrumentation cables (analog and shielded digital signal cables)

Whenever practical, fiber optic cables are routed with instrumentation cables, but may be routed through raceways of any voltage category.

b. Cables associated with each safety-related separation group, as defined in Section 8.3.1.3, are run in separate conduits, cable trays, ducts, and penetrations.
c. The arrangement of electrical equipment and cabling minimizes the possibility of a fire in one separation group from propagating to another separation group.

Except when confirming analyses support less stringent requirements, the following rules apply to those areas in which the only source of fire is electrical. Areas in which the only source of fire is electrical are divided into two groups--cable spreading rooms and general plant areas.

GENERAL - Routing of instrumentation, control, or power cables through rooms or spaces where there is a potential for accumulation of large quantities of combustible fluids is avoided. Where such routing is unavoidable, only cables of one separation group are allowed. In addition, the cables are enclosed in conduit. Openings in solid floors for vertical runs of cables are sealed with fire resistant material.

GENERAL PLANT AREAS - In plant areas from which equipment with potential hazards such as missiles, external fires, and pipe whip are excluded, the separation criteria are as follows:

a. Cable trays of different separation groups have a minimum horizontal separation of 3 feet if no physical barrier exists between the trays. In the limited number of areas where horizontal separation of 3 feet is unattainable, a fire barrier is installed extending at least 1 foot above the top of the tray (or to the ceiling) and 1 foot below the bottom of the tray (or to the floor).
b. For cable trays of different separation groups, there is a minimum vertical separation of 5 feet between open-top trays stacked vertically. In the limited number of areas where trays of different separation groups are stacked with less than 5 feet of vertical separation, a fire barrier is placed 8.3-30 Rev. OL-24 11/19

CALLAWAY - SP between the two separation groups. The barrier extends 1 foot to each side of the tray system (or to the wall).

c. In the case where a tray of one separation group crosses over a tray of a different separation group and the vertical separation is less than 5 feet, a fire barrier is installed extending 1 foot from each side of each tray and 5 feet along each tray from the crossover.
d. Where it is necessary that cables of different separation groups approach the same or adjacent control panels with less than 3-foot horizontal or 5-foot vertical spacing, isolation is maintained by installing both separation groups in steel conduit or enclosed wireway or by installing fire barriers between the separation groups. In the case of horizontal separation, the barrier extends 1 foot below the bottom of the tray (or to the floor) to 1 foot above the top of the tray (or to the ceiling). In the case of vertical spacing, the barrier extends 1 foot on each side of the tray system (or to the wall).
e. Isolation between separation groups is considered to be adequate where physical separation is less than that indicated in Items a, b, and c above, provided the circuits of different separation groups are run in enclosed raceways that qualify as barriers or other barriers are installed between the different separation groups. The minimum distance between these enclosed raceways and between barriers and raceways is 1 inch. The barriers are installed as described in a through d above.

In cases of open trays containing safety-related cables and totally enclosed conduits containing non-safety related cables, the safety design basis is to protect the safety related cables from failure of the non-safety related circuits, and not vice-versa. In consideration of this basis, enclosing the non-safety circuits in conduit and maintaining at least one inch separation provides an acceptable level of protection. The conduit can contain only a limited quantity of combustible material (cable insulation and jackets).

Furthermore, there is insufficient oxygen inside the conduit to support combustion of more than a fraction of the available material.

Based on these considerations, it is established that a one inch separation between a conduit containing non-safety related circuits and an open tray containing safety related circuits is sufficient to assure that any failure within the non-safety related circuits will not propagate into and compromise the integrity of the safety-related circuits.

The minimum separation between speaker cables, coiled handset cables, and pre-fabricated deskset cables of the Gaitronics public address (PA) system and Class 1E conduit and enclosed raceway is one (1) inch. The voltage and current level of these non-1E cables during a fault condition internal to the circuit is sufficiently low to preclude combustion of the PA 8.3-31 Rev. OL-24 11/19

CALLAWAY - SP system cables. Therefore, the independence and integrity of the Class 1E circuits is maintained.

f. The minimum separation distance between a low-voltage #14 AWG non-Class 1E thermostat control cable supplied from its transformer/relay and any Class 1E cable is one (1) foot. Each of these non-Class 1E cables provides for heater control from a thermostat via contact closure in the thermostat. The associated heaters are located throughout the plant.

These cables are supplied power by a transformer/relay device operating at an output voltage of approximately 30 volts. The one-foot separation criterion has been shown to prevent hazards due to electromagnetic interference or potential cable fires from affecting the operation of Class 1E cables.

IEEE 384-1974 allows for degree of separation to be commensurate with the damage potential. The minimum separation distance can be established by analysis of the proposed cable installation. Therefore, a calculation was performed to analyze the above cable installation criterion for potential fire hazards as well as potential electromagnetic interference hazards.

The fire hazard analysis concluded that the maximum power available due to a cable-related fault was two (2.0) watts. The thermodynamic model developed from the expected physical installation showed that the maximum temperature developed at the fault location was 154.5oF. This temperature is well below any of the cable component ignition temperatures.

The electromagnetic interference calculation found that the maximum induced voltage in an unshielded pair of #14 AWG wires was 0.882 V peak at a one-foot distance with the worst exposed conductor configuration. The possible unshielded victim cables in the plant are operated at nominal voltages of 120 VAC and 125 VDC. This noise level (0.882 V) would not be enought to affect any control circuits. The low-level signal (instrument) cables in the plant are all shielded and would not be affected by this electromagnetic interference.

g. The minimum separation between #16 AWG non-Class 1E leads to the lamp heads of emergency lighting fixtures and Class1E cables is also one foot. The associated emergency lighting fixtures are located throughout the plant. The non-1E leads are fed from a 6-V battery and are protected by a 25-A fast-acting fuse.

A calculation was performed to analyze potential fire hazards under faulted conditions and to analyze potential electrostatic/electromagnetic hazards under normal operatons and faulted conditions. The calculation indicates 8.3-32 Rev. OL-24 11/19

CALLAWAY - SP there is no fire hazard present. It also indicates the largest voltage induced from electrostatic/electromagnetic coupling is 0.099 V which is not large enough to affect control circuits. Instrumentation circuits are shielded and are not affected by electromagnetic interference.

h. Non-class 1E cables used for the plant's Wi-Fi communication system are routed/located throughout the plant. No minimum separation distance between these unshielded, twisted-pair cables and any class 1E cables is necessary to prevent adverse effects on the class 1E cables, with respect to fire or electromagnetic interference (EMI) concerns. The Wi-Fi communication cables are only utilized within low-power circuits ( 200 milliwatts). Thus, they cannot combust or produce a fire hazard from a fault condition, nor can they produce unacceptable EMI effects from inductive or capacitive coupling.

CABLE SPREADING AREAS - The cable spreading area does not contain high energy equipment such as switchgear, transformers, rotating equipment, or potential sources of missiles or pipe whip and is not used for storing flammable materials. (Circuits in the cable spreading area are limited to control and instrument functions and also those power supply circuits and facilities serving the control room and instrument systems.)

Power supply feeders 480 V and above are installed in enclosed raceways. Separation criteria are as follows:

a. The minimum separation distance between redundant Class 1E cable trays is 1 foot between trays separated horizontally and 3 feet between trays separated vertically.
b. Where termination arrangements preclude maintaining the minimum separation distance, the redundant circuits are run in enclosed raceways or other barriers are provided between redundant circuits. The minimum distance between these redundant enclosed raceways and between barriers and raceways is 1 inch. The fire barriers are installed as described above in General Plant Areas.
c. Arrangement and/or protective barriers preclude locally generated forces or missiles from destroying redundant systems. In the absence of confirming analyses to support less stringent requirements, the following rules have been used:
1. The routing of Class 1E circuits and the location of Class 1E electrical equipment is reviewed for exposure to hazards such as high pressure piping, missiles, flammable material, and flooding.

A degree of separation or physical protection commensurate with the damage potential of the hazard is provided so that the independence of redundant Class 1E subsystems is maintained.

8.3-33 Rev. OL-24 11/19

CALLAWAY - SP The separation of redundant Class 1E circuits and equipment makes use of features inherent in the plant design, such as using different rooms or opposite sides of rooms or areas.

2. The separation of Class 1E circuits and equipment is such that the required independence is not compromised by the failure of mechanical systems served by the Class 1E systems. For example, Class 1E circuits are routed or protected so that failure of related mechanical equipment of one redundant subsystem cannot jeopardize Class 1E circuits or equipment essential to the operation of the other redundant subsystem.
d. Nonsafety-related cables are not routed through safety-related raceways.

However, if a nonsafety-related cable is fed from a safety-related power service it may be routed through safety-related raceways of the same separation group as that of the power service. For a discussion of nonsafety-related circuits fed from safety-related sources through isolation devices, refer to Section 8.1.4.3 - Regulatory Guide 1.75.

e. Load group 1 and protection channels 1 and 3 and load group 2 and protection channels 2 and 4 cables are routed through separate cable chases and cable spreading rooms. The former circuits enter the lower cable spreading room, while the latter circuits enter the upper cable spreading room.
f. The independence of redundant NSSS safety-related systems is discussed below:

Safety-related reactor trip, engineered safety features actuation, and instrumentation and control power supply systems are designed to meet the independence and separation requirements of Criterion 22 of the 1971 General Design Criteria and Paragraph 4.6 of IEEE 279, 1971.

Channel independence is carried throughout the system, extending from the sensor through to the devices actuating the protective function.

Physical separation of wiring for each redundant channel set is used.

Redundant analog equipment is separated by locating modules in different protection rack sets.

Each redundant channel set is energized from a separate ac power feed.

There are four separate process protection analog rack sets. Separation of redundant analog channels begins at the process sensors and is maintained in the analog protection racks to the redundant trains in the logic racks. Redundant analog channels are separated by locating modules in different rack sets. Within these racks, field run 8.3-34 Rev. OL-24 11/19

CALLAWAY - SP nonsafety-related shielded cables having a signal level of 100 V or less are routed in common wireways with safety-related shielded cables with no physical separation. Internal cabinet safety and nonsafety-related cables are similarly routed. Justification for this method of routing is contained in Reference 1. The field run nonsafety-related shielded cables to these cabinets are routed in accordance with Reference 1.

Two reactor trip breakers are actuated by two separate logic matrices which interrupt power to the control rod drive mechanisms. The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all control rod drive mechanisms, permitting the rods to free fall into the core.

Protection system channel inputs are separated from the solid state protection system train outputs as follows:

1. Shielded cables defined in the NSSS vendor protection system documentation (process sensing circuits, solid state protection system logic cabinet inputs from control board switches, and pushbuttons) are separated from 120-V AC instrumentation and vital instrument bus voltage cables and 120-V AC and 125-V DC control voltage cables.
2. Prefabricated cables which connect process control system 24-V DC signals to the protection system input are separated from the 120-V AC instrumentation and vital instrument bus voltage cables, 120-V AC and 125-V DC control voltage cables.
3. The 48-V DC reactor trip logic Train A and Train B output circuits are installed in separate conduits.
4. Train A protection system outputs (120-V AC and 125-V DC Class 1E control voltage unshielded cables only) are contained in the same tray as protection system channel I unshielded cables.
5. Train B protection system outputs (120-V AC and 125-V DC Class 1E control voltage unshielded cables only) are contained in the same tray as protection system channel IV unshielded cables.

These requirements are complied with in the field circuiting.

8.3.1.4.1.2 Control Boards and Other Panels Within the control boards and other panels associated with protection systems, circuits and instruments of different separation groups (see Section 8.3.1.3) are independent and physically separated horizontally and vertically by a distance of 6 inches. Where 8.3-35 Rev. OL-24 11/19

CALLAWAY - SP physical separation is impracticable, conduit and/or fire barriers are utilized to maintain independence.

The Westinghouse Solid State Protection System Logic and Output, Nuclear Instrumentation System, and 7300 Series Process Control System cabinets are exempt from the 6 inch separation criteria, as discussed in Section 7.1.2.2.1.

Single control devices to which different separation groups are connected are avoided, wherever practicable. Where single devices are unavoidable, electrical isolation is provided. Devices that provide electrical isolation include relays, isolation amplifiers, and solid-state optical couplers. A small number of control switches (e.g., reactor trip switches, lockout relays) contain different separation group wiring to their control contacts. For these switches, electrical independence is maintained, and physical barriers are provided between each separation group. Within control boards and other panels, nonsafety-related wiring is not harnessed together with safety-related wiring.

However, if an associated nonsafety-related cable is supplied from a safety-related bus it is treated as a safety-related cable and is harnessed with safety-related cables of the same group. Harnesses of different separation groups are separated physically by a distance of 6 inches. Where physical separation is impracticable, fire barriers, conduit, or wire duct is used to maintain independence.

The Gaitronics Handset/Amplifier on the Main Control Board Panel - RL005/6 used for plant communication has nonsafety cabling routed between its components that is not separated from Class 1E systems/circuits by six inches or more.

A calculation was performed to analyze the above cabling installation criteria for potential fire hazards. The fire hazard analysis concluded that short circuits on any of the cables would not produce currents higher than the ampacity ratings of the cables. Also, the fault temperatures would not exceed any ignition temperatures for the cables and the electromagnetic effects are insignificant. Thus, no potential exists to produce a fire and the cabling can be routed not meeting the six inch criteria.

8.3.1.4.1.3 Reactor Containment Penetration Areas Two separate penetration areas are provided for all cables that must pass through the containment wall. The south penetration area contains cable for Separation Groups 2 and 4, each group having separate penetration assemblies. The north penetration area contains cable for Separation Groups 1 and 3, each group again having separate penetration assemblies. Raceway separation criteria, as described in this section, apply in routing cable through the penetration areas.

8.3.1.4.2 Administrative Responsibilities and Controls for Assuring Separation Criteria During Design and Installation The scheme and raceway channel identification (refer to Section 8.3.1.3) facilitates and ensures the maintenance of separation in the routing of cables and the connection of 8.3-36 Rev. OL-24 11/19

CALLAWAY - SP control boards and panels. At the time of the cable routing assignment in the design office, the routing engineer checks to ensure that the separation group designation on the scheme to be routed is compatible with the raceways in the intended route.

Extensive use of computer program checks helps ensure separation. Each circuit and raceway is identified in the computer program, and the identification includes the applicable separation group. The program used in routing specifically checks to ensure that cables of a particular separation group are routed through the appropriate raceways.

The routing is also confirmed by quality control personnel, during installation, to be consistent with the design document. Color identification of equipment and cabling (refer to Section 8.3.1.3) assists field personnel in this effort.

8.3.2 DC POWER SYSTEMS 8.3.2.1 Description The DC power system consists of four independent Class 1E 125-V DC subsystems, four non-Class 1E 125-V DC subsystems, and one non-Class 1E 250-V DC system. The DC power system is designed to provide reliable and continuous power for controls, instrumentation, inverters, and DC emergency auxiliaries.

The Class 1E DC system provides DC electric power to the Class 1E DC loads and for control and switching of the Class 1E systems. Physical separation, electrical isolation, and redundancy are provided to comply with the requirements of IEEE 308. The four Class 1E DC power subsystems are shown in Figure 8.3-6. Subsystems 1 and 4 provide control power for AC Load Groups 1 and 2, respectively. These subsystems also provide vital instrumentation and control power for channels 1 and 4, respectively, of the reactor protection and engineered safety features systems. DC subsystems 2 and 3 provide vital instrumentation and control power for channels 2 and 3, respectively, of the reactor protection and engineered safety features systems. Each Class 1E DC power subsystem consists of one 125-V battery, one primary battery charger, one inverter, distribution switchboards, a shared swing battery charger, a shared swing inverter/UPS, swing inverter transfer switches, and swing battery charger transfer switches. The primary battery chargers for DC subsystems 1 and 3 are supplied 480-V AC power from different Class 1E busses of Load Group 1 while their shared swing battery charger is supplied 480-V AC power from either a Class 1E bus of Load Group 1 or a non-Class 1E bus from load group 5. Similarly, the primary battery chargers for DC subsystems 2 and 4 are supplied 480-V AC power from different Class 1E busses of Load Group 2 while their shared swing battery charger is supplied 480-V AC power from either a Class 1E bus of Load Group 2 or a non-Class 1E bus from load group 6. The inverter/UPS cabinets provide four independent 120-V AC vital instrumentation and control power supplies for the channels of reactor protection and engineered safety features systems.

Two swing battery charger subsystems are provided for the Class 1E DC power subsystems. One for use with Class 1E DC subsystems 1 and 3 and the other for use with Class 1E DC subsystems 2 and 4. The swing battery chargers are physically located on the 2000 foot elevation in the Class 1E AC switchgear rooms and 8.3-37 Rev. OL-24 11/19

CALLAWAY - SP permanently connected to their respective Class 1E DC power subsystems via manually controlled electrically operated transfer switches. In the event of a failure of a primary battery charger, the respective swing battery charger can be quickly aligned to provide power to the affected DC power subsystem. Therefore, the malfunctioning equipment may be repaired without imposing long-term disruption of the system. Once the swing battery charger is aligned to a given DC power subsystem all of the required annunciated trouble conditions are monitored on the swing charger and an annunciator window on the main control boards is lit to alert the control room staff that a swing charger is in use.

The batteries, racks, chargers, inverters, and auxiliary distribution equipment (switchboards and transfer switches) are designed seismic Category 1, and are designed to maintain their functional capability during and after an SSE.

The non-Class 1E loads for the power block are supplied by separate DC systems. A 125-V DC system is provided to supply nonvital control and instrumentation (see Figures 8.3-6 and 8.3-7). Two 200-A DC feeders off PK01 and PK02 (Figure 8.3-6) are provided to supply the site system DC control loads. In addition, a 250-V DC system (Figure 8.3-6) is provided to supply nonvital DC motors, such as emergency lube oil pumps and emergency seal oil pumps. The 125-V DC system (Figure 8.3-7), in conjunction with inverters, also provides power for the plant computers, fire detection system, radiation monitoring, public address system, and the digital feedwater control system. Loads served from the 125-V DC PK05 bus include breaker control power for the AEPS (Site Addendum Section 8.4) and the non-safety auxiliary feedwater pump (Standard Plant Sections 9.2.6, 10.4.7, and 10.4.9).

The 250-V DC system includes one battery and two battery chargers, one charger serving as a backup for the other. The non-Class 1E 125-V DC system includes five batteries (PK11-PK15), each of which has one battery charger.

One battery charger of the 250-V DC system and all battery chargers of the non-Class 1E 125-V DC system are supplied 480-V AC power from the standby power system.

The 125-V and 250-V DC Class 1E and non-Class 1E systems are subjected to a maximum voltage of 140 V and 280 V DC, respectively. This occurs during the equalization of the batteries. All equipment associated with and connected to the DC systems is designed to withstand the maximum voltage during equalization.

8.3.2.1.1 Safety-Related DC Loads Table 8.3-1 identifies loads related to each Class 1E 125-V DC subsystem.

8.3.2.1.2 Class 1E Station Batteries and Battery Chargers BATTERY CAPACITY - The Class 1E batteries are sized in excess of that required to supply the loads in Tables 8.3-2 and 8.3-3 for 200 minutes. The required capacity is 8.3-38 Rev. OL-24 11/19

CALLAWAY - SP initially evaluated from design loads, with margin, imposed on each battery throughout the 200-minute duty cycle.

From this capacity, a margin of 25 percent is applied to ensure that the rated battery capacity is at least 125 percent of that required. This margin is consistent with the 80 percent capacity battery replacement criteria given in IEEE Standard 450-1995.

As a result of the above sizing, the batteries are selected from those larger sizes that are commercially available. The resulting battery selection ensures capacity in excess of 150 percent of the system requirements.

BATTERY CHARGER CAPACITY - The capacity of each primary Class 1E battery charger and of each swing battery charger is based on the largest combined demand of all the steady state loads and the charging capacity to restore the battery from the design minimum charge state (one duty cycle) to a fully charged state within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> (irrespective of the status of the plant during which these demands occur).

INSPECTION, MAINTENANCE, AND TESTING - Testing of the DC power system is performed during plant operation, in accordance with IEEE Standard 450-1995 and the plant Technical Specifications.

Preoperational tests and inspections were performed in accordance with the procedures described in Chapter 14.0.

8.3.2.1.3 Separation and Ventilation The Class 1E batteries, chargers, and DC switchgear of each separation group are located in separate rooms of the seismic Category I control building. The swing battery chargers are located in the AC switchgear rooms on the 2000 foot elevation of the seismic Category 1 control building. One swing battery charger is located in room 3301 and the other swing batter charger is located in room 3302. Chargers and DC switchgear are in separate rooms from the batteries. The battery rooms are ventilated by a system which is designed to preclude the possibility of hydrogen accumulation.

Section 9.4.1.2 contains a description of the battery room ventilation system. Battery room temperature is controlled or the batteries appropriately derated so that the battery capacity is maintained at a level that satisfies the requirements of Section 8.3.2.1.2.

8.3.2.2 Analysis 8.3.2.2.1 Compliance with General Design Criteria, Regulatory Guides, and Industry Standards The following paragraphs analyze compliance of the Class 1E DC power system with Regulatory Guides 1.6, 1.32, 1.41, 1.81, 1.93, 1.128, and 1.129 and IEEE Standards 308-1974 and 450-1995.

8.3-39 Rev. OL-24 11/19

CALLAWAY - SP Compliance with General Design Criteria 17 and 18 is discussed in Section 3.1.

Refer to Appendix 3A for the applicable revision dates on regulatory guides.

REGULATORY GUIDE 1.6, INDEPENDENCE BETWEEN REDUNDANT STANDBY (ONSITE) POWER SOURCES AND BETWEEN THEIR DISTRIBUTION SYSTEMS -The Class 1E DC system is separated into four subsystems, two per load group. Each DC subsystem is energized by one battery and one primary battery charger.

One swing battery charger is provided as a back-up for the primary battery chargers for Load Groups 1 and 3, and one swing battery charger is provided as a back-up for the primary battery chargers for Load Groups 2 and 4. Each primary battery charger is supplied from its associated AC Load Group while the swing battery chargers are supplied from either a preferred Class 1E Load Group or a Non-class 1E Load Group.

The batteries are exclusively associated with a single 125-V DC bus. No provision exists for transferring loads between redundant 125-V DC subsystems. Thus, sufficient independence and redundancy exist between the 125-V DC subsystems to ensure performance of minimum safety functions, assuming a single failure.

REGULATORY GUIDE 1.32, CRITERIA FOR SAFETY-RELATED ELECTRIC POWER SYSTEMS FOR NUCLEAR POWER PLANTS The requirements of Regulatory Positions C.1 and C.2 pertaining to the DC systems are met as follows:

a.

Reference:

Paragraph C.1.b of the regulatory guide. Refer to Section 8.3.2.1.2.

b.

Reference:

Paragraph C.1.c of the regulatory guide. The battery performance test interval is as specified in IEEE Standard 450-1995 and the plant Technical Specifications, rather than the 3 years specified in Table 2 of IEEE Standard 308-1974.

The battery service test is performed in addition to the battery performance discharge test, consistent with Regullatory Guiide 1.32. However, a modified performance discharge test may be performed in lieu of a service test if desired, in accordance with the provisions of the Technical Specifications and IEEE Standard 450-1995. The battery service test interval is 18 months, in accordance with the provisions of the Technical Specifications. See Appendix 3A for discussion of compliance with Regulatory Guide 1.32 in relation to IEEE Standard 450.

c.

Reference:

Paragraph C.1.d of the regulatory guide. Refer to Regulatory Guide 1.6 above in this section.

d.

Reference:

Paragraph C.2.a of the regulatory guide. Refer to Regulatory Guide 1.81 below in this section.

8.3-40 Rev. OL-24 11/19

CALLAWAY - SP

e.

Reference:

Paragraph C.2.b of the regulatory guide. Refer to Regulatory Guide 1.93 below in this section.

REGULATORY GUIDE 1.41, PREOPERATIONAL TESTING OF REDUNDANT ONSITE ELECTRIC POWER SYSTEMS TO VERIFY PROPER LOAD GROUP ASSIGNMENTS - In compliance with this regulatory guide, the Class 1E 125-V DC subsystems designed in accordance with Regulatory Guides 1.6 and 1.32 are tested as follows:

a. Testing of the DC power system, including an acceptance test of battery capacity, is performed prior to unit operation and after major modifications or repairs in accordance with the procedures described in Chapter 14.0.
b. The charger, battery connections, and charger supply are checked for proper assignment to the proper AC load group.
c. Class 1E 125-V DC subsystems are functionally tested, along with the associated AC load group, by disconnecting and isolating the other AC load group, its AC power sources, and the associated DC subsystem.

Each test includes simulation of an engineered safety features actuation signal, startup of the standby diesel generator and the load group under test, sequencing of loads, and the functional performance of the loads.

During these tests, the ability of the 125-V DC subsystem to perform its intended functions, e.g., control of diesel generators and Class 1E AC switchgear, is checked.

d. During the testing of the Class 1E 125-V DC subsystem associated with one AC load group, the busses of the 125-V DC subsystem associated with the AC load groups not under test are monitored to verify the absence of voltage, indicating no interconnection of the DC systems.

REGULATORY GUIDE 1.81, SHARED EMERGENCY AND SHUTDOWN ELECTRIC SYSTEMS FOR MULTI-UNIT NUCLEAR POWER PLANTS - Refer to Appendix 3A for the response to this regulatory guide.

REGULATORY GUIDE 1.93, AVAILABILITY OF ELECTRIC POWER SOURCES -Refer to Appendix 3A for the response to this regulatory guide.

REGULATORY GUIDE 1.128, INSTALLATION DESIGN AND INSTALLATION OF LARGE LEAD STORAGE BATTERIES FOR NUCLEAR POWER PLANTS - The requirements of IEEE 484, 1975 are used for the installation of batteries.

The battery room ventilation system limits hydrogen concentration to less than 2 percent by volume at any location in the battery area.

8.3-41 Rev. OL-24 11/19

CALLAWAY - SP Restraining channel beams and tie rods are electrically insulated from the cell cases and are finished with acid-resistant paint.

The requirements of Regulatory Guide 1.120 for safety-related battery rooms are complied with. Refer to Appendix 3A for the response to this regulatory guide.

The requirements of Regulatory Guide 1.100 are complied with. Refer to Appendix 3A for the response to this regulatory guide.

Batteries are located in a well-ventilated location with adequate aisle space and space above cells.

Temperature differential between cells is no greater than 3º C at a given time. The presence of localized heat sources is precluded.

Eyewash facilities are provided in the corridor between the battery rooms as shown on Figure 1.2-24.

Battery racks provide for the mounting of batteries in a twostep configuration.

Fire detection sensors and alarms are provided as described in Section 9.5.1.

During unpacking, any cell with electrolyte level 1/2 inch or more below the top of the plates is replaced.

Cells are stored in a clean, level, dry, and cool location. Extremely low ambient temperatures and localized sources of heat are avoided.

The recommendations for a freshening charge outlined in IEEE 484, Paragraph 5.3.1 are followed after the installation of the batteries.

A hydrogen survey is performed to verify that the ventilation system limits hydrogen concentration to less than 2 percent by volume. This survey data is recorded and maintained in a permanent file for future reference.

REGULATORY GUIDE 1.129, MAINTENANCE, TESTING, AND REPLACEMENT OF LARGE LEAD STORAGE BATTERIES FOR NUCLEAR POWER PLANTS -The requirements of IEEE Standard 450-1995 are followed as explained in Appendix 3A and as further described below.

IEEE Standard 308-1974, IEEE Standard Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations - For compliance with the AC power requirements of IEEE 308, refer to Section 8.1.4.3.

The following provides compliance for the DC power requirements of IEEE 308.

8.3-42 Rev. OL-24 11/19

CALLAWAY - SP The Class 1E DC system provides DC electric power to the Class 1E DC loads and for the control and switching of the Class 1E systems. Physical separation, electrical isolation, and redundancy are provided to prevent the occurrence of common mode failures. The design of the Class 1E DC system includes the following:

a. The DC system is separated into four subsystems.
b. The safety actions of each group of loads are independent of the safety actions provided by its redundant counterpart.
c. Each DC subsystem includes power supplies that consist of one battery, one primary battery charger, and access to one swing battery charger.
d. The batteries are not interconnected.
e. The batteries do not have a common failure mode.

Each Class 1E DC distribution circuit is capable of transmitting sufficient energy to start and operate all the required loads in that circuit. Distribution circuits to redundant equipment are independent of each other. The distribution system is monitored to the extent that it is shown to be ready to perform its intended function. The DC auxiliary devices required to operate the equipment of a specific AC load group are supplied from the DC subsystem of the same load group.

The batteries are maintained in a fully charged condition and have sufficient stored energy to operate all the necessary circuit breakers and to provide an adequate amount of energy for all required emergency loads for 200 minutes after loss of AC power or charger failure.

Each primary and swing battery charger has sufficient capacity to restore the battery from the design minimum charge (one duty cycle) to its fully charged state while supplying the largest combined demand of the steady-state loads. The primary battery charger of one subsystem is independent of the battery charger for the redundant subsystem. The swing battery chargers are connected to the primary battery chargers through a series of transfer switches which assure circuit independence.

Instrumentation is provided to monitor the status of each DC subsystem. No instrumentation is shared between subsystems.

A summary annunciator in the control room is provided to alarm on any one of the following conditions. Each condition is also provided with individual alarm windows at the main switchboard.

a. Charger input breaker open
b. Charger output breaker open 8.3-43 Rev. OL-24 11/19

CALLAWAY - SP

c. Charger failure
d. Charger input AC undervoltage
e. Charger output DC undervoltage
f. Charger output DC overvoltage
g. DC bus undervoltage
h. Distribution switchboard undervoltage
i. DC ground
j. Battery circuit continuity monitor
k. Swing Charger in Use Indicating instruments are provided to monitor the following:
a. Battery output amperes (local and control room)
b. Bus voltage (local and control room)
c. Charger output current (local and control room)
d. Charger output voltage (local only)
e. Distribution switchboard white light (local only)

Each primary and swing battery charger has an input AC and output DC circuit breaker for isolation of the charger. Each primary and swing battery charger power supply is designed to prevent the AC supply from becoming a load on the battery due to a power feedback as the result of the loss of AC power to the charger.

Equipment to the Class 1E DC system is protected and isolated by fuses or circuit breakers in the event of a short circuit or overload conditions. Indication is provided to identify equipment that is made unavailable per the following:

Event Available Indication

a. Battery charger AC input Control room summary alarm, alarm at breaker trip main switchboard, breaker position at charger 8.3-44 Rev. OL-24 11/19

CALLAWAY - SP

b. Battery charger DC output Control room summary alarm, alarm at breaker trip main switchboard, breaker position at charger
c. Battery fuse blow Control room summary alarm, alarm at main switchboard
d. Distribution switchboard Control room summary alarm, alarm at feeder fuse blow main switchboard local white light
e. Distribution circuit fuse Individual equipment alarm blow
f. Inverter DC feeder fuse Inverter Trouble Alarm / Static Switch blow Transfer
g. Inverter output AC breaker 120-V AC vital bus undervoltage trip alarm
h. Battery high rate of Control room computer alarm discharge Periodic testing and surveillance requirements for the Class 1E batteries are detailed in the Callaway Technical Specifications.

Dependable power supplies are provided for the reactor protection system and engineered safety features actuation system. Four independent DC and AC power supplies are provided for control and instrumentation of these systems. The independent DC supplies are provided by distribution circuits from distribution panels on each system. Independent ac supplies are provided by the four inverters and associated 120-V AC vital busses. Refer to Section 8.3.1.1.5 for further description of these vital instrument AC power supplies.

IEEE STANDARD 450-1995, IEEE RECOMMENDED PRACTICE FOR MAINTENANCE, TESTING, AND REPLACEMENT OF VENTED LEAD-ACID BATTERIES FOR STATIONARY APPLICATIONS - The following recommended practices of IEEE 450 for maintenance, testing, and replacement of batteries are followed for the Class 1E batteries:

a. Maintenance, inspections, and tests, including cell differential temperature measurements, are carried out on a regularly scheduled basis to comply with the requirements of IEEE 450.
b. An acceptance test of battery capacity is performed at the factory to determine if it meets the specified discharge rate and duration.

8.3-45 Rev. OL-24 11/19

CALLAWAY - SP

c. The first performance test of battery capacity is carried out within the first 2 years of service. The subsequent performance tests of battery capacity are made once every 5 years until the battery shows signs of degradation.

Refer to the Callaway Technical Specifications, Section 3.8.4.

d. Performance tests of battery capacity are given at 18-month test intervals to any battery that shows signs of degradation or which has reached 85 percent of the expected service life, in accordance with the provisions of the plant Technical Specifications.
e. Battery service tests or modified performance tests, as described in Sections 5.3 and 5.4 of IEEE Standard 450-1995, respectively, are performed at 18-month intervals in accordance with the provisions of the plant Technical Specifications.
f. The rating of the battery when purchased is approximately 25 percent greater than that required to supply the emergency load requirements.

This margin permits a battery replacement criteria of 80-percent rated capacity (refer to Section 8.3.2.1.2).

g. Records of the data obtained from inspections and tests are kept along with test procedures, to comply with the requirements of IEEE 450.

8.3.3 FIRE PROTECTION FOR CABLE SYSTEMS The measures employed for the prevention of and protection against fires in electrical cables are described in Section 9.5.1.

Section 8.3.1.4.1, Separation Criteria, provides information regarding separation between redundant cable trays.

8.

3.4 REFERENCES

1. Marasco, F. W. and Siroky, R. M., Westinghouse 7300 Series Process Control System Noise Tests, WCAP-8892-A, June 1977.
2. SLNRC 84-0069, dated April 17, 1984.
3. SLNRC 84-0071, dated April 23, 1984.
4. SLNRC 84-0077, dated May 2, 1984.

8.3-46 Rev. OL-24 11/19

CALLAWAY - SP TABLE 8.3-1 CLASS 1E DC SYSTEM LOADS I. DC Subsystem 1 (Separation Group 1)

a. Diesel generator NE01 control and field flashing
b. Solenoid valves, indicating lights, and miscellaneous power and controls associated with load group 1
c. Class 1E switchgear of load group 1 dc control
d. Inverter/UPS NN11 or Swing Inverter/UPS NN17
e. Reactor trip switchgear, channel 1 dc control
f. Main control room dc emergency lighting
g. Load shedder and emergency load sequencer panel
h. Engineered safety feature status panel
i. Diesel generator 1 control panel II. DC Subsystem 4 (Separation Group 4)
a. Diesel generator NE02 control and field flashing
b. Solenoid valves, indicating lights, and miscellaneous power and controls associated with load group 2
c. Class 1E switchgear of load group 2 dc control
d. Inverter/UPS NN14 or Swing Inverter/UPS NN18
e. Reactor trip switchgear Channel 2 dc control
f. Engineered safety features status panel
g. Load shedder and emergency load sequencer panel
h. Diesel generator 2 control panel Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-1 (Sheet 2)

III. DC Subsystem 3 (Separation Group 3)

a. Inverter/UPS NN13 or Swing Inverter/UPS NN17
b. Miscellaneous indicators, power, and controls associated with Separation Group 3 IV. DC Subsystem 2 (Separation Group 2)
a. Inverter/UPS NN12 or Swing Inverter/UPS NN18
b. Miscellaneous indicators, power, controls, and auxiliary feedwater pump turbine controls associated with Separation Group 2 Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-2 125 V DC CLASS 1E BATTERY LOADING CYCLE (AMPERES REQUIRED PER TIME INTERVAL PER BATTERY AFTER LOSS OF AC POWER) SUBSYSTEMS 1 AND 4 Load description (1) 0-1 1-2 2-140 140-141 141-238 238-240 Function min min min min min (4) min Diesel generator control and 2 2 2 35 2 35 Initial generator field flashing excitation and control Class 1E AC switchgear 61 106 6 6 6 91 circuit breaker operation (2) Control power Control panel indicating lights, 32 32 32 32 32 32 control circuits, and Control and instrumentation instrumentation Distribution panels (2) 204 7 5 0 0 8 Distribution of power Reactor trip switchgear 7 1 1 1 1 1 control Reactor protection Inverters 66 66 66 66 66 66 Vital instrumentation power Control room lighting (3) 9 9 9 9 9 9 Illumination Load shedder and emergency 6 6 6 6 6 6 Class 1E cabinet load sequencer (LSELS) power supply Miscellaneous loads 2 2 2 2 2 2 Miscellaneous Total amperes/interval 389 231 129 157 124 250 Rev. OL-19 5/12

CALLAWAY - SP TABLE 8.3-2 (Sheet 2)

(1) The loading cycle assumes that all continuous loads will be running for the entire duration (240 minutes). Momentary loads are based on the worst case conditions during the emergency. For example, the first column represents the loads that are required at time zero.

(2) Some loads vary at different times during the first minute, as they are actuated by the load shedder and emergency load sequencer (LSELS). The first minute load was based on the most conservative load seen during the first minute, which occurs in the 0 - 10 second range.

(3) Control room emergency lighting is only on Subsystem 1, Subsystem 4 loads will be lower than the loads shown for Subsystem 1.

(4) The load profile combines the requirements of the 200 minute loss of site power (LOOP) with loss of coolant accident (LOCA), and the 240 minute station black out (SBO). The 200 minute load duration is the design requirement for the batteries for a LOOP with LOCA and loss of battry chargers. The section from 141 to 238 minutes was extended to meet a 240 minute coping period for the SBO requirement. The 240 minute duty cycle represents the most limiting condition for the batteries.

Rev. OL-19 5/12

CALLAWAY - SP TABLE 8.3-3 125 V DC CLASS 1E BATTERY LOADING CYCLE (AMPERES REQUIRED PER TIME INTERVAL PER BATTERY AFTER LOSS OF AC POWER) SUBSYSTEMS 2 AND 3 Load description (1) 0-1 1-2 2-140 140-141 141-238 238-240 Function min1 min min min min (3) min Inverters 40 40 40 40 40 40 Vital instrumentation power Misc. indicators, power, 28 5 5 28 5 28 Power and control and controls, including auxiliary turbine-driven feedwater valve (2)

Miscellaneous loads 32 55 55 32 55 32 Miscellaneous Total amperes/interval 100 100 100 100 100 (1) The loading cycle assumes that all continuous loads will be running for the entire duration (240 minutes).

(2) Auxiliary turbine-driven feedwater valve is only on Subsystem 2, Subsystem 3 loads will be lower than the loads shown for Subsystem 2.

(3) The load profile combines the requirements of the 200 minute loss of offsite power (LOOP) with loss of coolant accident (LOCA), and the 240 minute station black out (SBO). The 200 minute load duration is the design requirement for the batteries for a LOOP with LOCA and loss of battery chargers. The section from 141 to 238 minutes was extended to meet a 240 minute coping period for the SBO requirement. The 240 minute duty cycle represents the most limiting condition for the batteries.

Rev. OL-19 5/12

CALLAWAY - SP TABLE 8.3-4 FAILURE MODES AND EFFECTS ANALYSIS This table presents the failure mode and effects analysis (FMEA) of the engineered safety features (ESF) auxiliary electrical power system for the Callaway Plant. The purpose of the analysis is to demonstrate that the Class 1E power system can provide sufficient power to ensure the operation of all ESF loads required for safe shutdown, assuming a single component failure, as defined in IEEE Standard 308-1974.

Components which are included in the analysis are listed on the first sheets of the table.

Refer to Figures 8.3-1 and 8.3-6 for the location of these components in the system.

Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 2)

A. LIST OF MAJOR ELECTRICAL EQUIPMENT 125-V DC 120-VAC Battery Fusible 125-V Distr Manual Tsfr Distr 480-V MCC 13.8 kV Transformers D-G Charges Batteries Switches Swbd Swbd Inverters Bkr Swbd Breakers Breakers (L.G.2) XNG02 XNB02 NE02 NK22 NK12 89NK0201 89NK0402 89NK0404 NK02 NK42 NN12 52NN0201 NN02 52NG02AFF3 252PA0201 XNG04 XMR01 NK24 NK14 89NK0202 89NK0409 89NK0411 NK04 NK44 NN14 52NN0401 NN04 52NG02ADF1 XNG06 NK26 89NK0209 89NK0204 89NK0405 NK54 NN18 52NG02ABR1 XNG08 89NK0401 89NK0211 89NK0203 52NG02AGF3 89NK0403 (L.G.1) XNG01 XNB01 NE01 NK21 NK11 89NK0101 89KN0302 89NK0304 NK01 NK41 NN11 52NN0101 NN01 52NG01ACR3 XNG03 NK23 NK13 89NK0102 89NK0309 89NK0311 NK03 NK43 NN13 52NN0301 NN03 52NG01ABF1 XNG07 NK25 89NK0109 89NK0104 89NK0105 NK51 NN17 52NG01ABR1 XNG05 89NK0301 89NK0111 89NK0103 52NG01ABR2 89NK0303 4160-V 480-V 480-V Bus L.C. MCC 4-kV Breakers 480-V Breakers (L.G.2) NG02 NG02A NG06E 152NB0209 152NB0212 152NB0201 152NB0205 152NB0216 52NG0401 52NG0206 52NG0803 52NG0405 NB02 NG04 NG02B NG08F 152NB0211 152NB0208 152NB0206 152NB0215 52NG0201 52NG0207 52NG0805 NG08 NG04C NG02T 152NB0213 152NB0204 152NB0207 152NB0214 52NG0406 52NG0216 52NG0208 NG04T NB04 NG04D NG08S 152NB0210 152NB0202 152NB0203 152NB0217 52NG0407 52NG0804 (L.G.1) NG01 NG01A NG05E 152NB0112 152NB0109 152NB0104 152NB0105 152NB0116 52NG0101 52NG0307 52NG0703 52NG0305 NB01 NG03 NG01B NG07F 152NB0110 152NB0106 152NB0107 152NB0115 52NG0301 52NG0306 52NG0705 NG07S NG07 NG03C NG01T 152NB0113 152NB0101 152NB0108 152NB0114 52NG0106 52NG0116 52NG0108 NB03 NG03D NG03T 152NB0111 152NB0103 152NB0102 152NB0117 52NG0107 52NG0704 Transfer Switches (L.G.2) NK72 NK74 NK80 NK76 NK78 (L.G.1) NK71 NK73 NK79 NK75 NK77 Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 3)

B. FAILURE MODES AND EFFECTS ANALYSIS Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure N/A Offsite power Provides power to Loss of power Loss of preferred Undervoltage relays, None-Offsite power Offsite system failure, startup xfmr XMR01 power to xfmr XMR01 volt-meters, lights or supplied by alternate transmission line failure, undervoltage source through ESF bus fault, failure of swyd annunciation. xfmr XNB01. bkr, low grid voltage.

N/A Offsite power Provides power to ESF Loss of power Loss of preferred Undervoltage relays, None-Offsite power Offsite system failure, xfmr XNB01 power to XNB01 volt meters, lights or supplied by alternate transmission line failure, undervoltage source through startup bus fault, failure of swyd annunciation xfmr XMR01. bkr, low grid voltage.

XMR01 Startup transformer Provides preferred Fails to provide Loss of preferred Overcurrent, neutral None-Offsite power Internal fault, lightning power to ESF xfmr power power to XNB02 ground overcurrent, supplied by alternate arrestor failure, bushing XNB02 and differential relays; source through ESF failure, cooling system fault pressure xfmr XNB01. failure (during startup only) annunciation; undervoltage annunciation for bus NB02.

XNB01 ESF transformer Provides preferred Fails to provide Loss of preferred Undervoltage None. D-G NE01 Internal fault, bushing power to bus NB01 power power to bus NB01 annunciation on bus energizes NB01 until bkr failure and backup power to and backup power to NB01 152NB0109 is manually bus NB02 bus NB02 Periodic testing and closed.

inspection ESF Transformer Provides voltage Controllers fail low Raises NB bus Overvoltage None. Capacitor banks Primary and back-up XNB01 automatic support for ESF voltage unexpectedly annunication from NG will not interact. Short controllers fail low.

load tap changer busses load centers term overvoltage has (LTC) been evaluated. Limit device prevents extreme voltage changes.

XNB02 offsite power available.

Control fails high Lowers NB bus Undervoltage None. Capacitor Banks Primary and back-up voltage unexpectedly annunication step on. Eventually, controllers fail high, LTC degraded voltage controller potential circuits shed bus. transformers fail high Loads are transferred to Diesel Generators.

XNB02 offsite power available.

Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 4)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure 152NB0114 1200-A, 4.16-Kv Provides backup Fails Open Loss of non-Technical Indicating lights, None. Non-Technical Mechanical failure, relay N.O. breaker power to and protects Specification backup undervoltage Specification backup failure, loss of control bus NB01. (Backup power to bus NB01 annunciation on bus power provided to NB02 power power is from the NB01 (via 152NB0214)

AEPS which is used for beyond-design-basis events involving a loss of offsite power and concurrent inoperability of both safety-related diesel generators. See Site Addendum Section 8.4.)

Fails closed Bus NB01 isolated by Periodic testing and None. Bus isolated by PB0503 inspection PB0503. ESF loads fed by NB02 152NB0214 1200-A, 4.16-Kv Provides backup Fails Open Loss of non-Technical Indicating lights, None. Non-Technical Mechanical failure, relay N.O. breaker power to and protects Specification backup undervoltage Specification backup failure, loss of control bus NB02. (Backup power to bus NB02 annunciation on bus power provided to NB01 power power is from the NB02 (via 152NB0114)

AEPS which is used for beyond-design-basis events involving a loss of offsite power and concurrent inoperability of both safety-related diesel generators. See Site Addendum Section 8.4.)

Fails closed Bus NB02 isolated by Periodic testing and None. Bus isolated by PB0502 inspection PB0502. ESF loads fed by NB01 Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 5)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure Tap changer fails to NB bus voltage LTC controller self None. Voltage will not Controller lock-up, LTC move remains as is without check causes MCB be adjusted. Can result motor failure, LTC LTC control LTC trouble in overvoltage or potential transformers fail annuniciation. Over/ undervoltage depending low, voltage-sensing Under Voltage on offsite voltage. transformer fuses fail.

annunciation Undervoltage may result in load shed. Loads are transferred to Diesel generator. Overvoltage is evaluated. XNB02 offsite power available.

NB03 XNB01 voltage Provides voltage Fails to provide Loss of preferred UV annunciation on None. D-G NE01 Internal fault, internal part support capacitor support for the NB01 voltage support to power to bus NB01 bus NB01. Periodic energizes NB01 until bkr failure, loss of control bank Class 1E bus NB01 and backup power to testing and inspection 152NB0109 is manually power.

bus NB02 closed.

Control system fails, Slight overvoltage Overvoltage None. Short-duration Capacitor bank PLC provides excessive annunciation on NG overvoltage operation is failure.

voltage to NB01 load centers evaluated.

XNB02 ESF transformer Provides preferred Fails to provide Loss of preferred Undervoltage None. D-G NE02 Internal fault, bushing power to bus NB02 power power to bus NB02 annunciation on bus energizes NB02 until bkr failure and backup power to and backup power to NB02 152NB0212 is manually bus NB01 bus NB01 closed.

Periodic testing and inspection ESF Transformer Provides voltage Controllers fail low Raises NB bus Overvoltage None. Capacitor banks Primary and back-up XNB02 automatic support for ESF voltage unexpectedly annunication from NG will not interact. Short- controllers fail low.

load tap changer busses load centers term overvoltage has been evaluated. Limit device prevents extreme voltage changes.

XNB01 offsite power available.

Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 6)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure Control fails high Lowers NB bus Undervoltage None. Capacitor banks Primary and back-up voltage unexpectedly annunication step on. Eventually, controllers fail high, LTC degraded voltage controller potential circuits shed bus. transformers fail high Loads are transferred to Diesel Generators.

XNB01 offsite power available.

Tap changer fails to NB bus voltage LTC controller self None. Voltage will not Controller lock-up, LTC move remains as is without check causes MCB be adjusted. Can result motor failure, LTC LTC control LTC trouble in overvoltage or potential transformers fail annuniciation. Over/ undervoltage depending low, voltage-sensing under-voltage on offsite voltage. transformer fuses fail.

annunciation Undervoltage may result in load shed. Loads are transferred to Diesel generator. Overvoltage is evaluated. XNB01 offsite power available.

NB04 XNB02 voltage Provides voltage Fails to provide Loss of preferred UV annunciation on None. D-G NE02 Internal fault, internal part support capacitor support for the NB02 voltage support to power to bus NB02 bus NB02. Periodic energizes NB02 until bkr failure, loss of control bank Class 1E bus NB02 and backup power to testing and inspection 152NB0212 is manually power.

bus NB01 closed.

Control system fails, Slight overvoltage Overvoltage None. Short-duration Capacitor bank PLC provides excessive annunciation on NG overvoltage operation is failure.

voltage to NB02 load centers evaluated.

252PA0201 1,200-A 13.8-kV Provides power to and Fails open Loss of preferred Indicating lights, None. D-G NE02 feeds Mechanical failure, relay N.C. incoming feeder protects ESF xfmr power to xfmr XNB02 undervoltage bus NB02 until bkr failure, control power bkr XNB02 annunciation on bus 152NB0212 is closed. failure NB02 Fails closed Swyd bkr isolates xfmr Periodic testing and None. D-G NE02 feeds XMR01 inspection bus NB02 until bkr 152NB0212 is closed.

152NB0209 2,000-A, 4.16-kV Provides preferred Fails open Loss of preferred Indicating lights, None. Bus NB02 Mechanical failure, relay N.C. breaker power to and protects power to bus NB02 undervoltage supplied by D-G NE02 failure, loss of control bus NB02 annunciation on bus power NB02 Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 7)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure Fails closed Bus NB02 isolated by Periodic testing and None. Bus NB02 N.C. bkr 252PA0201 inspection isolated by N.C. bkr 252PA0201; ESF loads fed by L.G.1.

152NB0109 2,000-A, 4.16-kV Provides backup Fails open Loss of backup power Indicating lights, None. Backup power to Mechanical failure, relay N.O. breaker power to and protects to bus NB01 undervoltage bus NB01 supplied by failure, loss of control bus NB01 annunciation on bus D-G NE01. power NB01 Fails closed Bus NB01 isolated by Periodic testing and None. Bus NB01 N.C. bkr 252PA0201 inspection isolated by N.C. bkr 252PA0201; bus NB02 supplied by D-G NE02 until bkr 152NB0212 is closed.

152NB0112 2,000-A, 4.16-kV Provides preferred Fails open Loss of preferred Indicating lights, None. Bus NB01 Mechanical failure, relay N.C. breaker power to and protects power to bus NB01 undervoltage supplied by D-G NE01. failure, loss of control bus NB01 annunciation on bus power NB01 Fails closed Bus NB01 isolated by Periodic testing and None. Bus isolated by N.C. swyd bkr inspection swyd bkr; ESF loads fed by L.G.2.

152NB0212 2,000-A, 4.16-kV Provides backup Fails open Loss of Backup power Indicating lights, None. Back-up power Mechanical failure, relay N.O. breaker power to and protects to NB02 undervoltage to bus NB02 supplied by failure, loss of control bus NB02 annunciation on bus D-G NE02.

NB02 Fails closed Bus NB02 isolated by Periodic testing and None. Bus NB02 N.C. swyd bkr inspection isolated by N.C. swyd bkr; bus NB01 supplied by D-G NE01 until bkr 152NB0109 is closed.

NB01 4.16-kV bus Distributes electrical Fails to distribute Loss of ESF loads on Undervoltage None. Redundant load Overload or power power NB01 annunciation group provides all ESF short circuit functions.

Periodic testing and inspection NB02 4.16-kV bus Distributes electrical Fails to distribute Loss of ESF loads on Undervoltage None. Redundant load Overload or power power NB02 annunciation group provides all ESF short circuit functions.

Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 8)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure Periodic testing and inspection 152NB0113 1200-A, 4.16-kV Provides power to and Fails open Loss of preferred Indicating lights, None. Redundant load Mechanical failure, relay N.C. breaker protects xfmr XNG01 power to L.C. NG01 undervoltage group provides all ESF failure, control power annunciation on L.C. functions. failure NG01 Fails closed Bus NB01 isolated by Periodic testing and None. Redundant load bkr 152NB0112 inspection group provides all ESF functions.

152NB0110 1200-A, 4.16-kV Provides power to and Fails open Loss of preferred Indicating lights, None. Redundant load Mechanical failure, relay N.C. breaker protects xfmr XNG03 power to L.C. NG03 undervoltage group provides all ESF failure, control power annunciation on L.C. functions. failure NG03 Fails closed Bus NB01 isolated by Periodic testing and None. Redundant load bkr 152NB0112 inspection group provides all ESF functions.

152NB0210 1200-A, 4.16-kV Provides power to and Fails open Loss of preferred Indicating lights None-redundant load Mechanical failure, relay N.C. breaker protects xfmr XNG04 power to L.C. NG04 undervoltage group provides all ESF failure, control power annunciation on L.C. functions failure NG04 Fails closed Bus NB02 isolated by Periodic testing and None-redundant load bkr 152NB0209 inspection group provides all ESF functions XNG01 4.16-kV/480-V load Provides primary Fails to provide Loss of primary power Overcurrent, ground None-redundant load Internal fault, bushing center xmfr power source to L.C. power to L.C. NG01 and overcurrent, neutral group provides all ESF failure NG01 and alternate alternate power to overcurrent functions power source to L.C. L.C. NG03 annunciation, NG03 undervoltage annunciation on L.C.

NG01.

Periodic testing and inspection.

XNG03 4.16-kV/480-V load Provides primary Fails to provide Loss of primary power O.C., ground O.C., None-redundant load Internal fault, bushing center xmfr power source to L.C. power to L.C. NG03 and neutral O.C. annun, UV group provides all ESF failure NG03 and alternate alternate power to annun on L.C. NG03. functions power source to L.C. L.C. NG01 NG01 Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 9)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure Periodic testing and inspection 152NB0111 2,000-A, 4.16-kV Connects diesel Fails open Loss of diesel Indicating lights, None-redundant load Mechanical failure, relay N.O. diesel generator NE01 to bus generator power to undervoltage group provides all ESF failure, control power generator breaker NB01 bus NB01 annunciation on bus functions failure NB01 Fails closed Damage to D-G NE01, Periodic testing and bus NB01 isolated by inspection bkr 152NB0112 152NB0211 2,000-A, 4.16-kV Connects diesel Fails open Loss of diesel Indicating lights, None-redundant load Mechanical failure, relay N.O. diesel generator NE02 to generator power to undervoltage group provides all ESF failure, control power generator breaker NB02 bus NB02 annunciation on bus functions failure NB02 Fails closed Damage to D-G NE02, Periodic testing and bus NB02 isolated by inspection bkr 152NB0209.

NE01 4.16-kV emergency Provides emergency Fails to provide Loss of emergency D-G undervoltage/ None-redundant load Fault, mechanical failure, diesel generator power to bus NB01 emergency power power to bus NB01 under freq, overcurrent, group provides all ESF loss of excitation Volt restrained O.C., functions reverse power, loss of field, over-excitation, differential, and neut ground O.C.

annunciation. Periodic testing and inspection.

Undervoltage annunciation on bus NB01 NE02 4.16-kV emergency Provides emergency Fails to provide Loss of emergency D-G UV/UF, O.C., Volt None-redundant load Fault, mechanical failure, diesel generator power to bus NB02 emergency power power to bus NB02 restr O.C., reverse pwr, group provides all ESF loss of excitation loss of field, over- functions.

excitation, diff and neut GRD O.C.

annunciation. Periodic testing and inspection.

Undervoltage annunciation on bus NB02.

Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 10)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure 152NB0106 1,200-A, 4.16-kV Provides power to and Fails open Loss of power to Indicating lights, None-pressurizer Mechanical failure, relay N.C. breaker protects xfmr XPG21 pressurizer to backup undervoltage heaters are not safety failure, control power heaters annunciation on L.C. related failure PG201 Fails closed Bus NB01 isolated by Periodic testing and None-redundant load N.C. bkr 152NB0112 inspection group provides all ESF functions 152NB0208 1,200-A, 4.16-kV Provides power to and Fails open Loss of power to Indicating lights, None-pressurizer Mechanical failure, relay N.C. breaker protects xfmr XPG22 pressurizer backup undervoltage heaters are not safety failure, control power heaters annunciation on L.C. related failure PG22 Fails closed Bus NB02 isolated by Periodic testing and None-redundant load N.C. bkr 152NB0209 inspection group provides all ESF functions XNG04 4.16-kV/480-V L.C. Provides primary Fails to provide Loss of primary power Overcurrent, ground None-redundant load Internal fault, bushing xmfr power source to L.C. power to L.C. NG04 and overcurrent, neutral, group provides all ESF failure NG04 and alternate alternate power to overcurrent functions power source to L.C. L.C. NG02 annunciation NG02 Undervoltage annunciation on L.C.

NG04. Periodic testing and inspection XNG02 4.16-kV/480-V L.C. Provides primary Fails to provide Loss of primary power O.C., ground O.C., None- redundant L.G. Internal fault, bushing xmfr power to L.G. NG02 power to L.C. NG02 and neut O.C., annun provides all ESF failure and alternate power alternate power to functions source to L.C. NG04 L.C. NG04 Undervoltage annunciation on L.C.

NG02 52NG0101 1,600-A, 480-V N.C. Provides power to and Fails open Loss of power to-L.C. Indicating lights None- redundant L.G. Mechanical failure, relay breaker protects L.C. NG01 NG01 undervoltage provides all ESF failure, loss of control annunciation on L.C. functions power NG01 Fails closed L.C. xfmr isolated by Periodic testing and None-redundant L.G.

bkr 152NB0113 inspection provides all ESF functions Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 11)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure 52NG0301 1,600-A, 480-V N.C. Provides power to and Fails open Loss of power to-L.C. Indicating lights, None- redundant L.G. Mechanical failure, relay breaker protects L.C. NG03 NG03 undervoltage provides all ESF failure, loss of control annunciation on L.C. functions power NG03 Fails closed L.C. xfmr isolated by Periodic testing and None-redundant L.G.

bkr 152NB0110 inspection provides all ESF functions 52NG0401 1,600-A, 480-V N.C. Provides power to and Fails open Loss of power to-L.C. Indicating lights None- redundant L.G. Mechanical failure, relay breaker protects L.C. NG04 NG04 undervoltage provides all ESF failure, loss of control annunciation on L.C. functions power NG04 Fails closed L.C. xfmr isolated by Periodic testing and None-redundant L.G.

bkr 152NB0210 inspection provides all ESF functions 52NG0201 1,600-A, 480-V N.C. Provides power to and Fails open Loss of power to-L.C. Indicating lights, None-redundant L.G. Mechanical failure, relay breaker protects L.C. NG02 NG02 undervoltage provides all ESF failure, loss of control annunciation on L.C. functions power NG02 Fails closed L.C. xfmr isolated by Periodic testing and None-redundant L.G. Mechanical failure, relay bkr 152NB0213 inspection provides all ESF failure, loss of control functions power 52NG0116 1,600-A, 480-V N.O. Ties L.C. NG01 with Fails open Loss of alternate Indicating lights, None-redundant L.G. Mechanical failure, relay breaker NG03 in the event of power to either L.C. undervoltage provides all ESF failure, loss of control loss of primary power NG01 or NG03 annunciation on either functions power to either L.C. NG01 or NG03 Fails closed L.C. NG01 and NG03 Periodic testing and None-redundant L.G.

isolated by bkrs inspection provides all ESF 52NG0101 and/or functions 52NG0301 52NG0216 1,600-A, 480-V N.O. Ties L.C. NG04 with Fails open Loss of alternate Indicating lights, None-redundant L.G. Mechanical failure, relay breaker NG02 in the event of power to either L.C. undervoltage provides all ESF failure, loss of control loss of primary power NG02 or NG04 annunciation on either functions power to either L.C. NG02 or NG04 Fails Closed L.C. NG02 and NG04 Periodic testing and None-redundant L.G.

isolated by bkrs inspection provides all ESF 52NG0201 and/or functions 52NG0401 Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 12)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure L.C. NG01 480-V load center Distributes electrical Fails to distribute Loss of loads on L.C. Undervoltage None-redundant L.G. Overload power power NG01; loss of annunciation provides all ESF Short circuit alternate source to functions NG03 Periodic testing and inspection L.C. NG03 480-V load center Distributes electrical Fails to distribute Loss of loads on L.C. Undervoltage None-redundant L.G. Overload power power NG03; loss of annunciation provides all ESF Short circuit alternate source to functions NG01 Periodic testing and inspection L.C. NG04 480-V load center Distributes electrical Fails to distribute Loss of loads on L.C. Undervoltage Non-redundant L.G. Overload power power NG04; loss of annunciation provides all ESF Short circuit alternate source to functions NG02 Periodic testing and inspection L.C. NG02 480-V load center Distributes electrical Fails to distribute Loss of loads on L.C. Undervoltage None-redundant L.G. Overload power power NG02; loss of annunciation provides all ESF Short circuit alternate source to functions NG04 Periodic testing and inspection 52NG0106 800-A, 480-V Provides power to and Fails open Loss of power to MCC Indicating lights, trip None-redundant L.G. Mechanical failure, relay N.C. breaker protects MCC NG01A NG01A annunciator provides ESF functions failure, loss of control power Fails closed L.C. NG01 isolated by Periodic testing and None-redundant L.G.

bkr 52NG0101 inspection provides ESF functions 52NG0107 800-A, 480-V Provides power to and Fails open Loss of power to MCC Indicating lights, trip None-redundant L.G. Mechanical failure, relay N.C. breaker protects MCC NG01B NG01B annunciator provides ESF functions failure, loss of control power Fails closed L.C. NG01 isolated by Periodic testing and None-redundant L.G.

bkr 52NG0101 inspection provides ESF functions 52NG0306 800-A, 480-V N.C. Provides power to and Fails open Loss of power to MCC Indicating lights, trip None-redundant L.G. Mechanical failure, relay breaker protects MCC NG03C NG03C annunciator provides ESF functions failure, loss of control power Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 13)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure Fails closed L.C. NG03 isolated by Periodic testing and None-redundant L.G.

bkr 52NG0301 inspection provides ESF functions 52NG0307 800-A, 480-V N.C. Provides power to and Fails open Loss of power to MCC Indicating lights, trip None-redundant L.G. Mechanical failure, relay breaker protects MCC NG03D NG03D annunciator provides ESF functions failure, loss of control power Fails closed L.C. NG03 isolated by Periodic testing and None-redundant L.G.

bkr 52NG0301 inspection provides ESF functions 52NG0406 800-A, 480-V N.C. Provides power to and Fails open Loss of power to MCC Indicating lights, trip None-redundant L.G. Mechanical failure, relay breaker protects MCC NG04C NG04C annunciator provides ESF functions failure, loss of control power Fails closed L.C. NG04 isolated by Periodic testing and None-redundant L.G.

bkr 52NG0401 inspection provides ESF functions 52NG0407 800-A,480-V N.C. Provides power to and Fails open Loss of power to MCC Indicating lights, trip None-redundant L.G. Mechanical failure, relay breaker protects MCC NG04D NG04D annunciator provides ESF functions failure, loss of control power Fails closed L.C. NG04 isolated by Periodic testing and None-redundant L.G.

bkr 52NG0401 inspection provides all ESF functions 52NG0207 800-A, 480-V N.C. Provides power to and Fails open Loss of power to MCC Indicating lights, trip None-redundant L.G. Mechanical failure, relay breaker protects MCC NG02B NG02B annunciator provides all ESF failure, loss of control functions power Fails closed L.C. NG02 isolated by Periodic testing and None-redundant L.G.

bkr 52NG0201 inspection provides ESF functions 52NG0206 800-A, 480-V N.C. Provides power to and Fails open Loss of power to MCC Indicating lights, trip None-redundant L.G. Mechanical failure, relay breaker protects MCC NG02A NG02A annunciator provides all ESF failure, loss of control functions power Fails closed L.C. NG02 isolated by Periodic testing and None-redundant L.G.

bkr 52NG0201 inspection all ESF provides all ESF functions functions NG01A 480-V motor control Distributes electrical Fails to distribute Loss of loads on MCC Annunciation on fdr None-redundant L.G. Overload center power power NG01A breaker trip, loss of provides all ESF Short circuit individual load functions indicating lights Periodic testing and inspection Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 14)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure NG01B 480-V motor control Distributes electrical Fails to distribute Loss of loads on MCC Annunciation on fdr None-redundant L.G. Overload center power power NG01B breaker trip, loss of provides all ESF Short circuit individual load functions indicating lights Periodic testing and inspection NG03C 480-V motor control Distributes electrical Fails to distribute Loss of loads on MCC Annunciation for bkr tip, None-redundant L.G. Overload center power power NG03C loss of individual load provides all ESF Short circuit indicating lights functions Periodic testing and inspection NG03D 480-V motor control Distributes electrical Fails to distribute Loss of loads on MCC Annunciation for bkr None-redundant L.G. Overload center power power NG03D trip, loss of individual provides all ESF Short circuit load indicating lights functions Periodic testing and inspection NG04C 480-V motor control Distributes electrical Fails to distribute Loss of loads on MCC Annunciation for bkr None-redundant L.G. Overload center power power NG04C trip, loss of individual provides all ESF Short circuit load indicating lights functions Periodic testing and inspection NG04D 480-V motor control Distributes electrical Fails to distribute Loss of loads on MCC Annunciation for bkr None-redundant L.G. Overload center power power NG04D trip, loss of individual provides all ESF Short circuit load indicating lights functions Periodic testing and inspection NG02B 480-V Motor control Distributes electrical Fails to distribute Loss of loads on Annunciation for bkr None-redundant L.G. Overload center power power NG02B trip, loss of individual provides all ESF Short circuit load indicating lights functions Periodic testing and inspection NG02A 480-V motor control Distributes electrical Fails to distribute Loss of loads on Annunciation for bkr None-redundant L.G. Overload center power power NG02A trip, loss of individual provides all ESF Short circuit load indicating lights functions Periodic testing and inspection Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 15)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure 52NG0208 800-A, 480-Volt N.C. Provides power to and Fails open Loss of loads on MCC Indicating lights, trip None-redundant L.G. Mechanical failure, relay breaker protects NG02T NG02T annunciation provides all ESF failure, loss of control functions power Fails closed L.C. NG02 isolated by Periodic testing and None-redundant L.G.

bkr 52NG0201 inspection provides all ESF functions 52NG0405 800-A, 480-Volt N.C. Provides power to and Fails open Loss of loads on MCC Indicating lights, trip None-redundant L.G. Mechanical failure, relay breaker protects NG04T NG04T annunciation provides all ESF failure, loss of control functions power Fails closed L.C. NG04 isolated by Periodic testing and None-redundant L.G.

bkr 52NG0401 inspection provides all ESF functions NG01T 480-V motor control Distributes electric Fails to distribute Loss of loads on MCC Annunciation on FDR None-redundant L.G. Overload, center power power NG01T bkr trip provides all ESF short circuit functions NG03T 480-V motor control Distributes electric Fails to distribute Loss of loads on MCC Annunciation on FDR None-redundant L.G. Overload, center power power NG03T bkr trip provides all ESF short circuit functions NG02T 480-V motor control Distributes electric Fails to distribute Loss of loads on MCC Annunciation on FDR None-redundant L.G. Overload, center power power NG02T bkr trip provides all ESF short circuit functions NG04T 480-V motor control Distributes electric Fails to distribute Loss of loads on MCC Annunciation on FDR None-redundant L.G. Overload, center power power NG04T bkr trip provides all ESF short circuit functions 52NG0108 800-A, 480-Volt N.C. Provides power to and Fails open Loss of power to MCC Indicating lights trip None-redundant L.G. Mechanical failure, relay breaker protects MCC NG01T NG01T annunciator provides all ESF failure, loss of control functions power Fails closed L.C. NG01 isolated by Periodic testing and None-redundant L.G.

bkr 52NG0101 inspection provides all ESF functions 52NG0305 800-A, 480-Volt N.C. Provides power to and Fails open Loss of power to MCC Indicating lights trip None-redundant L.G. Mechanical failure, relay breaker protects MCC NG03T NG03T annunciator provides all ESF failure, loss of control functions power Fails closed L.C. NG03 isolated by Periodic testing and None-redundant L.G.

bkr 52NG0301 inspection provides all ESF functions Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 16)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure 152NB0101 1,200-A, 4.16-kV Provides power to and Fails open Power unavailable at Indicating lights None-redundant L.G. Mechanical failure, relay breaker protects RHR PP PE PEJ01A provides the ESF failure, loss of control J01A Function power Periodic testing and inspection Fails closed Bus NB01 isolated by Undervoltage None-redundant L.G.

bkr 152NB0112 annunciation on NB01 provides all ESF functions 152NB0103 1,200-A 4.16-kV Provides power to and Fails open Power unavailable at Indicating lights None-redundant L.G. Mechanical failure, relay breaker protects S.I. PP PEM01A provides the ESF failure, loss of control PEM01A function power Periodic testing and inspection Fails closed Bus NB01 isolated by Undervoltage None-redundant L.G.

bkr 152NB0112 annunciation on NB01 provides all ESF functions 152NB0104 1,200-A, 4.16-kV Provides power to and Fails open Power unavailable at Indicating lights None-redundant L.G. Mechanical failure, relay breaker protects cent chgng PP PBG05A provides the ESF failure, loss of control PBG05A function power Periodic testing and inspection Fails closed Bus NB01 isolated by Undervoltage None-redundant L.G.

bkr 152NB0112 annunciation on NB01 provides all ESF functions 152NB0107 1,200-A, 4.16-kV Provides power to and Fails open Power unavailable at Indicating lights None-redundant Mechanical failure, relay breaker protects comp clg wtr PEG01A PEG01C provides the failure, loss of control PP PEG01A ESF function power Periodic testing and inspection Fails closed Bus NB01 isolated by Undervoltage None-redundant L.G.

bkr 152NB0112 annunciation on NB01 provides all ESF functions 152NB0108 1,200-A, 4.16-kV Provides power to and Fails open Power unavailable at Indicating lights None-redundant L.G. Mechanical failure, relay breaker protects comp clg wtr PEG01C provides the ESF failure, loss of control PP PEG01C function power Periodic testing and inspection Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 17)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure Fails closed Bus NB01 isolated by Undervoltage None-redundant L.G.

bkr 152NB0112 annunciation on NB02 provides all ESF functions 152NB0102 1,200-A, 4.16-kV Provides power and Fails open Power unavailable at Indicating lights None-redundant L.G. Mechanical failure, relay breaker protects cont spray PP PEN01A provides the ESF failure, loss of control PEN01A function power Periodic testing and inspection Fails closed Bus NB01 isolated by Undervoltage None-redundant L.G.

bkr 152NB0112 annunciation on NB02 provides all ESF functions 152NB0105 1,200-A, 4.16-kV Provides power to and Fails open Power unavailable at Indicating lights None-redundant L.G. Mechanical failure, relay breaker protects aux fw PP PAL01A provides the ESF failure, loss of control PAL01A function power Periodic testing and inspection Fails closed Bus NB01 isolated by Undervoltage None-redundant L.G.

bkr 152NB0112 annunciation on NB01 provides the ESF all ESF functions function 152NB0204 1,200-A, 4.16-kV Provides power to and Fails open Power unavailable at Indicating lights None-redundant L.G. Mechanical failure, relay breaker protects RHR PP PEJ01B provides the ESF failure, loss of control PEJ01B function power Periodic testing and inspection Fails closed Bus NB02 isolated by Undervoltage None-redundant L.G.

bkr 152NB0209 annunciation on NB02 provides all ESF functions 152NB0202 1,200-A, 4.16-kV Provides power to and Fails open Power unavailable at Indicating lights None-redundant L.G. Mechanical failure, relay breaker protects S.I. PP PEM01B provides the ESF failure, loss of control PEM01B function power Periodic testing and inspection Fails closed Bus NB02 isolated by Undervoltage None-redundant L.G.

bkr 152NB0209 annunciation on NB02 provides all ESF functions Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 18)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure 152NB0201 1,200-A, 4.16-kV Provides power to and Fails open Power unavailable at Indicating lights None-redundant L.G. Mechanical failure, relay breaker protects cent chgng PP PBG05B provides the ESF failure, loss of control PBG05B function power Periodic testing and inspection Fails closed Bus NB02 isolated by Undervoltage None-redundant L.G.

bkr 152NB0209 annunciation on NB02 provides all ESF functions 152NB0206 1,200-A, 4.16-kV Provides power to and Fails open Power unavailable at Indicating lights None-redundant Mechanical failure, relay breaker protects comp clg wtr PEG01B PEG01D provides the failure, loss of control PEG01B ESF function power Periodic testing and inspection Fails closed Bus NB02 isolated by Undervoltage None-redundant L.G.

bkr 152NB0209 annunciation on NB02 provides all ESF functions 152NB0207 1,200-A, 4.16-kV Provides power to and Fails open Power unavailable at Indicating lights None-redundant Mechanical failure, relay breaker protects comp clg wtr PEG01D PEG01B provides the failure, loss of control PP PEG01D ESF function power Periodic testing and inspection Fails closed Bus NB02 isolated by Undervoltage None-redundant L.G.

bkr 152NB0209 annunciation on NB02 provides all ESF functions 152NB0203 1,200-A, 4.16-kV Provides power to and Fails open Power unavailable at Indicating lights None-redundant L.G. Mechanical failure, relay breaker protects cont spray PP PEN01B provides the ESF failure, loss of control PEN01B function power Periodic testing and inspection Fails closed Bus NB02 isolated by Undervoltage None-redundant L.G.

bkr 152NB0209 annunciation on NB02 provides all ESF functions 152NB0205 1,200-A, 4.16-kV Provides power to and Fails open Power unavailable at Indicating lights None-redundant L.G. Mechanical failure, relay breaker protects aux FW PP PAL01B provides the ESF failure, loss of control PAL01B function power Periodic testing and inspection Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 19)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure Fails closed Bus NB02 isolated by Undervoltage None-redundant L.G.

bkr 152NB0209 annunciation on NB02 provides all ESF functions 152NB0116 1,200-A, 4.16-kV Provides power to and Fails open Loss of power to Indicating lights None-redundant load Mechanical failure N.C. breaker protects XNG05 XNG05 group provides all Relay failure necessary functions Loss of control power Undervoltage annun on MCC NG05E Fails closed Bus NB01 isolated by Periodic testing and None-redundant load N.C. bkr 152NB0112 inspection group provides all necessary functions 152NB0117 1,200-A, 4.16-kV Provides power to and Fails open Loss of power to Indicating lights None-redundant load Mechanical failure N.C. breaker protects XNG07 XNG07 group provides all Relay failure necessary functions Loss of control power Loss of indicating lights in MCC load ckts.

Undervoltage annunication on NG07 Fails closed Bus NB01 isolated by Periodic testing and None-redundant load N.C. bkr 152NB0112 inspection group provides all necessary functions 152NB0216 1,200-A, 4.16-kV Provides power to and Fails open Loss of power to Indicating lights None-redundant load Mechanical failure N.C. breaker protects XNG06 XNG06 Undervoltage group provides all Relay failure annunciation on MCC necessary functions Loss of control power NG06E Fails closed Bus NB02 isolated by Periodic testing and None-redundant load N.C. bkr 152NB0209 inspection group provides all necessary functions 152NB0217 1,200-A, 4.16-kV Provides power to and Fails open Loss of power to Indicating lights None-redundant load Mechanical failure N.C. breaker protects XNG08 XNG08 group provides all Relay failure necessary functions Loss of control power Loss of indicating lights in MCC load ckts.

Undervoltage annunication on NG08 Fails closed Bus NB02 isolated by Periodic testing and None-redundant load N.C. bkr 152NB0209 inspection group provides all necessary functions Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 20)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure XNG07 4.06-kV/480-V L.C. Provides power to L.C. Fails to provide Loss of power to L.C. Overcurrent, ground None-redundant load Internal fault xmfr NG07 power NG07 overcurrent, neutral group provides all overcurrent necessary functions annunciation Periodic testing and inspection Undervoltage annunciation on NG07 XNG08 4.06-kV/480-V L.C. Provides power to L.C. Fails to provide Loss of power to L.C. Overcurrent, ground None-redundant load Internal fault xmfr NG08 power NG08 overcurrent, neutral group provides all overcurrent necessary functions annunciation Periodic testing and inspection Undervoltage annunciation on NG08 XNG05 4.06-kV/480-V xmfr Provides power to Fails to provide Loss of power to MCC Overcurrent, ground None-redundant load Internal fault MCC NG05E power NG05E overcurrent, neutral group provides all overcurrent necessary functions annunciation Loss of indicating lights in MCC load ckts Periodic testing and inspection XNG06 4.06-kV/480-V xmfr Provides power to Fails to provide Loss of power to MCC Overcurrent, ground None-redundant load Internal fault MCC NG06E power NG06E overcurrent, neutral group provides all overcurrent necessary functions annunciation Loss of indicating lights in MCC load ckts Periodic testing and inspection LC NG07 480-V load center Distributes electrical Fails to provide Loss of loads on L.C. Undervoltage None-redundant load Overload bus power power NG07 annunciation group provides for Short circuit necessary functions Periodic testing and inspection Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 21)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure LC NG08 480-V load center Distributes electrical Fails to provide Loss of loads on L.C. Undervoltage None-redundant load Overload bus power power NG08 annunciation group provides all Short circuit necessary functions Periodic testing and inspection NG05E 480-V motor control Distributes electrical Fails to provide Loss of loads on MCC Trip annunciation on None-redundant load Overload center power power NG05E feeder bkrs group provides for Short circuit necessary functions Loss of indicating lights in MCC load ckts Periodic testing and inspection NG06E 480-V motor control Distributes electrical Fails to provide Loss of loads on MCC Trip annunciation on None-redundant load Overload center power power NG06E feeder bkrs group provides all Short circuit necessary functions Loss of indicating lights in MCC load ckts Periodic testing and inspection 52NG0705 800-A/480-V N.C. Provides power to and Fails open Loss of power to MCC Indicating lights None-redundant load Mechanical failure breaker protects MCC NG07F NG07F group provides all Relay failure Trip annunciation necessary functions Loss of control power Loss of indicating lights in MCC load ckts Fails closed L.C. NG07 isolated by Periodic testing and None-redundant load N.C. bkr 152NB0117 inspection group provides all necessary functions 52NG0805 800-A/480-V N.C. Provides power to and Fails open Loss of power to MCC Indicating lights None-redundant load Mechanical failure breaker protects MCC NG08F NG08F group provides all Relay failure Trip annunciation necessary functions Loss of control power Loss of indicating lights in MCC load ckts Fails closed L.C. NG08 isolated by Periodic testing and None-redundant load N.C. bkr 152NB0217 inspection group provides all necessary functions Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 22)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure 52NG0703 800-A/480-V N.C. Provides power to and Fails open Loss of power to Loss of indicating lights None-redundant load Mechanical failure breaker protects MCC NG07S cooling tower fan on MCC loads group provides all Relay failure CEF01A necessary functions Loss of control power Fails closed L.C. NG07 isolated by Periodic testing and None-redundant load N.C. bkr 152NB0117 inspection group provides all necessary functions 52NG0803 800-A/480-V N.C. Provides power to and Fails open Loss of power to Loss of indicating lights None-redundant load Mechanical failure breaker protects MCC NG08S cooling tower fan on MCC loads group provides all Relay failure CEF01B necessary functions Loss of control power Fails closed L.C. NG08 isolated by Periodic testing and None-redundant load N.C. bkr 152NB0217 inspection group provides all necessary functions NG07S 480-V motor control Distributes electric Fails to distribute Loss of loads on Loss of indicating lights None-redundant load Overload center power power NG07S on MCC loads group provides all Short circuit necessary functions Periodic testing and inspection NG08S 480-V motor control Distributes electric Fails to distribute Loss of loads on Annunciation on fdr bkr None-redundant load Overload center power power NG08S trip. Loss of indicating group provides all Short circuit lights on MCC loads necessary functions Periodic testing NG07F 480-V motor control Distributes electric Fails to provide Loss of loads on MCC Trip annunciation on None-redundant load Overload center power power NG07F feeder bkrs group provides all Short circuit necessary functions Loss of indicating lights in MCC load ckts Periodic testing and inspection NG08F 480-V motor control Distributes electric Fails to provide Loss of loads on MCC Trip annunciation on None-redundant load Overload center power power NG08F feeder bkrs group provides all Short circuit necessary functions Loss of indicating lights in MCC load ckts Periodic testing and inspection Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 23)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure 152NB0115 1200-A, 4.16-kV Provides power to and Fails open Loss of PP PEF01A Indicating lights None-redundant load Mechanical failure N.C. circuit breaker protects PP PEF01A group provides the Relay failure necessary function Loss of control power Periodic testing and inspection Fails closed Bus NB01 isolated by UV annunciation at None-redundant load N.C. bkr 152NB0112 MCB group provides all necessary functions 152NB0215 1,200-A, 4.16-kV Provides power to and Fails open Loss of PP PEF01B Indicating lights None-redundant load Mechanical failure N.C. circuit breaker protects PP PEF01B group provides the Relay failure necessary function Loss of control power Periodic testing and inspection Fails closed Bus NB02 isolated by UV annunciation at None-redundant load N.C. bkr 152NB0209 MCB group provides all necessary functions 52NG0704 800-A/480-V N.C. Provides power to and Fails open Loss of power to Loss of indicating lights None-redundant load Mechanical failure circuit breaker protects MCC NG07S cooling tower fan on MCC loads group provides the Relay failure CEF01C necessary functions Loss of control power Fails closed Load center NG07 Periodic testing and None-redundant load isolated by 4.16-kV inspection group provides all bkr 152NB0117 necessary functions 52NG0804 800-A/480-V N.C. Provides power to and Fails open Loss of power to Loss of indicating lights None-redundant load Mechanical failure circuit breaker protects MCC NG08S cooling tower fan on MCC loads group provides the Relay failure CEF01D necessary function Loss of control power Load center NG08 Periodic testing and None-redundant load isolated by 4.16-kV inspection group provides all bkr 152NB0217 necessary functions NK11 125-V battery Provides backup Fails to provide Loss of backup dc Solid state battery None-redundant dc Short to ground, internal power to dc bus NK01 adequate output power to bus NK01 monitor, local subsystem provides all shorts if charger NK21 fails; voltage indication, control room necessary functions provides extra power annunciation during surges Periodic testing and inspection Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 24)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure NK13 125-V battery Provides backup dc Fails to provide Loss of backup dc Solid state battery None-redundant dc Short to ground, internal power to dc bus NK03 adequate output power to bus NK03 monitor, local subsystem provides all shorts if charger NK23 fails; voltage indication, control room necessary functions provides extra power annunciation during surges Periodic testing and inspection NK12 125-V battery Provides backup dc Fails to provide Loss of backup dc Solid state battery None-redundant dc Short to ground, internal power to dc bus NK02 adequate output power to bus NK02 monitor, local subsystem provides all shorts if charger NK22 fails; voltage indication, control room necessary functions provides extra power annunciation during surges Periodic testing and inspection NK14 125-V battery Provides backup dc Fails to provide Loss of backup dc Solid state battery None-redundant dc Short to ground, internal power to dc bus NK04 adequate output power to bus NK04 monitor, local subsystem provides all shorts if charger NK24 fails; voltage indication, control room necessary functions provides extra power annunciation during surges Periodic testing and inspection 89NK0101 125-V, N.C. fusible Provides power to and Fails open Loss of battery NK11 Battery output amps None-battery charger Mechanical failure switch protects bus NK01 source to bus NK01 indicated in control NK21 provides power room 89NK0301 125-V, N.C. fusible Provides power to and Fails open Loss of battery NK13 Battery output amps None-battery charger Mechanical failure switch protects bus NK03 source to bus NK03 indicated in control NK23 provides power room 89NK0201 125-V, N.C. fusible Provides power to and Fails open Loss of battery NK12 Battery output amps None-battery charger Mechanical failure switch protects bus NK02 source to bus NK02 indicated in control NK22 provides power room 89NK0401 125-V, N.C. fusible Provides power to and Fails open Loss of battery NK14 Battery output amps None-battery charger Mechanical failure switch protects bus NK04 source to bus NK04 indicated in control NK24 provides power room Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 25)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure NK21 125-V battery Charges battery NK11; Fails to provide None-battery NK11 Local indication and None-battery NK11 Fault, component failure charger provides primary power picks up load until control room summary provides power (spare power to bus NK03 swing charger NK25 is annunciation for input charger is also aligned undervoltage and available) output under and over voltage Periodic testing and inspection NK23 125-V battery Charges battery NK13; Fails to provide None-battery NK13 Local indication and None-battery NK13 Fault, component failure charger provides primary power picks up load until control room summary provides power (spare power to bus NK03 swing charger NK25 is annunciation for input charger is also aligned undervoltage and available) output under and over voltage Periodic testing and inspection NK22 125-V battery Charges battery NK12; Fails to provide None-battery NK12 Local indication and None-battery NK12 Fault, component failure charger provides primary power picks up load until control room summary provides power (spare power to bus NK02 swing charger NK26 is annunciation for input charger is also aligned undervoltage and available) output under and over voltage Periodic testing and inspection NK24 125-V battery Charges battery NK14; Fails to provide None-battery NK14 Local indication and None-battery NK14 Fault, component failure charger provides primary power picks up load until control room summary provides power (spare power to bus NK04 swing charger NK26 is annunciation for input charger is also aligned undervoltage and available) output under and over voltage Periodic testing and inspection 89NK0102 125-V, N.C. fusible Provides power to and Fails open Loss of battery Charger output amps None-battery NK11 Mechanical failure switch protects bus NK01 charger NK21 source indicated in control supplies bus NK01 to bus NK01 room 89NK0302 125-V, N.C. fusible Provides power to and Fails open Loss of battery Charger output amps None-battery NK13 Mechanical failure switch protects bus NK03 charger NK23 source indicated in control supplies bus NK03 to bus NK03 room Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 26)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure 89NK0202 125-V, N.C. fusible Provides power to and Fails open Loss of battery Charger output amps None-battery supplies Mechanical failure switch protects bus NK02 charger NK22 source indicated in control bus NK02 to bus NK02 room 89NK0402 125-V, N.C. fusible Provides power to and Fails open Loss of batter charger Charger output amps None-battery supplies Mechanical failure switch protects bus NK04 NK24 source to bus indicated in control bus NK04 NK04 room NK01 125-VDC bus Distributes electrical Fails to distribute Loss of Sep. Grp. 1 dc Ground detection local None-redundant Overload power power power indication of subsystem provides all Short circuit undervoltage, and necessary functions summary annunciation at control room Periodic testing and inspection NK03 125-VDC bus Distributes electrical Fails to distribute Loss of Sep. Grp. 3 dc Ground detection local None-redundant Overload power power power indication of subsystem provides all Short circuit undervoltage, and necessary functions summary annunciation at control room Periodic testing and inspection NK02 125-VDC bus Distributes electrical Fails to distribute Loss of Sep. Grp. 2 dc Ground detection, local None-redundant Overload power power power indication of subsystem provides all Short circuit undervoltage, and necessary functions summary annunciation at control room Periodic testing and inspection NK04 125-VDC bus Distributes electrical Fails to distribute Loss of Sep. Grp. 4 dc Ground detection, local None-redundant Overload power power power indication of subsystem provides all Short circuit undervoltage, and necessary functions summary annunciation at control room Periodic testing and inspection 89NK0111 125-V, N.C. fusible Provides power to and Fails open Loss of inverter NN11 Loss of dc input to inv None-bus NN01 fed by Mechanical failure switch protects 7.5-kVA power to bus NN01 annunciated inverter backup source inverter NN11 or swing inverter NN17 Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 27)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure 89NK0311 125-V, N.C. fusible Provides power to and Fails open Loss of inverter NN13 Loss of DC input to inv None-bus NN03 fed by Mechanical failure switch protects 7.5-kVA power to bus NN03 annunciated inverter backup source inverter NN13 or swing inverter NN17 89NK0211 125-V, N.C. fusible Provides power to and Fails open Loss of inverter NN12 Loss of DC input to inv None-bus NN02 fed by Mechanical failure switch protects 7.5-kVA power to bus NN02 annunciated inverter backup source inverter NN12 or swing inverter NN18 89NK0411 125-V, N.C. fusible Provides power to and Fails open Loss of inverter NN14 Loss of DC input to inv None-bus NN04 fed by Mechanical failure switch protects 7.5-kVA power to bus NN04 annunciated inverter backup source inverter NN14 or swing inverter NN18 89NK0103 125-V, N.C. fusible Provides power to and Fails open Loss of inverter NN17 Loss of DC input to inv None-bus NN01 fed by Mechanical failure switch protects 7.5-kVA power to bus NN01 annunciated inverter internal bypass inverter NN17 CVT source or normal inv UPS 89NK0303 125-V, N.C. fusible Provides power to and Fails open Loss of inverter NN17 Loss of DC input to inv None-bus NN03 fed by Mechanical failure switch protects 7.5-kVA power to bus NN03 annunciated inverter internal bypass inverter NN17 CVT source or normal inv UPS 89NK0203 125-V, N.C. fusible Provides power to and Fails open Loss of inverter NN18 Loss of DC input to inv None-bus NN02 fed by Mechanical failure switch protects 7.5-kVA power to bus NN02 annunciated inverter internal bypass inverter NN18 CVT source or normal inv UPS 89NK0403 125-V, N.C. fusible Provides power to and Fails open Loss of inverter NN18 Loss of DC input to inv None-bus NN04 fed by Mechanical failure switch protects 7.5-kVA power to bus NN04 annunciated inverter internal bypass inverter NN18 CVT source or normal inv UPS 89NK0104 125-V, N.C. fusible Provides power to and Fails open Loss of distr swbd Undervoltage indication None-redundant dc Mechanical failure switch protects distr swbd NK41 at swbd NK41, subsystem provides NK41 undervoltage alarm at necessary functions swbd NK01, and trouble alarm at MCB 89NK0304 125-V, N.C. fusible Provides power to and Fails open Loss of distr swbd Undervoltage indication None-redundant dc Mechanical failure switch protects distr swbd NK43 at swbd NK43, subsystem provides NK43 undervoltage alarm at necessary functions swbd NK03, and trouble alarm at MCB Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 28)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure 89NK0204 125-V, N.C. fusible Provides power to and Fails open Loss of distr swbd Undervoltage indication None-redundant DC Mechanical failure switch protects distr swbd NK42 at swbd NK42, subsystem provides NK42 undervoltage alarm at necessary functions NK02, and trouble alarm at MCB 89NK0404 125-V, N.C. fusible Provides power to and Fails open Loss of distr swbd Undervoltage indication None-redundant DC Mechanical failure switch protects distr swbd NK44 at swbd NK44, subsystem provides NK44 undervoltage alarm at necessary functions NK04, and trouble alarm at MCB NK41 125-VDC control Distributes DC power Fails to distribute Loss of loads on distr Undervoltage indication None-redundant DC Overload distribution power swbd NK41 at NK41, undervoltage subsystem provides Short circuit switchboard alarm at NK01, trouble necessary functions alarm at MCB NK43 125-VDC control Distributes DC power Fails to distribute Loss of loads on distr Undervoltage indication None-redundant DC Overload distribution power swbd NK43 at NK43, undervoltage subsystem provides Short circuit switchboard alarm at NK03, trouble necessary functions alarm at MCB NK42 125-VDC control Distributes DC power Fails to distribute Loss of loads on distr Undervoltage indication None-redundant DC Overload distribution power swbd NK42 at NK42 undervoltage subsystem provides Short circuit switchboard alarm at NK02, trouble necessary functions alarm at MCB NK44 125-VDC control Distributes DC power Fails to distribute Loss of loads on dist Undervoltage indication None-redundant DC Overload distribution power swbd NK44 at NK44, undervoltage subsystem provides Short circuit switchboard alarm at NK04, trouble necessary functions alarm at MCB NN11 7.5 KVA Inverter Provides regulated AC Fails to provide Static switch Loss of AC output and None-Load is not Fault, component failure, power to swbd NN01 power automatically transfers static switch position interrupted as long as failure of DC input load to bypass source annunciation bypass source available and Swing Inverter NN17 is available 7.5 KVA Bypass Provides standby Fails to provide Static switch is Loss of Bypass AC None-Load remains on Internal Fault Source regulated AC power to power blocked from output annunciation inverter normal supply swbd NN01 automatically and Swing Inverter transferring load NN17 is available Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 29)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure Static Switch Provides automatic Fails to Transfer Inverter source to Loss of AC None-redundant AC Component failure transfer of inverter loads to the bypass swbd NN01 lost; annunciation subsystem provides loads to bypass source source bypass source necessary functions connected to load through maintenance Periodic testing and bypass switch, or inspection swing inverter NN17 manually connected Inadvertently Bypass source Static switch position None-redundant AC Component failure transfers loads to the assumes load with no annunciation subsystem provides bypass source interruption necessary functions Fails Open Inverter and bypass Loss of AC None-redundant AC Component failure source to NN01 lost; annunciation subsystem provides swing inverter NN17 necessary functions manually connected NN12 7.5 KVA Inverter Provides regulated AC Fails to provide Static switch Loss of AC output and None-Load is not Fault, component failure, power to swbd NN02 power automatically transfers static switch position interrupted as long as failure of DC input load to bypass source annunciation bypass source available and Swing Inverter NN18 is available 7.5 KVA Bypass Provides standby Fails to provide Static switch is Loss of Bypass AC None-Load remains on Internal Fault Source regulated AC power to power blocked from output annunciation inverter normal supply swbd NN02 automatically and Swing Inverter transferring load NN18 is available Static Switch Provides automatic Fails to Transfer Inverter source to Loss of AC None-redundant AC Component failure transfer of inverter loads to the bypass swbd NN02 lost; annunciation subsystem provides loads to bypass source source bypass source necessary functions connected to load through maintenance Periodic testing and bypass switch, or inspection swing inverter NN18 manually connected Inadvertently Bypass source Static switch position None-redundant AC Component failure transfers loads to the assumes load with no annunciation subsystem provides bypass source interruption necessary functions Fails Open Inverter and bypass Loss of AC None-redundant AC Component failure source to NN02 lost; annunciation subsystem provides swing inverter NN18 necessary functions manually connected Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 30)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure NN13 7.5 KVA Inverter Provides regulated ac Fails to provide Static switch Loss of AC output and None-Load is not Fault, component failure, power to swbd NN03 power automatically transfers static switch position interrupted as long as failure of DC input load to bypass source annunciation bypass source available and swing inverter NN17 is available 7.5 KVA Bypass Provides standby Fails to provide Static switch is Loss of Bypass AC None-Load remains on Internal Fault Source regulated ac power to power blocked from output annunciation inverter normal supply swbd NN03 automatically and swing inverter NN17 transferring load is available Static Switch Provides automatic Fails to transfer Inverter source to Loss of AC None-redundant AC Component failure transfer of inverter loads to the bypass swbd NN03 lost; annunciation subsystem provides loads to bypass source source bypass source necessary functions connected to load through maintenance Periodic testing and bypass switch, or inspection swing inverter NN17 manually connected Inadvertently Bypass source Static switch position None-redundant AC Component failure transfers loads to the assumes load with no annunciation subsystem provides bypass source interruption. necessary functions Fails Open Inverter and bypass Loss of AC None-redundant AC Component failure source to NN03 lost; annunciation subsystem provides swing inverter NN17 necessary functions manually connected NN14 7.5 KVA Inverter Provides regulated AC Fails to provide Static switch Loss of AC output and None-Load is not Fault, component failure, power to swbd NN04 power automatically transfers static switch position interrupted as long as failure of DC input load to bypass source annunciation bypass source available and Swing Inverter NN18 is available 7.5 KVA Bypass Provides standby Fails to provide Static switch is Loss of Bypass AC None-Load remains on Internal Fault Source regulated ac power to power blocked from output annunciation inverter normal supply swbd NN04 automatically and Swing Inverter transferring load NN18 is available Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 31)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure Static Switch Provides automatic Fails to transfer Inverter source to Loss of AC None-redundant AC Component failure transfer of inverter loads to the bypass swbd NN04 lost; annunciation subsystem provides loads to bypass source source bypass source necessary functions connected to load through maintenance Periodic testing and bypass switch, or inspection backup switch, or swing inverter NN18 manually connected Inadvertently Bypass source Static switch position None-redundant AC Component failure transfers loads to the assumes load with no annunciation subsystem provides bypass source interruption necessary functions Fails Open Inverter and bypass Loss of AC None-redundant AC Component failure source to NN04 lost; annunciation subsystem provides Swing UPS NN18 necessary functions manually connected NN17 7.5 KVA Inverter Provides regulated AC Fails to provide Static switch Loss of AC output and None-Load is not Fault, component failure, power to swbd NN01 power automatically transfers static switch position interrupted as long as failure of DC input or NN03 load to bypass source annunciation bypass source available and primary UPS NN11/

NN13 7.5 KVA Bypass Provides standby Fails to provide Static switch is Loss of Bypass AC None-Load remains on Internal Fault Source regulated AC power to power blocked from output annunciation inverter normal supply swbd NN01 or NN03 automatically and primary UPS NN11/

transferring load NN13 Static Switch Provides automatic Fails to transfer Inverter source to Loss of AC None-redundant AC Component failure transfer of inverter loads to the bypass swbd NN01/NN03 annunciation subsystem provides loads to bypass source source lost; bypass source necessary functions connected to load through maintenance Periodic testing and bypass switch, or inspection primary UPS NN11/

NN13 manually connected Inadvertently Bypass source Static switch position None-redundant AC Component failure transfers loads to the assumes load with no annunciation subsystem provides bypass source interruption necessary functions Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 32)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure Fails Open Inverter and bypass Loss of AC None-redundant AC Component failure source to NN02/NN04 annunciation subsystem provides lost; primary UPS necessary functions NN12/NN14 manually connected NN18 7.5 KVA Inverter Provides regulated AC Fails to provide Static switch Loss of AC output and None-Load is not Fault, component failure, power to swbd NN02 power automatically transfers static switch position interrupted as long as failure of DC input or NN04 load to bypass source annunciation bypass source available and primary UPS NN12/

NN14 7.5 KVA Bypass Provides standby Fails to provide Static switch is Loss of Bypass AC None-Load remains on Internal Fault Source regulated AC power to power blocked from output annunciation inverter normal supply swbd NN02 or NN04 automatically and primary UPS NN12/

transferring load NN14 Static Switch Provides automatic Fails to transfer Inverter source to Loss of AC None-redundant AC Component failure transfer of inverter loads to the bypass swbd NN02/NN04 annunciation subsystem provides loads to bypass source source lost; bypass source necessary functions connected to load through maintenance Periodic testing and bypass switch, or inspection primary UPS NN12/

NN14 manually connected Inadvertently Bypass source Static switch position None-redundant AC Component failure transfers loads to the assumes load with no annunciation subsystem provides bypass source interruption necessary functions Fails Open Inverter and bypass Loss of AC None-redundant AC Component failure source to NN02/NN04 annunciation subsystem provides lost; primary UPS necessary functions NN12/NN14 manually connected 52NN0101 100-A/120-V Swbd NN01 fdr brkr Fails open Loss of power to swbd Periodic testing and None-redundant Mechanical failure normally closed from normal power NN01 inspection channel provides non-automatic ckt source-inverter NN11 necessary functions bkr Fails closed Swbd NN01 isolated Undervoltage None-redundant by inverter output bkr annunciation for swbd channel provides NN01 necessary functions Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 33)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure 52NN0301 100-A/120-V Swbd NN01 fdr bkr Fails open Loss of power to swbd Periodic testing and None-redundant Mechanical failure normally closed from normal power NN03 inspection channel provides nonautomatic ckt bkr source-inverter NN13 necessary functions Fails closed Swbd NN03 isolated Undervoltage None-redundant by inverter output bkr annunciation for swbd channel provides NN03 necessary functions 52NN0201 100-A/120-V Swbd NN01 fdr bkr Fails open Loss of power to swbd Periodic testing and None-redundant Mechanical failure normally closed from normal power NN02 inspection channel provides nonautomatic ckt bkr source-inverter NN12 necessary functions Fails closed Swbd NN02 isolated Undervoltage None-redundant by inverter output bkr annunciation for swbd channel provides NN02 necessary functions 52NN0401 100-A/120-V Swbd NN01 fdr bkr Fails open Loss of power to swbd Periodic testing and None-redundant Mechanical failure normally closed from normal power NN04 inspection channel provides nonautomatic ckt bkr source-inverter NN14 necessary functions Fails closed Swbd NN04 isolated Undervoltage None-redundant by inverter output bkr annunciation for swbd channel provides NN04 necessary functions NN01 120-VAC instrument Distribute electrical Fails to provide Loss of loads on swbd Undervoltage None-redundant Overload switchboard power power NN01 annunciation channel provides Short circuit necessary functions Periodic testing and inspection NN03 120-VAC instrument Distribute electric Fails to provide Loss of loads on swbd Undervoltage None-redundant Overload switchboard power power NN03 annunciation channel provides Short circuit necessary functions NN02 120-VAC instrument Distributes electric Fails to provide Loss of loads on swbd Undervoltage None-redundant Overload bus power power NN02 annunciation channel provides Short circuit necessary functions Periodic testing and inspection NN04 120-VAC instrument Distributes electric Fails to provide Loss of loads on swbd Undervoltage None-redundant Overload bus power power NN04 annunciation channel provides Short circuit necessary functions Periodic testing and inspection Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 34)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure 52NG01ABF1 150-A/480-V N.C. Provides power to and Fails open Loss of xfmr XPN07 Periodic testing and None-transformer loads Mechanical failure or circuit breaker protects xfmr XPN07 inspection are non-safety related 52NG01BEF4 Fails closed MCC NG01A is None-redundant MCC isolated by L.C bkr provides necessary 52NG0106 functions 52NG02ADF1 150-A/480-V N.C. Provides power to and Fails open Loss of xfmr XPN08 Periodic testing and None-transformer loads Mechanical failure or circuit breaker protects xfmr XPN08 inspection are non-safety related 52NG02BBF1 Fails closed MCC NG02A is None-redundant MCC isolated by L.C. bkr provides necessary 52NG0206 functions 52NG01ACR3 150-A/480-V N.C. Provides power to the Fails open Loss of NN17 bypass Loss of bypass source None-preferred source Mechanical failure circuit breaker bypass source in source AC output voltage provides necessary inverter/UPS NN17 annunciation. functions Periodic testing and inspection.

Fails closed MCC NG01A isolated None-preferred source by N.C. bkr provides necessary 52NG0106 functions 52NG01ABR1 150-A/480-V N.C. Provides power to the Fails open Loss of NN11 bypass Loss of bypass source None-preferred source Mechanical Failure circuit breaker bypass source in source AC output voltage provides necessary inverter/UPS NN11 annunciation functions Periodic testing and inspection Fails closed MCC NG01A isolated Loss of bypass source None-preferred source Mechanical Failure by N.C. bkr AC output voltage provides necessary 52NG0106 annunciation functions Periodic testing and inspection 52NG01ABR2 150-A/480-V N.C. Provides power to the Fails open Loss of NN13 bypass Loss of bypass source None-preferred source Mechanical Failure circuit breaker bypass source in source AC output voltage provides necessary inverter/UPS NN13 annunciation functions Periodic testing and inspection Fails closed MCC NG01A isolated Loss of bypass source None-preferred source Mechanical Failure by N.C. bkr AC output voltage provides necessary 52NG0106 annunciation functions Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 35)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure Periodic testing and inspection 52NG02ABR1 150-A/480-V N.C. Provides power to the Fails open Loss of NN12 bypass Loss of bypass source None-preferred source Mechanical Failure circuit breaker bypass source in source AC output voltage provides necessary inverter/UPS NN12 annunciation functions Periodic testing and inspection Fails closed MCC NG02A isolated Loss of bypass source None-preferred source Mechanical Failure by N.C. bkr AC output voltage provides necessary 52NG0206 annunciation functions Periodic testing and inspection 52NG02AGF3 150-A/480-V N.C. Provides power to the Fails open Loss of NN14 bypass Loss of bypass source None-preferred source Mechanical Failure circuit breaker bypass source in source AC output voltage provides necessary inverter/UPS NN14 annunciation functions Periodic testing and inspection Fails closed MCC NG02A isolated Loss of bypass source None-preferred source Mechanical Failure by N.C. bkr AC output voltage provides necessary 52NG0206 annunciation functions Periodic testing and inspection 52NG02AFF3 150-A/480-V N.C. Provide power to the Fails open Loss of NN18 bypass Loss of bypass source None-preferred source Mechanical failure circuit breaker bypass source in source AC output voltage provides necessary inverter/UPS NN18 annunciation. functions Periodic testing and inspection.

Fails closed MCC NG02A isolated None-preferred source by N.C. bkr provides necessary 52NG0206 functions NK25 Group 1 & 3 Swing Replaces any of Fails to provide Inability to replace a Periodic testing and None-battery associated Fault, component failure 125-V battery chargers NK21, NK23 power failed charger inspection with failed charger charger supplies load NK26 Group 2 & 4 Swing Replaces either Fails to provide Inability to replace a Periodic testing and None-battery associated Fault, component failure 125 V battery charger NK22, NK24 power failed charger inspection with failed charger charger supplies load Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 36)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure 89NK0109 125-V, N.O. fusible Connects battery NK11 Fails open None Periodic testing and None Mechanical failure switch to resistive load for inspection discharge testing 89NK0309 125-V, N.O. fusible Connects battery NK13 Fails open None Periodic testing and None Mechanical failure switch to resistive load for inspection discharge testing 89NK0209 125-V, N.O. fusible Connects battery NK12 Fails open None Periodic testing and None Mechanical failure switch to resistive load for inspection discharge testing 89NK0409 125-V, N.O. fusible Connects battery NK14 Fails open None Periodic testing and None Mechanical failure switch to resistive load for inspection discharge testing 89NK0105 125-V, N.C. fusible Provides power to and Fails open Loss of distr swbd Undervoltage indication None-redundant dc Mechanical failure switch protects distr swbd NK51 at swbd NK51 by alarm subsystem provides NK51 at swbd NK01 and necessary functions trouble alarm at MCB 89NK0405 125-V, N.C. fusible Provides power to and Fails open Loss of distr swbd Undervoltage indication None-redundant dc Mechanical failure switch protects distr swbd NK54 at swbd NK54, alarm at subsystem provides NK54 swbd NK04, and necessary functions trouble alarm at MCB NK51 125-V control Distributes dc power Fails to distribute Loss of loads on swbd Undervoltage indication None-redundant dc Overload distribution power NK51 on swbd NK51, UV subsystem provides Short circuit switchboard alarm at NK01, and necessary functions trouble alarm at MCB NK54 125-V dc control Distributes dc power Fails to distribute Loss of loads on swbd Undervoltage indicating None-redundant dc Overload distribution power NK54 on swbd NK54, UV subsystem provides Short circuit switchboard alarm at NK04, and necessary functions trouble alarm at MCB NK77 AC Transfer switch Transfer switch Fails to transfer Potential loss of Periodic testing and None-swing charger Fault, component failure preferred power to inspection NK25 is not normally in NK25 use NK75 DC Transfer switch Transfer switch Fails to transfer Potential loss of power Periodic testing and None-swing charger Fault, component failure to NK01 or NK03 inspection NK25 is not normally in use NK71 DC Transfer switch Transfer switch Fails to transfer Potential loss of Periodic testing and None-swing charger Fault, component failure preferred power to inspection NK25 is not normally in NK01 use Rev. OL-23 6/18

CALLAWAY - SP TABLE 8.3-4 (Sheet 37)

Method Effect on of Failure Effect on Causes of Equip. No. Equip. Name Function Failure Mode Subsystem Detection Total System Failure NK73 DC Transfer switch Transfer switch Fails to transfer Potential loss of Periodic testing and None-swing charger Fault, component failure preferred power to inspection NK25 is not normally in NK03 use NK78 AC Transfer switch Transfer switch Fails to transfer Potential loss of Periodic testing and None-swing charger Fault, component failure preferred power to inspection NK26 is not normally in NK26 use NK76 DC Transfer switch Transfer switch Fails to transfer Potential loss of power Periodic testing and None-swing charger Fault, component failure to NK02 or NK04 inspection NK26 is not normally in use NK72 DC Transfer switch Transfer switch Fails to transfer Potential loss of Periodic testing and None-swing charger Fault, component failure preferred power to inspection NK26 is not normally in NK02 use NK74 DC Transfer switch Transfer switch Fails to transfer Potential loss of Periodic testing and None-swing charger Fault, component failure preferred power to inspection NK26 is not normally in NK04 use NK79 NN17 DC Transfer Transfer Switch Fails to transfer Potential loss of either Periodic testing and None-swing inverter Fault, component failure Switch power sources NK01 inspection NN17 is not normally in or NK03 to NN17 use NK80 NN18 DC Transfer Transfer Switch Fails to transfer Potential loss of either Periodic testing and None-swing inverter Fault, component failure Switch power sources NK02 inspection NN18 is not normally in or NK04 to NN18 use Rev. OL-23 6/18

CALLAWAY - SP APPENDIX 8.3A - STATION BLACKOUT 8.3A.1 INTRODUCTION On July 21, 1988, the Nuclear Regulatory Commission (NRC) amended its regulations in 10 C.F.R., Part 50. A new section, 50.63, was added which requires that each light-water-cooled nuclear power plant be able to withstand and recover from a station blackout (SBO) of a specified duration. It also identifies the factors that must be considered in specifying the station blackout duration. Section 50.63 requires that, for the station blackout duration, the plant be capable of maintaining core cooling and appropriate containment integrity. Section 50.63 further requires the following information:

1) A proposed station blackout duration including a justification for the selection based on the redundancy and reliability of the onsite emergency AC power sources, the expected frequency of loss of offsite power (LOOP), and the probable time needed to restore offsite power;
2) A description of the procedures that will be implemented for station blackout events for the duration (as determined in 1 above) and for recovery therefrom; and
3) A list and proposed schedule for any needed modifications to equipment and associated procedures necessary for the specified SBO duration.

Late in 1985, the Nuclear Management and Resources Council, NUMARC, established a working group on station blackout. A Nuclear Utility Group on Station Blackout (NUGSBO) provided the major portion of the technical support for the NUMARC station blackout working group. NUMARC determined that many of the concerns related to station blackout could be alleviated through industry initiatives to reduce overall station blackout risk.

The NUMARC Executive Committee approved industry initiatives to address the more important contributors to station blackout risk.

In order to provide guidance and methodologies for implementing the NUMARC station blackout initiatives, NUMARC published the document NUMARC 87-00, Guidelines and Technical Bases for NUMARC Initiatives addressing Station Blackout at Light Water Reactors.

The NRC has issued Regulatory Guide 1.155 Station Blackout which describes a means acceptable to the NRC Staff for meeting the requirements of 10 C.F.R. 50.63.

Regulatory Guide (RG) 1.155 states that the NRC Staff has determined that NUMARC 87-00 Guidelines and Technical Bases for NUMARC Initiatives addressing Station Blackout at Light Water Reactors also provides guidance that is in large part identical to 8.3A-1 Rev. OL-24 11/19

CALLAWAY - SP the RG 1.155 guidance and is acceptable to the NRC Staff for meeting these requirements.

Union Electric has evaluated Callaway Plant against the requirements of the SBO rule using guidance from NUMARC 87-00. The results of this evaluation are given in Table 8.3A-1. Union Electric responded to the NRC on Station Blackout in a submittal dated April 12, 1989 (Ref. 5), and in supplemental submittals dated March 29, 1990 (Ref. 6),

May 31, 1991 (Ref. 7) and July 10, 1992 (Ref. 9). The NRC approved the Union Electric SBO submittal in letters dated June 9, 1992 (Ref. 8) and October28,1992 (Ref. 10).

The NUMARC initiatives are:

1) Initiative 1A - Risk Reduction Each utility will review their site(s) against the criteria specified in NRC's revised draft Station Blackout Regulatory Guide, and if the site(s) fall into the category of an eight-hour or sixteen-hour site after utilizing all power sources available, the utility will take actions to reduce the site(s) contribution to the overall risk of station blackout. Non-hardware changes will be made within one year. Hardware changes will be made within a reasonable time thereafter.

Union Electric Response Using the guidance of NUMARC 87-00, Union Electric has reviewed the Callaway site against the criteria for a SBO event. As described in Table 8.3A-1 and Section 8.3A.3, the Callaway Plant station blackout duration was determined to be four hours without any need for hardware modifications.

2) Initiative 2 - Procedures Each utility will implement procedures at each of its site(s) for:

(a) coping with a station blackout; (b) restoration of AC power following a station blackout event; and, (c) preparing the plant for severe weather conditions (e.g., hurricanes) to reduce the likelihood and consequences of a loss of off-site power and to reduce the overall risk of a station blackout event.

Union Electric Response Callaway procedures comply with the guidelines of NUMARC 87-00 as described in Table 8.3A-1 and Section 8.3A.4.

3) Initiative 3 - Cold Starts 8.3A-2 Rev. OL-24 11/19

CALLAWAY - SP Each utility will, if applicable, reduce or eliminate cold fast-starts of emergency diesel generators through changes to technical specifications or other appropriate means.

Union Electric Response Amendment 21 to the Callaway License eliminated cold fast starts of the emergency diesel generators. The Amendment revised the Callaway Technical Specifications to increase overall emergency diesel generator reliability and to prevent undue stress and wear on the diesel generator engines. The amendment was effective on May 1, 1987.

4) Initiative 4 - AC Power Availability Each utility will monitor emergency AC power unavailability, utilizing data provided to INPO on a regular basis.

Union Electric Response Union Electric has a program for regular monitoring, trending, and submitting of emergency AC power unavailability data to INPO.

5) Initiative 5 - Coping Assessment Each utility will assess the ability of its plant(s) to cope with a station blackout.

Plants utilizing alternate AC power for station blackout response which can be shown by test to be available to power the shutdown busses within 10 minutes of the onset of station blackout do not need to perform any coping assessment.

Remaining alternate AC plants will assess their ability to cope for one-hour.

Plants not utilizing an alternate AC source will assess their ability to cope for four-hours. Factors identified which prevent demonstrating the capability to cope for the appropriate duration will be addressed through hardware and/or procedural changes so that successful demonstration is possible.

As part of the coping assessment, utilities are required to choose an EDG target reliability (0.95 or 0.975) and are required to maintain that chosen reliability.

Accordingly, each utility will employ the following exceedence trigger values (on a plant unit basis) as the mechanism for monitoring EDG target reliability and to support closure of generic issue B-56:

Selected EDG Failures In Failures in Failures In Target Reliability 20 Demands 50 Demands 100 Demands 0.95 3 5 8 0.975 3 4 5 8.3A-3 Rev. OL-24 11/19

CALLAWAY - SP Additionally, each utility, in response to an individual EDG experiencing 4 or more failures in the last 25 demands, will demonstrate restored EDG performance by conducting seven (7) consecutive failure free start and load-run tests. This form of accelerated testing shall be conducted at a frequency of no less than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> and of no more than seven (7) days between each demand. Each utility will, if applicable, address this reduction in accelerated testing through changes to technical specifications or other appropriate means.

Union Electric Response Union Electric has assessed the Callaway Plant's ability to cope during the SBO duration. This is discussed in Section 8.3A.5 and in Table 8.3A-1. The Callaway target EDG reliability was selected to be 0.95 as discussed in Section 8.3A.3.3.

The Callaway emergency diesel generator reliability program ensures that the reliability is maintained as high as possible. This program includes the target reliability of 0.95, discussed in Section 8.3A.3.3.

8.3A.2 STATION BLACKOUT GENERAL CRITERIA AND ASSUMPTIONS Procedures and equipment relied upon in a station blackout should ensure that satisfactory performance of necessary decay heat removal systems is maintained for the required station blackout coping duration. Additional requirements are to keep the core covered and to provide appropriate containment integrity to the extent that isolation valves perform their intended function without AC power. The general criteria and baseline assumptions used to evaluate the station blackout event are discussed in detail in Reference 1, NUMARC 87-00. Table 8.3A-1 compares Union Electric's evaluation of the Callaway Plant against NUMARC 87-00.

8.3A.3 CALLAWAY STATION BLACKOUT DURATION NUMARC 87-00, Section 3 was used to determine a station blackout duration of four hours for the Callaway Plant. This duration was determined based on the following plant considerations and on no requirements for plant modifications.

8.3A.3.1 AC Power Design Characteristic Group NUMARC 87-00 distinguishes between sites having particular susceptibilities to losing off-site power due to plant-centered, grid-related, and weather-related events. Three off-site power design groups are provided and are designed to be mutually exclusive. Of the three groups, group P1 includes those sites characterized by redundant and independent power sources that are considered less susceptible to loss as a result of plant-centered and weather-initiated events. Based upon NUMARC 87-00 guidance, the Callaway Plant is determined to be in AC Power Design Characteristic Group, P1. This determination is based upon the following criteria developed for the Callaway site specific characteristics. Callaway specific weather-related data is provided in NUMARC 8.3A-4 Rev. OL-24 11/19

CALLAWAY - SP 87-00 (Ref. 1), Tables 3-1 through 3-4. The NRC has reviewed these Tables and has accepted the validity of the Callaway specific data.

a. The expected frequency of grid-related LOOPs does not exceed once per twenty years. According to Table A.5 of NUREG-1032 (Ref. 2), industry data indicate that most sites, including, Callaway, are not expected to exceed the once per twenty year frequency. As discussed in the Callaway FSAR Section 8.2.2.2, the Union Electric system design and past performance of the transmission system support the projection of uninterrupted transmission grid availability necessary to meet all requirements over the life of the Callaway Plant.
b. Sites are categorized in groups based upon the estimated frequency of LOOPs due to extremely severe weather (ESW). The estimated frequency of loss of off-site power due to extremely severe weather is determined by the annual expectation of storms at the site with wind velocities greater than or equal to 125 mph. Sites within the ESW Group 1 have an annual frequency of storms, with wind velocities greater than or equal to 125 mph, less than 3.3 x 10-4. Using the site-specific National Oceanic and Atmospheric Administration (NOAA) data summarized in NUMARC 87-00 (Ref. 1), Table 3-2, Callaway has a 1.0 x 10-4 annual frequency of storms with wind velocities greater than or equal to 125 mph. This places the Callaway Plant in ESW Group 1.
c. The estimated frequency of LOOPs due to severe weather (SW) places the Callaway Plant in SW Group 2. Based on site specific factors an empirical formula is used to determine the estimated frequency of loss of off-site power due to severe weather in events per year. The factors include the annual expectation of tornados of severity f2 (windspeeds greater than or equal to 113 miles per hour) in events per square mile; and the annual expectation of storms for the site with wind velocities between 75 and 124 mph. Plants within SW Group 2 have an estimated frequency of loss of offsite power due to severe weather of 0.0033 or greater, up to but not including 0.0100.

For Callaway:

-4 -2 f = ( 1.3 x 10 ) h 1 + b h 2 + ( 1.2 x 10 ) h 3 + c h 4

-3 f = 5.045 x 10 = .005045 h1 = annual expectation of snowfall for the site in inches (24) 8.3A-5 Rev. OL-24 11/19

CALLAWAY - SP h2 = annual expectation of tornados of severity F2 or greater (1.06 x 10-4) h3 = annual expectation of storms for the site with wind velocities between 75 and 124 mph (0.05) h4 = annual expectation of storms with significant salt spray b = 12.5 for sites with multiple rights of way c = 0 for other sites The Callaway values for these factors were determined from the severe weather data contained in NUMARC 87-00, Table 3-3. Using the calculated frequency value of 5.045 x 10-3 and Table 3-4 from NUMARC 87-00, Callaway is classified as a SW Group 2 site.

d. The potential for long duration loss of off-site power events can have a significant impact on station blackout risk and required coping durations.

Long duration LOOP events are associated with grid failures due to severe weather conditions or unique transmission system features. Shorter duration LOOP events tend to be associated with specific switchyard features, in particular, (1) the independence of the off-site power sources constituting the preferred power supply to the shutdown buses on-site, and (2) the power transfer schemes when the normal source of AC power is lost. Two plant groupings , I 1/2 and I3, are used for classifying the interface of the preferred power supply to the safe shutdown bus. Of the two groups, the I 1/2 group is characterized by features associated with greater independence and redundancy of sources, and a more desirable transfer scheme. The plant groupings are based upon the applicability of three conditions A, B(1), or B(2), for a given plant. Condition A requires that all off-site power sources are connected to the unit's safe shutdown buses through either the switchyards or two or more electrically connected switchyards. Per the Callaway FSAR Site Addendum Section 8.2.1.2 and FSAR Figure 8.2-5, this condition is applicable to Callaway.

Condition B(1) requires the normal source of AC power to be from the unit main generator with no automatic transfers and one or more manual transfers of all safe shutdown buses to preferred or alternate off-site sources. Condition B(2) requires the normal source of AC power to be from the unit main generator with one automatic transfer and no manual transfers of all safe shutdown buses to one preferred or one alternate off-site power source.

Conditions B(1) and B(2) are not applicable to Callaway as described in FSAR Section 8.2.1.2. At Callaway the normal source of AC power to the 8.3A-6 Rev. OL-24 11/19

CALLAWAY - SP shutdown buses is from the switchyard. Since Condition A is applicable to Callaway and Conditions B(1) and B(2) are not, the Callaway off-site power system is assigned to the I 1/2 Group per NUMARC 87-00 guidance.

The importance of the site groupings becomes evident when combined with the potential for losing off-site power due to severe and extremely severe weather. Since the Callaway site is not susceptible to a hurricane-induced loss of off-site power and since its independence of off-site power system places it in the I 1/2 Group per Section 8.3A.3.1.d above, Table 3-5a of NUMARC 87-00 is used to determine the offsite power design characteristics P Group for Callaway. Per Sections 8.3A.3.1.b and 8.3A.3.1.c above, Callaway is placed in the ESW Group 1 and in the SW Group 2. Using the guidance in Table 3-5a Callaway is categorized in the P1 offsite power design characteristic group.

8.3A.3.2 Emergency AC Power Configuration Group The Callaway Plant is determined to be in the emergency AC power configuration group C (EAC Group C). After the likelihood of losing off-site power, the redundancy of the emergency AC power system is the next most important contributor to station blackout risk. With greater EAC system redundancy, the potential for station blackout diminishes, as does the likelihood of core damage. The importance of EAC redundancy is reflected through the use of four distinct EAC configuration groups. Those sites in group C have typical redundant and independent EAC sources to safe shutdown equipment.

Placement in this group depends on the number of EAC standby power supplies available and the number required to operate AC-powered decay heat removal equipment necessary to achieve and maintain safe shutdown in a station blackout.

Overall, the greater the level of EAC redundancy, the less restrictive are the station blackout coping durations and maximum EDG failure rates before longer coping durations are required, or corrective actions become necessary.

The potential for excess EAC power sources to be used as Alternate AC is directly related to the existing level of EAC redundancy. Since EAC redundancy is an important parameter for determining station blackout coping duration categories, EAC power sources relied upon as Alternate AC power sources must not also be considered when assessing the required coping duration.

Per Table 3-7 of NUMARC 87-00 the Callaway designation of being in group C is based upon the following:

a. There are two emergency AC power supplies not credited as alternate AC power sources; and
b. One emergency AC power supply is necessary to operate safe shutdown equipment following a loss of offsite power.

8.3A-7 Rev. OL-24 11/19

CALLAWAY - SP 8.3A.3.3 Emergency Diesel Generator (EDG) Reliability The target emergency diesel generator reliability for Callaway is selected to be 0.95.

The selection of this value is consistent with NUMARC 87-00 and is based upon having a nuclear unit average EDG reliability for the last 100 demands greater than 0.95.

The unit EDG reliability is used in conjunction with the site's off-site power design characteristic, P1, and the EAC configuration Group C, to determine the unit's required station blackout coping duration. The unit EDG reliability is calculated by averaging the individual EDG reliability for the last 20, 50, and 100 demands for each machine.

The objective of the three-tier approach (i.e., 20, 50, and 100 Demands) to reliability measurements is to provide greater depth of understanding regarding reliability trends.

The 20-demand sample set is the most volatile, and offers a very sensitive indication of EDG performance. Since this indicator moves with each incremental failure or success, it is not considered a reliable measure of long-term performance. Similarly, the 100-demand sample set offers a long-term trend indication, while providing limited insight to recent trends due to data smoothing effects. The 50-demand sample set bridges the two indicators while also providing an intermediate level. Taken together, the set of indicators provides a fairly complete picture of EDG reliability.

Using Callaway data Union Electric has calculated EDG reliabities for each of two EDGs.

Based upon the results, the average reliability for the last 20, 50, and 100 Demands of two EDGs were determined as of April 17, 1989 (Ref. 4).

For Callaway:

Last 20 Demands 1.0 Last 50 Demands .978 Last 100 Demands .986 In order to determine the allowed EDG target reliability, the Callaway average reliabilities were compared against the following NUMARC criteria:

Last 20 Demands > 0.90 reliability Last 50 Demands > 0.94 reliability Last 100 Demands > 0.95 reliability The Callaway average reliability exceeds the above criteria. Since Callaway is in EAC Group C per Section 8.3A.3.2 and exceeds the NUMARC reliability criteria above, Callaway is allowed to select a target reliability of 0.95.

8.3A-8 Rev. OL-24 11/19

CALLAWAY - SP 8.3A.3.4 Coping Duration Category Using Table 3-8 of NUMARC 87-00, Callaway has a required coping duration category of four hours. The criteria supporting this four hour duration include the Callaway off-site power group 'P1', discussed in Section 8.3A.3.1, the EAC Group C, discussed in Section 8.3A.3.2, and the minimum EDG target reliability of 0.95, discussed in Section 8.3A.3.3.

8.3A.4 PROCEDURES FOR SBO Callaway procedures comply with the guidelines of NUMARC 87-00, Section 4. SBO response guidelines provide for operator actions to be taken in a SBO event; guidance is provided for operations and load dispatcher personnel for actions to restore AC power in a station blackout; and guidance is given for operators to determine the proper actions due to the onset of severe weather. Callaway procedures incorporate these guidelines and are described as follows:

a. The station blackout response guidelines of NUMARC 87-00, Section 4.2.1 are met by plant procedure, Loss of All AC Power.
b. The AC power restoration guidelines of NUMARC 87-00, Section 4.2.2, are met by the Ameren System Restoration Plan and by plant procedure, Loss of All AC Power.
c. The severe weather preparation guidelines of NUMARC 87-00, Section 4.2.3, are met by plant procedure, Severe Weather.

8.3A.5

SUMMARY

OF SBO COPING ASSESSMENT The ability of the Callaway Plant to cope with a station blackout for four hours has been assessed in accordance with NUMARC 87-00. The coping assessment assures that the Callaway Plant has adequate condensate inventory for decay heat removal during a SBO of the four hour duration; has adequate battery capacity to support decay heat removal during the four hour duration; ensure that air operated valves required for decay heat removal have sufficient reserve air or can be manually operated under station blackout conditions for four hours; ensure equipment operability by determining the average steady state temperature in dominant areas containing equipment necessary to achieve and maintain safe shutdown during the SBO; ensure that containment integrity can be provided during the SBO for the four hour duration, and the ability to maintain adequate reactor coolant system inventory. Each item of assessment is discussed in the following paragraphs, and in Table 8.3A-1.

8.3A.5.1 Condensate Inventory for Decay Heat Removal It has been determined using guidelines in Section 7.2.1 of NUMARC 87-00 that 160,000 gallons of water are required for decay heat removal for a four-hour coping duration. The 8.3A-9 Rev. OL-24 11/19

CALLAWAY - SP minimum permissible condensate storage tank level per Technical Specifications provides 281,000 gallons of water, which exceeds the required quantity for coping with a four-hour station blackout.

8.3A.5.2 Class 1E Battery(ies) Capacity A battery capacity calculation has been performed pursuant to NUMARC 87-00, Section 7.2.2, to verify that the Class 1E battery(ies) has sufficient capacity to meet station blackout loads for four hours.

8.3A.5.3 Compressed Air Air-operated valves relied upon to cope with a station blackout for four hours have sufficient backup air sources independent of the blacked out unit's preferred and Class 1E power supplies. The valves are identified in plant procedures.

8.3A.5.4 Effects of Loss of Ventilation The calculated steady state ambient air temperature for the steam driven AFW pump room (the dominant area of concern for a PWR) during a station blackout induced loss of ventilation is 144.5°F.

Reasonable assurance of the operability of station blackout response equipment in the above dominant area of concern has been assessed using Appendix F to NUMARC 87-00. No modifications are required to provide reasonable assurance for equipment operability.

The assumption in NUMARC 87-00, Section 2.7.1 that the control room will not exceed 120°F during a station blackout has been assessed. Calculations verify that the control room at the Callaway Plant will not exceed 120°F during a station blackout. Therefore, the control room is not a dominant area of concern.

8.3A.5.5 Containment Isolation The plant list of containment isolation valves has been reviewed to verify that valves which must be capable of being closed or that must be operated (cycled) under station blackout conditions can be positioned (with indication) independent of the preferred Class 1E power supplies. No plant modifications were determined to be required to ensure that appropriate containment integrity can be provided under SBO conditions.

Callaway procedures include all actions necessary to assure containment integrity.

8.3A.5.6 Reactor Coolant Inventory The ability to maintain adequate reactor coolant system inventory to ensure that the core is cooled for four hours has been assessed. A plant-specific analysis was used for this assessment. The expected rates of reactor coolant inventory loss under SBO conditions 8.3A-10 Rev. OL-24 11/19

CALLAWAY - SP do not result in uncovering the core in an SBO of four hours. Therefore, makeup systems under SBO conditions are not required to maintain core cooling under natural circulation (including reflux boiling).

8.3A.6 GRADED QA PROGRAM FOR SBO Callaway Plant's Station Blackout Program encompasses both safety related and non-safety related components, systems and structures. Regulatory Position C.3.5 of Regulatory Guide 1.155 recommends that a specific QA program be established for equipment not specifically covered by the existing QA requirements of Appendices B or R of 10CFR50.

A graded QA program has been established to assure compliance with 10CFR50.63, and to satisfy the guidance of Regulatory Guide 1.155 and NUMARC 87-00 with respect to the non-safety related station blackout items. The scope of the program encompasses the following:

a. Those components, systems and structures required to be available to function during the coping portion of a station blackout;
b. Those components, systems, and structures required to be available to function in support of the restoration of the preferred AC power during a station blackout event;
c. Those components, systems, and structures required to be available to mitigate the consequences of the effects of severe weather; and,
d. Those subcomponents of all of the above items, where such subcomponents are required to be available to support the above items when the above items are called upon to function.

Table 8.3A-2 describes the graded QA program for station blackout in comparision to the criteria of Regulatory Guide 1.155, Appendix A. The graded QA program makes reference to QA provisions found in applicable portions of the Operating Quality Assurance Program (OQAM), and is implemented in plant procedures.

8.3A.7 REFERENCES

1. NUMARC 87-00, Guidelines and Technical Bases for NUMARC Initiatives addressing Station Blackout at Light Water Reactors, November 1987.
2. NRC NUREG-1032, Evaluation of Station Blackout Accidents at Nuclear Power Plants, 1985.
3. NRC Regulatory Guide 1.155, Station Blackout.

8.3A-11 Rev. OL-24 11/19

CALLAWAY - SP

4. Union Electric Calculations B0-01, B0-03, B0-04, B0-05, B0-07, B0-09 and BO-010 (Calculations Supporting the Station Blackout Submittal).
5. ULNRC-1973, dated April 12, 1989 (Union Electric's Response to NRC on Station Blackout).
6. ULNRC-2182, dated March 29, 1990 (a supplement to Union Electric's Response to NRC on Station Blackout).
7. ULNRC-2416, dated May 31, 1991 (a Supplement to Union Electric's Response to NRC on Station Blackout).
8. NRC Letter dated June 9, 1992, Callaway Nuclear Plant - Safety Evaluation of the Response to the Station Blackout Rule, 10CFR50.63.
9. ULNRC-2662, dated July 10, 1992 (a supplement to Union Electric's Response to NRC on Station Blackout).
10. NRC letter dated October 28, 1992, Callaway Nuclear Plant - Supplemental Safety Evaluation of the Response to the Station Blackout Rule, 10CFR50.63.

8.3A-12 Rev. OL-24 11/19

CALLAWAY - SP TABLE 8.3A-1 COMPARISON TO NUMARC 87-00, GUIDELINE AND TECHNICAL BASES FOR NUMARC INITIATIVES ADDRESSING STATION BLACKOUT AT LIGHT WATER REACTORS This evaluation documents the capability of Callaway Plant to cope with a station blackout (SBO) by summarizing the results of the coping assessment performed in accordance with NUMARC 87-00. Parenthetical references to NUMARC 87-00 are provided.

I. General Criteria and Baseline I. The validity of the NUMARC 87-00 Assumptions - Those applicable to baseline assumptions is determined as Callaway are as follows: follows:

A. Initial Plant Conditions A. Initial Plant Conditions

1. The station blackout event 1. The NUMARC 87-00 basis occurs while the reactor is (Ref: 2.2.2(1)) for this assumption operating at 100% rated is considered valid for Callaway thermal power and has been at additional plant-specific analysis is this power level for at least 100 not required.

days (Ref: 2.2.1(1))

2. Immediately prior to the 2. The NUMARC 87-00 basis postulated station blackout (Ref:2.2.2(2)) for this assumption is event, the reactor and considered valid for Callaway and supporting systems are within does not require plant specific normal operating ranges for justification.

pressure, temperature, and water level. All plant equipment is either operating or available from the standby state.

(Ref:2.2.1(2))

B. Initiating Event B. Initiating Event

1. The initiating event is assumed 1. The NUMARC 87-00 basis to be a loss of offsite power (Ref:2.3.2(1)) for this assumption is (LOOP) resulting from a considered valid for Callaway and switchyard-related event due to does not require plant specific random faults or an external justification.

event, such as grid disturbance or a weather event that affects the off-site power system either throughout the grid or at the plant. (Ref:2.3.1(1))

Rev. OL-20 11/13

CALLAWAY - SP TABLE 8.3A-1 (Sheet 2)

2. No design basis accidents or 2. The NUMARC 87-00 basis other events are assumed to (Ref:2.3.2(4)) for this assumption is occur immediately prior to or considered valid for Callaway and during the SBO (Ref:2.3.1(4)) does not require plant specific justification.

C. Station Blackout Transient C. Station Blackout Transient

1. Following the loss of all off-site 1. The NUMARC 87-00 basis power, the reactor automatically (Ref:2.4.2(1)-(3)) for this trips with sufficient shutdown assumption is considered valid for margin to maintain subcriticality Callaway. Calculations have been at safe shutdown. The event performed to demonstrate the ends when AC power is ability to close breakers supplying restored to shutdown busses the Class 1E busses.

from any source (Ref:2.4.1(1))

2. The main steam system valves 2. The NUMARC 87-00 basis necessary to maintain decay (Ref:2.4.2(1)-(3)) is valid for heat removal functions operate Callaway. The Atmospheric Steam properly. (Ref:2.4.1(2)) Dump valves (ASDVs) are the only main steam system valves which must be operated throughout the four-hour coping period. The ASDVs:

(1) Are qualified for harsh environment conditions (FSAR Table 3.11(B)-3),

(2) have adequate back-up air supply and, (3) have controls powered by vital busses supplied by station batteries.

3. Safety Relief Valves or Power 3. The NUMARC 87-00 basis Operated Relief Valves operate (Ref:2.4.2(1)-(3)) is considered properly (Ref:2.4.1(3)) valid for Callaway without additional plant-specific analysis.
4. No independent failures, other 4. The NUMARC 87-00 basis than those causing the SBO (Ref:2.4.2(4)) for this assumption is event, are assumed to occur in considered valid for Callaway and the course of the transient does not require plant specific (Ref:2.4.1(4)) justification.

Rev. OL-20 11/13

CALLAWAY - SP TABLE 8.3A-1 (Sheet 3)

5. AC power is assumed available 5. The NUMARC Basis for this 1 to necessary shutdown assumption (Ref: 2.4.2(5)) is equipment within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> from applicable to Callaway.Section II either the offsite or 1E sources of this table establishes Callaway (Ref: 2.4.1(5)) as a four-hour plant.

D. Reactor Coolant Inventory Loss D. Reactor Coolant Inventory Loss

1. Sources of RCS inventory loss 1. The NUMARC 87-00 basis for this include: (1) normal system assumption (Ref: 2.5.2) is valid for leakage, (2) losses from Callaway. This was confirmed by letdown, and (3) losses due to calculation using allowable system reactor coolant pump seal leakage of 11 gpm and reactor leakage. Expected rates of coolant pump seal leakage of reactor coolant inventory loss 25 gpm per pump. (Following under SBO conditions do not implementation of plant result in uncovering the core in modification MP 10-0009, reactor the four hour period. Therefore, coolant pump seal leakage can be makeup systems are not reduced to 1gpm per pump when required and sufficient head the shutdown seals (one for each exists to maintain core cooling pump) actuate). Letdown losses of under natural circulation 167 ft3 (125 gpm for 10 minutes (including reflux boiling). (Ref: until letdown isolation) and RCS 2.5.1) shrinkage of 2866 ft3 due to cooldown, were also considered.

E. Operator Action E. Operator Action

1. Operator action is assumed to 1. The NUMARC 87-00 basis (Ref:

follow plant operating 2.2.2) for this assumption is procedures for the underlying applicable to Callaway. Operators symptoms or identified event are trained in the use of plant scenario associated with a emergency procedures.

station blackout (Ref: 2.6.1)

F. Effects of Loss of Ventilation F. Effects of Loss of Ventilation

1. Equipment operability inside 1. The NUMARC 87-00 basis containment: temperatures (Ref:2.7.2(1)) for this assumption resulting from the loss of was verified to be valid for ventilation are enveloped by Callaway. Calculations LOCA and HELB environmental demonstrate that containment profile. (Ref:2.7.1(1)) temperatures during a four-hour SBO (173°F peak) are bounded by DBA temperatures (384.9°F peak).
2. Equipment Operability Outside 2. Equipment Operability Outside Containment Containment Rev. OL-20 11/13

CALLAWAY - SP TABLE 8.3A-1 (Sheet 4)

a. Areas containing equipment a. The NUMARC 87-00 basis for required to cope with a this assumption station blackout need only (Ref:2.7.2(2)(a)) is applicable to be evaluated if the area is a Callaway. Calculations dominant area of concern evaluated plant rooms and if the dominant area of containing SBO equipment concern has not been required for decay heat removal previously evaluated as a and determined that only the harsh environment due to a AFW turbine driven pump room high or moderate energy (Rm 1331) is a dominant area line break. The dominant of concern. Calculations also area of concern is the steam established the steady state driven AFW pump room. SBO temperatures for the The control room complex control room complex at will have a steady state <120°F. Existing plant temperature less than 120°F procedures provide instructions and is therefore considered for opening cabinet doors within to be of low concern with 30 minutes of the event onset.

regard to elevated temperature effects provided the doors of cabinets containing instrumentation and controls are opened within 30 minutes of the events onset.

(Ref:2.7.1(2)(a))

b. Loss of heating in the b. The NUMARC 87-00 basis for battery room does not result this assumption in a decrease in battery (Ref:2.7.2(2)(b)) is valid for electrolyte temperature Callaway. Battery capacity sufficient to warrant battery calculations used the minimum capacity concern for a design ambient of 60°F.

four-hour period. Because the normal operating (Ref:2.7.1(2)(b)) ambient exceeds the design minimum and because, under SBO conditions, the battery rooms are adjacent to warm rooms, further consideration of a loss of battery capacity is not required.

3. Control Room Habitability 3. Control Room Habitability Rev. OL-20 11/13

CALLAWAY - SP TABLE 8.3A-1 (Sheet 5)

a. Loss of cooling in the control a. The calculated control room room for a four hour period temperature of <120°F for does not prevent the Rooms 3605 and 3601 are operators from performing reasonably consistent with the necessary action NUMARC basis for this (Ref:2.7.1(3)) assumption (Ref:2.7.2(3)),

which assumes a 110°F temperature in the control room. This basis is considered applicable to Callaway.

G. Instrumentation and Controls G. Instrumentation and Controls

1. Actions specified in emergency 1. The NUMARC 87-00 basis for this procedures for station blackout assumption is applicable to are predicted on use of Callaway. A review was performed instrumentation and controls to verify that required powered by vital busses instrumentation and controls are supplied by station batteries. powered by vital busses supplied Appropriate actions will be by station batteries.

taken by operations personnel in the event of erratic performance or failure of shutdown instrumentation (Ref:2.9.1)

H. Containment Isolation Valves H. Containment Isolation Valves

1. Containment isolation valves 1. The NUMARC 87-00 basis for this either fail in the safe condition assumption (Ref:2.10.2) is in accordance with the design applicable to Callaway Plant. The basis of the plant or can be capability to obtain the required manually closed (Ref:2.10.1) containment integrity has been verified.

II. Required Coping Duration Category: II. Required Coping Duration Category: was Section 3 of NUMARC 87-00 provides generated to establish Callaway's a methodology for determining the required Coping Duration Category in required SBO coping duration. The accordance with NUMARC 87-00. The five step are: results are:

A. Determine the Offsite Power A. Callaway is in the P1 Offsite Power Design Characteristics Group, Characteristic Group; based on plant weather, grid, and switchyard features (Ref:3.2.1);

Rev. OL-20 11/13

CALLAWAY - SP TABLE 8.3A-1 (Sheet 6)

B. Classify the EAC power supply B. Callaway is in EAC power system configuration based on the configuration group C; redundancy of the emergency AC power system (Ref:3.2.2);

C. Determine the calculated allowed C. At the time of the 10CFR50.63 EDG target reliability based on the submittal (4/89), Callaway had an current reliability calculated above average reliability based on the last (Ref:3.2.3); and 100 demands of .986; D. Determine the allowed EDG target D. Callaway allowed EDG target reliability reliability based on the current is .95; and reliability calculated above (Ref:3.2.4); and E. Determine the required Coping E. Callaway's Coping Duration Category Duration Category based on the is 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.

results of A thru D above (Ref:3.2.5)

III. Coping with a Station Blackout Event: III. Coping With a Station Blackout Event:

Section 7 of NUMARC 87-00 provides Plant specific analyses have been an assessment procedure for coping performed to address the five step with an SBO. There are five steps to procedure outlined in NUMARC 87-00.

the procedure, addressing: The results, which demonstrate Callaway's ability to cope with a station blackout of four hour duration using the AC Independent approach, are summarized as follows:

A. Condensate Inventory for Decay A. Condensate Inventory for Decay Heat Heat Removal (Ref:7.2.1) Removal - A calculation using The purpose of this section is to plant-specific methodology was ensure adequate condensate performed to assure that adequate inventory for decay heat removal condensate inventory exists for decay during SBO for the required coping heat removal during a four-hour station duration. blackout. The calculated required condensate inventory is 160,000 gallons. The minimum permissible CST tank level per Tech. Specs.

provides 281,000 gallons of water, which exceeds the SBO requirement.

Rev. OL-20 11/13

CALLAWAY - SP TABLE 8.3A-1 (Sheet 7)

B. Assessing the 1E Battery Capacity B. Assessing the 1E Battery Capacity - A (Ref:7.2.2) calculation was performed to verify that Callaway's Class 1E batteries are adequately sized for a conservative 240 minute duty cycle with margins of 25% for aging and 25% for future load addition. This calculation used a 60°F electrolyte temperature which is the minimum design ambient temperature for the battery rooms. This calculation demonstrates adequate battery capacity, without load stripping, to support decay heat removal during a station blackout for the required four-hour coping period.

C. Compress Air (Ref:7.2.3) C. Compressed Air - The backup air The purpose of this section is to supply tanks for the auxiliary ensure that air operated valves feedwater control valves and the required for decay heat removal steam generator atmospheric steam have sufficient reserve air or can dump valves are adequately sized for be manually operated under SBO a four-hour supply. These valves are conditions for the required the only active valves requiring duration. periodic operation throughout the SBO.

D. Effects of Loss of Ventilation - the D. Effects of Loss of Ventilation -

purpose of this section is to Calculations were performed to determine the average steady state analyze rooms containing equipment temperature(s) for the dominant necessary for decay heat removal area(s) of concern and then to during the four-hour SBO. This assess required equipment calculation identified the Turbine operability within the dominant Driven Aux. Feedwater Pump Room, area(s) of concern. (Ref:7.2.4) the D.C. Switchboard Rooms, the Class 1E Battery Rooms, the Control Room Complex and the Main Feedwater/Steam Tunnel as potential dominant areas of concern. Of these, only Room 1331, the turbine driven aux. feedwater pump room, is considered a dominant area of concern requiring an assessment of equipment operability. The DC switchboard and Class 1E battery rooms, with respective steady state temperatures of only Rev. OL-20 11/13

CALLAWAY - SP TABLE 8.3A-1 (Sheet 8) 103.9°F and 93.7°F are not considered dominant areas of concern.

Room 1331 contains the following equipment required for SBO coping:

P-AL-02 Turbine Driven Aux Feedwater Pump and Controls AL-PT-0026 Pressure Transmitter for P-AL-02 Suction Pressure Room 1331 is classified as a mild environment, per FSAR Table 3.11(B)-2 the DBA temperature for this room is 148.6°F due to the effects of postulated pipe breaks. The four-hour steady state SBO room temperature is calculated to be 144.5°F. The DBA temperature, therefore, envelopes the SBO temperature.

Per the following discussions, P-AL-02 and AL-PT-0026 have been qualified for temperatures in excess of the 148.6°F DBA temperature:

Rev. OL-20 11/13

CALLAWAY - SP TABLE 8.3A-1 (Sheet 9)

1. The electronic control system for the Terry turbine is comprised of equipment originally supplied by Terry under spec. M-021 and the equipment upgrade supplied by Engine Systems Inc. under spec.

J-1070. The equipment supplied by Terry has been qualified at an accident temperature of 150°F for twelve hours and the remaining electrical accessories were qualified at accident temperatures of 212°F for six hours and 150°F for an additional six hours. The electronic equipment supplied by Engine Systems was qualified at a temperature of 150°F for continuous operation. The Limitorque operator for the trip and throttle valve was qualified for severe accident conditions for harsh environment application.

The temperature profile to which the valve operator was qualified includes a period of approximately 3 days at temperatures at or above 245°F.

2. AL-PT-0026 is a Rosemount model 1153AB6 which has been qualified for harsh environment applications.

The transmitter was designed for ambients up to 200°F and was tested at PWR HELB conditions that included a transient of 318°F for 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />.

Based on the above, there exists a high degree of confidence that P-AL-02 and AL-PT-0026 will be operable at the SBO steady state room temperature of 144.5°F.

Rev. OL-20 11/13

CALLAWAY - SP TABLE 8.3A-1 (Sheet 10)

E. Containment Isolation - the E. Containment Isolation - An analysis purpose of this section is to assure was performed to identify the that appropriate containment containment isolation valves of integrity can be provided during a concern and to assure the capability station blackout. It provides criteria for position indication and operation/

for identifying the containment closure, as required. This analysis isolation valves of concern and excludes ENHV0001/7 and provides steps to assure manual EJHV8811A/B because Tech. Specs.

operation and/or closure capability, require these valves to be closed as required. when operating at power.

Rev. OL-20 11/13

CALLAWAY - SP TABLE 8.3A-2 COMPARISON OF GRADED QA PROGRAM FOR STATION BLACKOUT WITH CRITERIA OF REGULATORY GUIDE 1.155, REV. 0, APPENDIX A QUALITY ASSURANCE GUIDANCE FOR NON-SAFETY SYSTEMS AND EQUIPMENT

1. Design Control and Procurement 1. Design Control and Procurement Document Control Document Control Measures should be established to 1.1 Design controls for station blackout ensure that all design-related activities shall be as described in guidelines used in complying with § the OQAM, Section 3.0, with the 50.63 are included in design and following clarifications.

procurement documents, and that deviations therefrom are controlled a. If an item is found to be one which must be available to function during a station blackout, but that item has not been classified as a station blackout item, then that item shall be evaluated to determine if that item must be modified to bring it into compliance with the requirements of 10CFR50.63.

b. Measures are taken to assure that the installation process of any new station blackout item will not degrade any existing item's ability to perform its intended function.
c. Measures will be taken to assure that, once installed, any new station blackout items will be independent, to the maximum extent practicable, of existing safety related components, systems and structures.
d. Measures are taken to assure that design changes to existing station blackout items do not degrade their own or any other required item's ability to perform its intended function.

Rev. OL-13 5/03

CALLAWAY - SP TABLE 8.3A-2 (Sheet 2)

e. The components required to function during a Station Blackout are identified, controlled and maintained current by the Callaway Equipment List program. This list is reviewed and updated following modifications of Station Blackout equipment.
f. ORC review is not required for temporary modifications prior to implementation.

1.2 The measures discussed above will include both the identification of these items as Special Scope Station Blackout items, and the inclusion of special requirements by the responsible Engineer for maintenance activities, operational considerations, inspections, and tests necessary to maintain a high degree of reliability.

1.3 Measures shall be established to ensure that applicable design requirements are specified and included in procurement documents and that deviations therefrom are controlled. QA provisions need not be specified in procurement documents where the design incorporates standard commercially available equipment and materials.

Rev. OL-13 5/03

CALLAWAY - SP TABLE 8.3A-2 (Sheet 3)

2. Instructions, Procedures and 2. Instructions, Procedures and Drawings. Drawings.

Inspections, tests, administrative 2.1 Design, procurement, installation, controls, and training necessary for inspection, maintenance and compliance with § 50.63 should be modification of components or prescribed by documented systems are accomplished in instructions, procedures and accordance with documented drawings and should be instructions, procedures, and accomplished in accordance with drawings. Controls for instructions, these documents procedures and drawings shall be as described in the OQAM, Section 5.0.

2.2 While this criterion is not required to be included in this program, documents are controlled as described in Callaway's administrative procedures.

2.3 Administrative procedures shall describe the activities, duties and responsibilities of the positions involved in the implementation of the station blackout program.

2.4 All necessary training related to the station blackout program shall be provided. This training shall be administered as part of the Callaway Plant training program.

3. Control of Purchased Material, 3. Control of Purchased Material, Equipment and Services Equipment and Services Measures should be established to Material, equipment and services ensure that purchased material, shall conform to procurement equipment, and services conform to documents as prescribed in Section the procurement documents. 1 of this program. Receipt inspection or installation inspection shall be utilized to assure that material and equipment conform to procurement documents.
4. Inspection 4. Inspection Rev. OL-13 5/03

CALLAWAY - SP TABLE 8.3A-2 (Sheet 4)

A program for independent 4.1 Maintenance or modifications to the inspection of activities required to station blackout equipment shall be comply with § 50.63 should be subject to inspection to assure established and executed by (or for) conformance to design and the organization performing the installation requirements. Such activity to verify conformance with inspections may occur as receipt documented installation drawings inspections or installation and test procedures for inspections, or both, as appropriate.

accomplishing the activities.

4.2 The installation of portions of the station blackout equipment shall be inspected where performance cannot be verified through preoperational tests.

4.3 Inspections are performed by individuals who are knowledgeable of station blackout design and installation requirements. These inspections are performed in accordance with procedures or checklists and shall include, as applicable, the following:

a. Identification of items/activities to be inspected.
b. Individuals/organizations responsible to perform inspections.
c. Referenced design documents and acceptance criteria.
d. Identification of the inspection method.
e. Documentation requirements.
f. Inspection results, inspection signoff.

Rev. OL-13 5/03

CALLAWAY - SP TABLE 8.3A-2 (Sheet 5) 4.4 Appropriate combinations of preventive maintenance, and inspections are performed periodically on station blackout equipment to assure high reliability of these items.

5. Testing and Test Control 5. Testing and Test Control A test program should be 5.1 Tests required by design or established and implemented to procurement documents to be ensure that testing is performed and performed onsite shall be performed verified by inspection and audit to in accordance with written demonstrate conformance with procedures, instructions or design and system readiness checklists to verify compliance with requirements. The tests should be design or system performance performed in accordance with requirements for station blackout.

written test procedures; test results Test results shall be documented.

should be properly evaluated and acted upon.

5.2 Appropriate tests shall be performed subsequent to modification or maintenance to confirm expected results. These results will provide a level of confidence in a structure, system, or component's operational or functional acceptability. The results of these tests shall be evaluated, with any deficiencies being corrected, prior to relying on the item to perform its intended function. Test results shall be documented.

5.3 Tests of significant changes to Emergency Operating Procecures (EOP's) are performed in accordance with Callaway's EOP Procedure Generation Package (PGP) and no additional requirements are imposed by this program.

Rev. OL-13 5/03

CALLAWAY - SP TABLE 8.3A-2 (Sheet 6) 5.4 While this criterion is not required by Regulatory Guide 1.155 to be included in this program, Measuring and Test Equipment (M&TE) is controlled as described in the administrative procedures.

6. Inspection, Test and Operating 6. Inspection, Test and Operating Status Status Measures should be establised to 6.1 The test or inspection status of a identify items that have satisfactorily station blackout item shall be passed required tests and identified. This identification will be inspections. as described in the OQAM, Section 14.0.

6.2 The operating status of a station blackout item shall be described in the administrative procedures.

7. Nonconforming Items 7. Nonconforming Items Measures should be established to Any station blackout item found to control items that do not conform to not conform with requirements specified requirements to prevent established by this program shall be inadvertent use or installation. controlled to prevent its inadvertent use or installation. These controls will be as described in the OQAM, Section 15.0.
8. Corrective Action 8. Corrective Action Measures should be established to Failures, malfunctions, deficiencies, ensure that failures, malfunctions, deviations, defective components, deficiencies, deviations, defective and nonconformances which affect components and nonconformances systems and components required are promptly identified, reported and to function per 10CFR50.63 shall be corrected. promptly identified, reported and corrected. This will be accomplished as described in the OQAM, Section 16.0.

Rev. OL-13 5/03

CALLAWAY - SP TABLE 8.3A-2 (Sheet 7)

9. Records 9. Records Records should be prepared and Records shall be maintained of the maintained to furnish evidence that activities described by this program.

the criteria enumerated above are These records will be maintained in being met for activities required to accordance with the OQAM, Section comply with § 50.63. 17.0.

10. Audits 10. Audits Audits should be conducted and Audits and surveillances of this documented to verify compliance program shall be performed to verify with design and procurement that the station blackout items are documents, instructions, being designed, procured, installed, procedures, drawings, and inspected, tested and maintained in inspection and test activities accordance with the applicable developed to comply with § 50.63. requirements and controls. These audits or surveillances will be performed in accordance with the OQAM, Section 18.0.

Rev. OL-13 5/03