ML16207A557

From kanterella
Revision as of 06:50, 6 May 2018 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
Jump to navigation Jump to search
South Texas, Units 1 and 2, Revision 18 to Updated Final Safety Analysis Report, Chapter 10, Steam and Power Conversion System
ML16207A557
Person / Time
Site: South Texas  STP Nuclear Operating Company icon.png
Issue date: 04/28/2016
From:
South Texas
To:
Office of Nuclear Reactor Regulation
Shared Package
ML16207A547 List: ... further results
References
NOC-AE-16003371
Download: ML16207A557 (146)


Text

STPEGS UFSAR 10.1-1 Revision 18 10.0 STEAM AND POWER CONVERSION SYSTEM 10.1 SUMMARY DESCRIPTION The Steam and Power Conversion System is designed to produce electrical power from heat produced by the Nuclear Steam Supply System (NSSS). The waste heat is rejected into the reservoir.

The condensed turbine exhaust steam is returned through feedwater (FW) heaters to the steam generators (SGs). Table 10.1-1 provides a summary of important design and performance characteristics of the Steam and Power Conversion System. The major components of the Steam and Power Conversion System are: main steam turbine, generator, main steam condenser, condensate pumps, condensate polishing demineralizer, Turbine Gland Sealing System including gland steam condenser, Turbine Bypass System, turbine-driven SG feed pumps, booster feed pumps, moisture separator drip tank pumps, closed-FW heaters, low-pressure (LP) heater drip pumps, moisture separator-reheaters (MSR), the startup FW pump and the deaerator. The heat rejected in the condenser is removed by the Circulating Water System (CWS). The guaranteed thermal rating of the NSSS (including pumping power) at Tavg of 593F is 3,874 MWt. When provided with FW at 442F, the SGs produce 17,213,512 lb/hr of steam at 1,053 psia at the guaranteed thermal rating. Figure 10.3-1 shows this portion of the Steam System with the appropriate nuclear safety-related systems classification.

The saturated steam produced by the SGs is passed through the high pressure (HP) turbine, where the steam is expanded and is then exhausted to two single-stage moisture separator reheaters in parallel arrangement. The moisture separators remove the moisture content of the steam, and the reheaters superheat the steam before it enters the LP turbines, where the steam is expanded further. Steam for the reheater is taken from the main steam (MS) system upstream of the HP turbine. From the LP turbines the steam is exhausted into the condenser, where it is condensed and deaerated. Figures 10.3-2 and 10.3-3 show the above portion of the Steam System. The condensate pumps take suction from the condenser hotwell and deliver the condensate through the condensate polishing demineralizer, the gland steam condenser, and the LP closed FW heater trains to the deaerator. The FW from the deaerator storage tanks is supplied to the FW booster pumps which feed the SG FW pumps. The SG feedwater pumps supply feedwater to the SGs through the HP FW heater train. Steam for heating the FW in the heating cycle is supplied from turbine extractions. The drains from the flash tank, which collects drainage from the fifth- and sixth-stage FW heaters (heaters no. 15 and no.16), is pumped forward by LP heater drip pumps to the condensate stream upstream of the fifth-stage FW heater (heater no. 15). The drains from the HP FW heaters (heater no. 11) are cascaded to the deaerator. The deaerator also receives pumped drains from the moisture separator drip tanks and the LP FW heaters (heaters no. 13 and no.14) are cascaded to the next lower pressure FW heater.

Figures 10.4.7-1 and 10.4.7-2, Condensate; Figures 10.4.7-3 and 10.4.7-4, FW; Figure 10.3-4, Extraction Steam; and Figures 10.4.7-5, 10.4.7-7, and 10.4.7-9, Heater Drips, show these systems as described.

The turbine is a tandem-compound, six-flow, 1,800-rpm machine installed outdoors on a turbine pedestal. Steam is supplied to the unit at a throttle pressure of 1,023 psia and 0.10 percent moisture from four SGs.

The turbine guaranteed rating is 1,311,838 kW at a backpressure of 3.5 in. Hg abs. and 0 percent makeup.

STPEGS UFSAR 10.1-2 Revision 18 Turbine overspeed protection is discussed in Section 10.2.

The rating of the electric generator is 1,504,800 kVA, 60 Hz, 0.90 power factor, and short circuit ratio equal to 0.63 for Unit 1 and 0.58 for Unit 2 corresponding to the maximum expected turbine capability at 1.5 in. Hg condenser pressure. The turbine shaft and the SG feed pump turbine shafts are sealed to prevent inleakage of air to the turbines or outleakage of steam. The three-shell condenser is of the single-pass type. Circulating water for the condenser is provided from a reservoir, where heat is primarily rejected into the atmosphere by surface evaporation and radiation.

Three condenser vacuum pumps are provided for hogging the condenser before startup and continuous air removal during operation.

A condensate polishing demineralizer system is provided for removing impurities and facilitating good feedwater purity control.

To enable the NSSS to follow turbine load reductions which may exceed transient load-changing capabilities, the Turbine Bypass System, designed for 40 percent of rated steam flow, is provided to give a maximum load rejection capability, in conjunction with a 10 percent reactor power decrease, of 50 percent rated steam flow without a trip. An Auxiliary Feedwater System (AFWS) primarily functions to supply FW to the SGs whenever the normal FW supply is not available. It is also available during hot and cold shutdown to back up the main FW system. No radiation shielding is required for the components and piping of the Steam and Power Conversion System.

The system safety-related components included in the Steam and Power Conversion System are: Main steam isolation valves (MSIVs) and MSIV bypass valves SG power-operated relief valves SG safety valves MS lines extending from the SG to the downstream side of the torsional and moment restraint located in the Isolation Valve Cubicle (IVC) wall. FW isolation valves FW lines from the upstream side of the torisional and moment restraint located in the IVC wall to the SG AFW System CN-3087 STPEGS UFSAR 10.1-3 Revision 18 Steam supply to the steam-driven AFW pump turbine Turbine limit switches and pressure switches for reactor trip on turbine trip system. Overpressure protection for the Steam and Power Conversion System is provided by the SG safety valves, which are in accordance with the American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel (B&PV) Code,Section III. Further discussion of these valves is provided in Section 10.3. Loss of external electrical load and/or turbine trip is discussed in detail in Chapter 15 along with other accidents which affect the Steam and Power Conversion System.

Under normal operating conditions, there are no detectable radioactive contaminants in the Steam and Power Conversion System. The system is monitored for any increase in radioactivity as discussed in Chapter 11. Also discussed in Chapter 11 are the radiological aspects of primary-to-secondary system leakage resulting from SG tube leaks. The criteria and bases of the various steam and condensate systems instrumentation are to monitor system variables to provide maximum plant availability, automatic control of equipment, and identification of abnormal conditions. Safety-related steam and condensate instrumentation is designed to meet the appropriate guidelines of Regulatory Guides (RGs) 1.29, 1.22, and 1.62 and Institute of Electrical and Electronic Engineers (IEEE) 279. These instruments are protected from the effects of earthquake, flood, missiles, pipe whip, and jet impingement, as applicable. Failure of nonsafety-related portions do not affect the safety functions of the instrument systems.

Sections 7.3, 7.4 and 7.5 describe the required safety instrumentation associated with the steam and condensate systems. All remaining steam and condensate instrumentation systems are nonsafety-related and are used for normal operation. All steam and condensate systems instrumentation is shown on the Chapter 10 figures.

STPEGS UFSAR 10.1-4 Revision 18 TABLE 10.1-1 SUMMARY OF IMPORTANT DESIGN AND PERFORMANCE CHARACTERISTICS OF THE STEAM AND POWER CONVERSION SYSTEM (1) 1. Turbine Generator Data: Manufacturer Westinghouse Type TC6F 40 Number of cylinders 1 HP, 3 LP Net generator output, kW (maximum guaranteed) 1,311,838 2. Cycle Data: Gross heat rate, Btu/kW hr (NSSS rated power) 9,907.1 Design condenser pressure, in. Hg abs. 3.5 Final FW design temperature, F 440 3. Steam Conditions at Throttle Valve (NSSS rated power): Flow, lb/hr 15,708,821 Pressure, psia 1,023 Temperature,F 547.4 Enthalpy, Btu/lb 1,189 Moisture content, percent 0.47 4. Turbine Cycle Arrangement: Steam reheat stages 1 Number of FW heating stages 6 Heater drip system Pumped forward MS turbine bypass capacity, percent 40 5. Condenser Design Data: Number 1 Turbine exhaust steam at valve wide open, lb/hr 8,855,105 Condensate outflow, lb/hr 9,325,017 Condenser duty, Btu/hr 8,623,000,000 Condenser pressure, in. Hg abs. 3.5 Circulating water flow, gal/min 906,957 Number of shells 3 Number of passes 1 Circulating water inlet temperature,F (max) 95 Circulating water outlet temperature,F (max) 114 Turbine bypass steam, lb/hr (40-percent) 6,903,903 (1) All operating conditions are based on RCS Tavg of 593F STPEGS UFSAR 10.1-5 Revision 18 TABLE 10.1-1 (Continued) SUMMARY OF IMPORTANT DESIGN AND PERFORMANCE CHARACTERISTICS OF THE STEAM AND POWER CONVERSION SYSTEM (1) 6. Auxiliary Feedwater Storage Tank: Number 1 Capacity, gal 525,000 Technical Specification required volume, gal 485,000 Material of construction Concrete, stainless steel lined 7. Demineralized Water Storage Tank: Number 1 (serves both Units 1 and 2) Capacity, gal 1,000,000 Material of construction Carbon steel, corrosion resistant interior coating 8. Condensate Pumps: Number 3 Capacity 50% Type Vertical can Flow, gal/min 8,000 Design total dynamic head, ft 1,430 Motor, hp 4,000 9. SG Feed Pumps: Number 3 Type Horizontal, 1 Stage Flow, gal/min 15,750 Design total dynamic head, ft 2,420 Turbine driver, hp 10,000 10. Low-Pressure Heater Drip Pumps: Number 3 Type Vertical, 6 Stage Flow, gal/min 1,650 Design total dynamic head, ft 800 Motor, hp 800 (1) All operating conditions are based on RCS Tavg of 593F STPEGS UFSAR 10.1-6 Revision 18 TABLE 10.1-1 (Continued) SUMMARY OF IMPORTANT DESIGN AND PERFORMANCE CHARACTERISTICS OF THE STEAM AND POWER CONVERSION SYSTEM (1) 11. Feedwater Booster Pumps: Number 3 Type Horizontal, 1 Stage Flow, gal/min 21,740 Design total dynamic head, ft 410 Motor, hp 2,500 12. Circulating Water Pumps: Number 4 Type Vertical, mixed flow Flow, gal/min 226,850 Design head, ft 45 Motor, hp 3,500 13. Auxiliary Feedwater Pumps: a. Motor-Driven Number 3 Type Centrifugal, horizontal, multistage Flow, gal/min 540 Design total dynamic head, ft 3,600 Motor, hp 800 b. Turbine-Driven Number 1 Type Centrifugal, horizontal, multistage Flow, gal/min 540 Design total dynamic head, ft 3,600 Turbine, hp 663

(1) All operating conditions are based on RCS Tavg of 593F STPEGS UFSAR 10.1-7 Revision 18 TABLE 10.1-1 (Continued) SUMMARY OF IMPORTANT DESIGN AND PERFORMANCE CHARACTERISTICS OF THE STEAM AND POWER CONVERSION SYSTEM (1) 14. Condenser Hotwell Makeup Pumps: Number 2 Type Centrifugal, horizontal Flow, gal/min 1000 Design total dynamic head, ft 100 Motor, hp 40 15. Steam Generator Recirculation Pumps: Number 4 Type Centrifugal, horizontal Flow, gal/min 150 Design total dynamic head, ft 210 Motor, hp 20 16. Moisture Separator Drip Pumps: Number 4 Type Centrifugal, horizontal, Flow, gal/min 1150 Design total dynamic head, ft 220 Motor, hp 100 17. Deleted 18. Feedwater Heaters: a. Extraction Stage No. 1 Type Closed, horizontal, U-tube Number of shells 2 (1) All operating conditions are based on RCS Tavg of 593F STPEGS UFSAR 10.1-8 Revision 18 TABLE 10.1-1 (Continued) SUMMARY OF IMPORTANT DESIGN AND PERFORMANCE CHARACTERISTICS OF THE STEAM AND POWER CONVERSION SYSTEM (1) b. Extraction Stage No. 2 (Deaerating FW Heater) Type Open, horizontal, tray type Number of storage tanks 2 Storage capacity, gal. 195,000 c. Extraction Stage No. 3 Type Closed, horizontal, U-tube Number of shells 2 d. Extraction Stage No. 4 Type Closed, horizontal, U-tube Number of shells 2 e. Extraction Stage No. 5 Type Closed, horizontal, U-tube Number of shells 3 f. Extraction Stage No. 6 Type Closed, horizontal, U-tube Number of shells 3 (1) All operating conditions are based on RCS Tavg of 593F STPEGS UFSAR 10.1-9 Revision 18 TABLE 10.1-1 (Continued) SUMMARY OF IMPORTANT DESIGN AND PERFORMANCE CHARACTERISTICS OF THE STEAM AND POWER CONVERSION SYSTEM (1) 19. Secondary Makeup Tank: Number 1 Capacity, gal 300,000 Material of construction Stainless steel plate 20. Start-up Steam Generator Feedwater Pumps: Number 1 Type Horizontal Flow, gal/min 8700 Design total dynamic head, ft 2510 Motor, hp 7000 21. Moisture Separator Reheater: Number of shells 2 Surface area (each), ft2 29,675 Dimensions: Length, ft-in. Shell OD, in. 92-10 12-9

(1) All operating conditions are based on RCS Tavg of 593F STPEGS UFSAR 10.2-1 Revision 14 10.2 TURBINE GENERATOR 10.2.1 Design Bases The function of the turbine generator (TG) is to receive steam from the steam generators (SGs), economically convert a portion of the thermal energy contained in the steam to electric energy, and provide extraction steam for six stages of feedwater (FW) heating. The TG serves no safety function and has no safety design basis. The TG is designed with the following capabilities:

1. The TG is intended for base load operation.
2. The turbine generator load-change characteristics are compatible with the restrictions imposed by or on the Nuclear Steam Supply System (NSSS). The NSSS is capable of accepting a step load change of 10 percent and ramp load change of 5 percent per minute over the load range of 15 to 100 percent. These load change rates can be accomplished without the operation of the Turbine Bypass System (TBS) described in Section 10.4.4.With operation of the TBS, the reactor can accept step load rejections of up to 40 percent of rated thermal power without causing a reactor trip by bypassing steam to the condenser and, if required, to atmosphere.

With the reactor power decrease and the TBS, the reactor can accept a step load rejection of 50 percent without causing a reactor trip. 3. The TG is designed to accept a sudden loss of full load without exceeding design overspeed.

4. The TG is designed to permit periodic testing under load of steam valves which are necessary for overspeed protection, emergency overspeed trip circuits, and several other trip circuits. 5. The failure of any single component will not cause the rotor speed to exceed the design overspeed.6. Unlimited access to all levels of the turbine area under all operating conditions is provided.
7. The TG is designed to trip automatically under abnormal conditions as designated in Section 10.2.2.9.The TG is manufactured according to manufacturer standards. Turbine disk materials are in accordance with Reference 3.5-2. 10.2.2 System Description 10.2.2.1 General. The main turbine is a tandem-compound unit, consisting of one double-flow high-pressure (HP) turbine and three low-pressure (LP) turbines, running at 1,800 rpm.Exhaust steam from the HP turbine passes through two single-stage moisture separator reheaters (MSRs) before entering the LP turbines. The exhaust steam from the three LP turbines is condensed in the condenser. The connection from the LP turbine to the condenser is physically separated from the turbine overspeed protection equipment. CN-2821 STPEGS UFSAR 10.2-2 Revision 14 During normal operation the main lubricating oil pump is driven by a take-off from the main turbine shaft. During startup or shutdown, an AC motor-driven pump supplies bearing oil to the TG. A DC motor-driven oil pump is provided in case of loss of AC power. The piping and instrument diagrams (P&IDs) for the Turbine Lube Oil System and Electrohydraulic Fluid System are shown in Figures 10.2-7 and 10.2-8. The general arrangement drawings of the TG System are listed in Table 1.2-1. 10.2.2.2 Main Steam Line and Inlet Features. Steam is transferred from four SGs to the turbine via main steam (MS) lines. The steam lines are headered upstream of the turbine throttle and governor valves. The main turbine bypass valves are located downstream of the MS equalizing header and permit steam bypass to the main condenser during transient conditions (see Figures 10.3-1 through 10.3-3). The MS System is discussed in Section 10.3. The turbine is provided with two separate side-mounted steam chests located on each side of the HP element above the operating floor. Each such assembly consists of two stop-throttle valves and two governing control valves. Each throttle valve contains a permanent strainer to prevent foreign matter from entering the control valves and the turbine. Each inlet throttle valve has an internal pilot valve which is designed for throttling operation and is used to bring the unit up to synchronous speed. Each throttle valve, with separate and independent controls, is hydraulically opened and spring-closed.

The major function of these throttle valves is to shut off the flow of steam to the turbine in the event the unit overspeeds beyond the setting of the overspeed trip or when other protective devices function. The four governing control valves take control of the unit at 90-percent synchronous speed and regulate the flow of steam to the HP turbine. Each governing control valve, with independent and separate controls, is hydraulically opened and spring-closed. Due to the series arrangement of the valves, individuality of controls and the actuation of all operable valves by the overspeed trip function, a single failure of any of the above valves cannot disable the turbine overspeed trip functions. 10.2.2.3 High-Pressure Turbine. The HP turbine element is of the double-flow design and as such is inherently thrust-balanced. Steam from the four control valves enters at the center of the turbine element through four inlet pipes, two in the base and two in the cover. These pipes feed four double-flow nozzle chambers which are flexibly connected to the turbine casing. Each nozzle chamber is free to expand and contract relative to the adjacent chambers. Steam leaving the nozzle chambers passes through the control stage and flows through the reaction blading. The reaction blading is mounted in blade rings, which in turn are mounted in the turbine casing. The blade rings are center-line-supported to ensure center alignment while allowing for differential expansion between the blade ring and the casing. Extraction steam from the HP turbine is used for heating in HP FW heater No. 1. Steam exhausts from the HP turbine cover and base, through crossunder piping to the combined MSR assemblies.

Turning vanes at the piping elbows minimize pressure drop and flow disturbance.

STPEGS UFSAR 10.2-3 Revision 14 10.2.2.4 Combined Moisture Separator Reheaters. The turbine is provided with two horizontal cylindrical shell MSR assemblies. These assemblies are located on the turbine operating floor with one MSR on either side of the turbine. Steam from the exhaust of the HP turbine is conducted to the assemblies in crossunder piping. A portion of the steam from the crossunder piping is used in the deaerator. Internal manifolds in the MSR assemblies distribute the wet steam. The wet steam then flows through demisters, where the moisture is removed. The upper section of each MSR shell has two tube bundles; steam leaving the moisture separator flows over the bundles, where it is heated by MS taken from the MS equalizing header. This reheating ensures that the steam entering the LP element has a relatively high degree of superheat (approximately 150F of superheat at rated NSSS power heat balance conditions). The reheated steam leaves through openings in the top of each MSR shell, flows through the reheat stop and intercept valves, and enters at the side of each LP turbine. Steam is taken from the MSR No. 11 (East) shells for the three SG feed pump turbines.

10.2.2.5 Low-Pressure Turbine. Three double-flow LP turbine elements are arranged in tandem with the HP turbine. The LP turbine elements are fabricated from steel plate to provide uniform wall thickness, thus reducing thermal distortion to a minimum. The annulus between the inner and outer casings is subjected to low temperature exhaust steam from the LP turbines. The temperature drop from the crossover steam temperature to the exhaust steam temperature is taken across two walls, an inner cylinder, and a thermal shield. This prevents the full temperature drop across any one wall, also holding thermal distortion to a minimum. The fabricated inner cylinder is supported at the horizontal centerline and fixed transversely at the top and bottom by dowel pins.

The inner cylinder is surrounded by the thermal shield. The steam leaving the last row of blades flows into the diffusing section of the exhaust system, which improves turbine efficiency. The shape of the diffusing section dictates the static pressure variation that occurs between the condenser inlet and the last blade exit. 10.2.2.6 Generator. The generator has a hydrogen-cooled rotor, a liquid-cooled stator, and a brushless exciter. It is sized to accept the gross output of the turbine with admission valves fully open. It is a direct-coupled, 60-Hz, three-phase unit. It is rated at 1,504,800 KVA, 0.90 power factor, and 25,000 volts. Generator rating is in accordance with ANSI Standard C50.10, and temperature rise and insulation class are in accordance with National Electrical Manufacturer's Association standards for a Class B insulation system. The housing is designed to operate in 75 psig hydrogen gas pressure.Hydrogen is used to cool all the generator internals, exclusive of the stator coils, which are cooled with water. The hydrogen in the generator is circulated by means of a multistage axial flow blower mounted in the exciter end of the generator housing. A multi-section water-to-hydrogen cooler is employed to cool the hydrogen after it is discharged from the blower. The hydrogen leaving these hydrogen coolers is directed to both ends of the rotor through axial ducts in the stator.

STPEGS UFSAR 10.2-4 Revision 14 Water for cooling the generator stator winding is circulated by two AC motor-driven pumps through a water-to-water heat exchanger (HX) of sufficient capacity to limit the temperature of the stator coil discharge water to approximately 176F.A water tank pressurized by hydrogen is provided to maintain the pressure of the water-cooled system above atmospheric pressure to prevent oxygen from entering the system. The water pressure is maintained below the hydrogen pressure in the generator housing to avoid any possibility of water leaking into the machine. Should any small leaks occur in the windings, hydrogen would leak into the water, rather than water leaking into the machine. Should a leak occur, the gas pressure in the water tank tends to rise, and excess gas is vented into the atmosphere. A gas meter located in this vent line measures the gas vented through the line and gives an indication of any leak which might occur. Hydrogen for cooling the generator is stored outdoors. The storage facilities are shown on Figure 1.2-3. 10.2.2.7 Electrohydraulic Control System. The TG unit is provided with an Analog Electrohydraulic Control (EHC) System which is designed and operated as described below. 10.2.2.7.1 Turbine Valves: Figure 10.2-1 is a schematic picture of a TG provided with the EHC System. The turbine is equipped with the following steam valves: 1. Throttle valves

2. Governor valves
3. Reheat stop valves
4. Interceptor valves The throttle valves control the steam flow for wide-range speed control during startup, and the governor valves control the steam flow for synchronizing and load control.The interceptor valves control the steam flow from the MSRs to the LP turbines. The reheat stop valves provide backup protection for the interceptor valves on a turbine trip. 10.2.2.7.2 Valve Position Actuators: The schematic diagram for the servo-actuators used for the governor and throttle steam valves which require proportional position control is shown on Figure 10.2-2. The flow of HP fluid to the actuator is controlled by a servo-valve. The position control signals are summed at the servo-amplifier, resulting in a position error signal. The servo-amplifier modulates the servo-valve in response to this error signal to accurately position the actuator and steam valve. The servo-valves are mechanically biased to assure a fail-safe operation on loss of the electrical signal.A dump valve with the pilot actuated by the emergency trip header provides quick closing independent of the electrical system. When the header pressure is released, the operating fluid is diverted to drain. Heavy springs on the valve assembly provide the force for quick closing.

STPEGS UFSAR 10.2-5 Revision 14 The open-close control characteristics required for the reheat stop and interceptor valves simplify these actuator assemblies. The servo-valves and the linear variable differential transformer are not required for the reheat stop and interceptor valves.The same isolation and dumping features are used and, in addition, a solenoid valve provides the facility to close and open the steam valves as required for speed control and testing. 10.2.2.7.3 Fluid Supply System: The HP Fluid Supply System is shown on Figure 10.2-3. A dual pump arrangement is used. The pumps are variable displacement, constant pressure pumps.

The HP fluid is discharged through filters and stored in a bank of nitrogen-charged, piston-type accumulators. 10.2.2.7.4 Emergency Trip System: The HP fluid trip headers connected to each valve actuator assembly are controlled by a diaphragm-operated emergency trip valve and solenoid valves as shown on Figure 10.2-4. The mechanical overspeed trip device controls the diaphragm-operated emergency trip valve. When the trip valve is opened either by overspeed or other emergency conditions, the pressure in the two headers is released, initiating quick closing of all steam valve actuators. A solenoid valve arrangement controls the trip header for the governor and interceptor valves. These solenoid valves are energized by the overspeed protection controller to limit overspeed. Each interceptor valve is equipped with a separate solenoid valve mounted on the actuator block as mentioned before. These solenoid valves are energized to close the interceptor valves during a partial load loss to limit the accelerating steam torque acting on the unit. They are also energized during valve testing. 10.2.2.7.5 Electronic Controller:1. Digital Reference For control from the operator's panel in the control room, the desired speed or load reference is placed in the setter by means of push buttons and is also displayed on the operator panel. The controller is activated on command and controls the acceleration or loading data at the preselected rate in the appropriate direction.The actual value of the speed or load is also displayed continually on the operator's panel. A block diagram is shown on Figure 10.2-5. 2. Automatic Governor Valve Control and Manual Governor Valve Control The governor valve system consists of an automatic controller and position controls for each valve.The control valves are positioned in sequence as required by the turbine design requirements. The manual controller serves as a backup and provides direct operator control over the valve position.The automatic and manual controllers track each other. 3. Valve Position Limit The valve position limit controller modifies the automatic governor valve controller output and is activated by the operator.

STPEGS UFSAR 10.2-6 Revision 14 4. Overspeed Protection Controller This controller is based on the anticipation principle. A block diagram is shown on Figure 10.2-6. The electrical output of the generator is measured and compared to the reheat steam pressure value, measured at the LP turbine inlet, which represents the energy input to the TG. If a given mismatch is present after a partial load drop, the interceptor valves are closed and opened after a certain time delay.5. Turbine Operation from Turbine Tripped to Full Load a. Turbine Tripped In the tripped condition the throttle, governor, reheat stop, and interceptor valves are all closed. b. Turbine Latched All valves, except the throttle valves, open wide when the turbine is latched. The throttle valves stay closed. c. Wide-Range Speed Control During wide-range speed control, the generator breaker is open and the turbine is latched. In wide-range speed control, the operator-indexed digital reference operates as a speed reference signal. The TG is accelerated to rated speed. A transfer from throttle valve to governor valve control must be made before synchronizing. At this time, the throttle valves open wide and the governor valves control the steam flow and the turbine speed. d. Synchronization and Initial Loading The generator is synchronized to the line system by the operator indexing the digital reference. When the operator closes the generator breaker, a generator breaker auxiliary contact indicates breaker closure to the EHC System, initiating the following events: 1) The digital reference as a variable speed reference is replaced by a fixed value equal to synchronous speed. 2) The digital reference is set equal to a value which will position the governor valves to produce 10-percent load. 3) The governor valves are positioned proportionally to the sum of the digital reference and frequency error signals. e. Impulse Chamber Pressure STPEGS UFSAR 10.2-7 Revision 14 The control valves have a nonlinear position-steam flow characteristic. However, the linear relationship of impulse chamber pressure to steam flow and load is used as turbine load feedbacking. The impulse chamber pressure feedback is activated by the operator. The EHC System has a proportional plus integral characteristic in this mode of operation. The digital reference controls the load when the impulse chamber pressure feedback is in service. Load control is also possible with the impulse chamber pressure feedback out of service. However, in this case, no linear relationship exists between the digital reference and the actual load. f. Operator's Panel The operator's panel contains all the indicators and controls for the control of turbine speed and load, as well as the controls for latching the overspeed trip and selecting the various modes of operation and valve test. Cables connect the operator's panel and the controller. g. Maintenance Provisions have been incorporated in the design of the EHC System to perform maintenance on the hydraulic system with the unit in operation. The pumping system is redundant. Dual pumps and motors, dual HP filters, dual return filters, and HXs are provided. Any of these devices can be replaced with the unit in service by shutting down one system and operating on the other system. The accumulators are connected to a manifold control block which permits the base charge to be checked in each accumulator with the unit in operation. The electronic controller has a maintenance panel which contains a built-in digital voltmeter and selector switches for checking throttle and governor valve servo-actuator signals and other analog signals. All control system adjustments are performed on this panel. 10.2.2.8 Turbine Overspeed Protection. There are no safety-related systems or portions of safety-related systems located in the Turbine Building except Class 1E limit switches and pressure switches as described in Section 7.2 for reactor trip on turbine trip. The following design features have been incorporated to ensure that any pipe rupture resulting in damage to an overspeed protection device would not prevent turbine trip. 1. Physical separation of "trip" devices

2. Fail-safe condition of relays
3. Effective redundancy of "trip" devices STPEGS UFSAR 10.2-8 Revision 14 4. Mechanical overspeed trip device These overspeed protection devices are diverse and redundant and incorporate electro-mechanical and mechanical systems which assure a turbine trip after single pipe rupture in the Turbine Building.

Three electro-mechanical speed sensors are located in the governor pedestal and one electro-mechanical and mechanical speed sensor is located in the turning gear pedestal. The normal condition of these relays is energized; therefore, any pipe rupture which damages these relays will deenergize them and cause the turbine to trip. The mechanical overspeed trip mechanism consists of an eccentric weight mounted in the end of the turbine shaft, which is balanced in position by a spring until the speed reaches 111 percent. The weight's centrifugal force then overcomes the spring and the weight flies out, striking a trigger that trips the overspeed trip valve releasing the auto-stop pressure to drain. Electrical failures have no effect upon the operation of this device. A description of the mechanical overspeed trip mechanism is also given in Section 10.2.2.8.3. The overspeed protection hierarchy is discussed in Section 10.2.2.8.3. The EHC system is shown in Figure 10.2-1 and the governor trip system is shown in Figure 10.2-4. 10.2.2.8.1 Valve Design: Redundancy is accomplished by providing throttle and governor valves. Separate reheat stop and interceptor valves provide redundancy in the valving between the MSR and the LP turbine. 10.2.2.8.2 Speed Sensing: In addition to the mechanical overspeed trip weight, three electromagnetic speed sensors are located in the governor pedestal and one is located in the turning gear pedestal. The following devices are provided:

1. Mechanical Overspeed Trip Weight This is a spring-loaded bolt located in a radial drilling of the turbine stub shaft (governor pedestal). The center of gravity of the bolt is located outside of the shaft center. 2. Electromagnetic Speed Pickups a. A speed pickup monitoring the turbine shaft rotation is used by the turbine supervisory instruments for speed indications and recordings. b. A speed pickup is used in the electrical overspeed trip device. This pickup is located in the turning gear pedestal to provide physical separation from other speed-sensing devices. c. There are additional pickups which are not relevant for overspeed protection. They are used for phase angle indications and spares.

STPEGS UFSAR 10.2-9 Revision 14 10.2.2.8.3 Overspeed Protection Hierarchy:1. Main Speed Control Loop When the generator breaker opens, the electronic controller speed control loop uses the value of rated speed as its setpoint. Thus, when the unit exceeds rated speed, the governor valves move to the closed position. 2. Overspeed Protection Controller (Breaker Status)

If the unit is carrying more than 30 percent load and the generator breaker opens, the governor and interceptor valves are closed rapidly. Speed is maintained below the overspeed trip point. The interceptor valves are oscillated between closed and partially open until the reheater steam is dissipated. This oscillation is controlled by the acceleration responsive auxiliary governor. After turbine speed has decreased, the auxiliary governor releases control to the normal speed control governor.

Thereafter, the governor valves take over speed control and maintain rated speed if the control system is in automatic. The TG coasts down to turning gear operation if the system is in manual. 3. Overspeed Protection Controller (103 Percent Speed Setpoint)

The governor and interceptor valves are closed rapidly when the unit exceeds 103 percent of rated speed and remain closed until the speed drops below 103 percent. Thereafter, the valves function as described under Section 10.2.2.8.3 (2) above. 4. Mechanical Overspeed Trip Weight If the speed reaches the setpoint of the trip weight (as a standard, 111 percent of rated speed) all steam valves are tripped (throttle, governor, reheat stop, and interceptor valves). The trip is accomplished by releasing the auto-stop oil pressure when the overspeed trip weight operates the mechanical trip lever. Speed is maintained below 120 percent of rated speed.

The unit coasts down to turning gear operation. 5. Electrical Overspeed Trip The electrical overspeed trip channel is independent of the control system and uses a pickup located in the turning gear pedestal. When the speed reaches the trip point (as a standard, 111 percent of rated speed), steam valves are tripped by deenergizing trip solenoids in the electrohydraulic fluid lines. Speed is maintained below 120 percent of rated speed. The unit coasts down to turning gear operation. 6. Valve Closure Times All the above valves close in 150 milliseconds or less, to provide additional protection to the main generator.

STPEGS UFSAR 10.2-10 Revision 14 7. Extraction Nonreturn Valves Upon loss of load, the steam contained within turbine extraction lines could flow back into the turbine, across the remaining turbine stages, and into the condenser. Condensate contained in feedwater heater will flash to steam under this condition and contribute to the backflow of steam. To guard against this backflow of steam and the contribution it would make to a rotor overspeed condition, each extraction line to FW heaters 11A and B, 13A and B, and 14A and B has a bleeder trip valve and a motor-operated isolation valve. This is shown on Figure10.3-4. The motor-operated isolation valve serves no function in stable operation after a turbine trip. Bleeder trip valves are power-assisted nonreturn valves with a free-swinging clapper which is held open by steam flow in operation and closes of its own weight when steam flow is zero.

In addition, the clapper is closed rapidly by a reverse flow of steam into the turbine. An actuation is provided as a backup which partially closes the clapper should it stick for any reason. The clapper is free to close rapidly when reverse flow of fluid into the turbine occurs, even if the actuator does not close. The actuator also assists in rapid closing of the clapper by driving it quickly into the reverse flow stream to take advantage of the additional closing force exerted by this flow and the additional pressure drop resulting from the reduced flow area. The actuators are held open by air pressure and are spring-loaded to close upon loss of air pressure. The actuators are closed upon a turbine trip by redundant electrical and mechanical mechanisms. Each actuator uses a three-way solenoid located close to the actuator to dump air rapidly upon turbine trip. The electrical trip is backed up by an oil-operated air pilot valve which mechanically cuts off the common air supply and dumps air from the bleeder trip valve air header when the turbine is tripped. Similar valves are provided in the extraction lines to the deaerator. Because backflow from these lines would be isolated from downstream turbine stages by the reheat stop and intercept valves, the bleeder trip valves in the deaerator extraction lines actually do not have a function in preventing turbine overspeed. No bleeder trip valves are provided in the extraction lines to FW heaters 15A, B, and C, and 16A, B, and C. These are the two lowest pressure extraction points. These FW heaters, which are located in the condenser neck, use anti-flash baffles to control the rate of energy input to the turbine after a trip. The turbine manufacturer has performed an analysis of turbine operation after a sudden loss of load, including the actual volumes of extraction steam upstream of the bleeder trip valves, actual steam and water volumes in the heaters which do not have bleeder trip valves, and assuming the worst case bleeder trip valve sticks open. The resulting maximum speed is within the design envelope. (Closure time is on the order of one second). Provisions are included for periodic testing of the bleeder trip valves as recommended by the turbine manufacturer. These valves will be tested on a monthly basis as recommended by the turbine manufacturer.

STPEGS UFSAR 10.2-11 Revision 14 10.2.2.8.4 Overspeed Protection Safety Evaluation: The Overspeed Protection System meets the single failure criteria by providing independent means described above to maintain the turbine speed within acceptable limits. 10.2.2.9 Turbine Protective Devices. Turbine protective devices and control room annunciations are provided as follows: 1. Thrust-bearing wear pressure switches for trip and alarm 2. Atmospheric relief diaphragms in each LP turbine outer casing

3. Water spray system to avoid excessive exhaust temperature
4. Low bearing oil pressure switches for trip and alarm
5. Low vacuum pressure switches for trip and alarm
6. Excessive TG vibration monitors for alarm
7. Water detection thermocouples for alarm
8. Overspeed pickup for trip and alarm The following are the turbine protective trips which are independent of the EHC system and , when initiated, cause tripping of all turbine admission valves, reheat stop valves, and interceptor valves. 1. Overspeed trip
2. Condenser low-vacuum trip
3. Excessive thrust-bearing wear trip
4. Reactor trip (The reactor trip system is discussed in Section 7.2.)
5. Remote trip which includes electrical equipment protection trip and loss of stator cooling water trip 6. Low bearing oil pressure trip
7. Manual turbine trip from control room
8. Manual turbine trip at turbine CN-2821 10.2.3 This Section Deleted 10.2.4 Inservice Inspection STPEGS UFSAR 10.2-12 Revision 14 The inservice inspection program for the turbine assembly includes the disassembly of the turbine and complete inspection of parts that are normally inaccessible, such as couplings, coupling bolts, turbine shafts, low pressure turbine buckets, low pressure wheels, and high pressure rotors. The turbine inspection will be done in sections during the refueling outages so that in 10 years a total inspection has been completed at least once. This inspection consists of visual and surface examinations. At approximately 36- to 39-month intervals, at least one throttle valve, one governing control valve, one reheat stop valve, and one interceptor valve shall be dismantled. Visual and surface examinations shall be conducted on valve stems, seats, and discs. In the event that excessive corrosion or flaws are found in a valve, all other turbine valves of that type will be dismantled and examined. Valve bushings shall be inspected and cleaned, and bore diameters shall be checked for proper clearance. The turbine valve test will be performed on all turbine valves on periodic intervals consistent with the preventive maintenance strategies of Turbine Maintenance Program. This test will require each turbine valve to be cycled to demonstrate free operation as the valves close and reopen. This test will be run from the Main Control Room with an operator verifying valve operation by direct observation. The extraction steam valves, and their associated controls, will be functionally checked monthly. These tests are made with direct visual observation of the valves. This testing may be carried out with the turbine at any load. The pneumatic nonreturn valves incorporate a manual test valve in the pneumatic line to the actuator to permit inservice testing. The primary purpose of the extraction nonreturn valves is to provide protection against turbine overspeed on a turbine trip. 10.2.5 Evaluation The TG and its auxiliary systems are Non-Nuclear Safety (NNS) Class with the exception as noted in Section 10.2.2.8. Under normal operating conditions, there are no significant radioactive contaminants present in the secondary system. In the event of an SG tube leak radioactivity can be present in the secondary system. An estimate of the activity level in the secondary system due to SG tube leak is given in Section 11.1. During normal operating conditions, no radiation shielding or controlled access is required for the TG system. The safety evaluation with respect to radioactivity in the secondary system is discussed in Section 10.4.1.3.4.The most severe operational transients caused by operation of TG or distribution system protection equipment are analyzed in Chapter 15. Any number of component or system operational abnormalities can be postulated to produce a TG load transient. However, since the effects of such abnormalities can be no worse than a turbine or generator trip, these occurrences are not analyzed. Operating conditions which will result in a turbine trip are discussed in Sections 10.2.2.8 and 10.2.2.9. The effects of a turbine trip on the reactor are discussed in Section 15.2.3.

STPEGS UFSAR 10.3-1 Revision 18 10.3 MAIN STEAM SUPPLY SYSTEM 10.3.1 Design Bases The Main Steam (MS) System is designed to convey steam produced in the steam generators by the Reactor Coolant System (RCS) to the turbine-generator and auxiliary systems. The portion of the MS System from the steam generator (SG) through the main steam isolation valves (MSIVs) is safety-related and is required to function following a Design Basis Accident (DBA) to achieve and maintain a safe shutdown condition.

The following are the design bases for this portion of the MS System:

1. The safety-related portion of the MS System is protected from the effects of natural phenomena such as: earthquakes, tornados, hurricanes, floods, and external missiles.

2 Component redundancy is provided so that safety functions can be performed, assuming a single active component failure coincident with the loss of offsite power (LOOP).

3. The MS System is designed so that the active components are capable of being tested during plant operation. Provisions are made to allow for inservice inspection of components at appropriate times specified in the American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel (B&PV) Code,Section XI.
4. The MS System provides isolation of the secondary side of the SG.
5. The MS System provides a means to dissipate heat generated in the RCS during safe shutdown and in the event of an accident.
6. The MS System provides steam from one steam line to operate the turbine-driven auxiliary feedwater pump. This line is connected upstream of the MSIV and is capable of supplying steam after closure of the MSIV.
7. The safety-related portion of the MS System is capable of withstanding the effects of internal flooding, internally generated missiles, pipe whip, and jet impingement forces associated with pipe breaks.
8. The failure of the nonsafety-related portion of the MS System does not affect the safety-related functions of the system.
9. The safety-related portion of the MS System is designed to meet the environmental design requirements in Section 3.11.
10. The MS System is designed in accordance with Safety Class 2 and seismic Category I requirements from the SG through the torsional restraint downstream of the MSIVs.
11. Assessment of Main Steam System Component Performance: A single-failure analysis employing failure modes and effects analysis (FMEA) methodology STPEGS UFSAR 10.3-2 Revision 18 was conducted for the Main Steam System. The analysis demonstrates that the Main Steam System can sustain the failure of any single active component and still meet the level of performance required. See Item 12 (below) for single failure exception following breaks in the IVC. Table 10.3-1 presents a component by component summary of this FMEA. 12. Assessment of Equipment Qualification Requirements for Main Steam Components in IVC using HELB FMEA Analysis: An evaluation of the main steam system equipment in the isolation valve cubicle was performed to determine which equipment required "harsh" environment qualifications. The evaluation used a failure modes and effects analysis approach to determine how main steam system equipment met the following 1OCFR50.49 requirements for high energy line breaks: The integrity of the reactor cooling pressure boundary The capability to shut down the reactor and maintain it in a safe shutdown condition The capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures. Also, in accordance with 10CFR50.59, the evaluation identified certain post-accident monitoring equipment required by Regulatory Guide 1.97. The evaluation considered the four sources of high energy in the IVC. These lines are: 1. main steam system 2. feedwater system 3. auxiliary feedwater system 4. steam generator blowdown system The evaluation takes credit for the fact that the main steam system and feedwater system piping in the IVC meets the Standard Review Plan 3.6.2 requirements for a break exclusion zone. Therefore, the size of the maximum break analyzed is limited to 1.0 ft2 . In addition, the evaluation does not consider the single failure criteria for the main steam and feedwater lines as discussed in Reference 10.4-6. However, single failure is considered for the auxiliary feedwater and steam generator blowdown line breaks in the IVC. The AFW and SGBD System piping in the IVC compartments are considered to rupture with full pipe area available for discharge from both sides. The environmental consequences of these breaks are assessed assuming single failures in the components used to mitigate the effects of such breaks. The evaluation considered only electrical equipment in the main steam system. Mechanical equipment meets the GDC-4 requirements using the STP Procurement and Maintenance/Surveillance program as discussed in Section 3.11.2. The evaluation shows that only electrical equipment for the main steam supply valve to the AFW turbine-driven pump require harsh environment qualification. The results of the FMEA evaluation are presented in Tables 10.3-1 and 10.3-1A. The MSIV solenoid valves are required to be environmentally qualified for radiation dose under harsh conditions as specified in 4E019NQ1009.

STPEGS UFSAR 10.3-3 Revision 18 Other Design Bases of the MS System are as follows:

1. The MS System is designed to deliver steam from the SGs to the Turbine Generator (TG)

System for a range of flows and pressures varying from warmup to rated conditions.

2. The MS System lines are headered upsteam of the turbine stop valves to maintain SG differential pressure within acceptable limits during stop valve testing and during normal operation. 3. The MS System provides the capacity to dump 40 percent of maximum calculated SG flow to the condenser, bypassing the main turbine. The steam dump flow to the condenser is equally divided between the three shells to ensure even heat loads.
4. Provisions are made to include adequate drains and vents on the main steam lines for startup, normal operation, and tests.
5. During low loads main steam is also supplied to the SG feed pump turbine. At higher loads low pressure (LP) steam is extracted from the hot reheat lines and supplied to the SG feed pump turbine.
6. The MS System also supplies steam to the main turbine gland seals, moisture separator-reheater (MSR), and pegging steam to the deaerator during startup and low-load operation.
7. The portion of the system which is non-nuclear safety (NNS) is designed to the requirements of ANSI B31.1.
8. The MS System of either unit can provide steam to the other unit during startup by providing steam to the common Auxiliary Steam System.

MS System design conditions are:

Pressure, psig 1,285 Temperature, F 600 Flow, lb/hr 17,431,819 10.3.2 System Description The MS Supply System piping diagram is shown on Figures 10.3-1 through 10.3-3. 10.3.2.1 Main Steam Lines. The four 30-in. MS lines conduct steam from the four SGs to the high pressure (HP) turbine valves (see Section 10.2.2.2). Each line includes five SG safety valves, one power-operated relief valve (PORV), one isolation valve and one associated bypass isolation valve, which are all located outside the Reactor Containment Building (RCB). Four MS lines, one from each 30-in. MS line, conducts steam to the MS header. Steam is conducted from the 24-in. header to the MSRs, SG feed pump steam-driven turbine, turbine gland steam system, auxiliary steam system, condensate deaerator, and the bypass to the condenser.

STPEGS UFSAR 10.3-4 Revision 18 10.3.2.2 Flow Restrictor. Each SG is provided with a flow restrictor having several small-diameter, venturi-type throats. The flow restrictors are designed to limit steam flow rate in the unlikely event of a steam line rupture. The flow restrictor is designed to minimize unrecovered pressure loss coincident with limiting accident flow rate to an acceptable value.

Although it is not considered to be part of the pressure vessel boundary, the restrictor is constructed of material specified in ASME B&PV Code,Section II.

10.3.2.3 Steam-Generator Safety Valves. There are five spring-loaded safety valves on each MS line, required for protection of the SGs and steam lines against overpressure (Figure 10.3-1).

To avoid lifting during pressure transients, set pressures for safety valves are as high as possible within the codes requirements. To prevent chattering during operation of the safety valves, the individual valves in each MS line are set at different pressures.

The set pressures and rated mass flow rates through the five safety valves on each SG are as follows (typical for valve on each SG): Set Pressure (psig) Rated Capacity (lb/hr) 1,285 1,032,645 1,295 1,032,645 1,305 1,032,645 1,315 1,032,645 1,325 1,032,645 The valve design is in accordance with ASME B&PV Code,Section III, Subsection NC and has a design pressure and temperature of 1,285 psig and 600F, respectively. The actual maximum capacity of the safety valves is limited to reduce the magnitude of a reactor transient should one of the safety valves open and remain open.

The safety valve exhaust lines are directed so that neither structures nor components can be damaged, nor people endangered, by the relieved steam.

Adequate provisions are made in the steam piping for the installation and support of the safety valves, with consideration being given to static and dynamic loads when operating and when subject to seismic shock.

Direct indication of the safety relief valves position, using an acoustic monitoring system, is provided in the control room with an input to the Emergency Response Facilities Data Acquisition and Display System (ERFDADS) computer. Inputs for the valve positions are also provided to the radiation monitoring system.

10.3.2.4 Power-Operated Relief Valves (PORVs). The PORVs, one for each MS line, are required for removal of heat from the Nuclear Steam Supply System (NSSS) during periods when the STPEGS UFSAR 10.3-5 Revision 18 condenser is not available as a heat sink or when the MSIVs are closed. The automatic operation of these valves is assumed in the safety analysis as discussed in Chapter 15. The valves are ASME Class 2 and are supplied with Class 1E power.

The design mass flow rate of each PORV (one per SG, four total) is 68,000 lb/hr saturated steam at 100 psia. The wide open condition does not exceed 1.05 x 106 lb/hr at 1,300 psia. The valve design is in accordance with ASME B&PV Code,Section III, Subsection NC and has a design pressure and temperature of 1,285 psig and 600F, respectively. The operation of these valves is not required to protect against SG overpressure or to provide the necessary safety relief capacity. The PORVs, which are equipped with electric-hydraulic actuators and controlled through the Qualified Display Processing System (QDPS) discussed in Section 7.5.6, are set to open below the lowest SG safety valve setting to preclude the operation of safety valves during transients when the condenser is unavailable as a heat sink. The opening of the valves is automatic, based upon steam line pressure. A remote pressure control station is provided for each PORV to permit setpoint adjustments of each valve over the entire pressure range up to the safety valve setting. Remote manual operation is provided for a safe shutdown at the control room and at the auxiliary shutdown panel. Local control is provided in case of complete loss of automatic control. Direct position indication is provided, with input also to the QDPS computer.

10.3.2.5 Main Steam Isolation Valves. The MSIVs are located in each MS line downstream of the PORV, and as close to the RCB as practicable (Figure 10.3-1). A small bypass valve at each isolation valve is provided for startup purposes.

Steam is conducted from each SG in a separate line through the RCB, each line being anchored at the Containment wall. Main steam line anchorage is covered in Section 3.8.1 and Containment isolation in Section 6.2.4. The lines have the capability to absorb thermal expansion. Testing of the MSIVs is discussed in Section 10.3.4.

The MSIVs and bypass isolation valves are provided with remote manual controls. Automatic signals which close the MSIVs and the small bypass isolation valves are the HI-2 Containment pressure, low steam line pressure, and the high negative steam line pressure rate signals. The MSIVs use piston actuators and the bypass valves use diaphragm actuators. The valves are held open by instrument air pressure on the bottom of the actuator. Spring pressure on the actuator acts as the driving force for valve closure.

The MSIV logic is shown in Figure 7.3-18. To assure safety function actuation, redundant actuation solenoid vent valves, powered from separate Class 1E power sources, open to vent air from the bottom of the piston actuator through two separate vent lines. Remote valve position indications are provided in the control room. An annunciator located in the control room alarms on MSIV closure.

Upstream of the MSIVs in the steam outlet line from one SG, a line is routed to supply steam to the auxiliary feed pump turbine. This assures a source of steam when the SGs are isolated and steam is being produced from reactor decay heat.

The MSIVs serve only a safety function and are not required for power operation. They are required to limit uncontrolled flow of steam from the SGs in the event of a break in the steam piping system.

The design criteria for the MSIVs are:

STPEGS UFSAR 10.3-6 Revision 18 1. They are designed to seismic Category I, Safety Class (SC) 2 requirements. 2. They must close in five seconds upon receipt of signal with or without steam flow. The valve is designed to stop forward flow and reverse flow. 3. They are a fail-closed design. The actuation logic is such that loss of instrument air will close the MSIVs. The actuation logic incorporates an "Energize-to-Actuate" scheme. Energizing either Train A or Train B solenoids will close the MSIVs. 4. They are installed in the individual MS lines to prevent that SG from blowing down on a break downstream of the valve. 5. They are installed in the individual MS lines to prevent Containment overpressurization from reverse flow on a break inside Containment. The design studies for the MSIVs consider several "worst case" conditions resulting from a postulated double-ended steam line break accident. During these accidents, the valves must function under the forward and reverse flow conditions against steam of both high and low quality.

The case that represents the upper bound of mass flow rate against which these valves must operate is a reverse flow condition with high moisture content. This condition occurs after the dry steam has been exhausted and low quality steam is discharged by the unfaulted SGs through their associated flow restrictors and interconnected MS piping. The mass flow rate through the valve preceding its closure is 33,600 lb/sec.

A drawing of an MSIV is shown on Figure 10.3-5.

The manufactured, accepted seat leakage criteria are 3 cm3/hr/in. of nominal seat diameter in the normal flow directions and 0.1 percent of design flow in the reverse direction of normal steam flow.

Each MSIV is provided with a 4-in. bypass line and bypass isolation valve for MS line warm-up. The bypass isolation valves are normally closed, fail closed valves with two separate solenoid valves, each supplied with power from a separate Class 1E source. Failure of either solenoid valve or loss of electrical signal to either will result in the closure of the MSIV bypass valve. Additionally, individual hand loaders allow the control room operator to gradually open each valve to prevent excessive SG cooldown during startup. 10.3.3 System Evaluation Failure of any MS line or malfunction of a valve installed therein or any consequential damage must: 1. Not reduce the flow rate of the Auxiliary Feedwater System (AFWS) below the minimum required

2. Not render inoperable any Engineered Safety Features (ESF) component
3. Not initiate a Loss-of-Coolant Accident (LOCA)
4. Not result in Containment pressure exceeding the design value STPEGS UFSAR 10.3-7 Revision 18 5. Not cause an uncontrolled flow from more than one SG Following postulated accidents, safety considerations with respect to the MS System are directed toward maintaining the capability of controlled reactor cooldown, minimizing release of radioactive material to the environment, and limiting the release of steam to the Containment. The failure of nonseismic category equipment will not preclude essential functions of the safety-related portions of the system. A steam line break inside Containment may result in a significant pressure rise in the RCB, so reverse flow protection is necessary to prevent uncontrolled blowdown of more than one SG into the RCB. Allowance is made for a single failure of an active component since all four MSIVs are designed to prevent reverse flow and are automatically closed by the protection system following a MS line break. Reverse flow must be interrupted within ten seconds to limit the RCB pressure rise to the acceptable percentage of design pressure. To achieve this in the case of the double-ended break, the closure signal is generated and reaches the valve actuator within five seconds following the incident; then the valve must fully close within five seconds from receipt of the initiating signal. For a MS line break outside the Containment, the ten-second closure time is sufficient to prevent excessive cooldown of the RCS.

Redundant Class 1E electrical power sources are supplied to control the MSIVs.

After a postulated accident, the PORVs and safety relief valves, in conjunction with the AFWs, are used to reduce the RCS temperature and pressure values such that the Residual Heat Removal System (RHRS) can be used to continue cooldown. Individual PORVs are provided with Class 1E power and controlled through the safety grade QDPS (described in Section 7.5.6) such that, combined with the fact that one PORV is provided for each MS line, adequate cooldown for the RCS is assured. The RHRS transfers heat from the RCS to the Component Cooling Water System (CCWS) to reduce the temperature of the reactor coolant to the cold shutdown temperature at a controlled rate during the second part of plant cooldown (Section 5.4.7).

Analyses of postulated accidents involving the MS System are provided in Chapter 15. The seismic design of the MS System is discussed in Sections 3.2 and 3.7. Loading combinations and design stress limits relating to the SC MS piping are listed in Section 3.9. Postulated high-energy line failures for the MS System are discussed in Section 3.6.

10.3.3.1 Failure Modes and Effects Analysis. A single-failure analysis employing failure modes and effects analysis (FMEA) methodology was conducted for the MS System. The analysis demonstrates that the MS System can sustain the failure of any single active component and still meet the level of performance required. Table 10.3-1 presents a component-by-component summary of this FMEA.

An evaluation of the MS System equipment in the IVC was performed to determine which equipment required qualification for a "harsh" environment. The evaluation used a FMEA approach to determine how MS System equipment met the following 10CFR50.49 requirements for high energy line break (HELB): Ensure the integrity of the reactor coolant pressure boundary; Ensure the capability to shut down the reactor and maintain it in a safe shutdown condition; or STPEGS UFSAR 10.3-8 Revision 18 Ensure the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures. Also, in accordance with 10CFR50.49, the evaluation identified certain post-accident monitoring equipment required by Regulatory Guide 1.97. The evaluation considered the four sources of high energy in the IVC: Main Steam System Feedwater (FW) System Auxiliary Feedwater System Steam Generator Blowdown (SGB) System The evaluation takes credit for the fact that the MS and FW piping in the IVC meet the Standard Review Plan 3.6.2 requirements for a break exclusion zone. Therefore, the size of the maximum break analyzed is limited to 1.0 ft2. In addition, the evaluation does not consider the single failure criteria for the MS and FW lines as discussed in Reference 10.4-6. However, single failure is considered for AFW and SGB line breaks in the IVC. The AFW and SGB piping in the IVC are considered to rupture with full pipe area available for discharge from both sides. The environmental consequences of these breaks are assessed assuming single failures in the components used to mitigate the effects of such breaks.

The evaluation considered only electrical equipment in the MS System. Mechanical equipment meets General Design Criterion (GDC) 4 requirements using the STP Procurement and Maintenance/Surveillance program as discussed in Section 3.11.2.

The evaluation shows that only electrical equipment for the MS supply valve to the turbine-driven AFW pump requires qualification for a "harsh" environment. The results of the FMEA evaluation are presented in Tables 10.3-1 and 10.3-1A. 10.3.4 Inspection and Testing Requirements The SC portions of the MS Supply System and their supports are designed to comply with the ASME B&PV Code,Section XI, "Inservice Inspection of Nuclear Reactor Coolant Systems."

Performance tests of individual components in manufacturers' shops, integrated preoperational tests of the whole system, and periodic performance tests of the actuating circuitry and mechanical components will assure reliable performance. Test procedures for initial tests and operation are discussed in Chapter 14.

The NNS class portions of the MS lines are examined prior to operation in accordance with ANSI B31.1. The MS lines are hydrostatically tested prior to operation.

Pipeline expansion and movement from the cold condition to the hot normal operating condition is checked by measuring movements from field bench marks, such as steel columns or pipe supports, as specified on design isometric piping drawings.

STPEGS UFSAR 10.3-9 Revision 18 Periodic in-plant tests are conducted to demonstrate the ability of the MSIVs to respond to a close signal. The testing can consist of any one of the following: 1. Each MSIV can be closure-tested and actuation-timed at a refueling shutdown. 2. Each MSIV can be full closure-tested and actuation-timed at the hot shutdown decay heat removal steam flow condition. 3. Each MSIV can be partial closure-tested using a valve travel of approximately 10 percent from the full open position. The steam safety valves located on the MS piping are individually tested during preoperational tests.

Pressure gages indicate the actual values of opening and closing pressures of the valves. These values are compared to the design values. 10.3.5 Water Chemistry Bulk water impurities of the FW secondary side and SG systems are kept at a minimum in order to avoid potential corrosion or scaling problems, and to ensure efficient heat transfer.

10.3.5.1 Chemistry Control Basis. Secondary water chemistry is controlled by the following methods:

1. Close control of the condensate and FW purity by means of impurity ingress control, condensate polishing demineralizers, and deaeration
2. Reduction of the SG bulk water impurities by continuous blowdown
3. Chemical addition to reduce general corrosion and to scavenge oxygen
4. Continuous sampling of the condensate, FW, steam, and SG blowdown to monitor key chemical constituents 5. Chemical addition to reduce or remove iron deposit inside the SG

10.3.5.2 Method of Chemistry Control.

10.3.5.2.1 Condensate and Feedwater Chemistry: Chemical feed to the secondary water is based on all volatile treatment (AVT) which involves injection of pH control reagent and hydrazine solutions. The pH control reagent solution is added for establishing and maintaining alkaline pH conditions throughout the secondary cycle. Hydrazine solution is added for scavenging dissolved oxygen present in the cycle and maintaining adequate residual concentration to ensure that a minimal amount of dissolved oxygen enters the SG. The use of the AVT method reduces general corrosion at elevated temperatures and minimizes the transport of corrosion products to the SG. Records and summaries of chemical additions and analyses are maintained.

STPEGS UFSAR 10.3-10 Revision 18 The exception of the AVT is the use of non-volatile Poly Acrylic Acid (PAA) to reduce or remove iron deposits from inside the SG. Once the PAA is injected in the FW line downstream of the venturi flow instrument it binds with iron particles and prevents the iron from attaching to SG tubes or support plates. The iron particles are then transferred from the SG through the SG blowdown system. The alkaline pH condition of the secondary water causes an increase in the retention of the radioiodines in the liquid. Therefore, in the event of a primary-to-secondary leak a majority of the radioiodine will remain entrained in the SG liquid and thus available for removal by the SG blowdown demineralizers.

The remaining radioiodines are found in the steam which is directed to the condenser where cooling and condensation occurs. The volatile portion of these radioiodines will be exhausted by the Main Condenser Air Removal System (MCARS) with the remainder being removed by the condensate demineralizers.

The use of the condensate polishing demineralizer system, described in Section 10.4.6, ensures that the required FW purity is maintained.

Removal of oxygen from the secondary water is essential to reduction of corrosion, particularly of carbon steel. Dissolved oxygen is removed from the cycle in the dearating section of the main condenser and in the deaerating heater.

10.3.5.2.2 Steam Generator Chemistry: In addition to the use of AVT chemicals, PAA, condensate polishing, and deaeration, continuous blowdown is also employed to limit the buildup of contaminants in the SG and maintain acceptable bulk water chemistry. Section 10.4.8 describes the SG blowdown system (SGBS). Implementation of these chemistry control procedures to maintain low solid levels is expected to minimize corrosion and scale forming tendencies within the cycle.

10.3.5.2.3 Monitoring and Controlling of Water Chemistry: A secondary water sampling and monitoring program is implemented to establish and maintain appropriate water chemistry conditions in the secondary system. The main objective of the water sampling and monitoring program is to inhibit SG corrosion and tube degradation by assuring chemistry excursions from control limits are quickly identified. The program provides for the monitoring and recording of critical chemistry parameters to assure proper control of water treatment additives, FW purity, and SG bulk water impurities. The water sampling and monitoring program involves both laboratory and continuous online analysis of secondary samples utilizing the process sample system described in Section 9.3.2. The program complies with the administrative requirements outlined for the Secondary Water Chemistry Program specified in the Technical Specifications. 10.3.6 Steam and Feedwater System Materials 10.3.6.1 Fracture Toughness. Ferritic Steel Base Materials The fracture toughness properties of ferritic steel materials meet the requirements of the ASME Code,Section III, Paragraphs NB, NC, and ND-2300, as appropriate. The test temperature on all materials is 40F or lower, except the test temperature for the MSIVs is 60F or lower.

STPEGS UFSAR 10.3-11 Revision 18 The ferritic steel welding filler materials meet the impact test requirements of the ASME Code,Section III, Paragraphs NB-2431 and NB-2321.2, in both the as-welded and postweld heat-treated (PWHT) conditions.

As required by the ASME Code,Section III, Paragraph NB, NC or ND 4335.1 and 4335.2 (b) (4,5, and 6), the weld procedure qualification includes impact testing of the heat-affected zone and weld metal.

10.3.6.2 Material Selection and Fabrication. Materials used in the steam and FW Systems are in accordance with Section III of the ASME Code (refer to Table 10.3-2). No austenitic stainless steel or nonferrous materials are used in the safety-related portions of the MS system. 10.3.6.2.1 Ferritic Steels: All welding, welding procedure qualifications, and welder performance qualifications are in accordance with the ASME Code,Section III, Subsections NB, NC, and ND, with the following additional requirements.

Welding filler materials that are used in production welding meet all the requirements of the ASME Code,Section III, Subsection NB and applicable Section II, Part C filler material specification. Impact test requirements covering filler materials are outlined in Section 10.3.6.1.

During production welding, the preheat and interpass temperatures established by the qualified welding procedure are used. Welding is not performed on base material that is below 50F. When low-alloy ferritic steels requiring PWHT are welded, preheat is maintained throughout welding until the PWHT cycle begins. Alternatively, the weld is wrapped with insulation and allowed to cool slowly until ambient temperature is reached or until the minimum preheat temperature is reestablished. The complete weld is then nondestructively examined in accordance with the Code requirements. Conformance to Regulatory Guide (RG) 1.50, is found in Section 3.12.

The following process controls are employed to provide a degree of cleanliness and to minimize exposure to contaminants. Care is taken to avoid contamination of ferrous material with low melting point materials such as copper, lead, zinc, cadmium, zinc tin, antimony, mercury, bismuth, sulfur, and miscellaneous metals and their compounds. Tools, handling gear, and other equipment that may come in contact with ferritic materials are used in a manner that precludes contamination with these materials. Conformance to RG 1.37, ANSI N45.2.1-73, is found in Section 3.12. Expendable materials that may come into contact with metallic surfaces do not contain the following as a basic and essential chemical constituent: copper, zinc, lead, mercury, cadmium, and other low melting point metals, their alloys and/or compounds. 10.3.6.2.2 Satisfaction of RG 1.71 Requirements: Performance qualifications for personnel who weld under conditions of limited access, as defined in Regulatory Position C. 1, are maintained in accordance with the applicable requirements of ASME Sections III and IX. Additionally, responsible site supervisors are required to assign only the most highly skilled welders to limited access welding. Of course, welding conducted in areas of limited access is subjected to the required nondestructive testing. No waiver or relaxation of examination methods or acceptance criteria, because of the limited access, is permitted. (

Reference:

Paragraph C.1 of the RG.)

STPEGS UFSAR 10.3-12 Revision 18 Requalification is required when any of the essential variables of ASME Section IX are changed, or when any authorized inspector questions the ability of the welder to perform satisfactorily the requirements of ASME Sections III or IX. (

Reference:

Paragraph C.2 of the RG.)

Production welding is monitored and welding qualifications are certified in accordance with items 1 and 2, above. (

Reference:

Paragraph C.3 of the RG.)

10.3-13 Revision 18 STPEGS UFSAR TABLE 10.3-1 MAIN STEAM SYSTEM POWER SUPPLY FAILURE MODES AND EFFECTS ANALYSIS Description of Component Safety Function Plant Operating Mode* Failure Mode Method Of Failure Detection Failure Effect On System Safety Function Capability General Remarks Main Steam Power Operated Relief Valves (typical - 1per mainsteam line) (normally closed) Provide capability to perform controlled cooldown 1-3 Failure to open when the pressure is above the set-point Position indication provided; QDPS None - Pressure relief is available when the pressure rises to the setpoints of the safety relief valve(s) Steam line pressure indication None - Cooldown capability is maintained with two functional steam generators Maintain the steam line intergrity 1-3 Failure to remain closed or to close on signal None-Affected steam generator can be isolated by closure of the MSIV and all FW isolation valves Main steam Safety Relief Valves (typical - 5 per each steam line) (normally closed) Release steam to the atmosphere so long as the pressure is above the setpoint 1-3 Failure to open when the pressure is above the set-point Position indication provided Steam line pressure indication None - Redundancy is provided through the other safety relief valves and the PORVs None - Cooldown capability is maintained with two functional steam generators

  • Plant Modes 1. Power Operation 4. Hot Shutdown 2. Start-up 5. Cold Shutdown 3. Hot Standby 6. Refueling 10.3-14 Revision 18 STPEGS UFSAR TABLE 10.3-1 (Continued) MAIN STEAM SYSTEM POWER SUPPLY FAILURE MODES AND EFFECTS ANALYSIS Description of Component Safety Function Plant Operating Mode* Failure Mode Method Of Failure Detection Failure Effect On System Safety Function Capability General Remarks Maintain the steam line integrity 1-3 After opening, failure to reseat when the pressure is below the reset pressure None-Affected steam generator can be isolated by closure of the MSIV and all FW isolation valves Main Steam Isolation Valves (typical - 1 per steam line) (normally open) Steam line isolation and to prevent blowdown of more than one steam generator 1-3 Fail to close Steam line pressure Steam line flow Position indication ESF monitoring None - The other MSIVs will close thus allowing only one steam generator to blowdown. In addition, the valves downstream from the MSIV will isolate thus limiting blowdown to an acceptable level. Operator action is required to secure the steam flow path to the moisture separator reheater temperature control valves in the event of a loss of power to the controller of these valves or loss of instrument air. Note A: The MSIVs have two redundant solenoid valves powered by separate power sources Main Steam Isolation Bypass Valves (typical - 1 per steam line) (normally closed) To close or remain closed to contain steam flow for steam line isolation 1-3 Valve is open Position indication Steam line pressure ESF monitoring None - The other isolation valves will close thus allowing only one steam generator to blowdown. In addition, the valves downstream will isolate and limit the blowdown to an acceptable level. Operator action is required to secure the steam flow path to the moisture separator reheater temperature control valves in the event of a loss of power to the controller of these valves or loss of instrument air. Note A: The MSIVs have two redundant solenoid valves powered by separate power sources
  • Plant Modes 1. Power Operation 4. Hot Shutdown 2. Start-up 5. Cold Shutdown 3. Hot Standby 6. Refueling 10.3-15 Revision 18 STPEGS UFSAR TABLE 10.3-1 (Continued) MAIN STEAM SYSTEM POWER SUPPLY FAILURE MODES AND EFFECTS ANALYSIS Description of Component Safety Function Plant Operating Mode* Failure Mode Method Of Failure Detection Failure Effect On System Safety Function Capability General Remarks Class 1E AC Power Train A (Trains B & C analogous) Provide power to Train A AC Components (PORVs) (typical) 3, 4 Loss of power on bus Bus undervoltage alarms ESF status monitoring for ESF Diesel Generator System and components None - The minimum requirements of two PORVs available for plant cooldown are met Channel I DC Power (Train A) Provide DC power to Channel I components 1-6 Loss of DC power ESF monitoring on UPS failure, DC trouble alarm None - Loss of power will not prevent valves from assuming their safety position MSIVs are available to perform their safety function through redundant Channel III (Train B) powered solenoids. Channel II DC Power Provide DC power to Channel II components 1-6 Loss of DC power ESF monitoring on UPS failure, DC trouble alarm None - Loss of power results in valves assuming safety position
  • Plant Modes 1. Power Operation 4. Hot Shutdown 2. Start-up 5. Cold Shutdown 3. Hot Standby 6. Refueling 10.3-16 Revision 18 STPEGS UFSAR TABLE 10.3-1 (Continued) MAIN STEAM SYSTEM POWER SUPPLY FAILURE MODES AND EFFECTS ANALYSIS Description of Component Safety Function Plant Operating Mode* Failure Mode Method Of Failure Detection Failure Effect On System Safety Function Capability General Remarks Channel III DC Power (Train B) Provide DC power to Channel III components 1-6 Loss of DC power ESF monitoring on UPS failure, DC trouble alarm None - Loss of power will not prevent valves, from assuming their safety position MSIVs are available to perform their safety function through redundant Channel I (Train A) powered solenoids. Channel IV DC Power (Train C) Provide DC power to Channel IV components 1-6 Loss of DC power ESF monitoring on UPS failure, DC trouble alarm None - Loss of power results in valves assuming safety position ESF Actuation System Train A (analogous for Train B) Provides actuation signals as required to safety-related components 1-6 Fails to generate and send actuation signals Loss of power or actuation train in test is alarmed by ESF monitoring Individual bistables used to generate actuation signals are provided with lights, computer input and alarms on main control board None - System safety function is assured by actuation of other trains. Valves are sent signals to close by two actuation trains (Redundant signals cause closure of each valve). Instrument Air (non-safety) None 1-6 Instrument air lost Header pressure indication and alarms None - Loss of instrument air causes operated components to go to their safety position
  • Plant Modes 1. Power Operation 4. Hot Shutdown 2. Start-up 5. Cold Shutdown 3. Hot Standby 6. Refueling 10.3-17 Revision 18 STPEGS UFSAR TABLE 10.3-1A HELB FAILURE MODES AND EFFECTS ANALYSIS OF MAIN STEAM SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Note 2] MS Line Break @ Full Power: NONE - Breaks 1.0 ft2 or less do not initiate closure signal. MS Line Break @ Full Power: NONE. MS Line Break @ Hot Zero Power: NONE - Pressure sensors in one of other three loops will initiate SI and MSIV closure signal. MS Line Break @ Hot Zero Power: NONE. Steam Line Pressure Sensors Detect MS Line pressure 1, 2, 3 Fails to initiate MSIV closure FW Line Break: NONE - Pressure sensors in one of three other loops will initiate MSIV closure signal. FW Line Break: NONE. MS-PT-0514 MS-PT-0524 MS-PT-0534 MS-PT-0544 AFW Line Break: NONE - Creates a small steam break, which is bounded by MSLB. AFW Line Break: NONE. SGBS Line Break: NONE - Creates a small steam or water break, which is bounded by MSLB or FWLB. SGBS Line Break: NONE. Radiation Dose Analysis: With the exception of the MSIV solenoid valves, equipment does not require radiation analysis, because it has already provided its safety function or no credit is taken in accident analysis. The MSIV solenoid valves are required to be environmentally qualified for radiation dose under harsh conditions as specified in 4E019NQ1009. Radiation Dose Analysis: The MSIV solenoid valves are required to be environmentally qualified for radiation dose under harsh conditions as specified in 4E019NQ1009.

10.3-18 Revision 18 STPEGS UFSAR TABLE 10.3-1A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF MAIN STEAM SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Note 2] Terry Turbine MS Supply MOV Operator (ORC) MS-MOV-0143 This valve is discussed in the AFWS FMEA. (Table 10.4-3A) N/A N/A N/A N/A Terry Turbine Trip/Throttle Valve MS-MOV-0514 This valve is discussed in the AFWS FMEA. (Table 10.4-3A) N/A N/A N/A N/A 10.3-19 Revision 18 STPEGS UFSAR TABLE 10.3-1A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF MAIN STEAM SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Note 2] MS Line Break: NONE - Analysis assumes break upstream of MSIV. "Harsh" conditions affect only faulted SG loop. Isolation of other 3 SGs provided by MSIV in other 3 loops. MSLB: NONE. MSIVs These valves isolate the SGs. 1, 2, 3 Fail to close when signal is received FW Line Break: NONE - "Harsh" conditions affect only faulted SG loop. Closure of MSIVs in non-faulted loops will terminate steaming through the faulted SG. FWLB: NONE. MS-FSV-7414 MS-FSV-7424 MS-FSV-7434 MS-FSV-7444 (TS 3.7.1.5) AFW Line Break: NONE - Creates small steam break. "Harsh" conditions affect only faulted SG loop. Single failure of one MSIV in non-faulted loop is bounded by single failure of one SI train assumed in safety analysis. Two intact SGs are available for cooldown. AFW: NONE. SGBS Line Break: NONE - "Harsh" conditions affect only faulted SG loop. Creates either small steam break bounded by MSLB or small water break bounded by FWLB. Temperatures exceed "Abnormal" EQ temperature and MSIV fails in faulted loop. Another loop is lost due to single failure. Two SG loops remain. Since two are required for cooldown, this acceptable. SGBS: NONE. Radiation Dose Analysis: NONE - Equipment has already provided its safety function or no credit is taken in accident analysis. Radiation Dose Analysis: NONE.

10.3-20 Revision 18 STPEGS UFSAR TABLE 10.3-1A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF MAIN STEAM SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Note 2] MSLB: NONE - "Harsh" conditions affect only faulted SG loop. Exceeds "Abnormal" EQ temperatures and valves fail. Single failure is not considered due to break exclusion area. Three SG trains remain, two are required for cooldown. MSLB: NONE. MS Isolation Bypass Valves The Mode 2 & 3 safety function is to isolate SGs.

2, 3 Fail to close when signal is received FWLB: NONE - "Harsh" conditions affect only faulted SG loop. Exceeds "Abnormal" EQ temperatures and valves fail. Single failure is not considered due to break exclusion area. Three SG trains remain, two are required for cooldown. FWLB: NONE. MS-FSV-7412 MS-FSV-7422 MS-FSV-7432 MS-FSV-7442 (Solenoid Valves) AFW Line Break: NONE - "Harsh" conditions affect only faulted SG loop. Exceeds "Abnormal" temperatures and valves fail. Another loop is lost as single failure. Two SG loops remain. Since two are required for cooldown, this is acceptable. AFW: NONE. SGBS Line Break: NONE - "Harsh" conditions affect only faulted SG loop. Exceeds "Abnormal" temperatures and valves fail. Another loop is lost due to single failure. Two SG loops remain. Since two are required for cooldown, this is acceptable. SGBS: NONE. Radiation Dose Analysis: NONE - Equipment has already provided its safety function or no credit is taken in accident analysis. Radiation Dose Analysis: NONE.

10.3-21 Revision 18 STPEGS UFSAR TABLE 10.3-1A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF MAIN STEAM SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Note 2] MS Drain Valves MS-0543, MS-0544, MS-0545, MS-0546, MS-0463, MS-0464, MS-0465, MS-0466, MS-0467, MS-0468, MS-0469, MS-0470 These valves are normally locked closed. N/A N/A N/A N/A 10.3-22 Revision 18 STPEGS UFSAR TABLE 10.3-1A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF MAIN STEAM SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Note 2] MSLB: NONE - "Harsh" conditions affect only faulted SG loop. Exceeds "Abnormal" EQ temperatures and valves fail. Single failure is not considered due to break exclusion area. Three SG trains remain, two are required for cooldown. MSLB: NONE.

MS PORVs

Maintain steamline integrity

1, 2, 3, 4*

Fails to open on demand FWLB: NONE - "Harsh" conditions affect only faulted SG loop. Exceeds "Abnormal" EQ temperatures and valves fail. Single failure is not considered due to break exclusion area. Three SG trains remain, two are required for cooldown. FWLB: NONE. MS-PV-7411 MS-PV-7421 MS-PV-7431 MS-PV-7441 Provide capability to perform controlled cooldown (TS 3.7.1.6) *When used to remove decay heat. AFW Line Break: NONE - "Harsh" conditions affect only faulted SG loop. Exceeds "Abnormal" temperatures and valves fail. Another loop is lost as single failure. Two SG loops remain. Since two are required for cooldown, this is acceptable. AFW: NONE. SGBS Line Break: NONE - "Harsh" conditions affect only faulted SG loop. Exceeds "Abnormal" temperatures and valves fail. Another loop is lost due to single failure. Two SG loops remain. Since two are required for cooldown, this is acceptable. SGBS: NONE. Radiation Dose Analysis: NONE - Equipment has already provided its safety function or no credit is taken in accident analysis. Radiation Dose Analysis: NONE.

10.3-23 Revision 18 STPEGS UFSAR TABLE 10.3-1A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF MAIN STEAM SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Note 2] MS Safety Valves Maintain steamline integrity 1, 2, 3 Fails to open on demand EXEMPT - No electrical components. NONE MS-7410 to 7410D MS-7420 to 7420D MS-7430 to 7430D MS-7440 to 7440D Release steam to the atmosphere as long as the pressure is above the setpoint. (TS 3.7.1.1)

1 - Plant Modes: 1. Power Operation 2. Startup 3. Hot Standby 4. Hot Shutdown 5. Cold Shutdown 6. Refueling 2 - Includes solenoid and all other components associated with component operability. Does not include mechanical equipment as discussed in UFSAR Section 3.11.2.

STPEGS UFSAR 10.3-24 Revision 18 TABLE 10.3-2 MATERIALS IN THE STEAM AND FEEDWATER SYSTEMS Materials used in the fabrication of the secondary side of the steam generator including the following: Pressure-retaining base materials SA 508 Class 3a, SA 533 Type B Class 2 (Note 1) Pressure-retaining welding materials ASME Specifications SFA 5.3, SFA 5.5, SFA 5.23 Non-pressure-retaining base materials SA 36 bar material; SA 106 Grade B; SA 285 Grade C and ASTM A514 Grade B (Note 2) Non-pressure-retaining welding materials ASME Specifications SFA 5.1, SFA 5.18, SFA 5.20, and SFA 5-28 (Note 3) Feed ring base materials SA 234 Grade WP11, SA 335 Grade P11 and SB 167 UNS N06690 (Note 4) Feed ring welding materials ASME Specifications SFA 5.11, SFA 5.14 and SFA 5-28 (Note 5)

NOTES: 1) The pressure boundary (PB) base materials also include rolled plates (SA 533) for some upper shell barrels and for access covers. 2) ASTM A514 or A517 plate is used for upper internals items in areas of high velocity flow to minimize corrosion-erosion degradation. 3) SFA 5.28 Class ER100S-1 weld filler is used for joining ASTM A514/A517 material. 4) 1-1/4 Cr alloy steel is used for the feedwater piping and fittings. Alloy 690 is used for spray pipes and piping safe ends. 5) Low alloy (E8018-B2) and nickel base (ENiCrFe-7 or ERNiCrFe-7) is used as appropriate.

STPEGS UFSAR TABLE 10.3-2 (Continued) MATERIALS IN THE STEAM AND FEEDWATER SYSTEMS 10.3-25 Revision 18 The following valves in the steam and feedwater systems are supplied by Westinghouse: Main steam isolation valves Steam dump valves (to condenser) Feedwater control valves Feedwater bypass control valves Materials used in the fabrication of these valves include the following: Bodies, bonnets, and discs SA 181 Grade II; SA 105; SA 216 Grade WCB or WCC; SA 350 Grade LF1; SA 352 Grade LCB: SA 487 GR CA6NM Pressure-retaining bolting SA 193 Grade B7; SA 540 Grade B23 Class 5; SA 479 Grade 410 Pressure-retaining nuts SA 194 Grade 2H; SA 540 Grade B23 Class 5 The following valves in the steam and feedwater systems are not supplied by Westinghouse: Main feedwater isolation Feedwater isolation bypass Steam generator preheater bypass Auxiliary feedwater pump discharge Steam generator feedwater bypass Auxiliary feedwater turbine steam isolation Main steam power operated relief Main steam safety Main steam isolation bypass Main steam vents and drains isolation Auxiliary feedwater pump recirculation STPEGS UFSAR TABLE 10.3-2 (Continued) MATERIALS IN THE STEAM AND FEEDWATER SYSTEMS 10.3-26 Revision 18 Materials used in the fabrication of these valves include the following: Bodies, bonnets, and discs SA-216 grade WCC SA-487 grade CA6NM w/stellite No. 6 SA-217 grade WC6/WC9 SA-182 grade F11 SA-350 grade LF2 SA-216-WCB SA-105 SA-479-316 w/stellite No. 6 SA-564 grade 630 A 565 grade 616 SA 479-316 SB-637 UNS N07750 Pressure-retaining bolting SA-193 grade B7 Pressure-retaining nuts SA-194 grade 2H SA-194 grade 7 Materials used in the fabrication of piping include the following: Piping 26 in. and greater SA-155 Class 1, Grade KCF 70 12 in. through 24 in. SA-333 Grade 6 SA-508 Grade 2 Class 2 SA-336 F22 normalized and tempered with PWHT of 1275F25F for 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> Less than 12 in. SA-106 Grade B SA-106 Grade C Fittings 12 in. and greater SA-420 Grade WPL 6 SA-336 F22 normalized and tempered with PWHT of 1275F25F for 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> 2-1/2 in. through 10 in. SA-234 Grade WPB, SA-516 Grade 65/70 SA-234 Grade WPC Less than 2-1/2 in. SA-350 Grade LF2 Flanges SA-350 Grade LF2 Bolts and Nuts SA-320 Grade L7, SA-193 grade B7, SA-194 Grade 7, SA-194 grade 2H Welding Materials SFA 5.1, SFA 5.4, SFA 5.5, SFA 5.9, SFA 5.18 CN-3127 STPEGS UFSAR 10.4-1 Revision 18 10.4 OTHER FEATURES OF THE STEAM AND POWER CONVERSION SYSTEM 10.4.1 Condenser 10.4.1.1 Design Bases. The condenser provides the heat sink for the main turbine and the steam generator feed pump (SGFP) turbines, the turbine bypass, and other heat cycle flows. The condenser also provides condensate storage for transient operations. The design and performance data are given in Table 10.1-1.

The condenser is also designed:

1. To condense steam released by the Turbine Bypass System (Section 10.4.4) during unit startup and cooldown.
2. To condense turbine exhaust steam and turbine bypass steam under large load reductions (Section 10.4.4). 3. To deaerate the condensate. The condenser hotwell provides approximately 108,000 gallons of condensate storage, equivalent to the storage required for approximately 5 minutes of operation at maximum load.

The extraction steam piping located internally to the condenser is designed in accordance with American National Standards Institute (ANSI) Code B31.1, "Power Piping." Following a 50 percent load reduction, the condenser accepts 40 percent of the main steam design flow through the turbine bypass valves. This transient is accommodated without increasing the condenser pressure to the turbine trip setpoint or exceeding the allowable turbine exhaust temperature. For more discussion on this see Section 10.2.1. The condenser may be used as a heat sink via the turbine bypass valves only with sufficient condenser vacuum. The turbine bypass valves are not allowed to open if condenser pressure is greater than 5 in. Hg abs. Figure 7.7-8 provides the logic for turbine bypass control.

The condenser is designed to remove dissolved gases from the condensate, limiting the oxygen content to not more than 7ppb.

A discussion of flooding resulting from failure of either the condenser or the Circulating Water System (CWS) is provided in Section 10.4.5.

10.4.1.2 System Description. The surface condenser is of the deaerating, single-pass, divided waterbox, floor-supported type. Main condenser data are provided in Table 10.4-5. Each of the three shells is connected to the exhaust opening of a low-pressure (LP) turbine by an expansion joint. Equalizing lines between the shells limit turbine exhaust pressure difference to 2-1/2 in. Hg abs. when one-half of the water side of a condenser shell is out of service.

STPEGS UFSAR 10.4-2 Revision 18 De-superheating hood sprays are provided to protect the exhaust hoods from overheating. The condenser is cooled by the CWS, described in Section 10.4.5. Valves are provided in the CWS to permit either half of each condenser shell to be available for condenser tube maintenance. Circulating water inleakage into the condensate is detected and alarmed in the secondary sample room by monitoring the cation conductivity and sodium concentration of the condensate leaving the condenser hotwells. Each of the hotwell outlets has a separate monitoring point (total of six), thus the leakage can be identified with a specific tube bundle. When circulating water inleakage is detected, the appropriate one-half condenser shell is isolated and the waterboxes and tubes are dewatered to allow for locating and plugging of the leaking tubes. During the period of time between initial detection of the circulating water inleakage and plugging of the leaking tubes, the condensate polishing demineralizers are used to control the condensate water quality within acceptable limits. If the condensate polishing demineralizers are unable to control the condensate water quality, the unit is shutdown and main feedwater is terminated to the steam generators (SGs). Main feedwater (FW) is not reinitiated to the SGs until condensate water quality can be restored within acceptable limits.

The Condensate Polishing Demineralizer System (CPDS) can operate continuously with a 0.2-gal/min cooling water inleakage rate to maintain condensate/FW quality within operating limits (Section 10.4.6.1.2).

The condenser is shown on Figures 10.3-3, 10.3-4, 10.4.2-1, 10.4.5-1, 10.4.7-1, 10.4.7-2, 10.4.7-3, 10.4.7-7, and 10.4.7-8. The general arrangements are listed in Table 1.2-1.

Impingement baffles are provided to protect the tubes from incoming drains and steam dumps. The turbine bypass condenser nozzles are provided with thermal sleeves and internal spray pipe to protect the condenser during steam dump operation. Two LP extraction FW heaters are mounted in the neck of each shell.

To prevent corrosion/erosion of condenser tubes and components, titanium tubes and aluminum bronze tube sheets are utilized. Impingement baffles are fabricated from SS304 to provide resistance to erosion. Additionally the water boxes are lined with neoprene.

10.4.1.3 Safety Evaluation. The condenser is not required to perform any safety function.

10.4.1.3.1 Vacuum Loss: There is no direct influence of the condenser-operation on the main steam isolation valves (MSIVs). Partial loss of condenser vacuum is annunciated. Should vacuum continue to decay, the turbine automatically trips. Upon loss of vacuum, the SG power-operated relief valves (PORVs), and if required the safety valves, provide the required relief capacity. The effects on the reactor of a turbine trip are analyzed in Chapter 15.

The turbine bypass valves to the condenser open automatically (on demand from the steam dump control system) only if sufficient vacuum can be maintained.

STPEGS UFSAR 10.4-3 Revision 18 10.4.1.3.2 Air Leakage: The condenser is designed to minimize air leakage. Welded construction is used for the condenser shells. Equipment and piping connected to the condenser shell are designed to minimize air leakage to the condenser. The Main Condenser Air Removal System (MCARS) (Section 10.4.2 is designed for two-pump operation, exhausting 50 scfm at a condenser backpressure of 1 in. Hg abs. or 75 scfm with three pumps operating at a backpressure of 1 in. Hg abs.

10.4.1.3.3 Hydrogen Buildup: No hydrogen buildup in the condenser is anticipated. The amount of hydrogen carried over to the condenser in the event of a SG tube leak is insignificant when compared to the capacity of the MCARS, which removes all noncondensible gases from the condenser.

10.4.1.3.4 Radioactive Contaminants: Major streams entering the condenser are the turbine exhaust and the SG blowdown water. Either stream could contain fission products due to SG tube leakage. The amount of this activity is dependent upon primary-to-secondary leak rate, moisture carryover, blowdown rates, SG blowdown demineralizer efficiency, and partition factors in the SG.

Table 11.1-7 lists the expected secondary coolant SG equilibrium fission and corrosion product activities. Radiation monitors are provided for both of these streams to detect radioactive leakage.

Radiation monitoring is provided for the SG outlet lines. One common radiation monitor is provided in the SG blowdown system to detect radioactivity at the flash tank liquid outlet and the mixed-bed demineralizer outlet. Thus, radioactive leakage into the condenser can be detected. High radioactivity levels for the steam lines and blowdown lines are annunciated in the control room.

Potential paths of radioactive leakage from the condenser to the environment are via the MCARS and the regenerant waste from the CPDS. A radiation monitor is provided to monitor the condenser vacuum pump discharge prior to release to the unit vent. Radiation monitoring, control, and processing of the regenerant waste from the CPDS system is discussed in Section 10.4.6.

The Condensate Polishing System, described in Section 10.4.6, helps to control the activity in the secondary system. The SG blowdown demineralizers can be operated at full design capacity to reduce radioactive contamination of the secondary cycle.

10.4.1.4 Tests and Inspections. Each condenser shell receives a field hydrostatic test prior to initial operation. This test consisted of filling the condenser shell with water up to the expansion joints and, with the resulting static head maintained, inspecting all accessible welds and surfaces for visible leakage and excessive deflection. The condenser waterboxes also receive a field hydrostatic test before initial operation.

Manways provide access to waterboxes, shells, and hotwells for purposes of inspection, repair, or tube plugging.

Inservice inspection is performed as follows: Cooling water inleakage is detected by monitoring the cation conductivity and sodium ion concentration of each individual hotwell. When cooling water inleakage is detected, the leaking section of the condenser is removed from service and helium leak detection or other appropriate methods used to identify the source of inleakage.

STPEGS UFSAR 10.4-4 Revision 18 Excessive air inleakage is detected by measuring condenser vacuum pump exhaust flow and by monitoring the concentration of dissolved oxygen in the condensate. When excessive air inleakage is detected, helium leak detection is used to identify the source of inleakage. 10.4.1.5 Instrumentation Application. The controls associated with the condenser are designed to function automatically without operator action. The condenser hotwell makeup and overflow valves control the minimum and maximum levels. The exhaust hood spray valves limit the temperature of each turbine exhaust hood to provide protection from overheating. The quality of the condensate in each hotwell is measured and indicated in the secondary sample room.

Condenser vacuum is maintained by the MCARS (Section 10.4.2). Condenser heat removal is controlled by the CWS (Section 10.4.5).

Local indicators are provided to monitor the various process parameters of the condenser. Remote indication of process parameters by indicators, by recorders, or by the computer in the main control room is provided for the following:

1. Temperature at each discharge nozzle of the condenser hotwells 2. Level in the operating condenser hotwells 3. Cation conductivity at each discharge nozzle of the condenser hotwells 4. Vacuum of each condenser shell 5. Temperature of the circulating water inlet and outlet for each condenser waterbox
6. Radiation level of the condenser exhaust gases Alarms indicating high cation conductivity at the condenser hotwell discharge nozzles, high and low levels in each condenser hotwell section, low condenser vacuum, and high radiation level in the condenser exhaust gas header are provided in the secondary sampling room and/or the control room. To protect the condenser from excess temperatures, turbine bypass to the condenser is not permitted if two of three condenser shells do not have adequate vacuum and no circulating water pumps are running.

10.4.2 Main Condenser Air Removal System 10.4.2.1 Design Bases. The MCARS System is designed on the basis of the following performance requirements for startup and normal operation: 1. To remove air and to establish a condenser pressure of 25 in. Hg vac. during unit startup.

STPEGS UFSAR 10.4-5 Revision 18 2. To remove noncondensible gases and associated water vapor during normal operation to maintain a condenser pressure range of 26.5 to 29 in. Hg vac. over the range of condenser circulating water inlet temperatures. 3. The condenser vacuum pumps are sized in accordance with the recommendations of the Heat Exchanger Institute standards for steam surface condensers (Ref. 10.4-1).

10.4.2.1.1 Design Codes. The MCARS performs no function related to safe shutdown (SSD) of the reactor plant. All components are classified as non-nuclear safety (NNS) and are of nonseismic Category I design. All pressure vessels are fabricated, tested, and stamped in accordance with the American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel (B&PV)

Code Section VIII. Piping and valves are designed in accordance with ANSI B31.1.

10.4.2.2 System Description. The piping and instrument drawing (P&ID) for the MCARS is shown on Figure 10.4.2-1. Three two-stage, motor-driven vacuum pumps with associated components are provided to remove noncondensible gases from the condenser. The vacuum pumps take suction from the condenser shells through inlet separators, and pump the noncondensible gases through vapor mist entrainment separators and silencers before discharging to the unit vent. The vacuum pump suction and discharge connections are headered to maintain condenser vacuum with any one or two pumps during normal operation. The system design capacity of 75 scfm is divided equally among the three pumps.

A radiation monitor, described in Section 11.5, is used to monitor radiation level in the condenser vacuum pump discharge prior to release to the unit vent. The monitor alarms in the control room in the event of high radiation thus allowing the operator to take appropriate action. The estimated annual gaseous discharge rate to the environment is discussed in Section 11.3.

10.4.2.3 Safety Evaluation. The MCARS is not required to perform any safety function. Consequently, the system is designed as NNS and nonseismic. The condenser vacuum pump effluent radiation monitor is designed to operate during and after an Operating Basis Earthquake (OBE) in accordance with Regulatory Guide (RG) 1.45 (Section 5.2.5). There is no potential for an explosive mixture to exist (see Section 10.4.1.3.3 for details).

The safety evaluation with respect to radioactive contaminants, hydrogen buildup, and the influence of the system operation on the Nuclear Steam Supply System (NSSS) is discussed in Section 10.4.1.3. The radiation level in the offgas is continuously monitored by the condenser vacuum pump discharge radiation monitor and indication and alarms are provided in the control room. This monitor is discussed in detail in Section 11.5.2. Provisions for grab sampling the noncondensible gases are made in order to confirm the detection of a high radiation level. An evaluation of radioactivity discharged to the environment during operation with SG tube leaks is provided in Section 11.3. If the activity of the secondary coolant is high enough to alarm on the Condenser Air Removal System Discharge Header Radiation Monitor (CARSDHRM), appropriate actions will be taken in accordance with the ODCM to limit offsite dose releases.

10.4.2.4 Tests and Inspections. The vacuum pumps are cleaned, inspected, and tested in accordance with applicable codes at the vendor's plant. System preoperational tests were performed prior to plant startup.

STPEGS UFSAR 10.4-6 Revision 18 The MCARS is in operation at all times during plant operation, and it is regularly inspected and monitored to ensure proper functioning and performance in accordance with its design bases. The MCARS standby equipment is cycled periodically to ensure availability. Installed instrumentation permits the operators to monitor system performance. 10.4.2.5 Instrumentation Application. For normal operation, one or two vacuum pumps are in operation with one or two pumps in standby, depending on plant conditions. Local indicating devices such as pressure, temperature, and flow indicators are provided as required for monitoring the system operation. Pressure switches are provided for automatic operation of the standby vacuum pump during normal operation. In the event of excessive leakage into the condensers, the vacuum pump selected for standby operation starts automatically when the condenser vacuum falls below the pump starting setpoint. Once started, the vacuum pumps must be manually stopped. When any vacuum pump is started, the required cooling water valve automatically opens.

As long as the MCARS is functional its operation does not affect the Reactor Coolant System (RCS). Should the air removal system fail completely a gradual reduction in condenser vacuum would result from buildup of noncondensible gases.

Loss of adequate vacuum in two of three condenser shells or loss of circulating water flow blocks steam dump to the condensers. Extremely low condenser vacuum trips the main turbine and all three feed pump turbines. Turbine trip in turn trips the reactor (see Section 7.2.1.1.3 for details). The vacuum pump exhausts are monitored for gaseous radiation. Refer to Section 11.5.2 for a detailed description of the condenser vacuum pump discharge radiation monitor and its alarm capability. Alarms are provided at the basement operator panel for vacuum pump trip, and condenser pump trouble. Indication of vacuum in each condenser shell is provided in the control room through the computer. An alarm for low condenser vacuum is provided in the control room.

10.4.3 Turbine Gland Sealing System 10.4.3.1 Design Bases. The system is designed to provide a means of sealing the main turbine shaft and the SG feed pump turbine shafts. The purpose of sealing is to prevent inleakage of air to turbines or outleakage of steam. Main steam (MS) is employed as sealing steam and is normally uncontaminated. Sealing steam is taken from the Auxiliary Steam (AS) System when MS is not available. The Turbine Gland Sealing System is not designed to seismic Category I requirements and is NNS Class.

10.4.3.2 System Description. The Turbine Gland Sealing System, shown schematically in Figure 10.4.3-1, consists of the seal steam supply and exhaust headers, the gland steam condenser, and associated piping and valves.

During normal operations the gland steam header is supplied with steam through a pressure reducing valve from the normally uncontaminated main steam header. When the main steam supply is insufficient, the seal steam is supplied from the AS System which is described in Section 9.5.9.

Thus, the gland steam header is supplied with team for all phases of operation.

STPEGS UFSAR 10.4-7 Revision 18 The seal steam passes through another set of pressure reducing valves when flowing from the steam supply header to the labyrinth seals. One valve supplies the seal steam from the supply header to both high pressure (HP) turbine glands. These glands also receive steam from the HP stem leakoffs of the throttle and control valves and from the turbine itself as HP steam leaks through the seals when HP cylinder pressure exceeds the pressure of the sealing steam. Since these latter two sources at times provide steam in excess of the Hp turbine seal requirements, a spillover valve is supplied which dumps this excess steam to the main condenser. The LP turbine glands have only one source of sealing steam. The gland steam supply header provides steam to each seal through a separate pressure reducing valve.

The steam and air mixture from each of the turbine seals and the various valve stem leakoffs is drawn into the gland steam condenser by a slight negative pressure which is maintained by the gland steam vapor extractors. Condensate from the condensate pumps passes through the tubes of the gland steam condenser and thus serves as the cooling medium for condensing the gland steam. The gland steam condenser is provided with two desuperheaters and two gland steam exhausters. The smaller of the gland steam exhausters is provided to remove noncondensible gases during normal operation. The larger exhauster is designed to be used in conjunction with the two desuperheaters to condense the gland steam during full condensate bypass of the gland steam condenser. The condensate that is formed in the gland steam condenser drains to the seal leakoff tank and from there to the main condenser.

10.4.3.3 Safety Evaluation. The Turbine Gland Sealing System is not required to perform any safety function. The analysis of radioactivity discharge, in the event of primary to secondary leakage, to the environment during operation with SG tube leaks is provided in Section 11.3.

10.4.3.4 Tests and Inspections. Prior to turbine startup, seal steam control and regulating valves are calibrated and functionally tested in accordance with the turbine manufacturer's requirements. Seal system piping is visually inspected for defects and leakage.

Turbine seals are inspected whenever a turbine is dismantled for annual inspection.

10.4.3.5 Instrumentation Application. The Turbine Gland Sealing System requires manual initiation. When sufficient main steam pressure has been established, the AS source is closed and the MS source is opened so that MS provides sealing steam. After this switch of steam sources, the system is designed to function automatically during all phases of plant operation from plant startup to full-power conditions. In the event that MS is not available at sufficient pressure to seal the turbine, AS is supplied to the turbine through a remotely operated valve. Local manual controls are provided in case of failure of any automatic controls in the system. The motor-operated valves in the system have provisions for remote manual control, with status-indicating lights in the control room.

Local monitoring equipment is provided to indicate process parameters and equipment performance.

The following process parameters are also indicated in the control room:

1. Gland steam seal supply header pressure STPEGS UFSAR 10.4-8 Revision 18 2. Gland steam seal spillover pressure 3. Gland steam seal header temperature 10.4.4 Turbine Bypass System 10.4.4.1 Design Bases. To enable the NSSS to follow turbine load reductions which may exceed 10 percent step or 5 percent/minute (Section 10.2.1), the capability of creating an artificial steam load is incorporated in the Steam and Power Conversion System. This load is created by dumping steam from the MS equalizing header upstream of the turbine valves to the condenser, thus bypassing the turbine.

The Turbine Bypass System is rated at 40 percent of the rated NSSS steam flow rate. This bypass flow capacity permits the turbine to take a 50 percent load reduction without reactor trip. This system also allows a reactor trip to occur from full load without lifting the SG safety valves.

The Turbine Bypass System piping is designed in accordance with ANSI B31.1.

10.4.4.2 System Description. The Turbine Bypass System is shown on the MS diagram, Figures 10.3-1 and 10.3-3. All condenser shells are always available during MS bypass operation. The bypass steam is equally distributed to the condenser shells. The condensers are protected from the high energy steam by spargers which reduce the velocity and momentum of the incoming steam.. The steam is discharged to the shells through partial capacity, automatically controlled, turbine bypass (also called steam dump) valves. There are a total of 12 turbine bypass valves, 6 on each side of the condenser. The valves are arranged in parallel so that when combined they accommodate the required bypass flow. This arrangement limits the steam bypassed to the condenser should a valve open accidentally or stick open, thereby minimizing the potential hazard of an uncontrolled cooldown rate of the primary system. This arrangement also permits the turbine bypass flow to be shared evenly among the condenser shells, thus preventing uneven turbine exhaust backpressures.

The bypass valves are designed to be capable of 1) going from full closed (normal position) to full open within 3 seconds after receiving an open signal, 2) going from full open to full closed within 5 seconds after receiving a close signal, and 3) being modulated with a maximum full stroke time of 20 seconds. Design pressure and temperature conditions are 1,285 psig, and 600F, respectively. All bypass valves fail closed on loss of control power/instrument air. They are prevented from opening if the condenser is not available. Condenser availability is defined as adequate vacuum in at least two of the condenser shells and when at least one circulating water pump is running. If the condenser is not available, excess steam pressure is relieved to the atmosphere through the SG power relief valves and /or safety valves. Turbine Bypass System control is discussed in Section 7.7.1. An adequate drainage system is provided upstream of each bypass valve. The bypass lines are normally stagnant and therefore produce condensate continuously. This condensate is automatically removed to permit proper system operation. Each turbine bypass line has a 10-inch-diameter drip leg extending approximately 5 ft below the line. Each drip leg has two level switches. One switch automatically opens an air-operated valve to dump water at a predetermined level. A manual bypass STPEGS UFSAR 10.4-9 Revision 18 valve around the dump valve is provided as an alternate. The second level switch operates a high alarm in the control room in the event the dump valve fails to operate. 10.4.4.3 Safety Evaluation. The Turbine Bypass System is designed as a NNS class system. It is not required for any safety function, but it is included to provide operational flexibility and to minimize steam relief to the atmosphere.

The effects of a malfunction of the Turbine Bypass System equipment and the effects of such failures on other systems and components are analyzed in Section 15.1. A component failure mode and effects analysis is presented in Table 10.4-4.

10.4.4.4 Tests and Inspections. The vendor recommendation is to test and inspect the Turbine Bypass System at least once every 18 months. This frequency may be revised based on evaluations of factors such as plant operating experience, industry experience, and vendor recommendations. The isolation valves are closed and the bypass valves checked for performance and timing with remote operation. The bypass valves are also operated during startup and during shutdown.

The turbine bypass lines are examined prior to operation (Chapter 14) according to ANSI B31.1. The turbine bypass lines are hydrostatically tested to confirm leaktightness.

10.4.4.5 Instrumentation Application. The turbine bypass control is discussed in Section 7.7.1.8, and a block diagram of the control system is shown on Figure 7.7-8.

Provisions have been made to control the steam dump valves from the control room by utilizing a steam dump control mode selector switch. A steam header pressure controller is provided to modulate the dump valves during startup, cooldown, or hot standby operation. A control switch in the control room provides for bypassing the low RCS Tavg interlock during cooldown. Load rejection and turbine trip controllers are provided to reduce the effects of the transient imposed upon the RCS during sudden load rejections or turbine trips. Each steam dump valve is provided with status lights in the control room to indicate when the valve is fully opened or closed. Interlocks are provided to block the bypass of steam to the condenser through the dump valves when inadequate condenser vacuum in two of three condenser shells exists or circulating water flow is lost. 10.4.5 Circulating Water System 10.4.5.1 Design Bases. The objective of the CWS is to supply cooling water from the Main Cooling Reservoir (MCR) to the condenser to remove the steam cycle rejected heat (Section 2.4.11.5) and return the water to the MCR in the form of heated cooling water. The CWS is designed to operate continuously during unit startup, power generation, and shutdown. The design of the MCR is given in Section 2.4.8.

10.4.5.2 System Description. The CWS P&ID is shown on Figure 10.4.5-1. Cooling water between 50F and 95F enters the CWS through steel trash bars and then through traveling water screens that prevent debris larger than 3/8-inch in diameter from entering the system. The STPEGS UFSAR 10.4-10 Revision 18 intake chamber depth and width are sufficient to provide a low velocity through the traveling water screens and to provide adequate submersion to ensure maximum pump life and proper operating conditions. Screen wash pumps and seal water pumps are provided in a separate bay at the intake structure. Four 25-percent-capacity vertical wet pit circulating water pumps take suction from the intake structure. The pumps located in their individual bays are oriented with respect to each other to exclude the adverse effects of vortices and to provide a proper flow path and suction velocities. The cooling water is supplied to a common condenser distribution header by two lines. This arrangement allows equal cooling water flow to each of the three condenser shells. Section 10.4.1 describes the design of the condensers. The heated cooling water then discharges from the condensers to a common discharge collection header, and is returned to the MCR outfall by two lines. The location of the discharge structure and the design of the MCR prevent recirculation of the heated cooling water back to the intake structure.

The condenser waterboxes are located at a lower elevation than the MCR maximum water level. To provide capability for condenser waterbox isolation, isolation valves are located on the circulating water inlet and outlet to each condenser waterbox.

The CWS return piping to the MCR is routed through the MCR embankment above high water level but below the road surface. Vacuum priming tanks, vacuum pumps connected to the circulating water piping at this high point, and condenser waterbox priming pumps are provided to remove air from the CWS during system filling and normal operation. Water ejectors on the circulating water pump discharge piping remove air from the piping immediately downstream of the pump discharge valves during system filling. The open-loop auxiliary cooling water pumps are also used to aid in filling the system during initial startup.

The Hypochlorination System periodically chlorinates the CWS to control biological fouling of the condenser tubes and circulating water piping. Liquid sodium hypochlorite is employed, thereby eliminating the potential gaseous chlorine hazards. The Hypochlorination System for the CWS has the capability to inject a sodium bromide solution, with or without a biodispersant in conjunction with sodium hypochlorite for improved biological fouling control.

Materials selected for use in the CWS are those which withstand long-term corrosion, such as concrete or cement-lined steel piping, neoprene lined waterboxes, etc.

10.4.5.3 Safety Evaluation. The CWS is not required to perform any safety function. Consequently, the CWS is not designed to seismic Category I requirements. Section 9.2.5 provides a description of the ultimate heat sink, which is designed to perform safety-related functions.

Provisions are made to equalize the circulating water flow through the condenser tubes. The condenser design ensures that the pressure on the tube side is always maintained higher than the pressure on the shell side, thus eliminating the possibility of leakage of condensate into the system, should tube failure occur. Thus, the design of the CWS precludes the possibility of radioactive leakage into the system and its subsequent unmonitored release to the environment.

STPEGS UFSAR 10.4-11 Revision 18 Flooding of any Engineered Safety Features (ESF) equipment due to a condenser failure or complete rupture of a CWS expansion joint is not considered possible. All ESF equipment, including electrical cables and pipe chases, are protected against the probable maximum flood (Section 3.4) by floodproof structures. The design flood level is higher than the flood level which could be caused by a circulating water expansion joint failure. If a failure of a circulating water expansion joint does occur, it will be detected by a high-level alarm in the Turbine Generator Building (TGB) condenser pits. In this event, the operator will be able to shut down the circulating water pumps thus reducing the quantity of water released. There are no passageways, pipe chases, or cableways from the TGB to areas containing safety-related equipment that are below plant design flood level or that are not floodproof, so flooding the TGB has no effect on operability of safety-related equipment. See Table 1.2-1 for a listing of general arrangement drawings of the TGB.

10.4.5.4 Tests and Inspections. The CWS is accessible for inspection and maintenance. System components were functionally tested prior to startup.

Each circulating water pump is provided with an isolation valve. The pump is of a pullout design to allow for removal of any pump for inspection or maintenance. The circulating water pumps are performance tested in accordance with Chapter 14.

The circulating water motor-operated butterfly valves are tested in accordance with American Water Works Association standard and Chapter 14.

The circulating water piping is provided with manholes to allow for dewatering and inspection.

10.4.5.5 Instrumentation Application. Provisions have been made to control the circulating water pumps from the main control room and a local control panel. Each circulating water pump is interlocked with its respective discharge valve so that a pump is started against a closed valve with the valve opening after the pump column is primed. A pump stop signal initiates valve closing. Status-indicating lights are provided in the main control room for the circulating water pumps and their discharge valves. Interlocks are provided in the pump control circuits to permit turbine bypass to the condenser only if at least one circulating water pump is running (one of the permissive conditions discussed in Section 10.4.4.5). The design of the circulating water pumps and discharge valve control logic is intended to minimize or eliminate water hammer and pump runout in the CWS.

The Auxiliary Cooling Water (ACW) open-loop system normally provides sealing and lubrication for the circulating water pumps and ACW open-loop pumps1. Upon low seal water header pressure, a backup seal water pump automatically starts to meet the seal water demand.

Two seal water pumps provide sealing and lubrication for the circulating water pumps and Auxiliary Cooling Water (ACW) open-loop pumps1. One seal water pump normally supplies the seal water 1 Note: ACW open-loop pumps of the product-lubricated configuration do not require external seal water.

STPEGS UFSAR 10.4-12 Revision 18 subsystem. Upon low seal water header pressure or loss of the primary seal water pump, a backup pump automatically starts to meet the seal water demand. The vacuum priming pumps at the CWS return piping are automatically controlled by level switches installed on the vacuum priming tank. A local control switch is provided for manual control of each vacuum pump during system fill and pump testing. The condenser waterbox priming pumps are automatically controlled by pressure switches on a vacuum control tank to maintain a vacuum in the tank. Local manual control for the waterbox priming pumps is provided. A traveling screen wash control system automatically initiates the cycling and cleaning of the traveling screens when high differential level is sensed across a screen. The screen wash control system shuts down on loss of spray header pressure.

Level indication is provided in the main control room for the MCR level and the level in each circulating water pump bay. Traveling screen differential levels are recorded locally.

Local pressure gauges are furnished throughout the CWS, and temperature instruments with inputs to the plant computer are furnished on the inlet and outlet circulating water lines to the condenser waterboxes. Local level gauges are provided for each condenser waterbox and on the vacuum priming tanks.

10.4.6 Condensate Polishing Demineralizer System The function of the CPDS is to remove impurities from the condensate stream and to produce a high-quality effluent capable of meeting feedwater and SG chemistry specifications. The CPDS is shown on Figures 10.4.6-1 through 10.4.6-5.

10.4.6.1 Design Bases. The design bases of the CPDS are described below.

10.4.6.1.1 Design Requirements:

1. The CPDS is not safety-related and is classified NNS.
2. The system is sized to accommodate l00 percent of the maximum condensate flow from the condenser at guaranteed power, (54 percent of total FW flow when heater drains are pumped forward or 68 percent when heater drains are cascaded to the condenser).
3. The system is a two stage design, employing a cation exchanger section followed by a mixed bed exchanger section. The cation section removes cations and acts as a filter to enhance the efficiency and extend the capacity of the mixed bed section.

Each section has one spare demineralizer service vessel in the standby mode. In addition, each section maintains a fully regenerated spare resin charge in a holding vessel for immediate transfer to an exhausted service vessel after the exhausted resin is transferred.

STPEGS UFSAR 10.4-13 Revision 18 4. The system is designed to maintain secondary side chemistry as specified by the NSSS supplier. 10.4.6.1.2 Operating Modes: The system is capable of operating in the following modes: 1. Normal Operating Conditions a. The SG blowdown system is in operation per Section 10.4.8.2.

b. There is little primary-to-secondary leakage in the SGs.

c. Cation vessels are regenerated as needed based on chemistry conditions. Mixed-bed vessels are regenerated based on service time or effluent quality.

d. Condenser leakage is not significant. 2. Condenser Leakage At guaranteed power operation, the system design allows for meeting the effluent water quality requirements with condenser leaks up to 0.2 gal/min when the reservoir total dissolved solids (TDS) concentration is 10,860 ppm and heater drains are pumped forward. The limiting factor for operation of the CPDS during a condenser leak is the increased regeneration frequencies because of the additional ion loading on the exchange resins. The estimated service run of the cation demineralizers is three days and will require regeneration of two cation beds per day. The estimated service run of mixed-bed demineralizers is twelve days and will require generation of one mixed-bed every two days.

3. Bypass High CPDS pressure drop causes a bypass valve to open and an alarm to actuate in the control room. 10.4.6.1.3 Safety Evaluation: The CPDS performs no function related to safe shutdown of the reactor plant. All components are classified as NNS and are of nonseismic Category I design. All pressure vessels are fabricated, tested, and stamped in accordance with the ASME B&PV,Section VIII. Piping and valves are designed in accordance with ANSI B31.1. The CPDS is designed to comply with the Branch Technical Position MTEB 5-3.

Section 9.3.2 discuss the complete Process Sampling System (PSS) and Table 9.3-3 lists sample points, sample type (continuous or grab) and parameters analyzed for use in monitoring and controlling the CPDS.

10.4.6.2 System Description. The CPDS is located between the condensate pump discharge and the gland steam condenser and consists of a section of seven cation and a section of seven mixed-bed demineralizers (six operating, one in standby for each section) and their associated STPEGS UFSAR 10.4-14 Revision 18 regeneration equipment. A motorized bypass valve is provided to allow routing of the condensate flow around the CPDS during startup or in the event of high differential pressure across the system. Under normal operating conditions, the condensate is polished by six cation and six mixed-bed demineralizers. Each demineralizer is sized to handle one-sixth of the maximum condensate flow. Suspended solids and cations are removed by the cation demineralizers. The balance of the dissolved solids (including sodium, chloride, and silica) are removed by the mixed-bed demineralizers. Cation demineralizers are regenerated as needed based on chemistry conditions. In the event that pressure drop criteria across a vessel are exceeded, capability is provided for surface backwash to reduce the pressure drop without regeneration.

Mixed-bed demineralizers are regenerated at volumetric end-of-run, when cation conductivity rises upon evidence of sodium or silica leakage or when pressure drop criteria are exceeded.

The cation demineralizer resins are regenerated externally. The resins from the exhausted demineralizer are hydropneumatically transferred to the cation regeneration vessel. The regenerated resins from the cation holding vessel is transferred to the emptied cation demineralizer which then becomes the standby spare. The resins in the cation regeneration vessel are back-washed, regenerated, rinsed, and then transferred to the cation resin holding vessel.

The mixed-bed demineralizer resins are externally regenerated. The exhausted resins are sluiced to the resin separation and anion regeneration vessel where the resins are hydraulically classified. The cation resin is drawn from the bottom of the vessel and transferred to the cation regeneration vessel where it is regenerated. The anion resin remains in the resin separation and anion regeneration vessel where it is regenerated. After regeneration, the anion and cation resins are transferred to the mix and hold vessel where they are given a final rinse and mixed. The mixed resins are held in the mix and hold vessel until needed in a mixed-bed service vessel. The regenerant wastes will be segregated and transferred to the high and low TDS tanks and monitored for radioactivity.

The water used for resin sluice, backwash, displacement, initial rinse, final rinse, and spent regenerant are collected in the TDS tanks. The waste streams may be segregated between the High TDS tanks and Low TDS tank based upon specific conductivity. The contents of the High TDS tanks can be mixed and neutralized prior to transfer to the non-radioactive chemical waste system for further processing as necessary.

Sampling is performed, and, based on the activity level of the sample analysis, the waste is transformed to either the Liquid Waste Processing System (LWPS) for processing or discharge, or, directly to the plant neutralization basin. In the event the radioactive liquid waste storage tank cannot handle regenerant wastes, the system has the capability to discharge resins containing radioactivity for disposal as solid waste.

10.4.6.3 Tests and Inspections. The CPDS may be in continuous operation whenever the Condensate System is in operation. Even with no condenser inleakage, each demineralizer is regenerated with sufficient frequency to demonstrate operability of the demineralizers and the regeneration system.

STPEGS UFSAR 10.4-15 Revision 18 System equipment is tested for leakage and proper automatic operation before initial startup of the plant. The conductivity of the condensate leaving the condenser hotwells and of the demineralizer effluent are monitored continuously during plant operation, thus providing a method of evaluating system performance and determining the need for demineralizer regeneration. 10.4.6.4 Instrumentation Application. A local control panel is provided with the instruments, controls, and alarms necessary for the automatic and manual operation of the CPDS.

The conductivity of the influent condensate to the condensate demineralizers, of the effluent from each demineralizer, and of the condensate returning to the condensate header is continuously measured and recorded. An alarm signal is furnished on the local control panel for each measured conductivity point.

Differential pressure indicators are provided to monitor the differential pressure across the CPDS and each demineralizer. Alarm signals are provided on the local control panel to indicate high differential pressure. A differential pressure switch across each mixed-bed condensate polishing resin trap signals an alarm on the local control panel upon sensing high differential pressure.

Problem and malfunction alarms for the CPDS are shown on the local control panel annunciator.

Only the following alarms for the Condensate Polishing System trouble are shown in the main control panel.

1. Condensate inlet temperature - High
2. CPDS differential pressure - High
3. Mixed-bed effluent header cation conductivity - High The temperature of the CPDS condensate inlet header is continuously monitored. A high temperature signals an alarm on the annunciator. Flow balancing is included for operation of the cation and mixed-bed demineralizers to ensure equalized flow rates through the demineralizer vessels.

Flow transmitters, recorders, and flow-indicating totalizers are provided to monitor the flow from each demineralizer and through the condensate return piping. Flow indicators and flow switches are supplied on the acid and caustic dilution water lines. The flow switches automatically start the acid and caustic regenerant feed pumps, respectively, after dilution flow is established.

A radiation monitor is provided on the piping from the regenerant waste tanks to the waste pond. A high-radiation signal automatically closes the valve to the neutralization basin and activates an alarm in the main control room. The high TDS waste transfer pump recirculation valve, is manually opened. Refer to Section ll.5 for a description of this radiation monitor.

Local pressure, flow, temperature, and level instruments are provided in the CPDS to monitor the performance of the demineralizers and resin regeneration.

STPEGS UFSAR 10.4-16 Revision 18 10.4.7 Condensate and Feedwater Systems The primary function of the Condensate and FW Systems is to provide a reliable source of high-purity FW to the SGs during normal and anticipated transient conditions at the required SG pressure, temperature, quality, and flow rate. 10.4.7.1 Design Bases. Pertinent safety design bases are as follows:

1. The portion of the FW System from the SG FW inlet nozzle to the first piping restraint upstream of the isolation valve is designed in accordance with the requirements of Section III of the ASME B&PV Code for Class 2 components. This same portion of the system is designed to seismic Category I requirements.
2. The FW System is designed to isolate FW flow to prevent excessive Reactor Coolant System cooldown or Containment overpressurization following a steam line break.
3. The isolation of the FW System is accomplished by closure of the FW isolation valve(s) in combination with the following: FW flow control valve(s) closure and/or tripping of the SG feed pumps.
4. The FW lines are designed so that failure of any FW supply piping will not prevent safe shutdown of the reactor. 5. Feedwater flow is measured by Venturis or by an Ultrasonic Flow Meter System. These devices measure feedwater flow for each steam generator. Feedwater flow is an input into the Secondary Calorimetric which is used to fulfill the Technical Specification requirement to perform the Daily Power Range Nuclear Instrumentation calibration. The FW System is designed to eliminate or minimize the potential for water hammer in the steam generator and piping immediately upstream of it. This is accomplished through the following: Top discharge perforated spray tubes (functionally equivalent to J-tubes in acting to prevent draining of the feedring during transients in which the feedring may be uncovered). Welded thermal liner with no internal leak path at the feedwater nozzle. Minimized horizontal run of feedwater pipe external to the steam generator at the main feedwater nozzle (meeting the guidelines of References 10.4-4 and 10.4-5). Use of eccentric reducers in the horizontal feedwater distribution pipe internal to the steam generator feedwater nozzle, minimizing the potential for steam pocketing in the top of the horizontal pipe run. The feedring is located above the elevation of the nozzle to minimize the time required to fill the nozzle during a cold water addition transient. The main feedwater nozzle flowpath to the feedring is not used during low power operation, during the low power ranges of plant start-up, or during post-trip operation. The flowpath to the smaller, separate auxiliary feedwater nozzle is used in these plant conditions, supplied either with main feedwater that has been heated in the deaerator (preferred) or with auxiliary feedwater from the auxiliary feedwater storage tank. CN-3142 STPEGS UFSAR 10.4-17 Revision 18 The other design functions of the systems are: 1. Transporting The Condensate System transports condensate from the condenser hotwell, from the LP heater drips, and from the moisture separator drip pumps to the deaerator. The Heater Drips System (the FW heater shell condensate collection system) collects the HP heater drips and conveys them to the deaerator. The FW System then transports the combined flow to the SG. In addition, the condensate system transports condensate to and from the secondary make-up tank to maintain the proper inventory of water in the SG secondary side systems. 2. Heating The Condensate and FW Systems heat the condensate from saturation temperature corresponding to the condenser vacuum to the required SG FW inlet temperature using steam extracted from various stages of the main turbine. In the event of loss of extraction steam to the deaerator, back-up heating steam is provided from the MS header to assure the minimum required SG inlet temperature is met.
3. Providing Water Quality The condensate is initially deaerated in the condenser, then pumped through the CPDS (refer to Section 10.4.6) to the full flow deaerator for final oxygen and non-condensible gas removal before being pumped into the SGs.
4. Pressurizing The Condensate and the Heater Drips Systems change the pressure of their respective condensates to the deaerator operating pressure. The FW system increases the FW pressure to the required SG inlet pressure using the FW booster and SG feedpumps. The Condensate and the FW Systems are designed in accordance with the applicable requirements of ANSI B3l.1 and the ASME B&PV Code,Section III, "Nuclear Power Plant Components,"Section VIII, Division l, "Pressure Vessels," and Section XI, "Inservice Inspection" (including addenda).

10.4.7.2 System Description.

10.4.7.2.1 General

Description:

The P&IDs for the Condensate System are shown on Figures 10.4.7-1 and 10.4.7-2. The P&IDs for the FW System are shown on Figures 10.4.7-3 and 10.4.7-4. Because moisture separator reheater (MSR) and FW heater drips are pumped forward into the Condensate System, the Heater Drains (Heater Drips) System is integral to the Condensate System. The P&IDs for the HP and LP Heater Drips Systems are shown on Figures 10.4.7-5 through 10.4.7-9.

There are four main flow paths in the Condensate System which combine to supply the deaerator. In this context, the heater drips are considered to be part of the Condensate System.

STPEGS UFSAR 10.4-18 Revision 18 The individual sections are described as follows: l. The condensate pumps take suction from the condenser hotwells and pump the condensate through the condensate polisher, through the gland steam condenser, and through FW heaters no. l6, l5, l4, and l3 in that order, to the heating section of the deaerator.

2. The LP heater drip pumps take suction from the flash tanks, which receive the cascaded drips from heaters no. 13, 14, 15, and no. 16. The collected drips are pumped into the condensate header between heaters no. 15 and 16, where the temperatures of the condensate and of the drips are most nearly equal.
3. The HP heater drips, which cascade back to the deaerator, consist of reheater tube bundle drips and heater no. 11 shell side drips.
4. The moisture separator drip pumps take suction from the moisture separator drip tanks where the drips are collected. The collected drips are pumped into the condensate header immediately upstream of the deaerator.

From the deaerator, the FW flows through three separate suction lines to the booster pumps. The booster pumps increase the FW pressure to that required by the SG feed pumps. The booster pumps discharge into a single header which becomes the SG feed pump suction header. A separate line is provided between the suction header and each SG feed pump suction.

The SG feed pumps discharge to a header which distributes the flow to the two no. 11 heaters.

Another header downstream of the no. 11 heater branches into four lines, one to each SG. Each line contains a flow sensing element, main FW control valve, isolation valve, and check valve. Each line enters the Containment through a separate penetration. No FW valves are located inside the Containment. Each line contains a bypass FW control valve around the main FW control valve.

Upstream of the FW isolation valves, each FW line is provided with a cross-connect to the auxiliary feedwater (AFW) piping within the Isolation Valve Cubicle (IVC). This cross-connect, which bypasses the steam generator main feedwater nozzle, is provided for low-load, filling, and post-trip operations.

Each FW isolation valve is bypassed by a 3-in. line containing a flow measuring orifice and a FW isolation bypass valve for use during startup to purge cold water from the FW piping downstream of the FW isolation valve prior to opening the FW isolation valve.

FW system piping inside the Containment is designed so that it is not readily drained into the SGs in the event the FW inlet nozzle is uncovered. Loop seals are utilized at all SGs.

Dynamic effects of postulated FW pipe failures outside the Containment are provided in Section 3.6.

10.4.7.2.2 Condensate Pump: Three 50 percent capacity motor-driven condensate pumps are provided to deliver condensate to the deaerator. Valves are provided to isolate each of the six condenser hotwells, as well as each condensate pump, for maintenance. Minimum-flow STPEGS UFSAR 10.4-19 Revision 18 recirculation lines are provided at each pump discharge to protect the pump. In addition, a recirculation line is provided downstream of the gland steam condenser to maintain the required minimum flow through the gland steam condenser. All recirculation lines discharge to the condenser.

10.4.7.2.3 Feedwater Heaters: Six stages of FW heating are provided, consisting of five stages of condensing heat exchangers and one deaerating, direct contact heat exchanger. The two lowest pressure heaters, nos. 15 and 16, consist of three parallel strings each, one of each heater being mounted in each of three condenser necks. The remaining LP heaters are arranged in two parallel strings. The deaerator is designed for full FW flow. The two HP heaters are arranged in parallel.

Isolation and bypass valves are provided to allow heaters to be taken out of service as follows: One of the three condenser neck-mounted strings, consisting of one no. 15 and one no. 16 heater together One of the two strings of remaining LP heaters, no. 13, and no. 14 as a group One of the HP heaters, no. 11. In addition, the HP heater bypass valve may be throttled to maintain feedwater temperature as low as 390 F. Each condensing FW heater is a horizontal shell and U-tube heat exchanger. Four heaters are provided with integral drain coolers. Heater no. 16 is not furnished with a drain cooler.

FW heater no. 11 receives heating steam extracted from the HP turbine. FW heater no. 11 also receives the drips from the reheater tube bundles via the reheater drip tanks. The deaerator receives the drips from the no. 11 heater as well as heating steam extracted from the HP turbine exhaust.

The remaining four heaters receive heating steam extracted from the LP turbine. In addition, the no. 14 heater receives the no. 13 drips and the no. 15 heater in turn receives the no. 14 drips. The no. 15 and no. 16 heaters both drain individually to the flash tank.

All normal drip lines are provided with modulating level control valves except for the no. 16 heater drip, which is drained through a loop seal. All heaters, drip tanks, and flash tanks have alternate drip lines with independent, modulating level control valves discharging to the condenser. Since the no.

16 heater drip is not controlled, no alternate flow path is required. The operation of the level control valves is described in Section 10.4.7.5.

One full flow deaerating FW heater is provided in the FW system for the dual purpose of removing the free oxygen and non-condensible gases from the FW while heating the FW to the saturation temperature corresponding to the second stage extraction pressure. The deaerator receives condensate (including the LP heater drips and the moisture separator drips) from the Condensate System, HP heater drips, booster and feed pump recirculation flows and heating steam from the second stage extraction. In addition to extraction steam, the deaerator is provided with two sources of back-up heating steam, from the auxiliary boiler and the MS System, for use during startup and for STPEGS UFSAR 10.4-20 Revision 18 ensuring an adequate steam supply. The deaerator is provided with MS anytime the pressure drops below that corresponding to a saturation temperature of 275F (~45 psia.). 10.4.7.2.4 Heater Drip Pumps: Four moisture separator drip pumps and three LP heater drip pumps are provided. Each set is described separately, as follows: 1. The four moisture separator drip pumps are each sized to deliver 25 percent of the rated moisture separator drip flow. The pumps take suction from the moisture separator drip tanks. A recirculation line at each pump discharge is provided for pump protection.

2. The three LP heater drip pumps are each sized to deliver 40 percent of rated LP heater drip flow. Each pump takes suction from its associated flash tank. A recirculation line at each pump discharge is routed back to the flash tank.

An operating level in each flash tank to maintain adequate NPSH at each pump suction is controlled by a control valve in the pump discharge.

10.4.7.2.5 Steam Generator Feedwater Pumps: Three nominal 40-percent-capacity (normally operating at 33-1/3-percent-capacity), turbine-driven, single-stage FW pumps connected in parallel are provided to supply FW to the SGs. During normal operation all the pumps are running to supply the required flow of FW to the SGs. The flow to each SG is controlled independently by its own SG water level control system, which modulates a control valve in the piping to that SG. These valves are required only to adjust small flow imbalances due to steam flow variations between generators or differences in piping pressure drops. The gross flow adjustment is made by varying the speed of the pumps by controlling motive steam flow to the turbine driver. A minimum-flow recirculation line for each pump automatically diverts flow to the deaerator whenever pump flow drops below 4,000 gal/min.

In addition to the three turbine-driven (main) SGFPs, one motor-driven startup SGFP is provided. The startup SGFP has the dual purpose of supplying feedwater during fill-up and low-load conditions when steam is not available to drive the main feed pump turbines and to allow plant operation at valve wide open (VWO) with one main feedpump out of service. A minimum-flow recirculation line is connected to the startup steam generator feedwater pump discharge line to automatically divert flow to the deaerator whenever pump flow drops below 3,300 gal/min.

10.4.7.2.6 Feedwater Booster Pumps: Three 50-percent-capacity, motor-driven, signal stage booster FW pumps are connected in parallel to provide the steam generator feed pumps with their required suction pressure. Normally two of the three pumps are operating with one in a warmed condition to serve as back-up in the event of an operating booster pump, trip. A minimum flow recirculation line for each pump automatically diverts flow to the deaerator whenever the pump flow drops below 8000 gal/min.

10.4.7.2.7 Chemical Additives: Hydrazine and a pH control reagent are used for oxygen scavenging and pH control, respectively. The chemicals are metered into the deaerator downcomers and downstream of the condensate polishing demineralizer.

STPEGS UFSAR 10.4-21 Revision 18 Poly Acrylic Acid (PAA) is used to reduce or remove iron deposits from inside the SG. It is metered into the FW downstream of the FW flow venturi. Section 10.3.5 contains more details concerning control of water chemistry.

10.4.7.2.8 Materials of Construction: In general, piping and components are made of carbon steel. Care has been taken to minimize or eliminate alloys containing lead, mercury, copper, sulfur, or arsenic. Details of material used for Safety Class (SC) 2 piping and components are provided in Section 10.3.6.

10.4.7.3 Safety Evaluation. All piping within the Containment and outside the Containment up to the IVC wall, including the first isolation valve outside Containment, is designated as SC 2 and is designed to the requirements of seismic Category I. The remainder of the FW System and the Condensate and Heater Drips Systems are NNS.

Two valves are provided in each FW line entering the Containment. The one closest to the penetration is a swing check valve while the upstream valve is a hydraulically operated, fail-closed stop valve. This arrangement satisfies the requirements for isolation for postulated accident conditions (Chapter l5).

With loss of flow in the normal direction, the check valve closes to prevent outflow from the Containment until the stop valve can be closed. The stop valve is designed to close in 10 seconds or less. Thus, failure in the non-safety class portion of the FW system has no effect on the safety of the reactor, which can be shut down in an orderly manner; neither will it result in the release of a significant amount of radioactive material to the environment. In the unlikely event of a piping rupture in the FW system, with the resultant spillage of condensate in the TGB, a certain amount of water accumulation is expected to occur on the ground floor. Water could collect only to the extent that the flow from the break exceeded the capacity of the TGB drains. However, since no safety-related equipment is located on the ground floor of the TGB, the functioning of any Engineered Safeguards System is not affected.

A source of water supply to the SGs is required for decay heat removal in the event the condenser is not available as a heat sink. The AFW System serves this function. It is described in Section 10.4.9.

The AFW System does not depend on the normal FW or Condensate Systems for its water supply.

Rather it takes suction directly from the auxiliary feedwater storage tank (AFST) (Section 9.2.6), which is a Category I structure.

The results of a failure mode and effects analysis for the FW system can be found in Table 10.4-8.

Evaluation of Potential for Feedwater Water Hammer Significant flow instabilities due to steam void collapse (i.e., feedline water hammer) are not expected to occur in the main FW systems during normal operating transients due to the geometry of the system. The occurrence of water hammer in feedring-type steam generators was a significant concern in the 1970s. Extensive research into the causes of water hammer events that occurred in this time period led to the issuance of NUREG-0918 (Ref. 10.4-4) and Branch Technical Position ASB 10-2 (Ref. 10.4-5). The conclusion of Reference 10.4-4 states: "The recommended design STPEGS UFSAR 10.4-22 Revision 18 features set forth in NRC's Standard Review Plan (SRP), section 10.4.7, Branch Technical Position (BTP) ASB 10-2 appear to be effective in preventing (or minimizing) damaging steam generator water hammers." The STP design is evaluated below against the recommendations of the current revision of Reference 10.4-5 for top-feed steam generator designs: 1. BTP ASB 10-2 states: "Prevent or delay water draining from the feedring following a drop in steam generator water level by means such as top discharge J-tubes and limiting feedring seal assembly leakage." STP evaluation: Perforated spray tubes are used in lieu of J-tubes, significantly increasing the flow area for water exiting the feedring, reducing erosion-corrosion concerns, but maintaining the key feature of top-exit of feedwater flow from the feedring. Another measure that will help keep the feedring full when uncovered is the all-welded thermal sleeve. This eliminates a potential internal leakage path at the nozzle that existed in some older feedring steam generator designs where the internal attachment to the nozzle was by expansion rather than by welding.

2. BTP ASB 10-2 states: "Minimize the volume of feedwater piping external to the steam generator which could pocket steam using the shortest possible (less than seven feet) horizontal run of inlet piping to the steam generator feedring." STP evaluation: The feedwater piping design was evaluated, and in all cases, there is less than seven feet of horizontal pipe run external to the steam generator main feedwater nozzle before the piping turns down. The STP configuration most closely resembles configuration (d) in Figure 6 of Reference 10.4-4. 3. BTP ASB 10-2 states: "Perform tests acceptable to NRC to verify that unacceptable feedwater hammer will not occur using the plant operating procedures for normal and emergency restoration of steam generator water level following loss of normal feedwater and possible draining of the feedring. Provide the procedures for these tests for approval before conducting the tests and submit the results from such tests."

STP evaluation: The testing described above is not considered to be necessary for STP. Extensive industry experience with feedring steam generators since the time when References 10.4-4 and 10.4-5 were developed has demonstrated the success of the design measures implemented in the industry and incorporated as applicable in the STP design. Damaging feedwater hammer events have not occurred with feedring SGs. The performance of such a test at high power levels would constitute an unnecessary challenge to plant systems, almost certainly resulting in a plant trip. Such a test is also not necessary because the STP design/operational response to a plant trip (normal or emergency) resulting from loss of feedwater or any other cause is to reestablish feed flow to the steam generators via the auxiliary feedwater nozzle flow path, preferably using water warmed in the deaerator supplied via the cross connect from the main feedwater system. This minimizes the likelihood of a water hammer in the feedwater piping at the main feedwater nozzle after a plant trip.

4. BTP ASB 10-2 states: "Implement pipe refill flow limits where practical."

STP evaluation: Feedwater pipe refill flow limits are not necessary because there are no anticipated operational scenarios within the STP design basis whereby feedwater flow is established to an STPEGS UFSAR 10.4-23 Revision 18 uncovered feedring. Normal steam generator levels are established by filling the steam generators to normal operating levels via the auxiliary feedwater nozzle before the Main Feedwater Isolation Valve is opened. Limiting flow to the main feedwater nozzle to low flow rates is also undesirable due to the increased potential for thermal stratification, causing undesirable stresses in the nozzle. 10.4.7.3.1 Failure Modes and Effects Analysis: A single-failure analysis employing FMEA methodology was conducted for the FW System. The analysis demonstrates that the FW System can sustain the failure of any single active component and still meet the level of performance required. Table 10.4-8 presents a component-by-component summary of this FMEA.

An evaluation of the FW System equipment in the IVC was performed to determine which equipment required qualification for a "harsh" environment. The evaluation used a FMEA approach to determine how FW System equipment met the following 10CFR50.49 requirements for high energy line break (HELB): Ensure the integrity of the reactor coolant pressure boundary; Ensure the capability to shut down the reactor and maintain it in a safe shutdown condition; or Ensure the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures.

Also, in accordance with 10CFR50.49, the evaluation identified certain post-accident monitoring equipment required by RG 1.97.

The evaluation considered the four sources of high energy in the IVC: Main Steam System Feedwater System Auxiliary Feedwater System Steam Generator Blowdown (SGB) System The evaluation takes credit for the fact that the MS and FW piping in the IVC meet the Standard Review Plan 3.6.2 requirements for a break exclusion zone. Therefore, the size of the maximum break analyzed is limited to 1.0 ft2. In addition, the evaluation does not consider the single failure criteria for the MS and FW lines as discussed in Reference 10.4-6. However, single failure is considered for AFW and SGB line breaks in the IVC. The AFW and SGB piping in the IVC are considered to rupture with full pipe area available for discharge from both sides. The environmental consequences of these breaks are assessed assuming single failures in the components used to mitigate the effects of such breaks.

The evaluation considered only electrical equipment in the FW System. Mechanical equipment meets GDC 4 requirements using the STP Procurement and Maintenance/Surveillance program as discussed in Section 3.11.2.

The evaluation shows that all main FW isolation valves, FW isolation bypass valves, and associated components located in the IVC require qualification for a "harsh" environment. The results of the FMEA evaluation are presented in Tables 10.4-8 and 10.4-8A.

STPEGS UFSAR 10.4-24 Revision 18 10.4.7.4 Tests and Inspections. Each item of equipment receives a shop hydrostatic test and other nondestructive tests and inspections in accordance with the applicable codes. The tube-to-tubesheet joints of the FW heaters are hydrostatically tested at the vendor's shop. Prior to initial plant operation, the completed FW system received a field hydrostatic test and weld joint inspections in accordance with the applicable codes. Preoperational or acceptance tests were performed for the FW, Condensate, and Heater Drip Systems as discussed in Section 14.2.12.2. Periodic tests and inspections are performed during operation and during maintenance outages.

Inservice inspection is required for all SC 2 piping and valves in accordance with ASME B&PV Code,Section XI, including addenda.

10.4.7.5 Instrumentation Application. SG water level control is discussed in Section 7.7.1.7. Feedwater isolation by the Engineered Safety Features Actuation System (ESFAS) is discussed in Section 7.3. The condensate pumps are manually started from the control room during startup to transport condensate to the deaerator. The SG feed pumps must be put on turning gear at the local turbine console, but may be subsequently operated from the control room. Automatic recirculation controls are provided at each pump for low-flow protection. Indicating instruments for condensate, FW and MS flow, deaerator and SG level, and MS line pressure are provided in the control room to guide the operator in maintaining the proper SG and deaerator levels.

The deaerator normal level is controlled by two level control valves in the Condensate System which receive input from a three-element control system. This control system compares the condensate flow into the deaerator to a set proportion of the FW flow. The actual deaerator storage tank level is used as a final adjustment for the level control valves. At loads below approximately 20 percent power the deaerator level is controlled by a single element (level only) control system.

The deaerator is provided with high-high-high water level switches which simultaneously close incoming HP heater drains, condensate, and extraction steam valves. High-high level switches open the deaerator high level dump valves to the condenser.

Automatic FW control utilizing the main and bypass FW control valves is provided over the load range from zero to full rated power. This control is accomplished with a low-power FW control system covering the load range from 0 to 25 percent of rated power and a main FW control system over the range of 20 to l00 percent of rated power. The transfer from one system to the other occurs in the 20- to 25-percent overlap of full rated power and is performed manually by the operator. The low-power FW control system maintains each SG water level by modulating each bypass FW valve up to 25 percent of rated FW flow. Control signals to the low-power system include SG water level, turbine impulse stage pressure, and nuclear power. When the SG level is equal to the reference level (determined by turbine impulse stage pressure), the control system maintains FW flow proportional to nuclear power. At plant loads above 25 percent, the main FW control system, using a three-element controller, automatically modulates the main FW control valve to each SG to maintain proper SG water level. The main FW control valve logic is shown in Figure 7.3-19. A block diagram of the SG level control system is provided as Figure 7.7-6.

The water level in each FW heater shell (except heater no. 16) is automatically controlled by two level controllers on each heater. Heater drips from heaters 11, 13, and 14 are cascaded to the next STPEGS UFSAR 10.4-25 Revision 18 lower pressure heater by the normal level control system. Heater drips from three heaters are dumped to the condenser by the emergency level control system in the event of high heater level. In the event of extreme high heater level, valves in extraction steam lines and heater drip lines leading to the heater(s) in question (11, 13, or 14) are automatically closed. On a high-high heater level for heaters 15 and 16, the tube sides of the heaters are isolated and the condensate system is automatically bypassed. Heater drips from these heaters are directed to flash tanks.

Instrumentation is provided to measure all necessary process parameters at pertinent stages of the system, such as at pump suction and discharge lines and FW heater inlet and outlet nozzles, to determine, calculate, and monitor system and component performance. Alarms are provided to warn the operator of abnormal conditions. Automatic trips are provided to protect the equipment from failure due to unsafe operating conditions. Fluid analysis is performed at critical points by the PSS.

10.4.8 Steam Generator Blowdown System Blowdown of the secondary side of the SGs is performed to maintain the SG secondary side water chemistry within specification, to prevent buildup of corrosion products, to reduce SG radioactivity levels, and provide the means of draining the SG secondary side. Normally, the blowdown fluid is fractionated in a flash tank, the resulting vapor being used as a heat source for FW LP heaters. The liquid from the flash tank is treated and returned to the main condenser.

10.4.8.1 Design Bases. Secondary side water chemistry control specification requires blowdown from each SG to achieve optimum effectiveness from the SG chemistry control program. The Steam Generator Blowdown System (SGBS) is designed to accommodate the blowdown under a wide range of conditions. The safety-related portions of the SGBS are protected from the effects of postulated hazards such as fire, internal missiles, and pipe break. 10.4.8.1.1 Performance Requirements: The SGBS is sized for a continuous blowdown rate of one percent of the maximum steaming rate.

10.4.8.1.2 Sampling Criteria: Sampling of blowdown fluid for radioactive isotopes is based on the criteria presented in Section 9.3.2. Additional sampling of blowdown fluid for chemistry control purposes is performed.

10.4.8.1.3 Environmental Design Bases: There are no specific environmental design requirements for this system.

10.4.8.1.4 Primary-to-Secondary Leakage: The radioactivity level resulting from primary-to-secondary leakage does not limit operation of the SGBS. The radioactivity level in the secondary system is a function of the percent of failed fuel as well as leakage rates and blowdown. The maximum permissible radioactivity levels are delineated in the Technical Specifications.

10.4.8.1.5 Design Codes: The SGBS performs no function related to safe shutdown of the reactor plant. All components downstream of the blowdown isolation valves are classified as NNS and are nonseismic Category I (Section 3.2). The flash tank and the demineralizers are designed, fabricated, tested, and stamped in accordance with ASME B&PV Code,Section VIII. Piping and valves classified as NNS are designed in accordance with ANSI B3l.1. Piping and valves between STPEGS UFSAR 10.4-26 Revision 18 the SG and the Containment isolation valves are seismic Category I and are classified as SC 2. These components are designed, fabricated, and tested in accordance with ASME B&PV Code,Section III, Class 2, and Section XI. In addition, the system is designed to conform with RGs l.26, l.29, and l.48. Process instrumentation and controls are described in Section 10.4.8.4.

10.4.8.2 System Description and Operation. The system P&IDs are shown on Figures 10.4.8-1, 10.4.8-2, and 10.4.8-3. The general arrangement drawings are listed in Table 1.2-1.

During full power operation the SGBS can be operated in one of several modes depending upon the type and level of contamination in the blowdown. The operator determines the extent of processing required by the blowdown system based on prior knowledge of secondary cycle water chemistry conditions and radioactivity levels in conjunction with the Technical Specification limitations and state and local discharge permit restrictions.

The SGBS is normally operated utilizing the full processing capability of the system with heat recovery. The flow of blowdown fluid from each of the four SGs is flashed through throttle valves located in each blowdown line between the containment isolation valves and the flash tank. The four SG blowdown lines enter the flash tank tangentially at equally spaced distances around the tank.

The blowdown flash tank pressure is maintained at 150 psia by a backpressure control valve in the flash tank vent line. Approximately 30 percent of the blowdown flow will be flashed into vapor.

This flow, containing more than half of the total blowdown heat energy, is returned to the FW System via the no. 13 FW heater shell. If the FW heater is not available, the steam can be directly discharged to condenser no. 13.

The regenerative heat exchangers (HXs) cool the remaining saturated fluid from the flash tank to a temperature below 140oF to protect the demineralizer resin or 170oF when bypassing the demineralizers. Level control valves in each of the processing flow paths (to the condenser or to the demineralizer beds) maintain a level in the flash tank that provides an elevation head on the fluid entering the HXs for suppression of further fluid flashing. The regenerative HXs use less than 3 percent of condensate flow for cooling water. This condensate flow is diverted from the condensate system downstream of the condensate polisher demineralizers and is returned upstream of the fourth stage FW heater. The condensate outlet temperature for the regenerative HX will be at or below 275oF. If the HXs are not available, the blowdown fluid from the flash tank is routed directly to the condenser.

Following the flash tank and HXs, the liquid portion of the blowdown is processed through the mixed-bed demineralizers. In addition, filters are provided upstream of the demineralizers to remove particulate matter and extend the operating life of the demineralizer resins. The filters may be operated without the filter elements. Without the filter elements installed, particulates will be removed from condensate by the SGBS demineralizers. A Y-strainer is provided downstream of the two demineralizers.

Two mixed-bed demineralizers are provided in the blowdown treatment train. Conductivity monitors provided downstream of each demineralizer (located in the secondary side sampling system) signal exhaustion of the resin. Differential pressure across each demineralizer is also monitored STPEGS UFSAR 10.4-27 Revision 18 continuously and a high differential pressure alarm may necessitate resin replacement in that demineralizer. When the resin in one demineralizer is being replaced, the blowdown water is processed by the other demineralizer. Upon replacement of the resin, both demineralizers are brought on line. The exhausted resin may be transferred to either the spent resin storage tank or to portable containers for disposal, depending on contamination/radiation levels. If necessary, the filters and demineralizers may be bypassed and the blowdown fluid can be returned directly to the condenser, provided that the FW remains within chemistry specifications.

During periods of normal plant operation with the condensate demineralizers in service and with insignificant radioactive contaminants in the system, the processing portion of the system (i.e., filters and demineralizers) can be bypassed and the fluid returned directly to the condenser, provided the FW remains within the chemistry specifications. Also during normal operating conditions, with no radioactive contaminants in the system and where chemistry of the blowdown fluid meets the Technical Specification limitations for release restrictions, the demineralizers can be bypassed and the fluid can be directly discharged to the neutralization basin. The radiation monitor on the liquid line downstream of the flash tank will alarm on high radiation and automatically terminate the discharge. The SG wet layup system is used during cold wet layup to maintain correct pH and hydrazine concentrations in the secondary side water inside the SG. The recirculation pumps, one for each SG, are used to achieve complete mixing of the injected chemicals and FW by recirculating the contents of the SG. The recirculation pump takes suction through the AFW connection (bypassing the AFW check valve) through the main FW bypass line and recirculation flow is returned to the blowdown connection (150 gallons/minute). Recirculation by taking suction from the blowdown connection and return via the AFW connection is also possible. The pumps can also be used to drain the SGs.

The blowdown sample system is provided with individual grab samples from each SG, grab samples at the inlet and outlet of the SGBS prefilters, continuous sample at each blowdown line, and continuous sample at each demineralizer outlet.

The secondary sampling system is normally used to continuously determine the chemical composition of the liquid in each of the SGs.

A strap-on type continuous radioactivity monitor is provided in the blowdown line to detect the presence of radioactivity which would indicate a large primary-to-secondary leak. When excessive radioactivity is indicated, samples may be taken at the primary sample panel and analyzed to ascertain the affected SG and to monitor any increase in primary-to-secondary leakage. In addition to the radioactivity monitors on the blowdown lines, a common radioactivity monitor with alarm is provided on the total blowdown flow at the flash tank and at the demineralizer outlet. The primary sampling system is capable of receiving intermittent or continuous samples from each of the SGs and from each of the individual blowdown lines.

Instrumentation and controls are further discussed in Section 10.4.8.4.

STPEGS UFSAR 10.4-28 Revision 18 10.4.8.2.1 Component

Description:

Design parameters for the SGBS components are listed in Table 10.4-1. The functions of these components are discussed in Section 10.4.8.2. 10.4.8.3 Safety Evaluation.

10.4.8.3.1 System Failure Analysis: The SGBS is not required for the safe shutdown of the plant or to mitigate the consequences of an accident. However, the piping and valves between the SGs and the SG isolation valves are classified as SC 2. The system components located downstream of the SG isolation valves are classified as NNS. A failure in the NNS system piping or the flash tank would result in an increase in the blowdown rates that would activate an alarm in the main control room. The system then would be shut down manually by the use of remotely operated valves. The results of a failure mode and effects analysis can be found in Table 10.4-9 for the SGBS. 10.4.8.3.1.1 Failure Modes and Effects Analysis - A single-failure analysis employing FMEA methodology was conducted for the SGB System. The analysis demonstrates that the SGB System can sustain the failure of any single active component and still meet the level of performance required. Table 10.4-9 presents a component-by-component summary of this FMEA.

An evaluation of the SGB System equipment in the IVC was performed to determine which equipment required qualification for a "harsh" environment. The evaluation used a FMEA approach to determine how SGB System equipment met the following 10CFR50.49 requirements for HELB: Ensure the integrity of the reactor coolant pressure boundary; Ensure the capability to shut down the reactor and maintain it in a safe shutdown condition; or Ensure the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures. Also, in accordance with 10CFR50.49, the evaluation identified certain post-accident monitoring equipment required by RG 1.97. The evaluation considered the four sources of high energy in the IVC: Main Steam System Feedwater System Auxiliary Feedwater System Steam Generator Blowdown System The evaluation takes credit for the fact that the MS and FW piping in the IVC meet the Standard Review Plan 3.6.2 requirements for a break exclusion zone. Therefore, the size of the maximum break analyzed is limited to 1.0 ft2. In addition, the evaluation does not consider the single failure criteria for the MS and FW lines as discussed in Reference 10.4-6. However, single failure is considered for AFW and SGB line breaks in the IVC. The AFW and SGB piping in the IVC are considered to rupture with full pipe area available for discharge from both sides. The environmental consequences of these breaks are assessed assuming single failures in the components used to mitigate the effects of such breaks.

STPEGS UFSAR 10.4-29 Revision 18 The evaluation considered only electrical equipment in the SGB System. Mechanical equipment meets GDC 4 requirements using the STP Procurement and Maintenance/Surveillance program as discussed in Section 3.11.2.

The evaluation shows that the SGB System components do not require qualification for a "harsh" environment. The results of the FMEA evaluation are presented in Tables 10.4-9 and 10.4-9A.

10.4.8.3.2 Radioactivity Discharge Rate: In the event radioactivity is transmitted to the secondary side of the SG, it will be in the blowdown fluid. In the event of primary-to-secondary system leakage, it is expected that the blowdown fluid will be processed and returned to the main condenser. Any discharge of radioactive fluid from this system is considered unlikely.

Provision is made to divert the SG fluid directly to the neutralization basin during wet layup. This route will not be used normally.

The operating criteria for the secondary side blowdown system are dictated by the need for limiting the secondary side buildup of dissolved solids. The equilibrium secondary radioactivity concentrations based on assumed primary-to-secondary leak rates are given in Section 11.1. 10.4.8.3.3 Maximum Expected Primary-to-Secondary Leakage: Under conditions of maximum expected leakage resulting in detectable activity, the SGBS will be used to maximize the cleanup capability. With the design leakage rate of 1 gal/min maximum for all four SGs or 500 gallons-per-day for any one SG, the blowdown rate of 35,166 lbs/hr would be sufficient to maintain the SG chemistry within specifications. In the event of primary-to-secondary leakage on the order of 0.25 gal/min per SG, the resulting water chemistry would be compatible with SGBS piping and flash tank materials. Section 5.4.2.1.3 discusses compatibility of SG tubing with both primary and secondary coolants. Primary coolant chemistry is provided in Table 5.2-4.

10.4.8.4 Instrumentation Application. Provisions have been made to control the SGBS Containment isolation valves, SG blowdown flow control valves, flash tank level, and flash tank steam discharge valves from the control room. The SG blowdown and sample Containment isolation valves are closed automatically by the signals initiating the start of the AFW System. See Section 10.4.9.5 for a discussion of AFW control. The SG blowdown Containment isolation valves are also closed automatically by a Reactor Trip with the Source Range Blocked and the isolation valves can be reopened after the Source Range Block is reset. The SG blowdown inlet flow control valves are controlled automatically by flow transmitters and controllers which maintain the blowdown flow rate from each SG to the flash tank.

Flash tank level is maintained by controlling the flash tank condensate drain to the condenser with a flow override to prevent excessive flow through the blowdown demineralizers when the blowdown flow rate is increased above normal. Flash tank pressure is maintained by controlling flash tank steam flow to FW heater 13, with a provision of bypassing this steam to the condenser if the heater is out of service and also on turbine trip. Blowdown water temperature to the demineralizers is STPEGS UFSAR 10.4-30 Revision 18 regulated by a control valve in the cooling water outlet line from the SG blowdown regenerative HX. A blowdown flash tank safety relief valve provides overpressure protection. Blowdown flow rate from each SG, blowdown flash tank pressure and temperature, and steam and liquid flow rate from the flash tank are displayed in the control room. High and low water levels in the flash tank are alarmed on a control room annunciator. High blowdown flow rate, and high and low flash tank pressures are displayed on the plant computer and on an annunciator. High blowdown water temperature at the SG blowdown regenerative HX outlet is alarmed in the control room. When the mixed-bed demineralizers are inservice, high temperature terminates the blowdown water to the demineralizers. To optimize thermal efficiency, high blowdown water temperature will be raised when bypassing the mixed-bed demineralizers. On high level in the flash tank, the control valve at the flash tank outlet line (which goes directly to the condenser, bypassing the HXs and the demineralizers) is modulated to maintain proper flash tank water level. Local pressure gauges are furnished throughout the system and a level gauge is installed on the blowdown flash tank.

10.4.8.5 Tests and Inspections. Periodic tests and recalibration are performed on flow, pressure, and temperature indicators. The system isolation valves are periodically tested to check operability in accordance with ASME B&PV Code,Section XI, except for those exempted in accordance with UFSAR section 13.7.3. In addition, periodic inspection and preventive maintenance are conducted on components as required. Valving and system arrangement make all components available for inspection. Active components are designed so that they can be tested during plant operation. 10.4.9 Auxiliary Feedwater System 10.4.9.1 Design Bases. The function of the Auxiliary Feedwater System (AFWS) is to supply FW to the secondary side of the SGs whenever the normal FW supply is not available. Causes and analyses for conditions which require the use of the AFWS, including loss of coolant from small breaks, are discussed in Chapter l5.

The AFWS is designed to perform the following safety functions:

l. Supply the SGs with water required for decay heat removal.
2. Start and deliver design flow automatically following any incident causing loss of FW. Under any condition, the AFWS is capable of starting and operating unattended for at least ten minutes.
3. Function within a SG pressure range from approximately 100 psia up to a pressure equivalent to the lowest set SG safety-valve relief pressure plus accumulation (1,338 psia). The lower value corresponds to the point at which the Residual Heat Removal System (RHRS) can be operated for continuing cooldown.

STPEGS UFSAR 10.4-31 Revision 18 4. Function under the following conditions: loss of main FW; various environmental occurrences; a main FW line break or a MS line break; with or without offsite power available considering at the same time any single failure.

5. Supply FW in the unlikely event the control room must be evacuated.
6. Be tested during normal plant operation.
7. Meet safety class (refer to the AFWS, piping diagram, Figure 10.4.9-1, for SC 2 and SC 3 divisions) and seismic Category I requirements as defined in Section 3.2.
8. Function as required for ATWS mitigation (Section 7.8).

The AFWS is designed to deliver 500 gal/min within one minute of automatic initiation to at least one SG after a feedwater line rupture or steam line break. The AFWS is designed to deliver 500 gal/min within one minute of automatic initiation to each of at least two SGs after a loss of FW accident. The AFWS is designed to deliver 500 gal/min within one minute of automatic initiation to at least two SGs after loss of offsite power (LOOP). The motor-driven AFW pumps are automatically started by the load sequencers, though when the pumps are started they are in a recirculation mode, and no flow will enter the SGs until a SG low-low water level signal, an AMSAC signal, or safety injection (SI) signal initiates flow.

The AFWS is designed to prevent the possibility of hydraulic instability (i.e., water hammer) by incorporation of the following: 1. A separate nozzle is provided for the introduction of AFW to the SG. (This AFW nozzle does not incorporate a feedring design). 2. The length of horizontal piping immediately upstream of the AFW nozzle is minimized. 3. The AFW inlet piping within the SG is designed to be self venting.

4. The outlet of the AFW nozzle is designed to be below the normal SG water level.

The combination of the above prevents the formation of steam voids in the inlet piping which is susceptible to condensation upon the introduction of AFW.

The AFWS is also designed for the following normal plant operations.

10.4.9.1.1 Plant Cold Startup: The AFWS is designed to back up the main FW system during plant startup in the event the main FW system and/or the startup SGFP is unavailable.

10.4.9.1.2 Plant Hot Shutdown: The AFWS is designed to back up the main FW system during plant hot shutdown (or hot standby) in the event the main FW system and/or the startup SGFP is unavailable. The AFWS can be used as a means of continuous FW supply even if this condition is maintained for extended periods. FW is continuously supplied from the AFST, which during normal STPEGS UFSAR 10.4-32 Revision 18 operation receives required makeup from the demineralized water storage tank (DWST). The DWST in turn is supplied by water from wells through the demineralizers, as shown on Figures 9.2.3-1 and 9.2.6-1. 10.4.9.1.3 Plant Cold Shutdown: The AFWS is designed to back up the main FW system when achieving plant cold shutdown.

10.4.9.2 System Description. One AFWS is provided for each unit. The piping diagram is shown on Figure 10.4.9-1. The system includes an adequate water storage, redundant pumping capacity to supply the SGs, associated piping, valves, and instrumentation.

The AFWS supplies water to the SGs, where it is converted into steam by the heat transferred from the primary coolant that removes decay heat from the reactor core and heat generated in the primary coolant loop by the reactor coolant pumps.

The AFST provides water to the AFW pumps. It is a concrete, stainless steel lined, tank with a Technical Specification required volume of 485,000 gallons which is significantly more than the required volume. The required volume is based on the following, plus a margin for contingencies; maintaining the plant in hot standby for four hours, then cooling down the primary system to 350F The AFWS has the capability to cool down the reactor coolant system at an average rate of 50F/hr. Four AFW pumps, each with independent motive power supplies, are provided to comply with redundancy requirements of the safety standards, both for equipment and power supplies. Pump characteristics are given in Table 10.1-1.

Three horizontal, centrifugal, multistage, electric motor-driven pumps supply one SG each. Each pump motor is supplied power from a separate engineered safety bus, and the power supply is separated throughout. The fourth pump is a horizontal, centrifugal, multistage, noncondensing steam turbine-driven unit which supplies AFW to the fourth SG. A steam line connection is taken from the SC 2 section of the MS line of the fourth SG upstream of the MSIV (Figure 10.3-1). The AFW steam line is provided with steam inlet valves which function as containment isolation valves. The turbine discharge steam exhausts directly to the atmosphere.

Each SG is supplied by a separate AFW train. Normally closed, fail-closed cross-connections are provided between the four trains to permit flow from any pump to any SG.

Each of the four pumps is provided with a minimum-flow automatic recirculation system. The recirculation flow returns to the upper section of the AFST.

STPEGS UFSAR 10.4-33 Revision 18 Each pump recirculation line is designed to SC 3 requirements inside the IVC. The recirculation lines from the IVC to the AFST are designed to NNS class requirements. Water losses through credible failures of recirculation lines are included in the storage tank inventory requirements. Each AFW supply line is provided with a regulator valve controlled by the Qualified Display Processing System (QDPS). The AFW regulator valves are controlled by the QDPS to limit the flow (at all times) into the SG to below a preset high value. After a two-out-of-four low-low water level signal from any SG, an ATWS (Anticipated Transient Without Scram) Mitigation System Actuation Circuitry (AMSAC) signal, or an SI signal, flow is maintained between upper and lower limits using the QDPS, until manually reset. These valves may be manually controlled from the control room (subject to high flow limitation) or from the auxiliary shutdown panel. The control logic for an AFW regulator valve is shown on Figure 7.3-21B. The AMSAC system is described in Section 7.8. The QDPS is described in Section 7.5.6.

The AFW line to each SG (one per AFW pump) is provided with a remote manual containment isolation valve (Section 6.2.4). Each line connects directly to the upper shell of the SG.

The AFW pumps are located in a seismic Category I building and are physically separated from each other in individual compartments. These compartments are designed to preclude coincident damage to redundant equipment in the event of a postulated pipe rupture, equipment failure, or missile generation.

Figures 1.2-21 and 1.2-25 show the AFWS component arrangements. The steam supply pipe to the turbine-driven AFW pump is routed directly to the turbine pump compartment located immediately beneath the MS line piping. This piping is routed such that it does not penetrate any of the AFW motor-driven pump compartments.

10.4.9.3 Safety Evaluation. The AFWS is designed to seismic Category I requirements, and will withstand a single failure and still perform its design requirements. The loss of one motor-driven pump or the turbine-driven pump will not limit the design safety function of the system. In the event that the makeup water to the AFST is lost, the minimum quantity of water within the AFST is sufficient for a safe shutdown of the reactor. Therefore, failure of any one AFW component will not preclude safe shutdown of the reactor. To demonstrate the capability to meet the single-failure criterion, a component failure mode and effects analysis is presented in Table 10.4-3. In addition, the AFWS has been analyzed to determine its reliability and the results of the analysis are provided in Appendix 10A. The system is SC 3 from the AFST (Figure 9.2.6-2) up to the Containment isolation valves. The steam line to the AFW pump turbine is SC 2 to the steam inlet valves and SC 3 to the turbine. The isolation valves and piping from the Containment isolation valves to the SG are SC 2 (Figure 10.4.9-1).

The AFWS water supply is from the AFST which is designed to seismic Category I SC 3 requirements and the applicable codes discussed in Section 3.8.4. The AFST is designed to withstand environmental design conditions, including flood, earthquake, hurricane, tornado loadings, and tornado missiles. The AFST is designed to retain a sufficient quantity of water for AFWS use. The AFST is designed such that no single active failure will preclude the ability to provide water to the AFWS. The AFW suction and discharge lines are routed separately to prevent coincident damage.

STPEGS UFSAR 10.4-34 Revision 18 For vacuum protection, the AFST is provided with a water loop seal fabricated of SC piping physically located within the AFST seismic Category I, SC 3 concrete structure. In addition, redundant non-safety vacuum breakers are provided.

The AFWS is provided with controls at the auxiliary shutdown panel in addition to those in the control room, so operation is possible in the unlikely event the control room is inaccessible. 10.4.9.3.1 Failure Modes and Effects Analysis. A single-failure analysis employing FMEA methodology was conducted for the AFW System. The analysis demonstrates that the AFW System can sustain the failure of any single active component and still meet the level of performance required. Tables 10.4-3 and 10.4-3A present a component-by-component summary of this FMEA.

An evaluation of the AFW System equipment in the isolation valve cubicle (IVC) was performed to determine which equipment required qualification for a "harsh" environment. The evaluation used a FMEA approach to determine how AFW System equipment met the following 10CFR50.49 requirements for HELB: Ensure the integrity of the reactor coolant pressure boundary; Ensure the capability to shut down the reactor and maintain it in a safe shutdown condition; or Ensure the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures. Also, in accordance with 10CFR50.49, the evaluation identified certain post-accident monitoring equipment required by RG 1.97. The evaluation considered the four sources of high energy in the IVC: Main Steam System (MS) Feedwater System (FW) Auxiliary Feedwater System (AFW) Steam Generator Blowdown System (SGBS) The evaluation takes credit for the fact that the MS and FW piping in the IVC meet the Standard Review Plan 3.6.2 requirements for a break exclusion zone. Therefore, the size of the maximum break analyzed is limited to 1.0 ft2. In addition, the evaluation does not consider the single failure criteria for the MS and FW lines as discussed in Reference 10.4-6. However, single failure is considered for AFW and SGBS line breaks in the IVC. The AFW and SGBS piping in the IVC are considered to rupture with full pipe area available for discharge from both sides. The environmental consequences of these breaks are assessed assuming single failures in the components used to mitigate the effects of such breaks.

The evaluation considered only electrical equipment in the AFW System. Mechanical equipment meets GDC 4 requirements using the STP Procurement and Maintenance/Surveillance program as discussed in Section 3.11.2.

STPEGS UFSAR 10.4-35 Revision 18 The evaluation shows that only the electrical equipment associated with the AFW outside containment isolation valves, SG preheater bypass valves, AFW flow transmitters, steam supply isolation valve to the turbine-driven AFW pump, and the turbine-driven AFW pump discharge pressure transmitter require qualification for a "harsh" environment. The results of the FMEA evaluation are presented in Tables 10.4-3 and 10.4-3A. 10.4.9.4 Tests and Inspections. The AFWS may be tested and inspected while the plant is in operation. Only one pump at a time may be tested. A test line is provided on each pump discharge back to the AFST to allow for performance testing of each pump. AFW pumps are periodically performance tested to verify pump operability in accordance with Technical Specification surveillance requirements and ASME B&PV Code Section XI inservice testing requirements (refer to Section 3.9.6.1). An AFW pump must develop a discharge pressure of 1485 psig at a flow rate of 500 gpm to be considered operable (these numerical values do not include the instrument uncertainties noted in the applicable calculation of record and included in the test methodology). The pumps are tested to demonstrate this capability.

Leakage can be detected by visual inspection and by loss of tank inventory.

The AFWS was tested in accordance with Section 14.2.

10.4.9.5 Instrumentation Application. The control logic for the AFWS is described in Sections 7.3.1 and 7.4.1.1.

The AFWS is capable of starting automatically and supplying the SGs with water required for decay heat removal. Each motor-driven AFW pump is started automatically by two out of four low-low water level signals from any SG, an AMSAC signal, or by an automatic load sequencer signal based upon a LOOP or an SI signal. The turbine-driven AFW pump is automatically started by opening the turbine trip and throttle valve (supplied with the pump turbine), which is opened by a two-of-four low-low water level signal from any SG, an AMSAC signal, or an SI signal. The turbine trip and throttle valve may be manually opened from the control room or the auxiliary shutdown panel. The steam inlet valve, located upstream of the trip and throttle valve, is a normally open valve. It receives a confirmatory open signal on SG low-low water level in any SG, an AMSAC signal, or an SI signal. All AFW pumps may be manually controlled from the control room and the auxiliary shutdown panel. Status lights are provided at both locations to monitor the performance of each AFW pump.

The two-of-four low-low water level signal in any SG, an AMSAC signal, or the SI signal closes the SG blowdown valves, sample line valves, and AFW crossover isolation valves, and initiates control of the AFW regulator valves between preset high and low flow values by the QDPS. It also allows the stop check valves to function normally. Thus on a LOOP, the motor-driven AFW pumps start and recirculate water to the AFST until an SI signal, an AMSAC signal, or a two-of-four low-low water level signal in any SG occurs. Each AFW regulator valve may be manually reset and remotely positioned by manual switches in the control room to allow throttling of flow below the minimum value which QDPS ensures after any of these signals. Manual control switches are also provided at the auxiliary shutdown panel for jogging operation. The control logic for an AFW regulator valve is shown on Figure 7.3-21B. An automatic recirculation system is proved for the turbine-driven AFW pump and the motor-driven AFW pumps.

STPEGS UFSAR 10.4-36 Revision 18 Control room instrumentation is provided to monitor major AFWS parameters, such as the discharge pressure of each AFW pump, turbine-driven AFW pump inlet steam pressure available through the plant computer, and AFW flow to each SG. Turbine-driven pump discharge pressure is available at a control room indicator and through the QDPS; the motor-driven pump discharge pressures are available through the Emergency Response Facilities Data Acquisition and Display System [ERFDADS]. This instrumentation, in combination with the SG level indication described in Section 7.5, provides the operator with reliable indication of the AFWS performance. If evacuation of the control room becomes necessary, AFWS monitoring and control is available to the operator at the auxiliary shutdown panel. For a detailed description of the auxiliary shutdown panel, refer to Section 7.4. AFST level indication is provided in the control room (through the use of QDPS and the level recorder in the control room) and at the auxiliary shutdown panel (via the QDPS).

Alarms indicating high and low AFST water levels are provided in the control room.

Remote manual level control is utilized to maintain the minimum operating storage capacity in the AFST. A level control valve is manually controlled to add demineralized water to the AFST.

The AFWS is provided with temperature elements upstream of the AFW isolation valves (AF0019, AF0048, AF0065, AF0085) for detecting check valve backleakage which could potentially disable an AFW train.

10.4-37 Revision 18 STPEGS UFSAR REFERENCES Section 10.4: 10.4-1 Standards for Steam Surface Condensers, 6th Edition, Heat Exchanger Institute (1970).

10.4.2 NUREG-0291, "An Evaluation of PWR Steam Generator Water Hammer by Creare, Inc.", Dec. 31, 1976.

10.4-3 Not Used.

10.4-4 NUREG 0918, "Prevention and Mitigation of Steam Generator Water Hammer Events in PWR Plants," November 1982.

10.4-5 Branch Technical Position ASB-10-2, "Design Guidelines for Avoiding Water Hammers in Steam Generators," Revision 3, April 1984.

10.4-6 NRC memo from H. R. Denton to V. Stello, "Position on a MSLB in Superpipe with a Single Active Failure," dated April 29, 1985.

10.4-7 Regulatory Guide 1.97, " Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident", Rev. 3, 5/1/1983. 10.4-8 USQE 95-0044, "Elimination of Mechanical Equipment Qualification (MEQ) Program", Rev. 0. 10.4-9 10 CFR 50.49, "Environmental Qualification Of Electric Equipment Important To Safety For Nuclear Power Plants".

10.4-38 Revision 18 STPEGS UFSAR TABLE 10.4-1 STEAM GENERATOR BLOWDOWN SYSTEM COMPONENT DESIGN PARAMETERS Steam Generator Blowdown Flash Tank Type Vertical Number required 1/unit Volume, gal 2350 Design temperature, F 410 Operating temperature, F 360 Design pressure, psig 250 Operating pressure, psig 135 Steam Generator Blowdown Regenerative Heat Exchanger Type Horizontal Number required 4/unit Design Flow, lb/hr tube 119,800 shell 256,500 Design temperature, F tube 410 shell 410 Design pressure, psig tube 250 shell 800 Steam Generator Blowdown Mixed-Bed Demineralizer Type Deep bed Number required 2/unit Design Flow, gal/min 250 Resin volume, ft3 31 Design temperature, F 410 Design pressure, psig 250 Design pressure drop, psi fouled 31.5 @ 250 gpm 10.4-39 Revision 18 STPEGS UFSAR TABLE 10.4-1 (Continued) STEAM GENERATOR BLOWDOWN SYSTEM COMPONENT DESIGN PARAMETERS Steam Generator Recirculation Pumps Type Inline centrifugal Number required 4/unit Rated flow, gal/min 150 Design temperature, F 250 Total discharge head, ft 210 Steam Generator Prefilters Type Disposable cartridge (all micron mesh sizes are acceptable. Installation of filter element is optional) Number required 2/unit Design temperature, F 410 Design pressure, psig 250 Design pressure drop, psi normal 5 fouled 25 STPEGS UFSAR 10.4-40 Revision 18 TABLE 10.4-3 AUXILIARY FEEDWATER SYSTEM FAILURE MODES AND EFFECTS ANALYSIS Description of Component Safety Function Plant Operating Mode* Failure Mode Method of Failure Detection Failure Effect on System Safety Function Capability General Remarks Motor driven AFW pump (typical - 1 in three of the four trains) Required to start and provide AFW to the SG automatically 1-3 Fails to start or stop running when required Pump status light ESF monitoring (1 only) Pressure indication (via QDPS) None - The other operating AFW pumps will provide adequate AFW flow Spurious start or failure to stop on command None - If AFW is not required the affected AFW line can be isolated Turbine driven AFW pump (Train D DC-controls) Start and provide AFW to SG D automatically 1-3 Fails to start or stop running when required Pressure indication Flow indication None - The motor driven AFW pumps will be operating providing adequate AFW flow AFW pump turbine trip and throttle valve (MOV-0514) normally closed DC powered Open and control steam admission to the AFW turbine 1-3 Fails closed or fails to open on initiation Position indication Pressure indication ESF monitoring (1 only) None - The motor driven AFW pumps will be operating providing adequate AFW flow

  • Plant Modes 1. Power Operation 4. Hot Shutdown 2. Startup 5. Cold Shutdown 3. Hot Standby 6. Refueling STPEGS UFSAR STPEGS UFSAR 10.4-41 Revision 18 TABLE 10.4-3 (Continued) AUXILIARY FEEDWATER SYSTEM FAILURE MODES AND EFFECTS ANALYSIS Description of Component Safety Function Plant Operating Mode* Failure Mode Method of Failure Detection Failure Effect on System Safety Function Capability General Remarks Fails open or fails to close on initiation None - If AFW is not required the line can be isolated by MOV-0019 If Main Steam isolation is required MOV-0143 can be closed Steam Inlet Bypass Valve FV-0143 normally closed (DC powered) To stay closed 1-3 Fails open or fails to close on initiation Valve position indication None - If AFW is not required the affected train can be isolated using MOV-0514 Steam Supply Valve MOV-0143 normally open (DC powered) Stay open and admit steam to the AFW pump turbine. Also provides isolation of the steam line in the event of a line break 1-3 Fails to open on command or fails closed Fails to close on initiation Valve position indication ESF monitoring (1 only) Steam pressure via plant computer None - Motor driven AFW pumps will supply adequate AFW flow

None - If AFW is not required this line can be isolated by MOV-0019

Cross-connect valves normally closed (typical - one per AFW line) To stay closed or to close on signal 1-3 Valve fails open Position indication ESF monitoring None - Other cross connect valves will be closed These valves could be used to allow cross connection of the AFW trains

  • Plant Modes 1. Power Operation 4. Hot Shutdown 2. Startup 5. Cold Shutdown 3. Hot Standby 6. Refueling STPEGS UFSAR 10.4-42 Revision 18 TABLE 10.4-3 (Continued) AUXILIARY FEEDWATER SYSTEM FAILURE MODES AND EFFECTS ANALYSIS Description of Component Safety Function Plant Operating Mode* Failure Mode Method of Failure Detection Failure Effect on System Safety Function Capability General Remarks AFW control valve (typical - one per AFW line) To regulate AFW flow 1-3 Fails closed or fails to open on initiation Position indication Flow indication ESF monitoring (1 only) None - No flow will occur from this train. However, the other trains will provide adequate AFW flow Normal position not specified Fails open or fails to close on initiation None - If the flow is not required or it is excessive the stop check isolation valve can be closed AFW isolation stop check valve normally closed (typical - one per AFW line) Open to allow flow to the SG 1-3 Fails closed or fails to open on initiation Position indication Flow indication ESF monitoring (1 only) None - No flow will occur from this train. However, the other trains will provide adequate AFW flow To isolate and prevent back flow from the SG Fails open or fails to close on a manual isolation signal None - If flow to the SG is not needed or isolation of the SG is required the flow control valve can be isolated
  • Plant Modes 1. Power Operation 4. Hot Shutdown 2. Startup 5. Cold Shutdown 3. Hot Standby 6. Refueling STPEGS UFSAR 10.4-43 Revision 18 TABLE 10.4-3 (Continued) AUXILIARY FEEDWATER SYSTEM FAILURE MODES AND EFFECTS ANALYSIS Description of Component Safety Function Plant Operating Mode* Failure Mode Method of Failure Detection Failure Effect on System Safety Function Capability General Remarks AFW Check Valves AF0119 AF0120 AF0121 AF0122 To allow flow to the SG and prevent blowdown of the SG 1-3 Fails closed when it should be open Flow indication None - Adequate AFW flow will be provided by the other 3 trains Fails open when it is acting as an SG isolation valve None None - The stop check valve will be isolated and provide a backup to the check valve AFW Turbine Governor Valve normally open (skid mounted) Controls the turbine speed 1-3 Fails closed Fails open Pump discharge pressure indication Flow indication None - The motor driven AFW pumps will supply adequate AFW flow

None - Potential for turbine overspeed exists which would cause turbine trip valve closure, however, the motor driven AFW pumps are available to supply adequate AFW flow. In any event Valve FV-7526 and associated controls will limit flow rate AFW turbine trip is alarmed on the main control panel .

  • Plant Modes 1. Power Operation 4. Hot Shutdown 2. Startup 5. Cold Shutdown 3. Hot Standby 6. Refueling STPEGS UFSAR 10.4-44 Revision 18 TABLE 10.4-3 (Continued) AUXILIARY FEEDWATER SYSTEM FAILURE MODES AND EFFECTS ANALYSIS Description of Component Safety Function Plant Operating Mode* Failure Mode Method of Failure Detection Failure Effect on System Safety Function Capability General Remarks ESFAS Train A Provide actuation signals as required to safety related components of AFW Trains A and D 1-3 Fails to generate and send actuation signals Loss of power or actuation train in test is alarmed by ESF monitoring Individual bistables used to generate actuation signals are provided with lights computer input, and alarms on main control board None - System safety function is assured by actuation of other trains. Flow to an adequate number of SGs is assured Operator is expected to see that two trains of equipment are not operating. Manual action is then possible to start the AFW trains EFSAS Train B (analogous for Train C) Provide actuation signals as required to safety related components of AFW Train B (AFW Train C for ESFAS Train C) 1-3 Fails to generate and send actuation signals Loss of power or actuation train in test is alarmed by ESF monitoring Individual bistables used to generate actuation signals are provided with lights, computer input, and alarms on the main control board None - system safety function is assured by actuation of other trains Operator is expected to see that a train is not operating.

Manual actuation is then possible to start the AFW train

  • Plant Modes 1. Power Operation 4. Hot Shutdown 2. Startup 5. Cold Shutdown 3. Hot Standby 6. Refueling STPEGS UFSAR 10.4-45 Revision 18 TABLE 10.4-3 (Continued) AUXILIARY FEEDWATER SYSTEM FAILURE MODES AND EFFECTS ANALYSIS Description of Component Safety Function Plant Operating Mode* Failure Mode Method of Failure Detection Failure Effect on System Safety Function Capability General Remarks Class 1E AC Power Train A (Trains B & C analogous) Provide power to Train A AC components 1-3 Loss of power on bus Bus undervoltage alarms ESF status monitoring for ESF Diesel Generator System and components None - Trains B & C still available to provide system safety capability Pump status lights still on (green) AC valves status lights off ESF monitoring for AFW system and AC components Channel I DC Power (Train A) Provide DC power to Channel I components 1-3 Loss of DC power ESF monitoring of failure, DC trouble alarm, ESF monitoring for AFW pump (not running, no control power) None - Redundant trains provide system safety capability Pump status lights off. Crossover valve closes if open Channel II DC Power Provide DC power to Channel II components 1-3 Loss of DC power ESF monitoring of failure, DC trouble alarm None - redundant trains of AFW provide system safety capability All valve status lights for turbine driven AFW subsystem off
  • Plant Modes 1. Power Operation 4. Hot Shutdown 2. Startup 5. Cold Shutdown 3. Hot Standby 6. Refueling STPEGS UFSAR 10.4-46 Revision 18 TABLE 10.4-3 (Continued) AUXILIARY FEEDWATER SYSTEM FAILURE MODES AND EFFECTS ANALYSIS Description of Component Safety Function Plant Operating Mode* Failure Mode Method of Failure Detection Failure Effect on System Safety Function Capability General Remarks Channel III DC Power (Train B) Provide DC power to Channel III components 1-3 Loss of DC power ESF monitoring of failure, DC trouble alarm. ESF monitoring for AFW pump (not running, no control power) None - Redundant trains provide system capability Pump status lights off. Crossover valve closes if open Channel IV DC Power (Train C) Provide DC power to Channel IV components 1-3 Loss of DC power ESF monitoring of failure, DC trouble alarm. ESF monitoring for AFW pump (not running, no control power) None - Redundant trains provide system safety capability Pump status lights off. Crossover valve closes if open Instrument Air (non-safety) None 1-3 Instrument air loss Header pressure indication and alarms None - Loss of instrument air causes air-operated components to go to their safety position Automatic Recirculation Control Valve (typical - one in each AFW line) Allows AFW flow to SGs as necessary.

Opens bypass automatically to ensure AFW pump minimum flow requirements 1-3 Main flow path fails open with bypass failing closed None None - If AFW required. If AFW not required, the pump minimum flow requirements will not be met, but the other AFW pumps are available to supply AFW

  • Plant Modes 1. Power Operation 4. Hot Shutdown 2. Startup 5. Cold Shutdown 3. Hot Standby 6. Refueling STPEGS UFSAR 10.4-47 Revision 18 TABLE 10.4-3 (Continued) AUXILIARY FEEDWATER SYSTEM FAILURE MODES AND EFFECTS ANALYSIS Description of Component Safety Function Plant Operating Mode* Failure Mode Method of Failure Detection Failure Effect on System Safety Function Capability General Remarks Main flow path fails open with bypass failing open None None - Reduced flow available from pump if needed. Other AFW pumps are available to supply AFW Main flow path fails closed with bypass failing closed No AFW flow indicated on the main control panel None - If AFW not required. If AFW is required, other AFW pumps are available to supply AFW Pump minimum flow requirements will not be met Main flow path fails closed with bypass failing open No AFW flow indicated on main control panel None - If AFW not required. If AFW is required, other AFW pumps are available to supply AFW
  • Plant Modes 1. Power Operation 4. Hot Shutdown 2. Startup 5. Cold Shutdown 3. Hot Standby 6. Refueling STPEGS UFSAR 10.4-48 Revision 18 TABLE 10.4-3A HELB FAILURE MODES AND EFFECTS ANALYSIS OF AUXILIARY FEEDWATER SYSTEM ELECTRICAL EQUIPMENT IN IVC [Note 4] Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Notes 2 and 3] AFW Turbine-Driven Pump Main Steam Inlet Admits steam to power Train D AFW pump 1, 2, 3 Fails closed (fails to open on demand) when AFW start signal is received NONE - other AFW trains will supply adequate AFW flow. NONE AF-MOV-0143 MS Line Break: Single failure is not considered because MS line is classified as "superpipe." In order to maintain AFWST levels within calculated limits for long-term cooling, the AFW flow in the turbine driven pump must be terminated within 30 minutes by operator action after determining that AFW is being pumped to a faulted SG. AFW flow will be terminated by MOV0019. Three intact loops are available for cooldown. MS Line Break: Either MOV0019 or MOV0143 must be qualified to "harsh" environment conditions. FW Line Break: Single failure is not considered because FW line is classified as "superpipe." AFW system isolation is required for long-term cooling. Within 30 minutes when the operator tries to isolate the steam supply to the turbine, MOV0019 will be flooded and the only remaining means to isolate AFW Train D is by closing the AFW Pump Turbine Isolation Valve MOV0143. AFW flow will be terminated by MOV0143. Three intact loops remain available for cooldown. FW Line Break: MOV0143 must be qualified to "harsh" environment conditions.

STPEGS UFSAR 10.4-49 Revision 18 TABLE 10.4-3A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF AUXILIARY FEEDWATER SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Notes 2 and 3] AFW Turbine-Driven Pump Main Steam Inlet AF-MOV-0143 Isolates (cuts off steam flow) to Train D AFW pump 1, 2, 3 Fails open (fails to close on demand in order to isolate faulted loop SG). AFW Line Break: Termination of turbine-driven flow is required for long-term cooling. MOV0143 is lost due to single failure.

All other AFW system isolation valves are flooded within maximum allowed time for operator action (before 30 minutes). AFW flow to SG spills through break and is lost. SG is not replenished with AFW. Faulted loop SG goes dry and starves turbine terminating AFW flow. Three intact loops remain available for cooldown. AFW Line Break: NONE SGBS Line Break: Termination of AFW flow to SG is required for long-term cooling. Operator action to isolate occurs within 30 minutes. Isolation Valves MOV0143 and MOV0019 are not flooded and are qualified to "harsh" environment. One valve is lost due to single failure and one valve closes to isolate system. (MOV0143 isolates turbine driven AFW pump or MOV0019 closes to terminate AFW flow to faulted SG). Three intact loops remain available for cooldown. SGBS Line Break: MOV0143 and MOV0019 require "harsh environment qualification. Radiation Dose Analysis: NONE - Equipment has already provided its safety function or no credit is taken in accident analysis. Radiation Dose Analysis: NONE Other Requirements: Required per commitment to RG 1.97, as stated in Table 7B.7-1. None STPEGS UFSAR 10.4-50 Revision 18 TABLE 10.4-3A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF AUXILIARY FEEDWATER SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Notes 2 and 3] AFW Turbine-Driven Pump Trip/Throttle valve Admits steam to power Train D AFW pump 1, 2, 3 Fails closed (fails to open when AFW start signal is received). NONE - other AFW trains will supply adequate AFW flow. NONE AF-MOV-0514 Other Requirements: Required per commitment to RG 1.97, as stated in Table 7B.7-1. NONE Isolates (cuts off steam flow) to Train D AFW pump 1, 2, 3 Fails open (fails to close on demand in order to isolate faulted loop SG). NONE - Either MOV0143 or MOV0019 will close to isolate system. NONE Other Requirements: Required per commitment to RG 1.97, as stated in Table 7B.7-1. NONE AFW Outside Containment Isolation Valve Admits AFW flow to SG Loop "D" 1, 2, 3 Fails closed (fails to open when AFW start signal is received). NONE - other AFW trains will supply adequate AFW flow. NONE AF-MOV-0019 AFW Outside Containment Isolation Valve (Train D) AF-MOV-0019 Isolates (cuts off AFW flow) to SG Loop "D" 1, 2, 3 Fails open (fails to close on demand in order to isolate faulted loop SG MS Line Break: NONE Single failure is not considered because MS line is classified as "superpipe". In order to maintain AFWST levels within calculated limits for long term cooling, the AFW flow to the faulted SG must be terminated by operator action within 30 minutes of event initiation. AFW flow will be terminated by MOV0143. Three intact loops remain available for cooldown. MS Line Break:

MOV0143 and MOV0019 must be qualified to "harsh" environment conditions.

STPEGS UFSAR 10.4-51 Revision 18 TABLE 10.4-3A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF AUXILIARY FEEDWATER SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Notes 2 and 3] AFW Outside Containment Isolation Valve (Train D) AF-MOV-0019 FW Line Break: None Single failure is not considered because FW line is classified as "superpipe". AFW system isolation is required in the faulted SG for long-term cooling. Within 30 minutes after event initiation when the operator tries to isolate the steam supply to the AFW pump turbine, the valve may be flooded and the only remaining means to isolate AFW Train D is by closing the AFW Pump Turbine Isolation Valve MOV0143. AFW flow will be terminated by MOV0143. Three intact loops remain available for cooldown. AFW Line Break: None Termination of faulted loop flow is required for long-term cooling. MOV0143 failure is the "single failure" as it may flood within the maximum allowed time for operator action (30 minutes). AFW flow to SG spills through break and is lost. Faulted loop SG goes dry and starves turbine terminating AFW flow. Three intact loops remain available for cooldown. SGBS Line Break: None Termination of AFW flow to faulted SG is required for long-term cooling. Operator action to isolate takes place within 30 minutes. MOV0143 and MOV0019 are not flooded and are qualified to "harsh" environment. One valve is lost due to single failure and one valve closes to isolate system.

MOV0143 isolates turbine driven AFW pump or MOV0019 closes to terminate AFW flow to faulted SG. Three intact loops remain available for cooldown. Radiation Dose Analysis: None Equipment has already provided its safety function or no credit is taken in accident analysis. FW Line Break: MOV0143 and MOV0019 must be qualified to "harsh" environment conditions.

AFW Line Break: NONE

SGBS Line Break: MOV0143 and MOV0019 must be qualified to "harsh" environment conditions.

Radiation Dose Analysis: None STPEGS UFSAR 10.4-52 Revision 18 TABLE 10.4-3A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF AUXILIARY FEEDWATER SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Notes 2 and 3] Other Requirements: Required per commitment to RG 1.97, as stated in Table 7B.7-1. Other Requirements: MOV0143 and MOV0019 must be qualified to "harsh" environment conditions. Motor-Driven AFW Pumps Trains A, B, C Pumps AFW to SG Loop A, B, C 1, 2, 3 Fails to start when AFW start signal is received. NONE - Other AFW trains will supply adequate AFW flow. NONE Isolates (cuts off AFW flow) to SG Train A, B, or C 1, 2, 3 Fails to trip on demand (in order to isolate faulted loop SG). NONE - If other safety grade MOV in faulted loop does not close and cut off AFW supply to SG, then the Operator will secure pump from Control Room, or isolate OCIV with 30 minutes. NONE Turbine-Driven AFW Pump Train D Pumps AFW flow to SG Loop D 1, 2, 3 Fails to start when AFW start signal is received. NONE - other AFW trains will supply adequate AFW flow. NONE MS Line Break: None. AFW flow will be terminated by MOV0019 or MOV0143. Three intact loops remain available for cooldown. MS Line Break: MOV-0143 and MOV-0019 require "harsh" environment qualification. FW Line Break: None AFW flow will be terminated by MOV0143. Three intact loops remain available for cooldown. FW Line Break: NONE STPEGS UFSAR 10.4-53 Revision 18 TABLE 10.4-3A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF AUXILIARY FEEDWATER SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Notes 2 and 3] Turbine-Driven AFW Pump Train D Isolates (cuts off AFW flow) to Loop D 1, 2, 3 Fails to trip on demand (in order to isolate faulted loop SG). AFW Line Break: None. AFW flow to SG spills through break and is lost. SG is not replenished with AFW. Faulted loop SG goes dry and starves turbine terminating AFW flow.

Three intact loops remain available for cooldown. AFW Line Break: NONE SGBS Line Break: None. AFW pump or MOV0019 closes to terminate AFW flow to faulted SG. Three intact loops remain available for cooldown. SGBS Line Break: MOV-0019 requires "harsh" environment qualification Radiation Dose Analysis: NONE - Equipment has already provided its safety function or no credit is taken in accident analysis. Radiation Dose Analysis: NONE STPEGS UFSAR 10.4-54 Revision 18 TABLE 10.4-3A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF AUXILIARY FEEDWATER SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Notes 2 and 3] AFW Cross-Connect Valves AF-FV-7515 AF-FV-7516 AF-FV-7517 AF-FV-7518 Permits distribution of AFW from one pump train to other SGs. 1, 2, 3 Fails closed NONE - other AFW trains will supply adequate AFW flow or other valves will open to permit flow to assigned SG. NONE Fails open None - Valve is subject to flooding. Consequential failure of valve is expected whether qualified to "harsh" environment or not. If single failure of valve in intact train combines with failure in faulted train, isolation is achieved by closure of MOV0143 (Train D) and operator securing pump (Trains A-C) from Control Room. This satisfies the long-term cooling requirements of isolating the faulted loop within 30 minutes. NONE AFW Auto Recirculation Valves AF-0091 AF-0058 AF-0036 AF-0011 Admits AFW flow to respective SGs 1, 2, 3 Fails closed EXEMPT - No electrical components NONE Recirculates flow to AFW storage tank 1, 2, 3 Fails open EXEMPT - No electrical components NONE STPEGS UFSAR 10.4-55 Revision 18 TABLE 10.4-3A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF AUXILIARY FEEDWATER SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Notes 2 and 3] AFW Outside Containment AFW Isolation Valves Trains A, B, C AF-MOV-0048 AF-MOV-0065 AF-MOV-0085 Admits AFW flow to respective SGs 1, 2, 3 Fails closed (fails to open when AFW start signal is received). NONE - other AFW trains will supply adequate AFW flow. NONE Isolates (cuts off AFW flow) respective SGs 1, 2, 3 Fails open (fails to close on demand in order to isolate faulted loop SG). MS Line Break: None Single failure is not considered because MS line is classified as "superpipe". In order to maintain AFWST levels within calculated limits for long term cooling, the AFW flow to the faulted SG must be terminated by operator action within 30 minutes of event initiation. AFW flow will be terminated by closing the OCIV or securing the AFW pump. Three intact loops remain available for cooldown. FW Line Break: None Single failure is not considered because FW line is classified as "superpipe". AFW system isolation to the faulted SG is required for long-term cooling.

Within 30 minutes after event initiation when the operator tries to isolate the valve, it may be flooded and the only remaining means to isolate AFW is by disabling the pump from the Control Room. Three intact loops remain available for cooldown. MS Line Break: None

FW Line Break: None

STPEGS UFSAR 10.4-56 Revision 18 TABLE 10.4-3A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF AUXILIARY FEEDWATER SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Notes 2 and 3] AFW Outside Containment AFW Isolation Valves Trains A, B, C AF-MOV-0048 AF-MOV-0065 AF-MOV-0085 AFW Line Break: None Termination of AFW flow to faulted SG is required for long-term cooling. The OCIV is not flooded and is qualified to "harsh" environment, but is lost due to single failure. Within 30 minutes after event initiation, the operator isolates AFW by disabling the pump from the Control Room. Three intact loops remain available for cooldown. SGBS Line Break: None Termination of AFW flow to faulted SG is required for long-term cooling. The OCIV is not flooded and is qualified to "harsh" environment, but is lost due to single failure. Within 30 minutes after event initiation, the operator isolates AFW by disabling the pump from the Control Room. Three intact loops remain available for cooldown.

Radiation Dose Analysis: None Equipment has already provided its safety function or no credit is taken in accident analysis. Other Requirements: Required per commitment to RG 1.97, as stated in Table 7B.7-1. AFW Line Break: MOV0048, MOV0065, MOV0085 must be qualified to "harsh" environment conditions.

SGBS Line Break: MOV0048, MOV0065, MOV0085 must be qualified to "harsh" environment conditions.

Radiation Dose Analysis: None Other Requirements:

MOV0048, MOV0065, MOV0085 must be qualified to "harsh" environment conditions.

STPEGS UFSAR 10.4-57 Revision 18 TABLE 10.4-3A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF AUXILIARY FEEDWATER SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Notes 2 and 3] AFW Reg Valve (MOV) (Train D) AF-FV-7526 Required to limit flow to between 550 and 675 gpm 1, 2, 3 Normally open. Fails to regulate flow when AFW start signal is received. MS Line Break: None. MSLB assumes the valve goes fully open and provides maximum flow at pump runout conditions. If valve fails to regulate, AFW system will be isolated using MOV0143 or MOV0019. Other AFW trains will supply adequate regulated AFW flow. MS Line Break: MOV0143 and MOV0019 must be qualified to "harsh" environment conditions. FW Line Break: None. The FWLB analysis assumes AFW flow in the faulted loop spills out the break. Operator isolates faulted SG within 30 minutes. FW Line Break: None AFW Line Break: None. As in MSLB, if valve fails to regulate, AFW system will be isolated using MOV0143. Other AFW trains will supply adequate regulated AFW flow. AFW Line Break: MOV0143 requires "harsh" environment qualification. SGBS Line Break: None. As in FWLB analysis, there is no consequence as it is assumed AFW flow in the faulted loop goes out the break. SGBS Line Break: None Radiation Dose Analysis: NONE - Equipment has already provided its safety function or no credit is taken in accident analysis. Radiation Dose Analysis: None STPEGS UFSAR 10.4-58 Revision 18 TABLE 10.4-3A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF AUXILIARY FEEDWATER SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Notes 2 and 3] AFW Reg Valve (Train D) AF-FV-7526 Isolates (cuts off AFW flow to SG Loop D) 1, 2, 3 Fails open (fails to close on demand in order to isolate faulted SG) MS Line Break: Single failure is not considered becase MS line is classified as "superpipe." In order to maintain AFWST levels within calculated limits for long-term cooling, the AFW flow in the turbine-driven pump must be terminated within 30 minutes by operator action when it is determined that AFW is being pumped to a faulted SG. AFW flow will be terminated by MOV0143. Three intact loops remain available for cooldown. MS Line Break: MOV0143 must be qualified to "harsh" environment conditions. FW Line Break: None Single failure is not considered because FW line is classified as "superpipe." AFW system isolation is required for long-term cooling. Within 30 minutes the Operator tries to isolate the steam supply to the turbine, FV7526 may be flooded and the only remaining means to isolate AFW Train D is by closing the AFW Pump Turbine Isolation Valve MOV0143. AFW flow will be terminated by MOV0143. Three intact loops remain available for cooldown. FW Line Break:

STPEGS UFSAR 10.4-59 Revision 18 TABLE 10.4-3A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF AUXILIARY FEEDWATER SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Notes 2 and 3] AFW Reg Valve (Train D) AF-FV-7526 AFW Line Break: None. Termination of turbine-driven flow is required for long-term cooling. MOV0143 is considered as "single failure." FV7526 is considered unavailable. AFW flow to faulted SG spills through break and is lost. SG is not replenished with AFW. Faulted loop SG goes dry and starves turbine terminating AFW flow. Three intact loops remain available for cooldown. AFW Line Break: None SGBS Line Break: Termination of AFW flow to SG is required for long-term cooling. Operator action to isolate takes place within 30 minutes. MOV0143 and MOV0019 are not flooded. Isolation Valves MOV0143 and MOV0019 are qualified to "harsh" environment. One valve is lost due to single failure and one valve closes to isolate system. MOV0143 isolates turbine driven AFW pump or MOV0019 closes to terminate AFW flow to faulted SG). Three intact loops remain available for cooldown. SGBS Line Break: MOV0143 and MOV0019 require "harsh" environment qualification. Radiation Dose Analysis: NONE - Equipment has already provided its safety function or no credit is taken in accident analysis. Radiation Dose Analysis: None Other Requirements: Required per commitment to RG 1.97, as stated in Table 7B.7-1. None STPEGS UFSAR 10.4-60 Revision 18 TABLE 10.4-3A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF AUXILIARY FEEDWATER SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Notes 2 and 3] AFW Reg Valves AF-FV-7525 AF-FV-7524 AF-FV-7523 Required to limit flow between 550 and 675 gpm. 1, 2, 3 Normally open. Fails to regulate flow when AFW start signal is received. MS Line Break: None. If valve fails to regulate, AFW system will be isolated. Operator will secure pump from Control Room. Other AFW trains will supply adequate regulated AFW flow. MS Line Break: None FW Line Break: None. The FWLB analysis assumes AFW flow in the faulted loop goes out the break. Operator will secure pump from Control Room within 30 minutes. Three other trains remain by which AFW can be supplied to the intact steam generators. FW Line Break: None AFW Line Break: None As in MSLB, if valve fails to regulate, AFW system will be isolated. Operator will secure pump from Control Room within 30 minutes. Other AFW trains will supply adequate AFW flow. AFW Line Breaks: None SGBS Line Break: None. As in FWLB analysis, there is no consequence as it is assumed AFW flow in the faulted loop goes out the break. SGBS Line Break: None Operator will secure pump from Control Room within 30 minutes. Three other trains remain by which AFW can be supplied to the intact steam generators. Radiation Dose Analysis: NONE - Equipment has already provided its safety function or no credit is taken in accident analysis. Radiation Dose Analysis: None Other Requirements: Required per commitment to RG 1.97, as stated in Table 7B.7-1. None STPEGS UFSAR 10.4-61 Revision 18 TABLE 10.4-3A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF AUXILIARY FEEDWATER SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Notes 2 and 3] AFW Reg Valves AF-FV-7525 AF-FV-7524 AF-FV-7523 Isolates (cuts off AFW flow) to SG A, B, C 1, 2, 3 Fails open (fails to close on demand in order to isolate faulted loop SG). None - If other safety grade component (OCIV) does not isolate AFW supply to faulted SG, then the operator will secure the pump from the Control Room within 30 minutes. None AFW Flow Transmitters AF-FT-7523 AF-FT-7524 AF-FT-7525 AF-FT-7526 Provide signals to AF-FV-7523, 7524, 7525, 7526 and QDPS 1, 2, 3 Fails to transmit data. Required by RG 1.97 and NUREG-0737 section II.E.1.2. YES "Harsh" environment AFW Turbine-Driven Pump Discharge Pressure Transmitter AF-PT-7529 (Train D) Provide signals to QDPS 1, 2, 3 Fails to transmit data. Required by RG 1.97 and NUREG-0737 section II.E.1.2. YES "Harsh" environment AFW Motor-Driven Pump Discharge Pressure Transmitters AF-PT-7506 AF-PT-7507 AF-PT-7508 (Trains A-C) Provide signals to ICS 1, 2, 3 Fails to transmit data. This is not a required safety function for the motor-driven pumps. None STPEGS UFSAR CN-2823 10.4-62 Revision 18 TABLE 10.4-3A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF AUXILIARY FEEDWATER SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Notes 2 and 3] AFW Temperature Elements AF-TE-7573 AF-TE-7574 AF-TE-7575 AF-TE-7576 Provide continuous monitoring of AFW piping to detect back-leakage from SG Fails to transmit data. None. The instruments have no safety function. None AFW pump discharge cross-tie close limit switch AF-ZSC-7515 AF-ZSC-7516 AF-ZSC-7517 AF-ZSC-7518 AFW valve status. Valve position sense switch. Closes when AFW crossover valve is fully closed. 1, 2, 3 N/A Required per commitment to RG 1.97, as stated in Table 7B.7-1. Must be qualified to "harsh" environment conditions. 1 - Plant Modes: 1. Power Operation 2. Startup 3. Hot Standby 4. Hot Shutdown 5. Cold Shutdown 6. Refueling 2 - Includes solenoid and all other components associated with component operability. Does not include mechanical equipment as discussed in UFSAR Section 3.11.2. 3 - "Harsh" environments are those that experience significantly more severe conditions than those that would occur during normal plant operation. Ambient room temperature of 125°F during Normal/Abnormal/Accident condition and/or total integrated radiation dose of 105 rads are designated as the break points between harsh and mild environments. The "harsh" environmental conditions are listed in Table 3.11-1. 4 - This table identifies the auxiliary feedwater system equipment in the ICV that requires "harsh" environment qualification. This table is developed using a failure modes and effects analysis for the following High Energy Line Breaks in the IVC. Main Steam Line Break (MSLB) Main Feedwater Line Break (FWLB) Auxiliary Feedwater (AFW) Line Break Steam Generator Blowdown (SGBS) Line Break STPEGS UFSAR CN-2823 10.4-63 Revision 18 TABLE 10.4-4 TURBINE BY PASS SYSTEM FAILURE MODES AND EFFECTS ANALYSIS Description of Component Safety Function Plant Operating Mode* Failure Mode Method of Failure Detection Failure Effect on System Safety Function Capability General Remarks Turbine Bypass Control Valves (12) normally closed None 1) Allows steam to be bypassed to the condensers 1-3 A single valve fails to open on signal Position indicator Computer alarm None - Other valves serve as back-up 2) Maintain the steam line integrity 1-3 Failure to remain closed or to close on signal None - Steam generators can be isolated by closure of the MSIV and all FWIVs Each valve has redundant solenoid valves powered by separate power sources Instrument Air Loss of instrument air None - Valves fail closed and steam is dumped to the atmosphere through the relief valves

  • Plant Modes 1. Power Operation 4. Hot Shutdown 2. Startup 5. Cold Shutdown 3. Hot Standby 6. Refueling 10.4-64 Revision 18 STPEGS UFSAR TABLE 10.4-5 MAIN CONDENSER DESIGN DATA Design Data Turbine exhaust steam to condenser at VWO load, lb/hr 8,855,105 Total condensate outflow, lb/hr 9,325,017 Total condenser duty, Btu/hr 8.623 x 109 Maximum expected condenser operating pressure, in. Hg abs. 3.5 Condenser high operating pressure alarm, in. Hg abs. 5 Condenser loss of vacuum setpoint for bypass valves to close, in. Hg abs. 8 Turbine trip vacuum setpoint, in Hg abs 8.5 Circulating water design flow to condenser, gal/min 906,957 Physical Characteristics Number of condenser tubes 96,234 Condenser tube material Titanium Condenser tube sheet material Aluminum - bronze Total heat transfer surface, ft2 1,034,570 Overall dimensions (total of all three shells) 107 ft - 9 in. L; 75 ft - 3.75 in. W; 50 ft - 2.875 in. H Number of passes One Total hotwell capacity, gal 108,000 Special design features 3-Shell single pressure divided waterbox deaerating condenser STPEGS UFSAR TABLE 10.4-5 (Continued) MAIN CONDENSER DESIGN DATA 10.4-65 Revision 18 Physical Characteristics (Continued) Minimum heat transfer, Btu/hr-F-ft2 439 Turbine exhaust Steam flow Normal, lb/hr 8,722,610 Max, lb/hr 8,855,105 Circulating water temperature, F Normal (Inlet/Outlet) 72/91 Maximum (Inlet/Outlet) 95/114 Exhaust steam temperature, F Normal (avg.) 120.6 Maximum Without bypass flow 134 With bypass flow 134 Condensate oxygen content, cm3/liter (at normal circulating water temp.) 0.005 10.4-66 Revision 18 STPEGS UFSAR TABLE 10.4-8 FEEDWATER SYSTEM FAILURE MODES AND EFFECTS ANALYSIS Description of Component Safety Function Plant Operating Mode* Failure Mode Method of Failure Detection Failure Effect on System Safety Function Capability General Remarks FW Isolation Valves (normally open) and FW Isolation Bypass Valves (normally closed) (typical one of each for each FW line) Isolate FW flow on actuation 1-4 Valves fail to close or fail to close completely Position indication ESF monitoring None - The FWIVs and FW isolation bypass valves are backed by closure of the FW control valves Valves fail to stay closed None - The FW control valves will be closed FW Control Valves (normally open) and FW Control Valve Bypass Valves (normally closed) (typical - one of each for each FW line) Isolate FW flow on actuation 1-4 Valves fail to close Valves fail to stay closed ESF monitoring None - The FW isolation valves and FW isolation bypass valves will isolate None - The FW isolation valves and FW isolation bypass valves will isolate
  • Plant Modes 1. Full Power 4. Hot Shutdown 2. Startup 5. Cold Shutdown 3. Hot Standby 6. Refueling 10.4-67 Revision 18 STPEGS UFSAR TABLE 10.4-8 (Continued) FEEDWATER SYSTEM FAILURE MODES AND EFFECTS ANALYSIS Description of Component Safety Function Plant Operating Mode* Failure Mode Method of Failure Detection Failure Effect on System Safety Function Capability General Remarks Turbine Driven SGFPs (typical) None - stops on Safety Injection signal to stop FW flow 1-3 Pumps fail to trip Pump speed indication None - The FWIVs, FW isolation bypass valves, and FW control valves will be closed on the isolation signal Startup Steam Generator FW Pump (S/U SGFP) None - trips on Safety Injection signal to stop FW flow 1-4 Pumps fail to trip Pumps status indicating lights None - The FIVs, FIBVs, FCVs, FCBVs, and the FPBVs will be closed on isolation signal
  • Plant Modes 1. Full Power 4. Hot Shutdown 2. Startup 5. Cold Shutdown 3. Hot Standby 6. Refueling 10.4-68 Revision 18 STPEGS UFSAR TABLE 10.4-8 (Continued) FEEDWATER SYSTEM FAILURE MODES AND EFFECTS ANALYSIS Description of Component Safety Function Plant Operating Mode* Failure Mode Method of Failure Detection Failure Effect on System Safety Function Capability General Remarks ESF Actuation System Train A (analogous for Train B) Provide actuation signals as required to safety-related components 1-4 Failure to generate and send actuation signals Loss of power or actuation in test is alarmed by ESF monitoring None - System safety function is assured by sending actuation signal to redundant solenoid valve Individual bistables used to generate actuation signals are provided with lights, computer input, and alarms on main control board Train A AC Power Provide power to Train A AC components 1-4 Loss of power on bus Undervoltage alarms, ESF status monitoring for ESF diesel generator system and components None - Train B still available to cause valve to close Each valve has redundant solenoid valves receiving independent signals causing process valve to close Train B AC Power Provide power to Train B AC components 1-4 Loss of power on bus Undervoltage alarms, ESF status monitoring for ESF diesel generator system and components None - Train A still available to cause valve to close Each valve has redundant solenoid valves receiving independent signals causing process valve to close
  • Plant Modes 1. Full Power 4. Hot Shutdown 2. Startup 5. Cold Shutdown 3. Hot Standby 6. Refueling 10.4-69 Revision 18 STPEGS UFSAR TABLE 10.4-8 (Continued) FEEDWATER SYSTEM FAILURE MODES AND EFFECTS ANALYSIS Description of Component Safety Function Plant Operating Mode* Failure Mode Method of Failure Detection Failure Effect on System Safety Function Capability General Remarks Train A Channel I, DC Power Provide DC power to Train A Channel I components 1-4 Loss of DC power ESF monitoring of failure or DC trouble alarm None - For Feedwater Control Valves and for Feedwater Isolation Valves, Train B is still available to close valves. For all other valves, loss of power de-energizes solenoid valves, which allows the process valves to close. Each valve has redundant solenoid valves receiving independent signals causing process valve to close Train B Channel III, DC Power Provide DC power to Train B Channel III components 1-4 Loss of DC power ESF monitoring of failure or DC trouble alarm For Feedwater Control Valves and for Feedwater Isolation Valves, Train A is still available to close valves. For all other valves, loss of power de-energizes solenoid valves, which allows the process valves to close. Each valve has redundant solenoid valves receiving independent signals causing process valve to close Instrument Air (non-safety) None 1-4 Instrument air lost Header pressure indication and alarms None - Loss of instrument air causes air operated components to go to their safety position
  • Plant Modes 1. Full Power 4. Hot Shutdown 2. Startup 5. Cold Shutdown 3. Hot Standby 6. Refueling 10.4-70 Revision 18 STPEGS UFSAR TABLE 10.4-8 (Continued) FEEDWATER SYSTEM FAILURE MODES AND EFFECTS ANALYSIS Description of Component Safety Function Plant Operating Mode* Failure Mode Method of Failure Detection Failure Effect on System Safety Function Capability General Remarks FW System Check Valves: FW0062 FW0066 FW0067 FW0249

(Downstream of the FW Isolation Valves) Prevents blowdown of the SGs in the event of a high energy line break in the upstream piping 1-4 Fails to close None None - The FWIV and FIBV provide redundant isolation AFWS Check Valves Downstream of the FPBVS AF0308 AF0309 AF0310 AF0311 None - provides Backup functions 1) prevents blowdown of the SGs in the event of a high energy line break in the upstream piping 2) close to prevent backflow of AFW 1-4 Fails to close None None - The FPBV provides safety grade protection Blowdown of one steam generator is included in the accident analysis

  • Plant Modes 1. Full Power 4. Hot Shutdown 2. Startup 5. Cold Shutdown 3. Hot Standby 6. Refueling 10.4-71 Revision 18 STPEGS UFSAR TABLE 10.4-8A HELB FAILURE MODES AND EFFECTS ANALYSIS OF FEEDWATER SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Note 2] MSLB: None - Feedwater Flow Control Valves will close. Single failure is not considered - "superpipe." MSLB: None FWLB: None - Feedwater Flow Control Valves will close. Single failure is not considered - "superpipe." FWLB: None FWIV Solenoid Valves FW-FY-7141 FW-FY-7141A FW-FY-7142 FW-FY-7142A FW-FY-7143 FW-FY-7143A FW-FY-7144 FW-FY-71414A FWIVs isolate SGs to prevent excessive RCS cooldown following a steam line break. The solenoids function to actuate the valves. 1 - 4 FWIVs Fail to close when signal is received AFW Line Break: None - Feedwater Flow Control Valves will close. MFIV is qualified to "harsh" environment and is a "single failure." SGBS Line Break: None - MFIV is qualified to "harsh" environment. A FWIV single failure will have no effect, as the associated SG Feedwater "REG" Valve will close. AFW Line Break: "Harsh" environment qualification required.

SGBS Line Break: "Harsh" environment qualification required. Radiation Dose Analysis: None - Equipment has already provided its safety function or no credit is taken in accident analysis. Radiation Dose Analysis: None 10.4-72 Revision 18 STPEGS UFSAR TABLE 10.4-8A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF FEEDWATER SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Note 2] MSLB: None - Feedwater Flow Control Valves will close. Single failure is not considered - "superpipe." MSLB: None FWIBV Solenoid Valves FWIBVs are normally closed but are opened to permit purging of cold water from FW piping downstream of the MFIVs. FWLB: None - Feedwater Flow Control Valves will close. Single failure is not considered - "superpipe." FWLB: None FW-FY-7148A & B FW-FY-7147A & B FW-FY-7146A & B FW-FY-7145A & B The FWIBV safety function is to isolate SGs to prevent excessive cooldown following a steam line break. 1 - 4 FWIBVs Fail to close when signal is received AFW Line Break: None - Feedwater Flow Control Valves will close. FWIBV is qualified to "harsh" environment and is considered the single failure. AFW Line Break: "Harsh" environment qualification required. The solenoids function to actuate the valves SGBS Line Break: None - FWIBV is qualified to "harsh" environment. A Bypass Valve single failure will have no effect, as the associated SG Feedwater "REG" Valve will close. SGBS Line Break: "Harsh" environment qualification required. Radiation Dose Analysis: NONE - Equipment has already provided its safety function or no credit is taken in accident analysis. Radiation Dose Analysis: None SG Preheater Bypass Valve Solenoid Valves FW-FY-7189A & B FW-FY-7190A & B FW-FY-7191A & B FW-FY-7192A & B SG Preheater Bypass Valve isolates FW system from AFW system. The solenoids function to actuate the valves. 1, 2, 3 SG Preheater Bypass Valve fails closed (fails to open on demand). None - No safety function is served if the valves open during HELB. None 10.4-73 Revision 18 STPEGS UFSAR TABLE 10.4-8A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF FEEDWATER SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Note 2] MSLB: None - Feedwater Flow Control Valves will close. Single failure is not considered - "superpipe." MSLB: None FWLB: None - Feedwater Flow Control Valve will close. Single failure is not considered - "superpipe." FWLB: None AFW Line Break: None - Feedwater Flow Control Valves will close. SG Preheater Bypass Valve is qualified to "harsh" environment and is a "single failure." AFW Line Break: "Harsh environment qualification required. SGBD Line Break: None - SG Preheater Bypass Valve is qualified to "harsh" environment. A SG Preheater Bypass valve single failure will have no effect as the associated Steam Generator Feedwater "Reg" Valve will close. SGBD Line Break: "Harsh environment qualification required. Radiation Dose Analysis: None - Equipment has already provided its safety function or no credit is taken in accident analysis. Radiation Dose Analysis" None 1 - Plant Modes: 1. Power Operation 2. Startup 3. Hot Standby 4. Hot Shutdown 5. Cold Shutdown, 6. Refueling 2 - Includes solenoid and all other components associated with component operability. Does not include mechanical equipment as discussed in UFSAR Section 3.11.2.

10.4-74 Revision 18 STPEGS UFSAR TABLE 10.4-9 STEAM GENERATOR BLOWDOWN SYSTEM FAILURE MODES AND EFFECTS ANALYSIS Description of Component Safety Function Plant Operating Mode* Failure Mode Method of Failure Detection Failure Effect on System Safety Function Capability General Remarks Blowdown Isolation Valves 4150-4153 Close and isolate the blowdown 1-4 Fails to close Position indication ESF monitoring None - In the event of a loss of offsite power the flow control valve down stream will isolate the line Redundant powered solenoid provided to ensure closure of the valve None - The blowdown for one line is controlled and is acceptable Air-operated Sample Isolation valves (A0Vs 4186, 4187, 4188, 4189) Close and Isolate Sample Line (Containment) 1-4 Fails to Close Position indication ESF monitoring None - In the event of a loss of offsite power , the redundant SOVs or loss of instrument air causes the valve to close None-Blowdown through the sampling line is limited (smaller than Blowdown Isolation Valves 4150-4153) and is acceptable GDC57 (Closed System) Containment Isolation Valve. Each AOV has redundant solenoid valves (SOVs) which receive separate and independent signals and which cause the process AOVs to close (solenoid deenergized position).

Failure of Instrument Air causes AOV to go to closed (air vented) position Channel I DC Power (Train A) Provide DC power to Channel I components 1-6 Loss of DC power ESF monitoring of failure, DC trouble alarm.

ESF monitoring for pump (not running, no control power) None - Valves will fail in a position which isolate SG blowdown lines, and SG sample lines Channel III DC Power (Train B) Provide DC power to Channel III components 1-6 Loss of DC power ESF monitoring of failure, DC trouble alarm. ESF monitoring for pump (not running, no control power) None - Valves fail in a position which isolate SG blowdown lines, and SG sample lines

  • Plant Modes 1. Full Power 4. Hot Shutdown 2. Startup 5. Cold Shutdown 3. Hot Standby 6. Refueling 10.4-75 Revision 18 STPEGS UFSAR TABLE 10.4-9 (Continued) STEAM GENERATOR BLOWDOWN SYSTEM FAILURE MODES AND EFFECTS ANALYSIS Description of Component Safety Function Plant Operating Mode* Failure Mode Method of Failure Detection Failure Effect on System Safety Function Capability General Remarks Channel IV DC Power (Train C) Provide DC Power to Channel IV components 1-6 Loss of DC power ESF monitoring of failure, DC trouble alarm. ESF monitoring for pump (not running, no control power) None - Valves fail in a position which isolate SG blowdown lines, and SG sample lines ESFAS Train A (analogous for Trains B and C Provide actuation signals as required to safety related components 1-6 Fails to generate and send actuation signals Loss of power or actuation train in test is alarmed by ESF monitoring None - The sample line has a redundant valve in the sample line which receives an actuation signal from a separate ESF train Individual bistables used to generate actuation signals are provided with lights, computer input, and alarms on main control board None - The blowdown line has a redundant valve which receives a separate ESF signal in the pneumatic line of the blowdown valve to ensure closure Instrument Air (non-safety) None 1-6 Instrument air lost Header pressure indication and alarms None - Loss of instrument air causes air-operated components to go to their safety position which isolates SG blowdown lines from SGs 1A, 1B, 1C and 1D
  • Plant Modes 1. Full Power 4. Hot Shutdown 2. Startup 5. Cold Shutdown 3. Hot Standby 6. Refueling 10.4-76 Revision 18 STPEGS UFSAR TABLE 10.4-9A HELB FAILURE MODES AND EFFECTS ANALYSIS OF SGB SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Note 2] MSLB: None. MSLB exceeds "Abnormal" temperatures and Blowdown Isolation Valves are considered as consequential failures. Single failure is not considered since the MS piping in IVC is a "superpipe". "Harsh" environment exists only in broken loop and uncontrolled flow from one steam generator is permitted per Design Criteria. Three SGB trains isolate. MSLB: None Blowdown Isolation Valves (Located in IVC, Elevation = 22'-10") FWLB: None FWLB exceeds "Abnormal" temperatures and Blowdown Isolation Valves are considered as consequental failures. Single failure is not considered since the FW piping in IVC is a "superpipe." "Harsh" environment exists only in broken loop and uncontrolled flow from one steam generator is permitted per Design Criteria. Three SGB trains isolate. FWLB: None SB-FV-4153 SB-FV-4152 SB-FV-4151 SB-FV-4150 None.

If pipe breaks upstream of valve, then it cannot be isolated. 1 - 4 Fail to close when signal is received (Note:

Valves close on ESF signal). AFW Line Break: None AFWLB exceeds "Abnormal" temperatures and both Blowdown Isolation Valves and Blowdown Flow Control Valves are considered as consequential failures. "Harsh" environment exists only in broken loop and uncontrolled flow from one steam generator is permitted per Design Criteria. Single failures of MSIV in a non-faulted train fails the other train. Two SG trains remain. AFW Line Break: None 10.4-77 Revision 18 STPEGS UFSAR TABLE 10.4-9A (Continued) HELB FAILURE MODES AND EFFECTS ANALYSIS OF SGB SYSTEM ELECTRICAL EQUIPMENT IN IVC Description of Component [Note 2] Safety Function Plant Operating Mode [Note 1] Failure Modes Failure Effect on System Safety Function Capability Harsh Environmental Qualifications Required [Note 2] SGB Line Break: None. SGBLB exceeds "Abnormal" temperatures and both Blowdown Isolation Valves and Blowdown Flow Control Valves are considered as consequential failures. "Harsh" environment exists only in broken loop and uncontrolled flow from one steam generator is permitted per Design Criteria. Single failure of MSIV in a non-faulted train fails the other train. Two SG trains remain. SGB Line Break: None Radiation Dose Analysis: NONE - Equipment has already provided its safety function or no credit it taken in accident analysis. Radiation Dose Analysis: None Blowdown Flow Control Valves SB-FV-4157 SB-FV-4156 SB-FV-4155 SB-FV-4154 None. 1 - 4 Valve does not perform safety function Valve does not perform safety function Not Required 1 - Plant Modes: 1. Power Operation 2. Startup 3. Hot Standby 4. Hot Shutdown 5. Cold Shutdown 6. Refueling 2 - Includes solenoid and all other components associated with component operability. Does not include mechanical equipment as discussed in UFSAR Section 3.11.2.

STPEGS UFSAR 10A-1 Revision 14 APPENDIX 10A AUXILIARY FEEDWATER SYSTEM RELIABILITY EVALUATION 10A.1 INTRODUCTION 10A.1.1 Purpose This Appendix describes the reliability evaluation of the South Texas Project Electric Generating Station (STPEGS) Auxiliary Feedwater System (AFWS). The evaluation was performed in a manner consistent with NUREG-0611 to allow a comparison to other plants of the reliability of the STPEGS system for specific initiating events. The results of the evaluation show the system compares favorably with other designs and has a high reliability for the initiating events considered.

This reliability evaluation reflects the AFWS design at the time it was performed. Subsequent modifications will not result in revision of this appendix unless they could have a significant impact on the results presented.

10A.1.2 Objectives The objectives of the evaluation are: To perform an analysis to evaluate the reliability of the AFWS in accordance with the guidelines contained in NUREG-0611. To provide indication of the contributors of the AFWS unavailability for the initiating events described in NUREG-0611.

10A.1.3 Scope Three initiating events are analyzed:

Case I: Loss of main feedwater (LMFW)

Case II: Loss of main feedwater coincident with loss of offsite power (LMFW/LOOP) Case III: Loss of main feedwater coincident with loss of all AC power (LMFW/LOAC) 10A.1.4 General Approach The principal technique used in the quantitative evaluation is the construction and analysis of fault trees which represent the AFWS failure logic. A summary of the basic tasks in the evaluation is presented in Figure 10A-1.

Fault trees representing the AFWS failure logic are presented in Section 10A.3.2. AFWS unavailability is based on the Boolean logic associated with the system fault trees. The fault trees are reduced to a list of cut-sets to identify the failure modes. Failure rate data (Section 10A.3.4) are STPEGS UFSAR 10A-2 Revision 14 inserted to evaluate system unavailability. Although the failure data are derived primarily from NUREG-0611, secondary sources of failure data are WASH-1400 (Ref. 10A-2), NUREG/CR-1362 (Ref. 10A-3), and the Zion Probabilistic Safety Assessment (Ref. 10A-6). Fault tree development is consistent with the procedures and data available in NUREG-0611, and is limited to AFWS unavailability per demand. STPEGS Technical Specifications allow continued operation of the plant with AFWS Train A out-of-service for an indefinite period of time. The Train A pump is identical in design and installation to the Train B and C pumps and thus would have similar operating characteristics and failure modes. Operational needs (to minimize the potential for steam generator [SG] A to dry out) result in similar maintenance and outage practices. Thus, it is expected that Train A would have an availability similar to the other three trains of AFW. In this Appendix, unavailability is synonymous with unreliability, and the terms are used interchangeably. The importance of specific failure modes is examined, as are the interrelationships between and significance of hardware failure, test and maintenance outages, and human errors.

In addition to the quantitative evaluation described above, a qualitative evaluation is performed in a manner consistent with NUREG-0611. This evaluation rates system reliability based on design features such as equipment redundancy, manual versus auto actuation, single-point failure vulnerability, and technical specification limits on train outage time. The rating is done to compare the STPEGS design with other U.S. plants using a Westinghouse Nuclear Steam Supply System (NSSS).

The success criteria used for LMFW, LMFW/LOOP, and LMFW/LOAC require that there be a minimum flow of 500 gal/min delivered to at least one SG.

There are four AFW trains, each of which is dedicated to a single SG. Three of the AFW trains (Trains A, B, and C) are motor driven; the fourth (Train D) is turbine driven. Each AFW train is designed to deliver 500 gal/min within one minute of actuation. Only the train D is operable under LOAC. Translating the success criteria in the preceding paragraph into failure criteria for fault tree development, "failure" reduces to "no flow to any SG" in the case of LMFW and LMFW/LOOP, and "no flow to SG D" in the case of LMFW/LOAC.

10A.1.5 Assumptions Assumptions used in this evaluation are consistent with those specified in NUREG-0611. Specific assumptions used in the evaluation are:

1. Hardware and Human Error Failure Data The hardware and human error failure data, taken primarily from NUREG-0611, are used in the evaluation of basic events in this study. These data are presented in Section 10A.3.4.
2. Test and Maintenance Outage Contribution The study uses the calculational approach and the outage duration data presented in Table III-2 of NUREG-0611. These data are presented in Section 10A.3.4.
3. Power Availability STPEGS UFSAR 10A-3 Revision 14 Consistent with NUREG-0611, the following assumptions are used to model power availability. Offsite power is assumed to have availability equal to 1.0 for Case I and zero for Cases II and III. Diesel generator availability for Case I is not relevant, since offsite power availability is 1.0. For Case II, the unavailability of each diesel generator is calculated to be 4.8E-02 per demand (see Table 10A-1). For Case III, the components in Train D are independent of all AC power (the components are DC-powered). For Cases II and III, offsite and/or emergency onsite AC power is assumed to be available within a period of two hours. DC and battery-backed AC are assumed to have availability equal to 1.0 (Ref. 10A-1) for all three cases. 4. Sample and Test Lines The only sample or test line providing a significant flow diversion and/or leakage path is the pump test return line, which was considered in the human errors analysis. Since this 3-in. return line discharges to the Auxiliary Feedwater Storage Tank (AFST) at atmospheric pressure, significant flow may be diverted if this normally locked-closed valve is inadvertently left open after testing the pump. 5. Passive Piping Components All piping components (e.g., pipe sections, flanges, reducers, etc.) are assumed available with a probability of 1.0. They are not considered in the fault tree development.
6. Degraded Component Failures Degraded component failures are not considered in this evaluation; that is, components are assumed to operate properly or are treated as total failures. Component failures are assumed to occur instantaneously and completely.
7. Uncoupling of Human Errors This study assumes that test and maintenance activities are staggered. That is, redundant AFWS components are not tested by the same personnel on the same shift, but in general, tests and/or maintenance of redundant components involve time and/or personnel changes (e.g.,

different personnel and shifts, or the same personnel on a different day, etc.). In addition, a double-check procedure is assumed to assure the correct status of locked-open valves after test and maintenance. This significantly reduces the probability of human error in two or more trains simultaneously. Given that test and maintenance activities are staggered and the use of a double check procedure, it is reasonable to assume that human errors for test and maintenance are uncoupled.

STPEGS UFSAR 10A-4 Revision 14 For the above reasons, the evaluation does not consider concurrent disabling of multiple trains because of human error in conjunction with test or maintenance to be a credible failure scenario. 8. Technical Specification The AFWS design is evaluated in accordance with the STPEGS Technical Specifications (Ref. 10A-7). Train A - Availability is assumed to be degraded since there is no Technical Specification requirement on Train A. Train B, - Operable except for the scenarios illustrated in the fault trees in Section C, and D 10A.3.2. 9. Heating, Ventilating, and Air Conditioning (HVAC) Support The motor driven auxiliary feedwater (AFW) pump rooms are cooled by safety-related HVAC units powered by their respective trains. The turbine driven pump room is cooled by a Train A HVAC unit, however, the turbine driven pump is qualified for operation following the loss of all HVAC. Consistent with NUREG-0611 methodology, HVAC support to the pumps is not considered in this evaluation.

10. Auxiliary Feedwater Storage Tank The AFST capacity is sufficient to allow the Reactor Coolant System (RCS) to remain at hot standby for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> and support a 14-hour cooldown followed by a depressurization period, at which point further RCS cooldown is performed by the Residual Heat Removal System (RHR).

If additional quantities are needed, water can be provided to the AFST from the demineralized water storage tank (DWST), the condenser hot well or an alternate onsite source. The AFST has level instrumentation with control room indication and annunciation to warn operators of low AFST water inventory. 10A.2 SYSTEM DESCRIPTION 10A.2.1 Introduction This AFWS description summarizes the more extensive description given in Section 10.4.9.

Emphasis is placed on operation following the three loss of normal feedwater (FW) events covered by this reliability evaluation. The water for the AFWS is supplied from the AFST. Water is supplied to the AFW inlet nozzles on the secondary side of the steam generators following a loss of normal FW flow as described in Section 10A.2.3. The AFWS serves as a backup to the Main FW System during normal startup and shutdown operations.

The AFWS maintains the steam generators' water inventory during periods when the main FW system is unavailable. The system is a safety-related system. The AFWS is activated by an auto-start and is designed to deliver flow water to the SGs within one minute. A minimum flow of 500 gal/min must be supplied to any one SG on a loss of FW transient.

STPEGS UFSAR 10A-5 Revision 14 Four pump trains are utilized, each taking suction from the AFST by separate suction lines. Piping and instrument diagrams (P&ID) for the AFWS are shown on Figures 9.2.6-2 and 10.4.9-1. As mentioned earlier, this analysis conservatively assumes that Train A is out of service more than the other three trains. Therefore by increasing the unavailability due to maintenance of the Train A pump, the train's availability is degraded. Trains A, B and C of the AFWS have motor-driven pumps. Train D has a steam-turbine pump. Initiation of the system is automatic upon actuation of two out of four low-low water level instrument channels in any SG. Although no credit for crossover lines was assumed in the analysis, crossover lines are provided downstream of the pumps to interconnect the trains and are operable from the control room when offsite power is available (Case 1). The valves connecting the crossover lines to the AFW pump discharge lines are normally closed, fail closed upon loss of instrument air and close on AFWS actuation. The crossover line valves can be opened manually from outside the control room. However, this action must be accomplished within thirty minutes after the initiating event. The ability to diagnose and implement this action outside the control room is highly unlikely; therefore, no credit is taken. The air-operated crossover valves are expected to remain operable from the control room after loss of offsite (LOOP) power for a period of time due to stored air in the instrument air receiver tanks. Thus, LOOP does not result in instantaneous loss of crossover valve operation from the control room. However, since the instrument air system is a nonsafety-related system which is not immediately operable following LOOP, no credit for remote manual operation of the crossover valves is taken in the Case II evaluation. For Case III (LMFW/LOAC), no crossover capability is assumed since there are three valves required to be opened locally to establish a flow path to a second SG.

Each AFW train provides FW to a single dedicated SG following an actuation signal. No hardware components are common between trains other than the aforementioned crossover lines. Each train, which consists of suction piping, pump/driver combination, discharge piping, cross-connect piping between trains and test and recirculation piping, is housed in a separate seismic Category I compartment.

Pump pressure and flow testing is accomplished through a 3-inch-diameter recirculation line connected to the 4-inch-diameter main flow line downstream of the flow element. Flow through this line is isolated by a normally locked-closed globe valve downstream of the recirculation connection to the mainline. Opening this valve allows recirculation to the AFST for pump testing.

10A.2.2 Component Description

1. Motor-Driven Pumps:

The motor-driven pumps are driven by AC-powered electric motors. Each motor receives power from an independent Class 1E power supply bus and its corresponding standby diesel generator (DG). The pumps are horizontal, centrifugal, multistage units.

2. Turbine-Driven Pump:

The turbine pump is a horizontal, centrifugal, multistage, noncondensing steam turbine-driven unit. A steam line connection is taken from the Safety Class (SC) 2 section of the SG D main steam (MS) line upstream of the main steam isolation valve (MSIV). The turbine steam inlet STPEGS UFSAR 10A-6 Revision 14 line is provided with remote manual isolation and throttle valves. The turbine discharge steam exhausts directly to atmosphere. Overspeed of the AFW pump turbine automatically trips the turbine. Once this occurs, the mechanical overspeed trip latching mechanism must be manually reset in order to restore the turbine to an operable status. Power for all controls, valve operators, trip solenoid and other support systems is from the Train D Class 1E DC system. The major support system is the lube oil pump and cooling system. The lube oil pump is direct driven off the turbine shaft. The cooling water supply for the turbine lube oil cooler comes from a first stage bleedoff point on the turbine-driven pump, passes through the lube oil heat exchanger, and is discharged to a drain. 3. Piping and Valves The safety-related AFWS piping is manufactured and installed in accordance with the American Society of Mechanical Engineers (ASME) Code. Motor-operated valves AF0048, AF0019, AF0065, XMS0514, and AF0085, and solenoid valve FV0143 are normally closed. Motor operated valve MS0143 is normally open. Valves AF0065, AF0048, and AF0085 are AC powered. Valves MS0143, FV0143, AF0019, and XMS0514 are DC powered. Since motor-operated valves 7523, 7524, 7525, and 7526 may be in any initial position prior to AFW actuation, the valves are assumed to be closed prior to actuation.

4. Auxiliary Feedwater Storage Tank The seismic Category I AFST provides water to the AFW pumps. It is a concrete, stainless steel lined tank, with a useable volume of 525,000 gallons. The tank has a Technical Specification required volume of 485, 000 gallons which is sufficient (including adequate margin) to allow the RCS to remain at hot standby for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> and support a cooldown followed by a depressurization period, at which point further RCS cooldown is performed by the RHRS. The AFST is designed to withstand environmental design conditions, including floods, earthquakes, hurricanes, tornado loadings, and tornado missiles. The AFST is designed so that no single active failure will preclude the ability to provide water to the AFW system. Each train has a dedicated suction line from the AFST to the AFW pumps. The water level in the AFST is indicated in the control room as well as at the auxiliary shutdown panel (ASP). A low level alarm is also provided in the control room.

10A.2.3 Emergency Operation The AFWS is designed for automatic actuation in an emergency. Any of the following conditions automatically starts the three Class 1E motor-driven AFW trains: 1. Two out of four channels showing low-low water level in any SG

2. Safety injection (SI) signal
3. AMSAC actuation signal 4. 4.16 kV bus undervoltage. CN-2886 STPEGS UFSAR 10A-7 Revision 14 The AFW pump is started in conjunction with diesel generator starting and load sequencing. Water is not automatically fed to the SG until condition 1, 2 or 3, above, exists. The turbine-driven AFW train delivers flow to the associated SG automatically on any of the following signals: 1. Two out of four channels showing low-low water level in any SG
2. SI signal
3. AMSAC actuation signal Automatic jog control of the AFW flow control valves operates to limit the maximum flow to any SG; in addition, automatic jog control operates to initially maintain minimum flow to any SG when the system is started by an automatic signal. The operator may assume manual flow control after resetting the system to lower the AFW flow.

10A.2.4 Power Sources The onsite AC Power Systems of Units 1 and 2 each consist of four major subsystems as follows:

1. 13.8 kV Auxiliary Power System (non-Class 1E) 2. 13.8 kV Standby Power System (non-Class 1E) 3. 138 kV Emergency Transformer Systems (non-Class 1E) 4. Onsite Standby Power System (Class 1E)

The arrangement of the AC Power Distribution Systems provides sufficient switching flexibility and equipment redundancy to ensure reliable power supply to the Class 1E and non-Class 1E plant loads during startup, normal operation, and shutdown following a design basis event.

The Onsite Standby Power Supply Systems of Units 1 and 2 each consist of three independent, physically separated, standby DGs supplying power to three associated load groups designated Train A, Train B, and Train C. Each load group consists of a 4.16 kV ESF bus and the electrical loads connected to that bus. The Onsite Standby Power Supply Systems of Units 1 and 2 operate independently of each other. Each standby DG and load group of a particular unit is also physically separated and electrically independent from the other two standby DGs and their load groups.

Each 4.16 kV ESF bus is provided with switching that permits energization of the bus by five alternate sources:

1. The respective unit auxiliary transformer 2. No. 1 standby transformer STPEGS UFSAR 10A-8 Revision 14 3. No. 2 standby transformer 4. Standby DG 5. 138 kV emergency transformer When neither standby transformer nor the respective unit auxiliary transformer is available, the standby DGs supply the power required by the ESF loads to safely shut down the reactor. The 138 kV emergency transformer provides an additional means for supplying power to these systems if for any reason the above power sources are unavailable. The 138 kV emergency transformer is immediately available; however, its use is operator controlled. Each standby DG is automatically started in the event of a LOOP or SI signal, and the required Class 1E loads connected to that ESF bus are automatically connected in a predetermined time sequence. Each standby DG is ready to accept load within 10 seconds after the start signal. The Class 1E 125 vdc battery systems of each unit consist of four independent, physically separated buses, each energized by one of the two available battery chargers and one battery. Emergency power required for plant protection and control is supplied without interruption by the batteries when the power from the Class 1E essential AC source is interrupted. Each battery system also supplies power to inverters, two each for channels I and IV and one each for channels II and III. The inverters convert DC power to AC power at 118 vac, 60 Hz single phase for the vital instrumentation and protection system. The six vital AC buses supply power to instrumentation channels I, II, III, and IV which are associated with electrical trains A, D, B, and C respectively. The two battery chargers associated with each of the four 125 vdc buses are connected to separate Class 1E buses of the same train to enhance the reliability of each DC bus in the event that offsite power is lost. Following a loss of offsite power, ac power to the battery chargers is supplied by the standby DGs. Components in the turbine-driven train are powered from the Train D Class 1E DC system. Consistent with NUREG-0611, it is assumed that offsite and/or onsite AC power are restored within two hours to supply power to the battery chargers to restore the Train D battery to full capacity.

In the motor-driven trains, the pump motors and valve actuators in each train are powered by the corresponding Class 1E train. Instrumentation and controls in each train are provided by DC or AC power from its associated Class 1E train.

10A.2.5 Testing The AFWS inservice testing and inspection frequencies assumed in this analysis are described below.

The frequencies are in agreement with Reference 10A-7 with the exception of automatic valve position verification which is indicated as at least once every 31 days in the Technical Specifications.

This increase in test frequency serves to decrease the AFWS hardware related unavailability without affecting human error and test and maintenance related unavailability. The calculated total AFWS unavailabilities are therefore conservative.

STPEGS UFSAR 10A-9 Revision 14 Component Test Test Frequency Motor-Driven Pumps Operability Recirculate to AFST at least once every 92 days Turbine-Driven Pump Operability Recirculate to AFST at least once every 92 days Automatic Valve Position Verify position at least once every 92 days Non-Automatic Valve Position Verify position at least every 31 days Automatic Valve Actuation Verify actuation to correct position during each refueling shutdown Motor-and Turbine-Driven Pump Actuation Verify pumps start on actuation signal during each refueling shutdown Train Operability Verify ability to establish flow path to each SG following cold shutdowns greater than 30 days 10A.3 METHODOLOGY This section presents the step-by-step procedure followed in performing the AFWS quantitative reliability evaluation.

10A.3.1 System Review In the first step, the various drawings, P&IDs, and schematics representing the AFWS were examined. Special attention was given to identifying:

1. Instrumentation systems required for system actuation 2. Fluid systems connected directly or indirectly to the AFWS 3. Power sources for each component 4. Any obvious single-point vulnerabilities The reliability information described in Appendix III of NUREG-0611 was then appraised, and AFWS studies of other facilities were reviewed. With this information, the evaluation boundaries were established.

10A.3.2 Fault Tree Development and Quantification Fault trees are constructed from the P&IDs. These trees include component failures (mechanical and control circuit), test and maintenance outages, and human errors (from testing, maintenance and accident response). The fault trees are constructed using a segment level approach. A segment is defined as the piping section between two points of intersection with other pipe segments. Failures STPEGS UFSAR 10A-10 Revision 14 within the segments are characterized and developed into the fault trees. The fault trees developed for each scenario are presented in Figure 10A-3. A list of the codes used in the fault trees is shown in Table 10A-5. Quantification of the AFWS fault trees is done by two computer codes, GRAFTER and WESCUT. Refer to Section 10A.3.5 for a description of these codes. Each fault tree is quantified. The results of this quantification include total system unavailability and the failure combinations (cutsets) that contribute to this unavailability.

10A.3.3 Common Cause Failure Evaluation The evaluation and design provisions of common cause factors such as floods (Section 3.4), fires (Section 9.5.1), earthquakes (Section 3.2), sabotage and high energy pipe breaks (Section 3.6) are outside the scope of this AFWS unavailability study. The only common cause factor considered is that resulting from human errors during test and maintenance.

This evaluation assumes that human errors are statistically independent. Tests and maintenance of redundant components will involve time and/or personnel changes; e.g., different personnel and shifts or the same personnel on a different day, etc. This assumption is also supported by Technical Specification limitations on plant operation associated with coincident test and maintenance activities that reduce train availability to an unacceptable level.

10A.3.4 Failure Data 10A.3.4.1 Failure Rate Data.

10A.3.4.1.1 Hardware: Hardware-related failure data used in this evaluation are presented in Table 10A-1. Unless otherwise indicated, all failure data are taken directly from NUREG-0611.

10A.3.4.1.2 Human Error: Since the AFWS is automatically actuated, the treatment of human error is limited to mispositioning manual valves based on the human error probabilities given in NUREG-0611. Valves considered are the manual valves in the recirculation lines to the AFST.

During maintenance, valves AF0024, AF0053, AF0073, AF0012, AF0031, AF0041, AF0059, and AF0078 must be closed in order to drain the water from pumps.

These valves may be inadvertently left closed. Due to the fact that this failure mode will only occur after maintenance, procedures require the position of these valves be double checked after maintenance as well as periodically checked (every 31 days), and flow tests on the pump are required after maintenance, this failure mode was assumed to be insignificant. During the testing of a pump, the manual valve in the recirculation line must be open. The manual valve may inadvertently be left open. A failure rate of 5 x 10-3 per demand is used in this calculation. For Train D, the trip and throttle valve overspeed trip mechanism must be manually reset after maintenance or a previous overspeed trip. A failure rate of 5 x 10-3 per demand is used for this calculation.

STPEGS UFSAR 10A-11 Revision 14 10A.3.4.1.3 Test and Maintenance: The approach presented in NUREG-0611 is used. Testing and maintenance activities that remove components and/or the system from service can be significant contributors to overall AFWS unavailability. The most common forms of valve main-tenance performed during power operation are packing adjustments and repairs to the motor-operated valve (MOV) and air-operated valve (AOV) control circuits and operators. Nearly all of these activities are performed with the valve in the safe position during the maintenance interval. Therefore, maintenance of MOVs and AOVs is not considered to contribute to valve unavailability.

Check valves and manual valves are expected to require very little maintenance. The low test and maintenance impact on this part of the AFWS is the basis for not including a human error contributor to unavailability for the manual valves in the individual SG flow paths. Although testing and maintenance contributions are not treated for the valves associated with the branch flowpaths to a specific SG, unavailability from testing and maintenance of the pump subsystem is treated.

In the subsystem part of the fault tree, testing and maintenance are treated as a distinct composite basic event. Unavailability due to testing and maintenance is calculated using outage durations from NUREG-0611 and the test frequencies as presented in Section 10A.2.5. Testing and maintenance unavailabilities for each train are comprised of contributions due to testing of the train, and maintenance of the pump. In order to decrease the availability of Train A relative to the other trains, the maintenance outage time for the Train A pump was increased from 19 hours2.199074e-4 days <br />0.00528 hours <br />3.141534e-5 weeks <br />7.2295e-6 months <br /> to 336 hours0.00389 days <br />0.0933 hours <br />5.555556e-4 weeks <br />1.27848e-4 months <br /> (2 weeks) per maintenance activity. This assumption is in general agreement with the Technical Specifications and is conservative. Testing and maintenance unavailabilities are provided in Table 10A-2.

STPEGS Technical Specifications (Ref. 10A-7) do not allow coincident test or maintenance of components of more than one AFW pump train. Therefore, the analysis explicitly accounts for maintenance in one train and not in the other trains by use of the "not" gate.

10A.3.5 Computer Programs The following Westinghouse Electric Corporation computer programs are used in performing the evaluation of AFW system unavailability. 10A.3.5.1 GRAFTER. GRAFTER is a computer code written in FORTRAN and ASSEMBLER languages to construct fault trees interactively. It is used in conjunction with the WESCUT code to carry out fault tree analysis from the construction stage to the quantification.

The GRAFTER code can be used to construct, store, update and print fault trees interactively.

GRAFTER can construct fault trees containing up to 2064 boxes (gates or basic events). A menu of commands is provided to be used to construct the fault trees. The computer keyboard is used to move to different locations within the fault tree.

10A.3.5.2 WESCUT. WESCUT is a computer code written FORTRAN77. It identifies the minimal cutsets of a fault tree. It also quantifies the mean failure probability and variance of the top event and other specified lower level events.

For each gate specified when generating the input for cutset identification, the code will identify and print the cutsets. The cutsets are listed in order of decreasing probability. The mean probability and variance for the requested gate or gates is also calculated and printed.

STPEGS UFSAR 10A-12 Revision 14 The code can quantify fault trees containing up to 320 gates and 320 basic events. 10A.4 RESULTS OF THE RELIABILITY EVALUATION The results of the AFWS reliability evaluation are provided in two forms. The first is a general qualitative evaluation based on system design features. The second part is a quantitative evaluation based on the fault tree representation of the AFWS design. 10A.4.1 Qualitative Evaluation In the qualitative characterization of the reliability of AFW systems, NUREG-0611 assumes that the traits identified in Table 10A-3 exist for specific reliability ratings. These characterizations are reviewed for each of the three initiating events considered in NUREG-0611.

10A.4.1.1 Loss of Main Feedwater. In NUREG-0611, some of the plants whose AFWS are found to have low reliability have single-point vulnerabilities. This is due to a single manual valve through which all AFW flow passes, where a human error of failing to reopen the valve after maintenance is found to be the dominant failure contributor. The STPEGS design has four lines supplying water to the four pump trains. Thus, no single human error could disable the system. The only single failure that could disable the system is rupture of the AFST. The unavailability due to this failure is extremely small and this event would be readily detected by tank level indication and low level alarms in the main control room.

The NUREG-0611 plants classified in the high-reliability range for this transient generally have three AFW pumps (two motor-and one steam turbine-driven) which are actuated automatically, with manual backup signal.

Since the STPEGS AFWS design includes all these features and control room actuated crossover capability and has four AFW pumps, it receives a high reliability rating for this transient.

10A.4.1.2 Loss of Main Feedwater with Loss of Offsite Power. The major difference between this and the previous LMFW event is that offsite power sources are not available and the system must rely on onsite power sources; i.e., DGs, batteries, and steam.

The reliability of various AFWS designs for this event is generally found to be quite similar to those for the previous initiating event (LMFW). The major difference is that onsite AC power sources are required and the potential impact of degrading these power sources (e.g., the loss of one or more emergency DGs) on the AFWS reliability is evaluated.

Compared to other Westinghouse NSSS plants evaluated in NUREG-0611, the STPEGS AFWS contains a greater number of motor-driven pump trains (3 versus the typical 2). This redundancy reduces the likelihood of AFWS unavailability during a LMFW/LOOP event.

For this reason and the local manual crossover capability, the qualitative reliability rating given the STPEGS AFWS is comparable to that of other high reliability Westinghouse NSSS plants as reported in NUREG-0611.

STPEGS UFSAR 10A-13 Revision 14 10A.4.1.3 Loss of Main Feedwater with Loss of all AC Power. The major feature of this initiating event is the total dependency of the AFWS on steam power. Low and medium reliability classifications under this event are generally due to systems having AC power dependencies in the steam turbine-driven pump train. Such dependencies may include lube oil cooling, AC power to steam turbine admission valves, or air-operated valves which fail closed on loss of air. Those systems characterized as having a relatively high reliability are usually automatically actuated and have no potentially degrading AC power dependencies (except HVAC).

When comparing the STPEGS AFWS to the NUREG-0611 plants which have a high reliability characterization, the STPEGS design has comparably high reliability because the turbine pump train has no AC dependency in order to function. However, since no credit is taken for the steam turbine-driven pump to serve other than SG D (due to absence of control room activated crossover capability and the requisite manual actuation of the stop check isolation valves in the other trains), the STPEGS AFWS is rated slightly lower than some of the highest rated other Westinghouse NSSS plants as reported in NUREG-0611 (refer to Figure 10A-4). As noted earlier, it is possible to manually initiate crossover from outside the control room if the need should ever arise. The turbine-driven pump is qualified for operation in the environment resulting from a loss of HVAC.

10A.4.1.4 Qualitative Comparison with Other Design. Figure 10A-4 is a reproduction of the reliability characteristic chart presented in NUREG-0611 for AFWS designs in plants using the Westinghouse NSSS. An added row presents the results of a qualitative evaluation of STPEGS AFWS reliability. The figure shows the relative reliability ranking of STPEGS AFWS for each of the three cases studied and compares these results to those obtained by the Nuclear Regulatory Commission (NRC). This qualitative evaluation is included to complement the results of the quantitative analysis.

10A.4.2 Quantitative Evaluation The quantitative characterization of the STPEGS AFWS reliability is developed using the methods and data provided in NUREG-0611. The system's conditional unavailability is quantified for three initiating events: LMFW, LMFW/LOOP, and LMFW/LOAC. System unavailability is associated with hardware failure, human error, and test and maintenance downtime.

10A.4.2.1 Quantitative Results. The results of the quantitative evaluation are presented in Table 10A-4. System unavailability for the LMFW and LMFW/LOOP events is approximately 2.9x10-6 and 3.1 x 10-5 per demand, respectively. Even for the LMFW/LOAC event, where all AC power is lost and the system is totally dependent on the steam turbine-driven pump to supply water to the SGs, the system unavailability is approximately 3.9 x 10-2 per demand. These results demonstrate that the South Texas AFWS design is reliable when compared with other designs and the NRC acceptance criteria of 10-5 to 10-4 per demand for the LMFW transient (Ref. 10A-5).

10A.4.2.2 Failure Modes. There are many possible combinations of random hardware failures, component unavailabilities due to test or maintenance, and human error which can result in the unavailability of the AFWS. Since each system component (e.g., pump, valve) generally has a different failure rate, there are certain combinations of failure modes that contribute significantly more to the total unavailability of the AFWS than others. These are the most significant failure modes. Unavailability per demand of each of the possible combinations of failure modes is computed by the computer code "WESCUT". Once the unavailabilities associated with each minimal STPEGS UFSAR 10A-14 Revision 14 cutset have been computed, their percentage contribution to total AFWS unavailability can be determined, and significant failure modes identified. The AFWS reliability evaluation uses the computer code WESCUT to generate minimal cutsets based on Boolean expressions. In general, higher-order cutsets contribute less to the top event than do lower order cutsets if the failure rates of the basic events are similar. With four separate pump trains, the aggregate of fourth-order cutsets (representing various combinations of pump and valve failures affecting different trains) contribute significantly to the failure of the entire AFWS. Higher order cutsets (e.g., fifth-order) involve other basic events with much smaller failure rates, and their aggregate contribution to total AFWS unavailability is numerically small.

The following sections present a summary of failure modes associated with the LMFW, LMFW/LOOP, and LMFW/LOAC failure scenarios. 10A.4.2.2.1 Loss of Main Feedwater (Case I): For the LMFW scenario (Case I), the AFWS unavailability was calculated as 2.9 x 10-6. The dominant contributors to system unavailability are fourth-order cutsets. The dominating cutset is the motor-driven pumps B and C fail due to hardware faults, Train A pump is unavailable due to maintenance, and the governor valve in Train D fails. This cutset probability is approximately 7.8 x 10-8 and contributes 2.7 percent to the system unavailability. Other dominating contributors include combinations of a pump failure (either Train B or C), a motor-operated valve failure in Train B or C (the opposite train in which the pump failure occurred), the governor valve in Train D fails, and the Train A pump is unavailable due to maintenance. Each of these fourth-order cutsets has a cutset probability of 7 x 10-8 and contributes approximately 2.4 percent to the total AFWS unavailability.

When the basic events are examined, approximately 86 percent of the failures of the system can be attributed to the Train A pump unavailability due to maintenance in combination with other failures.

(This result is expected based on the restrictions applied in the analysis). Other dominant basic events are the trip and throttle valve fails (42 percent), the failure to start and run of motor-driven pumps in Trains B and C (30 percent), and the motor operated valves (failing to open) in the discharge lines of Trains B and C (25 percent). One first order cutset was determined for the LMFW event (failure of the AFST). However, the failure probability is 3.6 x 10-8 and its contribution to system unavailability is approximately one percent. Thus, the conclusion can be drawn from this analysis that the South Texas AFWS is highly reliable in the event of a loss of main feedwater.

10A.4.2.2.2 Loss of Main Feedwater Coincident with Loss of Offsite Power: For the LMFW/LOOP scenario (Case II) (unavailability equal to 3.1 x 10-5 per demand), most of the failure combinations involve pump or valve hardware failures coupled with failure of the DGs (DG operation is required during a LOOP). The top three cutsets contributing to AFWS unavailability are combinations of two DGs failing (for Trains B and C) with the Train A pump unavailable due to maintenance and a valve failure in Train D. The first cutset has a probability of 2.8 x 10-6 and contributes approximately 9.2 percent to the total system unavailability and the next two cutsets each have a probability of 1.66 x 10-6 and contribute 5.4 percent. Other top failure combinations determined in the evaluation include failure of three DGs coupled with a valve failure in Train D.

STPEGS UFSAR 10A-15 Revision 14 When the basic events involved in these failures are examined, the dominant contributors are the diesel generators (71 percent) followed by Train A motor-driven pump unavailable due to maintenance (59 percent), the trip and throttle valve (37 percent) and the MOVs in Train D (20 percent each). These basic events are coupled with other failures in cutsets that contribute that percentage to the system unavailability. From this analysis, it can be concluded that the failure of the DGs and not an actual AFWS failure is the most important factor affecting AFWS availability following a loss of main FW coincident with a LOOP.

10A.4.2.2.3 Loss of Main Feedwater Coincident with Loss of all AC Power. AFWS unavailability for the LMFW/LOAC scenario (Case III) (unavailability - 3.9 x 10-2 per demand) is attributable to any hardware-related failure, test or maintenance unavailability, or human error that could disable Train D, since this is the only AFW train which can operate independently of AC power. The percentage contribution of each to total AFWS unavailability for Case III is as follows: Train D MOV failure (36 percent), operator error in failing to reset the trip and throttle valves (31 percent) or failing to close a manual valve after test (13 percent) and the unavailability of the turbine-driven pump due to maintenance (15 percent). 10A.4.2.3 Conclusions. The quantitative evaluation of AFWS reliability concludes the system reliability is high and in accordance with the guidelines contained in Standard Review Plan 10.4.9, Rev. 2. The qualitative evaluation also shows the system reliability to compare favorably with that of other plants described in NUREG-0611. With the exception of the loss of AFST (an extremely low probability event), no single point vulnerabilities were identified in the system. Furthermore , no second-order cutsets were identified and no AC dependencies were found in Train D.

STPEGS UFSAR 10A-16 Revision 14 REFERENCES Appendix 10A: 10A-1 NUREG-0611, "Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant Accidents in Westinghouse-Designed Operating Plants", by USNRC January 1980.

10A-2 WASH-1400, "Nuclear Reactor Safety Study", Appendix III, Failure Data, by USNRC October 1975. 10A-3 NUREG/CR-1362, "Data Summaries of Licensee Event Reports on Diesel Generators at U.S. Commercial Nuclear Power Plants; January 1, 1976 to December 31, 1978",

March 1980, by E.G.&G. Idaho, Inc. 10A-4 NUREG-0452, Revision 4, Standard Technical Specifications for Westinghouse Pressurized Water Reactors, USNRC, Fall 1981. A-5 10A-5 NUREG-0800, USNRC Standard Review Plan, Section 10.4.9, July 1981. 10A-6 Zion Probabilistic Safety Assessment; Pickard, Lowe, & Garrick; Newport Beach, CA. September 1981. 10A-7 Dewease, J. G. (Houston Lighting and Power) to Thompson, H. L. (USNRC), "South Texas Project Electric Generating Station Technical Specifications, Offsite Dose Calculation Manual, Process Control Program", ST-HL-AE-1548, January 15, 1986.

STPEGS UFSAR 10A-17 Revision 14 TABLE 10A-1 COMPONENT BASIC EVENT FAILURE PROBABILITIES (a, b) 1. Check valve. Failure to open. AF0122, AF0120, AF0121, AF0119 AF0011, AF0058, AF0091, AF0036 1 x 10-4/d(c) 2. Automatic actuation signal. ASA, ASB, ASC 7 x 10-3/d 3. Manual backup signal. (Conditional probability given automatic signal fails) MSB, MSC, MSD 1 x 10-2/d 4. Flow element plugging. FE7526, FE7524, FE7523, FE7525 (This failure rate was taken from WASH-1400 for plugging of the flow orifice Table III 4-1) 3 x 10-4/d 5. Gate valve. Plugging contribution. AF0014, AF0012, AF0024, AF0093, AF0061, AF0059, AF0053, AF0095, AF0080, AF0078, AF0073, AF0096, AF0041, AF0043, AF0031, AF0094 1 x 10-4/d 6. Motor-operated valve, failure to open. AF0019, AF0065, AF0085, AF0048 FV7523, FV7524, FV7526, FV7525 Mechanical components Plugging contribution Control circuit (local) Total 1 x 10-3/d 1 x 10-4/d 6 x 10-3/d 7.1 x 10-3/d 7. Motor-driven pump. MPA02, MPA03, MPA01 Mechanical components Control circuit (local) Total 1 x 10-3/d 7 x 10-3/d 8 x 10-3/d 8. Turbine-driven pump. MPA04 Mechanical components Overspeed Trip: Solenoid Valve Failure Orifice Plugged Total 1 x 10-3/d 7.1 x 10-3/d 3 x 10-4/d 8.4 x 10-3/d STPEGS UFSAR 10A-18 Revision 14 TABLE 10A-1 (Continued) COMPONENT BASIC EVENT FAILURE PROBABILITIES (a, b) 9. Motor-operated valve. MS0143 Plugging contribution. 1 x 10-4/d(c) 10. Auxiliary feedwater storage tank (unavailability per demand estimated from that given for condensate storage tank in WASH-1400) 3.6 x 10-8/d 11. Diesel generator. DG13 DG12 DG11 4.8 x 10-2/d 4.8 x 10-2/d 4.8 x 10-2/d The hardware failure rate of diesel-generators (4 x 10-2/demand) is taken from Reference 10A-3. Total diesel generator unavailability is the sum of unavailabilities due to hardware failure, test, and maintenance; i.e., total unavailability = 4 x 10-2 + 1.9 x 10-3 + 6.4 x 10-3 = 4.8 x 10-2 (Refer to Table 10A-2). 12. Governor valve. Plugging contribution 1 x 10-4/d Mechanical components 1 x 10-3/d Control circuit (local) Total 6 x 10-3/d 7.1 x 10-3/d

a. Data Source, NUREG-0611 except as noted. b. The median value presented here was calculated from the mean value and the variance contained in Reference 10A-6. c. d = demand STPEGS UFSAR 10A-19 Revision 14 TABLE 10A-2 UNAVAILABILITY OF COMPONENTS DUE TO TESTING OR MAINTENANCE Component Hrs/Test Test/Yr Hrs/Maint. Qtest(a) Qmaint(b) Pump B, C, D 1.4 4 19 6.39 x 10-4/d(c) 5.8 x 10-3/d Valve 7 -- 2.1 x 10-3/d Diesel Generator 1.4 12 21 1.9 x 10-3/d 6.4 x 10-3/d Pump A 1.4 4 336 6.39 x 10-4/d 1.03 x 10-1/d(d)

a. Qtest = (no. hrs/test) (no. tests/year) (no. hrs/year) (See NUREG-0611, Table III-2) b. Qmaint. = (0.22) (no. hrs/maintenance activity) 720 See NUREG-0611, Table III-2) c. d = demand d. See explanation in Section 10A.3.4.1.3 STPEGS UFSAR 10A-20 Revision 14 TABLE 10A-3 AFWS QUALITATIVE RELIABILITY CHARACTERIZATION TRAITS MAINTENANCE Low-Reliability Medium-Reliability High-Reliability a. Manual system actuation a. Auto actuation with manual backup a. Auto actuation with manual backup b. Two-pump system b. System with more than two pumps b. System with more than two pumps and reduced AC dependence c. Single-point vulnerabilities present c. Single-point vulnerabilities may be present c. No single-point vulnerabilities present d. Technical Specifications permit unlimited outage time for system maintenance, tests, etc. d. Technical Specifications permit unlimited outage time d. Technical Specifications do not allow unlimited outage time STPEGS UFSAR 10A-21 Revision 14 TABLE 10A-4 AFWS UNAVAILABILITY (PER DEMAND) LMFW LMFW/LOOP LMFW/LOAC Total 2.93 x 10-6 3.05 x 10-5 3.93 x 10-2 STPEGS UFSAR 10A-22 Revision 14 TABLE 10A-5 FAULT TREE COMPONENT IDENTIFICATION CODES Nine or ten character codes identify component failures in the fault trees. The format of component failures in the fault trees is STCCCXXXXF where: S is the system identification code. T is the identification of the train to which the component belongs. CCC is the component type identification code. XXXX is the number designating the single component in the P&IDs. F is the specific component failure. The following lists the codes used in this evaluation. SYSTEM A Auxiliary Feedwater TRAIN A Motor-driven pump train A B Motor-driven pump train B C Motor-driven pump train C D Turbine-driven pump train D COMPONENT AFST Auxiliary feedwater storage tank FL Flow element PM Motor-driven pump PT or TDP Turbine-driven pump CV Check valve MV Motor-operated valve XV Manual valve DG Diesel generator ESFAUTO Automatic ESF signal ESFMAN Manual ESF backup signal GV Governor valve FAILURE MODE P Plugging OE Operator error MAIN Maintenance TST Test