ML23193A885: Difference between revisions

=Text=
{{#Wiki_filter:Millstone Power Station Unit 3 Safety Analysis Report Chapter 7: Instruments and Controls
 
Table of Contents

INTRODUCTION
: 1 Identification of Safety Related Systems
: 1.1 Safety Related Systems
: 1.1.1 Reactor Trip System
: 1.1.2 Engineered Safety Features Actuation System
: 1.1.3 Instrumentation and Control Power Supply System
: 1.2 Safety Related Display Instrumentation
: 1.3 Instrumentation and Control System Designers
: 1.4 Plant Comparison
: 1.5 Alarms
: 1.6 Communication Systems
: 2 Identification of Safety Criteria
: 2.1 Design Bases
: 2.1.1 Reactor Trip System
: 2.1.2 Engineered Safety Features Actuation System
: 2.1.3 Instrumentation and Control Power Supply System
: 2.1.4 Emergency Power
: 2.1.5 Interlocks
: 2.1.6 Bypasses
: 2.1.7 Equipment Protection
: 2.1.8 Diversity
: 2.1.9 Bistable Trip Set Points
: 2.1.10 Engineered Safety Features Motor Specifications
: 2.2 Independence of Redundant Safety Related Systems
: 2.2.1 General (Include Regulatory Guide 1.75 and IEEE Standard 384-1974)
: 2.2.2 Specific Systems
: 2.2.3 Fire Protection
: 2.3 Physical Identification of Safety Related Equipment
: 2.4 Conformance to Criteria
: 2.5 Conformance to Regulatory Guide 1.22
: 2.6 Conformance to Regulatory Guide 1.47
: 2.7 Conformance to Regulatory Guide 1.53 and IEEE Standard 379-1972
: 2.8 Conformance to Regulatory Guide 1.63
: 2.9 Conformance to IEEE Standard 317-1972
: 2.10 Conformance to IEEE Standard 336-1971
: 2.11 Conformance to IEEE Standard 338-1971
: 3 Reference for Section 7.1

REACTOR TRIP SYSTEM
: 1 Description
: 1.1 System Description
: 1.1.1 Functional Performance Requirements
: 1.1.2 Reactor Trips
: 1.1.3 Reactor Trip System Interlocks
: 1.1.4 Coolant Temperature Sensor Arrangement
: 1.1.5 Pressurizer Water Level Reference Leg Arrangement
: 1.1.6 Analog System
: 1.1.7 Solid State Logic Protection System
: 1.1.8 Isolators
: 1.1.9 Energy Supply and Environmental Variations
: 1.1.10 Setpoints
: 1.1.11 Seismic Design
: 1.2 Design Bases Information
: 1.2.1 Generating Station Conditions
: 1.2.2 Generating Station Variables
: 1.2.3 Spatially Dependent Variables
: 1.2.4 Limits, Margins, and Setpoints
: 1.2.5 Abnormal Events
: 1.2.6 Minimum Performance Requirements
: 1.3 Final Systems Drawings
: 2 Analyses
: 2.1 Failure Mode and Effects Analyses
: 2.2 Evaluation of Design Limits
: 2.2.1 Trip Setpoint Discussion
: 2.2.2 Reactor Coolant Flow Measurement
: 2.2.3 Evaluation of Compliance to Applicable Codes and Standards
: 2.3 Specific Control and Protection Interactions
: 2.3.1 Neutron Flux
: 2.3.2 Reactor Coolant Temperature
: 2.3.3 Pressurizer Pressure
: 2.3.4 Pressurizer Water Level
: 2.3.5 Steam Generator Water Level
: 2.4 Additional Postulated Accidents
: 3 Tests and Inspections
: 4 References for Section 7.2

ENGINEERED SAFETY FEATURES SYSTEM
: 1 Description
: 1.1 System Description
: 1.1.1 Function Initiation
: 1.1.2 Analog Circuitry
: 1.1.3 Digital Circuitry
: 1.1.4 Final Actuation Circuitry
: 1.1.5 ESF and Essential Auxiliary Support Systems
: 1.2 Design Bases Information
: 1.2.1 Generating Station Conditions
: 1.2.2 Generating Station Variables
: 1.2.3 Spatially Dependent Variables
: 1.2.4 Limits, Margins, and Set points
: 1.2.5 Abnormal Events
: 1.2.6 Minimum Performance Requirements
: 1.3 Final System Drawings
: 2 Analysis
: 2.1 Failure Modes and Effects Analysis
: 2.2 Compliance with Standards and Design Criteria
: 2.2.1 Single Failure Criteria
: 2.2.2 Equipment Qualification
: 2.2.3 Channel Independence
: 2.2.4 Control and Protection System Interaction
: 2.2.5 Capability for Sensor Checks and Equipment Test Calibration
: 2.2.6 Manual Resets and Blocking Features
: 2.2.7 Manual Initiation of Protective Actions (Regulatory Guide 1.62)
: 2.3 Further Considerations
: 2.3.1 Instrument Air and Component Cooling
: 2.4 Summary
: 2.4.1 Loss-of-Coolant Protection
: 2.4.2 Steam Line Break Protection
: 3 References for Section 7.3

SYSTEMS REQUIRED FOR SAFE SHUTDOWN
: 1 Description
: 1.1 Monitoring Indicators
: 1.2 Controls
: 1.2.1 General Considerations
: 1.2.2 Pumps and Fans
: 1.2.3 Emergency Generators
: 1.2.4 Valves and Heaters
: 1.3 Control Room Evacuation
: 1.4 Equipment and Systems Necessary for Cold Shutdown
: 1.5 Other Considerations
: 2 Analysis

SAFETY RELATED DISPLAY INSTRUMENTATION
: 1 Description
: 1.1 Safety Parameter Display System
: 1.2 Emergency Response Facilities
: 2 Analysis
: 3 Compliance with other Regulatory Requirements

APPENDIX 7.5A MILLSTONE UNIT 3 DEVIATIONS TO REGULATORY GUIDE 1.97 REVISION 2
: Table of Contents

ALL OTHER SYSTEMS REQUIRED FOR SAFETY
: 1 Instrumentation and Control Power Supply System
: 2 Residual Heat Removal Isolation Valves
: 2.1 Description
: 2.2 Analysis
: 3 Refueling interlocks
: 4 Accumulator Motor-Operated Valves
: 5 Reactor Coolant System Loop Isolation Valve Interlocks
: 6 Fuel Pool Cooling and Purification System
: 6.1 Description
: 6.2 Analysis of Fuel Pool Cooling and Purification System
: 7 Containment Leakage Monitoring System (Containment Atmosphere Pressure and Temperature Monitoring Instrumentation)
: 7.1 Description
: 7.2 Analysis
: 8 Interlocks for RCS Pressure Control during Low-Temperature Operation
: 8.1 Description
: 8.2 Analysis of Interlock
: 8.3 Pressurizer Pressure Relief System
: 9 Heat Tracing of Safety-Related Systems
: 10 Shutdown Margin Monitor
: 10.1 Description
: 10.2 Function
: 11 References for Section 7.6

CONTROL SYSTEMS NOT REQUIRED FOR SAFETY
: 1 Description
: 1.1 Reactor Control System
: 1.2 Rod Control System
: 1.2.1 Full Length Rod Control System
: 1.3 Plant Control Signals for Monitoring and Indicating
: 1.3.1 Monitoring Functions Provided by the Nuclear Instrumentation System
: 1.3.2 Rod Position Monitoring of Full Length Rods
: 1.3.3 Control Bank Rod Insertion Monitoring
: 1.3.4 Rod Deviation Alarm
: 1.3.5 Rod Bottom Alarm
: 1.4 Plant Control System Interlocks
: 1.4.1 Rod Stops
: 1.4.2 Automatic Turbine Load Runback
: 1.4.3 Turbine Loading Stop
: 1.5 Pressurizer Pressure Control
: 1.6 Pressurizer Water Level Control
: 1.7 Steam Generator Water Level Control
: 1.8 Steam Dump Control
: 1.8.1 Load Rejection Steam Dump Controller
: 1.8.2 Plant Trip Steam Dump Controller
: 1.8.3 Steam Header Pressure Controller
: 1.9 Incore Instrumentation
: 1.9.1 Thermocouples
: 1.9.2 Movable Neutron Flux Detector Drive System
: 1.9.3 Control and Readout Description
: 2 Analysis
: 2.1 Separation of Protection and Control System
: 2.2 Response Considerations of Reactivity
: 2.3 Step Load Changes without Steam Dump
: 2.4 Loading and Unloading
: 2.5 Load Rejection Furnished by Steam Dump System
: 2.6 Turbine-Generator Trip With Reactor Trip
: 2.7 Operational Transient Analysis
: 3 Reference for Section 7.7

ANTICIPATED TRANSIENTS WITHOUT SCRAM MITIGATION SYSTEM ACTUATION CIRCUITRY
: 1 Description
: 1.1 System Description
: 1.2 Equipment Description
: 1.3 Functional Performance Requirements
: 1.4 AMSAC Interlocks
: 1.5 Trip System
: 1.6 Isolation Devices
: 1.7 AMSAC Diversity From the Reactor Protection Systems
: 1.8 Power Supply
: 1.9 Environmental Variations
: 1.10 Set Points
: 2 Analysis
: 2.1 Safety Classification/Safety Related Interface
: 2.2 Redundancy
: 2.3 Diversity From the Existing Trip System
: 2.4 Electrical Independence
: 2.5 Physical Separation From the RTS and ESFAS
: 2.6 Environmental Qualification
: 2.7 Seismic Qualification
: 2.8 Test, Maintenance, and Surveillance Quality Assurance
: 2.9 Power Supply
: 2.10 Testability at Power
: 2.11 Inadvertent Actuation
: 2.12 Bypass
: 2.12.1 Maintenance Bypasses
: 2.12.2 Operating Bypasses
: 2.12.3 Indication of Bypasses
: 2.12.4 Means for Bypassing
: 2.13 Completion of Mitigative Actions Once Initiated
: 2.14 Manual Initiation
: 2.15 Information Readout
: 2.16 Compliance With Standards and Design Criteria
 
List of Tables

Number Title
: 1 Listing of Applicable Criteria
: 1 List of Reactor Trips
: 2 Protection System Interlocks
: 3 Reactor Trip System Instrumentation
: 4 Reactor Trip Correlation
: 1 Interlocks for Engineered Safety Features Actuation System
: 2 Engineered Safety Features Actuation System Instrumentation
: 3 Safety Injection Signal
: 4 Containment Isolation Phase A
: 5 Steam Line Isolation
: 6 Feedwater Isolation
: 7 Control Building Isolation
: 8 Containment Depressurization Actuation
: 9 Containment Isolation Phase B
: 10 Instrumentation and Control Systems for Engineered Safety Features and Essential Auxiliary Supporting Systems
: 1 Instruments and Controls Outside Control Room for Cold Shutdown
: 1 Accident Monitoring Instrumentation List
: 1 Plant Control System Interlocks
 
List of Figures

Number Title
: 1 Solid State Protection System Block Diagram
: 2 Reactor Trip/ESF Actuation Mechanical Linkage for Dual Train Switches
: 1 (Sheets 1-19) P&IDs Functional Diagram, Reactor Trip System/Loop Stop Valve Interlocks/Pressurizer Pressure Relief System
: 2 Setpoint Reduction Function for Overpower and Over-temperature T Trips
: 1 Failure Modes and Effects Analysis Quench Spray System
: 2 Fault Tree Diagram Quench Spray System
: 3 Typical ESF Test Circuits
: 4 Engineered Safeguards Test Cabinet
: 1 Logic Diagram for RHS Isolation Valves
: 2 Functional Block Diagram of Accumulator Isolation Valves
: 3 Automatic RHS and QSS Pump Shutoff (Sheet 1)
: 4 Reactor Coolant System Loop with Loop Stop Valves
: 1 Simplified Block Diagram of Reactor Control System
: 2 Control Bank Rod Insertion Monitor
: 3 Rod Deviation Comparator
: 4 Block Diagram of Pressurizer Pressure Control System
: 5 Block Diagram of Pressurizer Level Control System
: 6 Block Diagram of Steam Generator Water Level Control System
: 7 Block Diagram of Main Feedwater Pump Speed Control System
: 8 Block Diagram of Steam Dump Control System
: 9 Basic Flux-Mapping System
: -10 Not Used
: -11 Not Used
: -12 Not Used
: -13 Not Used
: 14 Simplified Block Diagram of Rod Control System
: 15 Control Bank B Partial Simplified Schematic Diagram of Power Cabinets 1 BD and 2 BD
: 1 Actuation Logic System Architecture
 
INTRODUCTION

This chapter presents the various plant instrumentation and control systems by relating the functional performance requirements, design bases, system descriptions, design evaluations, and tests and inspections for each. The information provided in this chapter emphasizes those instruments and associated equipment which constitute the protection system as defined in IEEE Standard 279-1971, "IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations."

The primary purpose of the instrumentation and control systems is to provide automatic protection and exercise proper control against unsafe and improper reactor operation during steady state and transient power operations (ANS Conditions I, II, III) and to provide initiating signals to mitigate the consequences of faulted conditions (ANS Condition IV). ANS conditions are discussed in Chapter 15. Consequently, the information presented in this chapter emphasizes those instrumentation and control systems which are central to assuring that the reactor can be operated to produce power in a manner that ensures no undue risk to the health and safety of the public.

It is shown that the applicable criteria and codes, such as General Design Criteria and IEEE Standards, concerned with the safe generation of nuclear power are met by these systems. See Table 7.1-1 for a listing of applicable criteria.

Definitions

Terminology used in this chapter is based on the definitions given in IEEE Standard 279-1971 which is listed in Section 7.1.2. In addition, the following definitions apply:
: 1.      Degree of Redundancy - The difference between the number of channels monitoring a variable and the number of channels which when tripped, would cause an automatic system trip.
: 2.      Minimum Degree of Redundancy - The degree of redundancy below which operation is prohibited, or otherwise restricted by the Technical Specifications.
: 3.      Cold Shutdown Condition - A Technical Specifications operational mode where Keff 0.99 and Tavg is 200F.
: 4.      Hot Shutdown Condition - A Technical Specifications operational mode where Keff 0.99 and 350F Tavg 200F.
: 5.      Phase A Containment Isolation - Closure of all non-essential process lines which penetrate containment initiated manually or by the safety injection signal.
 
engineered safety features lines).
: 7. System Response Times:
: a. Reactor Trip System Response Time - The time interval from when the monitored parameter exceeds its trip set point at the channel sensor until loss of stationary gripper coil voltage.
: b. Engineered Safety Features System Response Time - The time interval from when the monitored parameter exceeds its ESF actuation set point at the channel sensor until the ESF equipment is capable of performing its safety function (i.e., the valves travel to their required positions, pump discharge pressures reach their required values, etc.).
Times shall include diesel generator starting and sequence loading delays where applicable.
: 8. Reproducibility - This definition is taken from Scientific Apparatus Manufacturers Association (SAMA) Standard PMC-20.1-1973, Process Measurement and Control Terminology: the closeness of agreement among repeated measurements of the output for the same value of input made under the same operating conditions over a period of time, approaching from both directions. It includes drift due to environmental effects, hysteresis, long-term drift, and repeatability. Long-term drift (aging of components, etc.) is not an important factor in accuracy requirements since, in general, the drift is not significant with respect to the time elapsed between testing. Therefore, long-term drift may be eliminated from this definition. Reproducibility, in most cases, is a part of the definition of accuracy (see below).
: 9. Accuracy - This definition is derived from Scientific Apparatus Manufacturers Association (SAMA) Standard PMC-20.1-1973, Process Measurement and Control Terminology. An accuracy statement for a device falls under Note 2 of the SAMA definition of accuracy, which means reference accuracy or the accuracy of that device at reference operating conditions: reference accuracy includes the combined conformity, hysteresis, and repeatability errors. To adequately define the accuracy of a system, the term reproducibility is useful as it covers normal operating conditions. The following terms, trip accuracy and indicated accuracy etc., would include conformity and reproducibility under normal operating conditions. Where the final result does not have to conform to an actual process variable but is related to another value established by testing, conformity may be eliminated, and the term reproducibility may be substituted for accuracy.
 
around the transmitter and racks. Not included are accuracies under post-accident conditions.
: 11. Readout Devices - For consistency, the final device of a complete channel is considered a readout device. This includes indicators, recorders, isolators (nonadjustable), and controllers.
: 12. Channel Accuracy - This definition includes accuracy of primary element, transmitter and rack modules. It does not include readout devices or rack environmental effects, but does include process and environmental effects on field-mounted hardware. Rack environmental effects are included in the next two definitions to avoid duplication due to dual inputs.
: 13. Indicated and/or Recorded Accuracy - This definition includes channel accuracy, accuracy of readout devices and rack environmental effects.
: 14. Trip Accuracy - This definition includes comparator accuracy, channel accuracy, for each input, and rack environmental effects. This is the tolerance expressed in process terms (or percent of span) within which the complete channel must perform its intended trip function. This includes all instrument errors but no process effects such as streaming. The term actuation accuracy may be used where the word trip might cause confusion (for example, when starting pumps and other equipment).
: 15. Control Accuracy - This definition includes channel accuracy, accuracy of readout devices (isolator, controller), and rack environmental effects. Where an isolator separates control and protection signals, the isolator accuracy is added to the channel accuracy to determine control accuracy, but credit is taken for tuning beyond this point; i.e., the accuracy of these modules (excluding controllers) is included in the original channel accuracy. It is simply defined as the accuracy of the control signal in percent of the span of that signal. This would include gain changes where the control span is different from the span of the measured variable.
Where controllers are involved, the control span is the input span of the controller.
No error is included for the time in which the system is in a nonsteady state condition.
1    IDENTIFICATION OF SAFETY RELATED SYSTEMS
1.1    Safety Related Systems
The instrumentation discussed in Chapter 7 that is required to function to achieve the system responses assumed in the safety evaluations, and those needed to shut down the plant safely are given in this section.
 
The reactor trip system (RTS) is a functionally defined system described in Section 7.2. The equipment which provides the trip functions is identified and discussed in Section 7.2. Design bases for the RTS are given in Section 7.1.2.1. Figure 7.1-1 includes a single line diagram of this system.
1.1.2    Engineered Safety Features Actuation System
The engineered safety features actuation system (ESFAS) is a functionally defined system described in Section 7.3. The equipment which provides the actuation functions is identified and discussed in Section 7.3. Design bases for the ESFAS are given in Section 7.1.2.1.
1.1.3    Instrumentation and Control Power Supply System
Design bases for the instrumentation and control power supply system are given in Section 7.1.2.1. Further description of this system is provided in Section 7.6.1.
1.2    Safety Related Display Instrumentation
Display instrumentation provides the operator with information to enable him to monitor the results of engineered safety features actions following a Condition II, III, or IV event. Section 7.5, Table 7.5-1 provides information required to maintain the plant in a hot shutdown condition, or to proceed to cold shutdown.
1.3    Instrumentation and Control System Designers
The systems discussed in Chapter 7 have definitive functional requirements developed on the basis of the Westinghouse NSSS design. Figure 7.2-1, Sheet 8, defines Westinghouse NSSS scope; the remaining support systems are balance-of-plant (BOP) scope. Regardless of the supplier, the functional requirements necessary to assure plant safety and proper control are clearly delineated.
1.4    Plant Comparison
System functions for all systems discussed in Chapter 7 that are similar to those of the North Anna 1 and 2 applications are provided in the comparison table in Section 1.3.
1.5    Alarms
Annunciators are provided on the main control board and on local panels. Each local panel has a common trouble annunciator on the main control board that is alarmed when any annunciator is alarmed on the local panel. The annunciators are nonsafety grade except for the emergency diesel generator and hydrogen recombiner local alarms which are safety grade. The safety grade systems monitored are not degraded by the annunciators since isolators are used to isolate safety grade circuits from nonsafety grade circuits. The instrumentation section for each system lists the annunciators and the parameters monitored. Isolators are discussed in Section 7.2.
 
Section 8.3.1.1.3 for details.
Each Hydrogen Recombiner local annunciator system has isolators to prevent these safety grade annunciators from being degraded by their connection to a nonsafety grade annunciator in the main control room.
1.6    Communication Systems
Communication systems are discussed in Section 9.5.2.
2    IDENTIFICATION OF SAFETY CRITERIA
Section 7.1.2.1 gives design bases for the systems given in Section 7.1.1.1. Design bases for safety related systems are provided in the sections which describe the systems. Conservative considerations for instrument errors are included in the accident analyses presented in Chapter 15.
Functional requirements, developed on the basis of the results of the accident analyses, which have utilized conservative assumptions and parameters, are used in designing these systems, and a preoperational testing program verifies the adequacy of the design. Accuracies are given in Sections 7.2 and 7.3.
The documents listed in Table 7.1-1 were considered in the design of the systems given in Section 7.1.1. In general, the scope of these documents is given in the document itself. This determines the systems or parts of systems to which the document is applicable. A discussion of compliance with each document for systems in its scope is provided in the referenced sections given in Table 7.1-1 for each criterion. Because some documents were issued after design and testing had been completed, the equipment documentation may not meet the format requirements of some standards. Justification for any exceptions taken to each document for systems in its scope is provided in the referenced sections.
2.1    Design Bases
2.1.1    Reactor Trip System
The reactor trip system acts to limit the consequences of Condition II events (incidents of moderate frequency, such as loss of normal feedwater flow) by, at most, a shutdown of the reactor and turbine with the plant capable of returning to operation after corrective action. The reactor trip system features impose a limiting boundary region to plant operation which ensures that the reactor safety limits are not exceeded during Condition II events and that these events can be accommodated without developing into more severe conditions. Reactor trip set points are given in the Technical Specifications.
The design requirements for the reactor trip system are derived by analyses of plant operating and fault conditions where automatic rapid control rod insertion is necessary in order to prevent or limit core or reactor coolant boundary damage. The design bases addressed in IEEE Standard
: 1. As a result of any anticipated transient or malfunction (Condition II faults), the departure from nucleate boiling ratio (DNBR) shall not be less than the safety analysis limits (see Section 4.4).
: 2. Power density shall not exceed the rated linear power density for Condition II faults. See Chapter 4 for fuel design limits.
: 3. The stress limit of the reactor coolant system for the various conditions shall be as specified in Chapter 5.
: 4. Release of radioactive material shall not be sufficient to interrupt or restrict public use of those areas beyond the exclusion radius as a result of any Condition III fault.
: 5. For any Condition IV fault, release of radioactive material shall not result in an undue risk to public health and safety.
2.1.2    Engineered Safety Features Actuation System
The engineered safety features actuation system acts to limit the consequences of Condition III events (infrequent faults such as primary coolant spillage from a small rupture which exceeds normal charging system makeup and requires actuation of the safety injection system). The engineered safety features actuation system acts to mitigate Condition IV events (limiting faults, which include the potential for significant release of radioactive material).
The design bases for the engineered safety features actuation system are derived from the design bases given in Chapter 6 for the engineered safety features. Design bases requirements of IEEE Standard 279-1971 are addressed in Section 7.3.1.2. General design requirements are given below.
: 1. Automatic Actuation Requirements - The primary requirement of the engineered safety features actuation system is to receive input signals (information) from the various on-going processes within the reactor plant and containment and automatically provide, as output, timely and effective signals to actuate the various components and subsystems comprising the engineered safety features system.
: 2. Manual Actuation Requirements - The engineered safety features actuation system must have provisions in the control room for manual initiation.
 
The instrumentation and control power supply system provides continuous, reliable, regulated single phase AC power to all instrumentation and control equipment required for plant safety.
Details of this system are provided in Section 7.6. The design bases are given below:
: 1.      Each inverter has the capacity and regulation required for the AC output for proper operation of the equipment supplied.
: 2.      Redundant loads are assigned to different distribution panels which are supplied from different inverters.
: 3.      Auxiliary devices that are required to operate dependent equipment are supplied from the same distribution panel to prevent the loss of electric power in one protection set from causing the loss of equipment in another protection set. No single failure shall cause a loss of power supply to more than one distribution panel.
: 4.      Each of the distribution panels has access only to its respective inverter supply and a standby power supply.
: 5.      The system complies with IEEE Standard 308-1971, Paragraph 5.4.
2.1.4    Emergency Power
Design bases and system description for the emergency power supply are provided in Chapter 8.
2.1.5    Interlocks
Interlocks are discussed in Sections 7.2, 7.3, 7.6, and 7.7. The protection (P) interlocks are given in Tables 7.2-2 and 7.3-3. The safety analyses demonstrate that even under conservative critical conditions for either postulated or hypothetical accidents, the protective systems ensure that the NSSS will be put into and maintained in a safe state following an ANS Condition II, III or IV accident commensurate with applicable Technical Specifications and pertinent ANS Criteria.
Therefore the protective systems have been designed to meet IEEE Standard 279-1971 and are entirely redundant and separate, including all permissives and blocks. All blocks of a protective function are automatically cleared whenever the protective function is required in accordance with General Design Criteria 20, 21, and 22 and Paragraphs 4.11, 4.12, and 4.13 of IEEE Standard 279-1971. Control interlocks (C) are identified in Table 7.7-1. Because control interlocks are not safety related, they have not been specifically designed to meet the requirements of IEEE Protection System Standards.
2.1.6    Bypasses
Bypasses are designed to meet the requirements of IEEE Standard 279-1971, Paragraphs 4.11, 4.12, 4.13, and 4.14. A discussion of bypasses provided is given in Sections 7.2 and 7.3.
 
The criteria for equipment protection are given in Chapter 3. Equipment related to safe operation of the plant is designed, constructed and installed to protect the plant from damage. This is accomplished by working to accepted standards and criteria aimed at providing reliable instrumentation which is available under varying conditions. As an example, certain equipment is seismically qualified in accordance with IEEE Standard 344-1975. Independence and separation is achieved, as required by IEEE Standard 279-1971, IEEE Standard 384-1974 and Regulatory Guide 1.75, either by barriers, physical separation or demonstration test. This serves to protect against complete destruction of a system by fires, missiles or other natural hazards.
2.1.8    Diversity
Functional diversity has been designed into the system. Functional diversity is discussed in WCAP-7706-L and WCAP-7706. The extent of diverse system variables has been evaluated for a wide variety of postulated accidents.
Regarding the engineered safety features actuation system for a loss-of-coolant accident, a safety injection signal can be obtained manually or by automatic initiation from two diverse parameter measurements:
: 1.      Low pressurizer pressure
: 2.      High containment pressure (Hi-1)
For a steam break accident, safety injection signal actuation is provided by:
: 1.      Low steamline pressure
: 2.      For a steam break inside containment, high containment pressure (Hi-1) provides an additional parameter for generation of the signal
: 3.      Low pressurizer pressure
All of the above sets of signals are redundant and physically separated and meet the requirements of IEEE Standard 279-1971.
2.1.9    Bistable Trip Set Points
The following parameters are applicable to reactor trip and engineered safety features actuation:
: 1.      Safety limit
: 2.      Allowable value
: 3.      Trip set point
 
Safety limits such as those for reactor coolant system pressure are found in Section 2.0 of the Technical Specifications.
To accommodate instrument drift which can occur between operational tests and the accuracy to which set points can be measured and calibrated, allowable values for the reactor trip set points have been specified in the Technical Specifications. Operation with the set points less conservative than the reactor trip or engineered safety features trip set point but within the allowable value is acceptable since an allowance has been made in the safety analysis to accommodate these uncertainties.
The set point limits specified in Technical Specifications are the nominal values at which the reactor trips and/or engineered safety features trips are set for each functional unit. The trip set points have been selected to ensure that the core and reactor coolant system are prevented from exceeding their safety limits during normal operation and design basis operational occurrences, and to support the mitigation of limiting accidents.
The methodology used to derive the trip set points is based upon combining all of the uncertainties in the channels. Inherent to the determination of the trip set points are the magnitudes of these channel uncertainties. Sensors and other instrumentation utilized in these channels are expected to be capable of operating within the allowances of these uncertainty magnitudes.
Further discussion on set points is found in Sections 7.1.2.2.1 and 7.3.1.2.6.
The only requirement on the uncertainty of an instrumentation channel is that over the instrument span, the uncertainty must always be less than or equal to the value allowed in the accident analysis. The instrument does not need to be the most accurate at the set point value as long as it meets the minimum accuracy requirement. The accident analysis accounts for the expected uncertainties at the actual set point.
Range selection for the instrumentation covers the expected range of the process variable being monitored consistent with its application. The design of the reactor trip and engineered safety features systems is such that the bistable trip set points are not set within 5 percent of the high and low end of their calibrated span or range. Functional requirements established for every channel in the reactor trip and engineered safety features systems stipulate the maximum allowable errors on accuracy, linearity, and reproducibility. The protection channels have the capability for, and are tested to ascertain that the characteristics throughout the entire span in all aspects are acceptable and meet functional requirement specifications.
The specific functional requirements for response time, set point, and operating span are based on the results and evaluation of safety studies carried out using data pertinent to the plant. Emphasis is placed on establishing adequate performance requirements under both normal and faulted conditions. This includes consideration of process transmitter margins such that even under a highly improbable situation of full power operation at the limits of the operating map (as defined
 
response is available to ensure plant safety.
2.1.10 Engineered Safety Features Motor Specifications
Motors are discussed in Section 8.3.1.
2.2    Independence of Redundant Safety Related Systems
The safety related systems in Section 7.1.1.1 are designed to meet the independence and separation requirements of Criterion 22 of the 1971 General Design Criteria and Paragraph 4.6 of IEEE Standard 279-1971. The electrical power supplies, instrumentation, and control conductors for redundant circuits have physical separation to preserve the redundancy and to ensure that no single credible event will prevent operation of the associated function due to electrical conductor damage. Critical circuits and functions include power, control and analog instrumentation associated with the operation of the reactor trip system or engineered safety features actuation system. Credible events shall include, but not be limited to, the effects of short circuits, pipe rupture, missiles, fire, etc., and are considered in the basic plant design. In the control board, separation of redundant circuits is maintained as described in Section 8.3.1.4.
2.2.1    General (Include Regulatory Guide 1.75 and IEEE Standard 384-1974)
Description of separation is provided in Section 8.3, and compliance with Regulatory Guide 1.75 is described in Section 1.8 for BOP Scope.
The physical separation criteria for redundant safety related system sensors, sensing lines, wireways, cables, and components on racks for the NSSS scope meet recommendations contained in Regulatory Guide 1.75 with the following comments.
: 1.      The design of the protection system relies on the provisions of IEEE-384-74 relative to isolation devices to prevent malfunctions in one circuit from causing unacceptable influences on the functioning of the protection system. The protection system uses redundant instrumentation channels and actuation trains and incorporates physical and electrical separation to prevent faults in one channel from degrading any other protection channel.
: 2.      Separation recommendations for redundant instrumentation racks are not the same as those given in Paragraph C16 of Regulatory Guide 1.75, Revision 1, for the control boards because of different functional requirements. Main control boards contain redundant circuits which are required to be physically separated from each other. However, since there are no redundant circuits which share a single compartment of an NSSS protection instrumentation rack, and since these redundant protection instrumentation racks are physically separated from each other, the physical separation requirements specified for the main control board do not apply.
 
could be postulated that electrical faults, or interference, at these locations might be propagated into all redundant racks and degrade protection circuits because of the close proximity of protection and control wiring within each rack. Regulatory Guide 1.75, Paragraph C-4 and IEEE-384-1974, Paragraph 4.5(3), provide the option to demonstrate by tests that the absence of physical separation could not significantly reduce the availability of Class 1E circuits.
Westinghouse test programs have demonstrated that Class 1E protection systems, Nuclear Instrumentation System (NIS); Solid State Protection System (SSPS); and 7300 Process Control System (7300 PCS), are not degraded by non-Class 1E circuits sharing the same enclosure. Conformance to the requirements of IEEE-279 and Regulatory Guide 1.75 has been established and accepted by the NRC based on the following which is applicable to these systems at Millstone.
Tests conducted on the as-built designs of the NIS and SSPS were reported and accepted by the NRC in support of the Diablo Canyon application (Docket Numbers 50-275 and 50-323). Westinghouse considers these programs as applicable to all plants, including Millstone. Westinghouse tests on the 7300 PCS were covered in a report entitled, 7300 Series Process Control System Noise Tests, subsequently reissued as WCAP-8892-A. In a {{letter dated|date=April 20, 1977|text=letter dated April 20, 1977}}, R.
Tedesco to C. Eicheldinger, the NRC accepted the report in which the applicability of the Millstone plant is established.
: 3. The physical separation criteria for instrument cabinets within the NSSS scope meet the recommendations contained in Paragraph 5.7 of IEEE-384-1974.
: 4. The core thermocouple system satisfies Regulatory Guide 1.75 separation requirement except for the two channels/trains inside the refueling cavity. The method of installation of the core thermocouples within the reactor cavity was completed prior to upgrading of the system to satisfy Regulatory Guide 1.97 requirements. The design within the refueling cavity is acceptable because:
* only a small, self generated signal exists in the cabling from the thermocouples to the reference junction boxes and therefore no chance exists for a postulated propagating fault, and
* due to the interference provided by the rod control mechanisms and rod position indicator stack, no likelihood exists for rendering all thermocouples inoperable.
2.2.2    Specific Systems
Independence is maintained throughout the system, extending from the sensor through the devices actuating the protective function. Physical separation is used to achieve separation of redundant
 
equipment is separated by locating modules in different protection rack sets. Each redundant channel set is energized from a separate AC power feed.
There are four separate process analog sets. Separation of redundant analog channels begins at the process sensors and is maintained in the field wiring, containment penetrations and analog protection cabinets to the redundant trains in the logic racks. Redundant analog channels are separated by locating modules in different cabinets or compartments of a cabinet. Since all equipment within any cabinets is associated with a single protection set, there is no requirement for channel separation of wiring and components within the cabinets.
In the nuclear instrumentation system, process instrumentation systems, and the solid state protection system input cabinets where redundant channel instrumentation are physically adjacent, there are no wireways, or cable penetrations which would permit, for example, a fire resulting from electrical failure in one channel to propagate into redundant channels in the logic racks. Redundant analog channels are separated by locating modules in different cabinets or compartments of a cabinet.
Two reactor trip breakers are actuated by two separate logic matrices which interrupt power to the control rod drive mechanisms. The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all full length control rod drive mechanisms, permitting the rods to free fall into the core.
: 1. Reactor Trip System
: a.      Separate routing is maintained for the four basic reactor trip system channel sets analog sensing signals, bistable output signals and power supplies for such systems. The separation of these four channel sets shall be maintained from sensors to instrument cabinets to logic system input cabinets.
: b.      Separate routing of the redundant reactor trip signals from the redundant logic system cabinets is maintained, and in addition, they shall be separated (by spatial separation or by provision of barriers or by separate cable trays or wireways) from the four analog channel sets.
: 2. Engineered Safety Features Actuation System
: a.      Separate routing is maintained for the four basic sets of engineered safety features actuation system analog sensing signals, bistable output signals and power supplies for such systems. The separation of these four channel sets is maintained from sensors to instrument cabinets to logic system input cabinets.
 
be separated by spatial separation or by provisions of barriers or by separate cable trays or wireways from the four analog channel sets.
: c.      Separate routing of control and power circuits associated with the operation of engineered safety features equipment is required to retain redundancies provided in the system design and power supplies.
: 3.      Instrumentation and Control Power Supply System For separation criteria presented applicable for the load centers and buses distributing power to redundant components and to the control of these power supplies, see Section 8.3.1.4.
Reactor trip system and engineered safety features actuation system analog circuits may be routed in the same wireways provided circuits have the same power supply and channel set identified (I, II, III or IV).
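The routing rules above can be checked mechanically against a cable schedule. The following is an added example, not part of the Safety Analysis Report: a sketch that flags wireways where the stated separation is not kept. The circuit tags, wireway names, power supply names and train labels "A" and "B" are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

CHANNEL_SETS = ("I", "II", "III", "IV")  # the four protection channel sets


@dataclass(frozen=True)
class Circuit:
    tag: str           # constructed circuit identifier
    system: str        # "RTS" or "ESFAS"
    kind: str          # "analog" (channel set signal) or "logic" (train output)
    group: str         # channel set I-IV for analog; train label for logic
    power_supply: str  # constructed supply name
    wireway: str       # constructed wireway identifier


def separation_violations(circuits):
    """Return (wireway, rule, tags) tuples for each shared-routing violation."""
    by_wireway = defaultdict(list)
    for c in circuits:
        if c.kind == "analog" and c.group not in CHANNEL_SETS:
            raise ValueError(f"{c.tag}: unknown channel set {c.group!r}")
        by_wireway[c.wireway].append(c)

    findings = []
    for wireway in sorted(by_wireway):
        members = by_wireway[wireway]
        tags = tuple(sorted(c.tag for c in members))
        analog = [c for c in members if c.kind == "analog"]
        logic = [c for c in members if c.kind == "logic"]
        # RTS and ESFAS analog circuits may share a wireway only when they
        # have the same channel set and the same power supply.
        if len({c.group for c in analog}) > 1:
            findings.append(
                (wireway, "analog circuits from different channel sets", tags))
        if len({c.power_supply for c in analog}) > 1:
            findings.append(
                (wireway, "analog circuits on different power supplies", tags))
        # Redundant logic train signals are routed separately from each other
        # and from the four analog channel sets.
        if len({c.group for c in logic}) > 1:
            findings.append(
                (wireway, "redundant logic trains routed together", tags))
        if analog and logic:
            findings.append(
                (wireway, "logic train output routed with analog channel set", tags))
    return findings


# Constructed routing schedule (not plant data).
SAMPLE = [
    Circuit("RTS-PT-1", "RTS", "analog", "I", "INV-1", "WW-101"),
    Circuit("ESF-PT-1", "ESFAS", "analog", "I", "INV-1", "WW-101"),
    Circuit("RTS-PT-2", "RTS", "analog", "II", "INV-2", "WW-102"),
    Circuit("ESF-PT-3", "ESFAS", "analog", "III", "INV-3", "WW-102"),
    Circuit("RTS-TRIP-A", "RTS", "logic", "A", "INV-1", "WW-201"),
    Circuit("RTS-TRIP-B", "RTS", "logic", "B", "INV-2", "WW-201"),
    Circuit("ESF-ACT-A", "ESFAS", "logic", "A", "INV-1", "WW-202"),
    Circuit("RTS-PT-4", "RTS", "analog", "IV", "INV-4", "WW-202"),
]

if __name__ == "__main__":
    for wireway, rule, tags in separation_violations(SAMPLE):
        print(f"{wireway}: {rule}: {', '.join(tags)}")
```

WW-101 passes because both analog circuits belong to channel set I on one supply; the other three wireways are reported.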
2.2.3    Fire Protection
For electrical equipment within the NSSS scope of supply the NSSS specifies noncombustible or fire retardant material and conducts vendor-supplied specification reviews of this equipment which includes assurance that materials will not be used which may ignite or explode from an electrical spark, flame, or from heating, or will independently support combustion. These reviews include assurance of conservative current carrying capacities of all instrument cabinet wiring, which precludes electrical fires resulting from excessive overcurrent (I²R) losses. For example, wiring used for instrument cabinet construction has Teflon or Tefzel insulation and is adequately sized based on current carrying capacities set forth by the National Electric Code. In addition, fire retardant paint is used on protection rack or cabinet construction to retard fire or heat propagation from rack to rack. Braided sheathed material is noncombustible.
Details of the plant's fire protection system including consideration within BOP scope are provided in Section 9.5.1.
2.3    Physical Identification of Safety Related Equipment
There are four separate protection sets identifiable with process equipment associated with the reactor trip and engineered safeguards actuation systems. A protection set may be comprised of more than a single process equipment cabinet. The color coding of each process equipment rack nameplate coincides with the color code established for the protection set of which it is a part.
Redundant channels are separated by locating them in different equipment cabinets. Separation of redundant channels begins at the process sensors and is maintained in the field wiring, containment penetrations and equipment cabinets to the redundant trains in the logic racks. The solid state protection system input cabinets are divided into four isolated compartments, each serving one of the four redundant input channels. Horizontal 1/8-inch thick solid steel barriers,
 
wireway for a particular compartment is open only into that compartment so that flame could not propagate to affect other channels. A diagram of the input cabinet is given on Figure 7.1-2. At the logic racks the protection set color coding for redundant channels is clearly maintained until the channel loses its identity in the redundant logic trains. The color coded nameplates described below provide identification of equipment associated with protective functions and their channel association:

Protection Set      Color Coding
I                   RED with WHITE lettering
II                  WHITE with BLACK lettering
III                 BLUE with WHITE lettering
IV                  YELLOW with BLACK lettering

All noncabinet mounted protective equipment and components are provided with an identification tag or nameplate. Small electrical components such as relays have nameplates on the enclosure which houses them. All cables are numbered with identification tags. For ID of cables, cable trays and conduits, see Section 8.3.1.2.4.
2.4    Conformance to Criteria
A listing of applicable criteria and the SAR Sections where conformance is discussed is given in Table 7.1-1.
2.5    Conformance to Regulatory Guide 1.22
Periodic testing of the reactor trip and engineered safety features actuation systems, as described in Sections 7.2.2 and 7.3.2, complies with Regulatory Guide 1.22, Periodic Testing of Protection System Actuation Functions.
Where the ability of a system to respond to a bona fide accident signal is intentionally bypassed for the purpose of performing a test during reactor operation, each bypass condition is automatically indicated to the reactor operator in the main control room by a separate annunciator for the train in test. In accordance with Regulatory Guide 1.47, for an event that renders a safety system inoperable but does not automatically operate the system bypass indicator, capability to operate each bypass indicator manually has been provided to the reactor operator. Solid state protection system test circuitry does not allow two trains to be tested at the same time so that extension of the bypass condition to the redundant system is prevented. Administrative controls prevent both trains of the emergency generator load sequencer from being bypassed at the same time.
 
equipment is not tested during reactor operation it has been determined that:
: 1.      There is no practicable system design that would permit operation of the equipment without adversely affecting the safety or operability of the plant.
: 2.      The probability that the protection system will fail to initiate the operation of the equipment is, and can be maintained, acceptably low without testing the equipment during reactor operation.
: 3.      The equipment can routinely be tested when the reactor is shutdown.
The list of equipment that cannot be tested at full power so as not to damage equipment or upset plant operation is:
: 1.      Manual actuation switches
: 2.      Turbine
: 3.      Main steam line isolation valves (close)
: 4.      Main feedwater isolation valves (close)
: 5.      Feedwater control valves (close)
: 6.      Main feedwater pump trip solenoids
: 7.      Reactor coolant pump seal water return valves (close)
: 8.      Charging header to cold leg isolation valves
: 9.      Charging and letdown isolation valves (close)
: 10. Deleted by PKG FSC 07-MP3-024
: 11. CVCS suction valves - Normal (close)
: 12. Instrument air to containment isolation valves (close)
: 13. Chillwater supply and return containment isolation valves (close)
The justification for not testing the above 13 items at full power is discussed below.
: 1.      Manual Actuation Switches - These would cause initiation of their protection system function at power causing plant upset and/or reactor trip. It should be noted
 
The analog signals, from which the automatic safety injection signal is derived, are tested at power in the same manner as the other analog signals and as described in Section (10). The processing of these signals in the solid state protection system (SSPS) wherein their channel orientation converts to a logic train orientation is tested at power by the built-in semi-automatic test provisions of the SSPS. The reactor trip breakers are tested at power as discussed in Section (10).
: 2. Turbine - Mechanical and backup overspeed trip tests are performed periodically while carrying load without tripping the unit, by using special test provisions.
: 3. Closing the Main Steam Isolation Valves - Main steam isolation valves are routinely tested during refueling outages. Testing of the main steam isolation valves to closure at power is not practical. As the plant power is increased, the coolant average temperature is programmed to increase. If the valves are closed under these elevated temperature conditions, the steam pressure transient would unnecessarily operate the steam generator relief valves and possibly the steam generator safety valves. The steam pressure transient produced would cause shrinkage in the steam generator level, which would cause the reactor to trip on low-low steam generator water level. Testing during operation will decrease the operating life of the valve.
Based on the above identified problems incurred with periodic testing of the main steam isolation valves at power and since, (1) no practical system design will permit operation of the valves without adversely affecting the safety or operability of the plant, (2) the probability that the protection system will fail to initiate the actuated equipment during this test. Although the actual closing of these valves is blocked when the slave relay is tested, all functions are tested to assure that no electrical malfunctions have occurred which could defeat the protective function.
It is noted that the solenoids work on the deenergize-to-actuate principle, so that the main steam isolation valves will fail close upon loss of electrical power to the solenoids.
Based on the above, the testing of the isolating function of main steam isolation valves meets the guidelines of Section D.4 of Regulatory Guide 1.22.
: 4. Closing the Feedwater Isolation Valve
The feedwater isolation valves are routinely tested during refueling outages. Periodic testing of these feedwater isolation valves by closing them completely at power would induce steam generator water level transients and oscillations which
 
variable-speed feedwater pump control system and the steam generator water level control system. Any operation which induces perturbations in the main feedwater flow, whether deliberate or otherwise, generally leads to a reactor trip and should be avoided.
Based on these identified problems incurred with periodic testing of the feedwater isolation valves and since:
: a.      No practical system design will permit operation of these valves without adversely affecting the safety or operability of the plant.
: b.      The probability that the protection system will fail to initiate the activated equipment is acceptably low due to final actuation, and
: c.      These valves are tested during refueling outages, meeting the guidelines of Section D.4 of Regulatory Guide 1.22.
: 5. Closing the Feedwater Control Valves
These valves are routinely tested during refueling outages. To close them at power would adversely affect the operability of the plant. The verification of operability of feedwater control valves at power is assured by confirmation of proper operation of the steam generator water level system. The actual actuation function of the solenoids, which provides the closing function, is periodically tested at power as discussed in Section 7.3.2.2.5. The operability of the slave relay which actuates the solenoid, which is the actuating device, is verified during this test.
Although the actual closing of these control valves is blocked when the slave relay is tested, all functions are tested to assure that no electrical malfunctions have occurred which could defeat the protective function. It is noted that the solenoids work on the de-energize-to-actuate principle, so that the feedwater control valves will fail close upon either the loss of electrical power to the solenoids or loss of air pressure.
Based on the above, the testing of the isolating function of feedwater control valves meets the guidelines of Section D.4 of Regulatory Guide 1.22.
: 6. Main Feedwater Pump Trip Solenoids Main Feedwater Pump - No credit is taken in the analysis for tripping the main feedwater pumps, and therefore this function does not require periodic testing.
These functions are routinely tested during refueling outages.
: 7. Seal Water Return Valves (Close)
 
the possibility of valve chatter. Valve chatter would damage this relief valve.
Testing of these valves at power would cause equipment damage. Therefore, these valves will be tested during scheduled refueling outages. As above, additional containment penetrations and containment isolation valves introduce additional unnecessary potential pathways for radioactive release following a postulated accident. Thus, the guidelines of Section D.4 of Regulatory Guide 1.22 are met.
: 8. Charging Header to Cold Leg Isolation Valves (Open)
The opening of these valves during the test of the actuating protection channel would adversely affect the operability of the plant. The probability that the protection system will fail to open these valves is acceptably low due to testing up to final actuation and the valves are routinely tested during refueling outages.
: 9. Charging and Letdown Isolation Valves (Close)
The plant is designed for a limited number of letdown isolation thermal cycles, and exercising these valves during power operations can result in a thermal cycle to the charging path to the RCS. These valves are routinely tested during cold shutdowns and refueling outages.
: 10. Deleted by PKG FSC 07-MP3-024
: 11. CVCS Suction Valves - Normal (Close)
Actuating these valves in conjunction with RWST suction isolation injects a small amount of borated water from the RWST into the RCS, causing an increase in pressurizer level and possible outward rod motion. These valves are routinely tested during refueling outages. The probability that the protection system will fail to open these valves is acceptably low due to testing up to final actuation.
: 12. Instrument Air to Containment Isolation Valves (Close)
Allowing the valves to close puts the plant at risk of a loss of instrument air inside containment in the event that the valves do not reopen following testing. A loss of containment instrument air would disrupt RCS volume and pressure control systems and result in a letdown isolation. These valves are routinely tested during refueling outages. The probability that the protection system will fail to open these valves is acceptably low due to testing up to final actuation.
: 13. Chillwater Supply and Return Containment Isolation Valves (Close)
Two valves are closed during each slave relay test - one supply and one return in opposite headers. Although the two headers are cross connected during testing,
 
Specification Limit within a short period of time. Exceeding the Technical Specification Limit places the plant outside safety analysis assumptions for containment pressure, and requires operators to commence plant shutdown if pressure is not restored to within the limit within one hour. These valves are routinely tested during refueling outages. The probability that the protection system will fail to open these valves is acceptably low due to testing up to final actuation.
2.6    Conformance to Regulatory Guide 1.47
Refer to Section 1.8 and 7.5.3.
2.7    Conformance to Regulatory Guide 1.53 and IEEE Standard 379-1972
The principles described in IEEE Standard 379-1972 were used in the design of the protection system. The system complies with the intent of this standard and the additional guidance of Regulatory Guide 1.53 although the formal analyses have not been documented exactly as outlined. Westinghouse has gone beyond the required analyses and has performed a fault tree analysis (WCAP-7706-L and WCAP-7706).
The referenced topical report provides details of the analyses of the protection systems previously made to show conformance with single failure criterion set forth in Paragraph 4.2 of IEEE Standard 279-1971. The interpretation of single failure criterion provided by IEEE Standard 379-1972 does not indicate substantial differences with the Westinghouse interpretation of the criterion except in the methods used to confirm design reliability. Established design criteria in conjunction with sound engineering practices form the bases for the Westinghouse protection systems. The reactor trip and engineered safeguards actuation systems are each redundant safety systems. The required periodic testing of these systems will disclose any failures or loss of redundancy which could have occurred in the interval between tests, thus ensuring the availability of these systems.
2.8    Conformance to Regulatory Guide 1.63
Compliance to Regulatory Guide 1.63 is described in Section 1.8.
2.9    Conformance to IEEE Standard 317-1972
Regulatory Guide 1.63 addresses IEEE Standard 317.
2.10 Conformance to IEEE Standard 336-1971
The quality assurance requirements for installing, inspecting, and testing of instrumentation, and electric equipment conform to IEEE Standard 336-1971.
 
The periodic testing of the reactor trip system and engineered safety features actuation system conforms to the requirements of IEEE Standard 338-1971 with the following comments:
: 1.      The surveillance requirements of the Technical Specifications for the protection system ensure that the system functional operability is maintained comparable to the original design standards. Periodic tests demonstrate this capability for the system.
Overall protection systems response times are demonstrated by test. Sensors within the Westinghouse scope will be demonstrated adequate for this design by vendor testing, in-situ tests in operating plants with appropriately similar design, or by suitable type testing. The nuclear instrumentation system detectors are excluded from time response testing since they exhibit response time characteristics such that delays attributable to them are negligible in the overall channel response time required for safety. The reactor coolant pump speed sensors are exempt from time response testing since they will either operate with a short and predictable time response or fail in a safe direction, indicating lower than actual pump speed.
A periodic testing program exists to determine the time response of sensors which cause a reactor trip or the actuation of engineered safety features consistent with requirements given in the Technical Specifications and the Technical Requirements Manual. Time response testing of sensors (with the exception of neutron detectors and reactor coolant pump speed sensors) is performed per Technical Specifications section 4.3.1.2.
Each Reactor Trip System and Engineered Safety Features Actuation System response time test shall include at least one logic train such that both logic trains are tested at least once per 36 months and one channel per function such that all channels are tested at least once every (N times 18 months), where N is the total number of redundant channels in a specific protective function.
The measurement of response time at the specified time intervals provides assurance that the protective and engineered safety features action function associated with each channel is completed within the time limit assumed in the accident analyses.
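The staggered-test rule above can be checked mechanically against a surveillance record. The following is an added example, not part of the Safety Analysis Report or any plant procedure; the function names, the log layout and the sample records are constructed, and every item is assumed to have been tested at month 0.

```python
from collections import defaultdict

CYCLE_MONTHS = 18          # staggered-test basis stated in the text
TRAIN_LIMIT_MONTHS = 36    # both logic trains at least once per 36 months

# Constructed sample configuration: channel counts follow the text
# (four power range channels, two intermediate range channels).
TRAINS = ("A", "B")
CHANNELS = {
    "power_range_high_flux": ("I", "II", "III", "IV"),
    "intermediate_range_high_flux": ("I", "II"),
}


def round_robin_log(trains, channels_by_function, n_tests):
    """Build a log that rotates trains and channels at every 18-month test."""
    log = []
    for k in range(1, n_tests + 1):
        tested = {func: chans[k % len(chans)]
                  for func, chans in channels_by_function.items()}
        log.append((k * CYCLE_MONTHS, trains[k % len(trains)], tested))
    return log


def longest_gap(months, horizon):
    """Longest untested stretch between month 0, the tests and the horizon."""
    points = [0] + sorted(months) + [horizon]
    return max(later - earlier for earlier, later in zip(points, points[1:]))


def check_response_time_log(log, trains, channels_by_function, horizon):
    """Return violations of the train (36 month) and channel (N x 18 month) rules."""
    violations = []
    train_months = defaultdict(list)
    channel_months = defaultdict(list)
    for month, train, tested in log:
        train_months[train].append(month)
        for func in channels_by_function:
            if func not in tested:
                # Each test must include one channel per function.
                violations.append(("missing", month, func))
            else:
                channel_months[(func, tested[func])].append(month)
    for train in trains:
        gap = longest_gap(train_months[train], horizon)
        if gap > TRAIN_LIMIT_MONTHS:
            violations.append(("train", train, gap, TRAIN_LIMIT_MONTHS))
    for func, chans in channels_by_function.items():
        limit = len(chans) * CYCLE_MONTHS   # N times 18 months
        for chan in chans:
            gap = longest_gap(channel_months[(func, chan)], horizon)
            if gap > limit:
                violations.append(("channel", func, chan, gap, limit))
    return violations


def sample_logs():
    """Constructed records: a compliant rotation and one that never rotates."""
    good = round_robin_log(TRAINS, CHANNELS, n_tests=8)
    bad = [(month, "A", {**tested, "power_range_high_flux": "I"})
           for month, _, tested in good]
    return good, bad


if __name__ == "__main__":
    good, bad = sample_logs()
    print(check_response_time_log(good, TRAINS, CHANNELS, horizon=144))
    for violation in check_response_time_log(bad, TRAINS, CHANNELS, horizon=144):
        print(violation)
```

A record that always exercises the same train and channel passes every individual test yet leaves the other train and three power range channels unverified, which is the latent loss of redundancy the rotation is meant to expose.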
: 2.      The reliability goals specified in Paragraph 4.2 of IEEE Standard 338-1971, have been developed and serve as a basis for adequate time intervals for testing of the protection system.
: 3.      The periodic test interval discussed in Paragraph 5.2, which is based on items outlined in Paragraph 4.3 of IEEE Standard 338-1971, is specified in the plant Technical Specifications. The initial test interval is conservatively selected to
: 4.      The test interval discussed in Paragraph 5.2 of IEEE Standard 338-1971, is verified and/or corrected based on past operating experience and surveillance test results.
Test interval may be modified, if necessary, to assure that system and subsystem protection is reliably provided. If any protection channel fails to meet its acceptance criteria during periodic testing, actions are taken as required by the Technical Specifications. Analytic methods for determining reliability have been used to determine test interval.
Based on the scope definition given in IEEE Standard 338-1971, no other systems described in Chapter 7 are required to comply with this standard. Regulatory Guide 1.97 is discussed in the post-accident monitoring report.
3  REFERENCE FOR SECTION 7.1
1 WCAP-7706-L (Proprietary) and WCAP-7706, 1973, Gangloff, W.C. and Loftus, W.D., An Evaluation of Solid State Logic Reactor Protection in Anticipated Transients.
2 WCAP-8892-A (Non proprietary), June 1977, Siroky, R.M. and Marasco, F.W., Westinghouse 7300 Series Process Control System Noise Tests.
3 Letter from R. Tedesco, Nuclear Regulatory Commission to C. Eicheldinger, Westinghouse, dated April 20, 1977.
 
TABLE 7.1-1 LISTING OF APPLICABLE CRITERIA
: 1. GENERAL DESIGN CRITERIA (GDC), APPENDIX A TO 10 CFR PART 50

| Criteria | Title | Conformance Discussed in |
|---|---|---|
| GDC 1 | Quality Standards and Records | 3.1.2, 7 |
| GDC 2 | Design Bases for Protection Against Natural Phenomena | 3.1.2, 3.10, 7.2.1.1.11 |
| GDC 3 | Fire Protection | 3.1.2, 7.1.2.2.3 |
| GDC 4 | Environmental and Missile Design Bases | 3.1.2, 7.2.2.2 |
| GDC 5 | Sharing of Structures, Systems, and Components | 3.1.2 |
| GDC 10 | Reactor Design | 3.1.2, 7.2.2.2 |
| GDC 12 | Suppression of Reactor Power Oscillations | 3.1.2 |
| GDC 13 | Instrumentation and Control | 3.1.2, 7.3.1, 7.3.2 |
| GDC 15 | Reactor Coolant System Design | 3.1.2, 7.2.2.2 |
| GDC 17 | Electric Power Systems | 3.1.2, 8.2.1 |
| GDC 19 | Control Room | 3.1.2 |
| GDC 20 | Protection System Functions | 3.1.2, 7.2.2.2, 7.3.1, 7.3.2 |
| GDC 21 | Protection System Reliability and Testability | 3.1.2, 7.2.2.2, 7.3.1, 7.3.2 |
| GDC 22 | Protection System Independence | 3.1.2, 7.1.2.2, 7.2.2.2, 7.3.1, 7.3.2 |
| GDC 23 | Protection System Failure Modes | 3.1.2, 7.2.2.2, 7.3.1, 7.3.2 |
| GDC 24 | Separation of Protection and Control Systems | 3.1.2, 7.2.2.2, 7.3.1, 7.3.2 |
| GDC 25 | Protection System Requirements for Reactivity Control Malfunctions | 3.1.2, 7.3.2 |
| GDC 26 | Reactivity Control System Redundancy and Capability | 3.1.2 |
| GDC 27 | Combined Reactivity Control Systems Capability | 3.1.2, 7.3.1, 7.3.2 |
| GDC 28 | Reactivity Limits | 3.1.2, 7.3.1, 7.3.2 |
| GDC 29 | Protection Against Anticipated Operational Occurrences | 3.1.2, 7.2.2.2 |
| GDC 33 | Reactor Coolant Makeup | 3.1.2 |
| GDC 34 | Residual Heat Removal | 3.1.2 |
| GDC 35 | Emergency Core Cooling | 3.1.2, 7.3.2 |
| GDC 37 | Testing of Emergency Core Cooling System | 3.1.2, 7.3.2 |
| GDC 38 | Containment Heat Removal | 3.1.2, 7.3.1, 7.3.2 |
| GDC 40 | Testing of Containment Heat Removal System | 3.1.2, 7.3.2 |
| GDC 41 | Containment Atmosphere Cleanup | 3.1.2, 8.3.1.1 |
| GDC 43 | Testing of Containment Atmosphere Cleanup Systems | 3.1.2, 7.3.2 |
| GDC 44 | Cooling Water | 3.1.2 |
| GDC 46 | Testing of Cooling Water System | 3.1.2, 7.3.2 |
| GDC 50 | Containment Design Basis | 3.1.2 |
| GDC 54 | Piping Systems Penetrating Containment | 3.1.2 |
| GDC 55 | Reactor Coolant Pressure Boundary Penetrating Containment | 3.1.2 |
| GDC 56 | Primary Containment Isolation | 3.1.2 |
| GDC 57 | Closed Systems Isolation Valves | 3.1.2 |

: 2. INSTITUTE OF ELECTRICAL AND ELECTRONIC ENGINEERS (IEEE) STANDARDS:

| Criteria | Title | Conformance Discussed in |
|---|---|---|
| IEEE Std 279-1971 (ANSI N42.7-1972) | Criteria for Protection Systems for Nuclear Power Generating Stations | 7.1, 7.2, 7.3, 7.6 |
| IEEE Std 308-1971 | Criteria for Class IE Electric Systems for Nuclear Power Generating Stations | 7.1.2.1.3 |
| IEEE Std 317-1972 | Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations | 7.1.2.9 |
| IEEE Std 323-1974 | IEEE Standard for Qualifying Class IE Equipment for Nuclear Power Generating Stations | 3.11, 1.8 (R.G. 1.89) |
| IEEE Std 334-1971 | Type Tests of Continuous-Duty Class I Motors Installed Inside the Containment of Nuclear Power Generating Stations | 1.8 (R.G. 1.40), 7.1.2.1.10 |
| IEEE Std 336-1971 (ANSI N45.2.4-1972) | Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations | 7.1.2.10 |
| IEEE Std 338-1971 | Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems | 7.1.2.11, 1.8 (R.G. 1.118) |
| IEEE Std 344-1975 (ANSI N41.7) | Guide for Seismic Qualification of Class I Electrical Equipment for Nuclear Power Generating Stations | 3.10 |
| IEEE Std 379-1972 (ANSI N41.2) | Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems | 7.1.2.7, 1.8 (R.G. 1.53) |
| IEEE Std 382-1972 | Type Test of Class I Electric Valve Operators | 1.8 (R.G. 1.73) |
| IEEE Std 384-1974 | Criteria for Separation of Class IE Equipment and Circuits | 7.1.2.2.1, 1.8 (R.G. 1.75) |

: 3. REGULATORY GUIDES (RG)

| Criteria | Title | Conformance Discussed in |
|---|---|---|
| 1.6 | Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems | Chapter 8 |
| 1.11 | Instrument Lines Penetrating Primary Reactor Containment | 1.8, 6.2.4 |
| 1.22 | Periodic Testing of Protection System Actuation Functions | 1.8, 7.1.2.5, 7.3.2.2.5, 7.2.2.2.3 |
| 1.29 | Seismic Design Classification | 1.8 |
| 1.30 | Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment | 1.8 |
| 1.32 | Use of IEEE Std 308-1971 Criteria for Class IE Electric Systems for Nuclear Power Generating Stations | 1.8, 8.1.7, 8.3.2 |
| 1.47 | Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems | 1.8, 7.1.2.6, 7.5.3 |
| 1.53 | Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems | 7.1.2.7, 1.8 |
| 1.62 | Manual Initiation of Protection Actions | 1.8, 7.3.2.2.7 |
| 1.63 | Electric Penetration Assemblies in Containment Structures for Water-Cooled Nuclear Power Plants | 1.8 |
| 1.68 | Preoperational and Initial Startup Test Programs for Water-Cooled Power Reactors | 1.8, Chapter 14 |
| 1.70 | Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants Rev. 3 | 1.8, Chapter 7 |
| 1.73 | Qualification Test of Electric Valve Operators Installed Inside the Containment | 1.8 |
| 1.75 | Physical Independence of Electric Systems | 1.8, 7.1.2.2.1 |
| 1.78 | Assumptions for Evaluating the Habitability of a Nuclear Power Plant Control Room During a Postulated Hazardous Chemical Release | 9.4.1.1, 6.4 |
| 1.89 | Qualification of Class IE Equipment for Nuclear Power Plants | 1.8, 3.11 |
| 1.95 | Protection of Nuclear Power Plant Control Room Operators Against an Accidental Chlorine Release | 1.8 |
| 1.97 | Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant Conditions During and Following an Accident | 1.8, 7.5 |
| 1.100 | Seismic Qualification of Electric Equipment for Nuclear Power Plants | 1.8 |
| 1.105 | Instrument Spans and Setpoints | 1.8, 7.5.3 |
| 1.118 | Periodic Testing of Electric Power and Protection Systems | 1.8 |
| 1.120 | Fire Protection Guidelines for Nuclear Power Plants | 1.8 |

: 4. Branch Technical Positions (BTP) EICSB

| Criteria | Title | Conformance Discussed in |
|---|---|---|
| BTP ICSB 1 | Backfitting of the Protection and Emergency Power Systems of Nuclear Reactors | 7, 8 |
| BTP ICSB 3 | Isolation of Low Pressure Systems from the High Pressure Reactor Coolant System | 7.6.2 |
| BTP ICSB 4 | Requirements on Motor-Operated Valves in the ECCS Accumulator Lines | 7.6.4 |
| BTP ICSB 5 | Scram Breaker Test Requirements - Technical Specifications | 7.2.2.2.3 (Item 10), Technical Specifications (Table 4.3-1, Items 21 and 18) |
| BTP ICSB 9 | Definition and Use of Channel Calibration - Technical Specifications | Table 4.3-1, Section 1, Definitions, in Technical Specifications |
| BTP ICSB 10 | Electrical and Mechanical Equipment Seismic Qualification Program | 3.10 |
| BTP ICSB 12 | Protection System Trip Point Changes for Operation with Reactor Coolant Pumps Out of Service | 7.2.2.2.1 |
| BTP ICSB 13 | Design Criteria for Auxiliary Feedwater Systems | 10.4.9 |
| BTP ICSB 14 | Spurious Withdrawals of Single Control Rods in Pressurized Water Reactors | 7.7.2.2, 15.4.1, 15.4.2, 15.4.8 |
| BTP ICSB 15 | Reactor Coolant Pump Breaker Qualification | 7.2.1.1.2 (4) |
| BTP ICSB 16 | Control Element Assembly (CEA) Interlocks in Combustion Engineering Reactors | Not Applicable |
| BTP ICSB 18 | Application of the Single-Failure Criteria to Manually Controlled Electrically Operated Valves | Tech. Spec. 16. 3/4.5 |
| BTP ICSB 19 | Acceptability of Design Criteria for Hydrogen Mixing and Drywell Vacuum Relief Systems | Not Applicable |
| BTP ICSB 20 | Design of Instrumentation and Control Provided to Accomplish Changeover from Injection to Recirculation Mode | 6.3.2.2.2, Table 6.3-7 |
| BTP ICSB 21 | Guidance for Application of Regulatory Guide 1.47 | 7.1.2.6 |
| BTP ICSB 22 | Guidance for Application of Regulatory Guide 1.22 | 7.1.2.5 |
| BTP ICSB 23 | Qualification of Safety Related Display Instrumentation for Post-Accident Conditions Monitoring and Safe Shutdown | 7.5 |
| BTP ICSB 24 | Testing of Reactor Trip System and Engineered Safety Features Actuation System Sensor Response Time | 7.1.2.11 |
| BTP ICSB 25 | Guidance for the Interpretation of General Design Criterion 37 for Testing the Operability of the Emergency Core Cooling System as a Whole | 3.1.2, 7.3.2 |
| BTP ICSB 26 | Requirements for Reactor Protection System Anticipatory Trips | 7.2.1.1.2 (Item 6) |
| BTP ICSB 27 | Design Criteria for Thermal Overload Protection for Motors of Motor-Operated Valves | 8.3.1.1.4 |

 
FIGURE 7.1-1 SOLID STATE PROTECTION SYSTEM BLOCK DIAGRAM
FIGURE 7.1-2 REACTOR TRIP/ESF ACTUATION MECHANICAL LINKAGE FOR DUAL TRAIN SWITCHES
1    DESCRIPTION
1.1    System Description
The reactor trip system automatically keeps the reactor operating within a safe region by shutting down the reactor whenever the limits of the region are approached. The safe operating region is defined by several considerations such as mechanical/hydraulic limitations on equipment and heat transfer phenomena. Therefore, the reactor trip system keeps surveillance on process variables which are directly related to equipment mechanical limitations such as pressure, pressurizer water level (to prevent water discharge through safety valves, and uncovering heaters) and also on variables which directly affect the heat transfer capability of the reactor (e.g., flow and reactor coolant temperatures). Still other parameters utilized in the reactor trip system are calculated from various process variables. In any event, whenever a direct process or calculated variable exceeds a setpoint, the reactor will be shut down in order to protect against either gross damage to fuel cladding or loss of system integrity which could lead to release of radioactive fission products into the containment.
The following systems and equipment make up the reactor trip system (WCAP-7913; WCAP-8255; WCAP-7488-L and WCAP-7672):
: 1.      Process instrumentation and control system
: 2.      Nuclear instrumentation system
: 3.      Solid state logic protection system
: 4.      Reactor trip switchgear
: 5.      Manual actuation circuit
The reactor trip system consists of sensors which, when connected with analog circuitry consisting of two to four redundant channels, monitor various plant parameters, and digital circuitry, consisting of two redundant logic trains, which receives inputs from the analog protection channels as well as other digital inputs to complete the logic necessary to open the reactor trip breakers.
Each of the two trains, A and B, is capable of opening a separate and independent reactor trip breaker, RTA and RTB, respectively. The two trip breakers in series connect three phase AC power from the rod drive motor generator sets to the rod drive power cabinets, as shown on Figure 7.2-1, Sheet 2. During plant power operation, a DC undervoltage coil on each reactor trip breaker holds a trip plunger out against its spring, allowing the power to be available at the rod control power supply cabinets. For reactor trip, a loss of DC voltage to the undervoltage coil, as well as energization of the shunt trip coil, trips open the breaker. When either of the trip breakers opens, power is interrupted to the rod drive power supply, and the control rods fall, by gravity,
 
breakers BYA and BYB are provided to permit testing of the trip breakers, as discussed in Section 7.2.2.2.3.
1.1.1    Functional Performance Requirements
The reactor trip system automatically initiates reactor trip:
: 1.      Whenever necessary to prevent fuel damage for an anticipated operational transient (Condition II)
: 2.      To limit core damage for infrequent faults (Condition III)
: 3.      So that the energy generated in the core is compatible with the design provisions to protect the reactor coolant pressure boundary for limiting fault conditions (Condition IV)
The reactor trip system initiates a turbine trip signal whenever reactor trip is initiated to prevent reactivity insertion that would otherwise result from excessive reactor system cooldown to avoid unnecessary actuation of the engineered safety features actuation system.
The reactor trip system provides for manual initiation of reactor trip by operator action.
1.1.2    Reactor Trips
The various reactor trip circuits automatically open the reactor trip breakers whenever a condition monitored by the reactor trip system reaches a preset level. To ensure a reliable system, high quality design, components, manufacturing quality control and testing are used. In addition to redundant channels and trains, the design approach provides a reactor trip system which monitors numerous system variables, therefore providing protection system functional diversity. The extent of this diversity has been evaluated for a wide variety of postulated accidents.
Table 7.2-1 provides a list of reactor trips which are described below:
: 1.      Nuclear Overpower Trips
The specific trip functions generated are as follows:
: a.      Power range high neutron flux trip
The power range high neutron flux trip circuit trips the reactor when two of the four power range channels exceed the trip setpoint.
There are two bistables, each with its own trip setting used for a high and a low range trip setting. The high trip setting provides protection during
 
of the four power range channels read above approximately 10 percent power (P-10). Three out of the four channels below 10 percent power automatically reinstate the trip function. Refer to Table 7.2-2 for a listing of all protection system interlocks.
: b. Intermediate range high neutron flux trip
The intermediate range high neutron flux trip circuit trips the reactor when one out of the two intermediate range channels exceeds the trip setpoint.
This trip, which provides protection during reactor startup, can be manually blocked if two out of four power range channels are above approximately 10 percent power (P-10). Three out of the four power range channels below this value automatically reinstate the intermediate range high neutron flux trip. The intermediate range channels (including detectors) are separate from the power range channels. The intermediate range channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during plant shutdown or prior to startup.
This bypass action is annunciated on the control board.
: c. Source range high neutron flux trip
The source range high neutron flux trip circuit trips the reactor when one of the two source range channels exceeds the trip setpoint. This trip, which provides protection during reactor startup and plant shutdown, can be manually bypassed when one of the two intermediate range channels reads above the P-6 setpoint value and is automatically reinstated when both intermediate range channels decrease below the P-6 setpoint value. This trip is also automatically bypassed by two out of four logic from the power range protection interlock (P-10). This trip function can also be reinstated below P-10 by an administrative action requiring manual actuation of two control board mounted switches. Each switch will reinstate the trip function in one of the two protection logic trains. The source range trip point is set between the P-6 setpoint (source range cutoff power level) and the maximum source range power level. The channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during plant shutdown or prior to startup. This bypass action is annunciated on the control board.
: d. Power range high positive neutron flux rate trip
This circuit trips the reactor when a sudden abnormal increase in nuclear power occurs in two out of four power range channels. This trip provides RCS overpressure protection for inadvertent RCCA withdrawal events and
: e.          Power range high negative neutron flux rate trip
This trip provided protection against the effects of two or more dropped control rods. Improved analysis techniques have shown the trip not to be required to provide a reactor trip function, and it is no longer included in the Technical Specifications. Rather than remove the trip, the trip setpoint has been increased sufficiently to prevent the trip from being actuated by most credible combinations of dropped control rods.
Figure 7.2-1, Sheet 3, shows the logic for all of the nuclear overpower and rate trips.
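The block and reinstate behaviour of the source range and intermediate range trips described in items b and c can be modelled as a small latch driven by the P-6 and P-10 permissives. This is an added, simplified single-train example and not the plant's logic; the class name, the method signature and all numeric setpoints other than the "approximately 10 percent" P-10 value are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholder setpoints; the text gives only "approximately
# 10 percent power" for P-10 and no numeric values for the others.
P10_PERCENT = 10.0      # power range permissive, percent power
P6_AMPS = 1e-10         # intermediate range permissive (placeholder)
SR_TRIP_CPS = 1e5       # source range high flux trip (placeholder)
IR_TRIP_AMPS = 1e-4     # intermediate range high flux trip (placeholder)


def coincidence(values, threshold, needed):
    """True when at least `needed` channels read above `threshold`."""
    return sum(v > threshold for v in values) >= needed


@dataclass
class StartupTripTrain:
    """Source and intermediate range trip logic for one logic train."""
    sr_blocked: bool = False
    ir_blocked: bool = False

    def evaluate(self, sr, ir, pr, block_sr=False, block_ir=False,
                 reinstate_sr=False):
        p6 = coincidence(ir, P6_AMPS, 1)        # one of two IR channels
        p10 = coincidence(pr, P10_PERCENT, 2)   # two of four PR channels

        # Source range: a manual block is honoured only while P-6 is
        # present and is dropped when both IR channels fall below P-6.
        if not p6:
            self.sr_blocked = False
        elif block_sr:
            self.sr_blocked = True
        if reinstate_sr and not p10:            # manual reinstatement below P-10
            self.sr_blocked = False

        # Intermediate range: a manual block needs P-10; with four channels,
        # "three of four below" is the same condition as "not two above".
        if not p10:
            self.ir_blocked = False
        elif block_ir:
            self.ir_blocked = True

        sr_trip = (coincidence(sr, SR_TRIP_CPS, 1)
                   and not (self.sr_blocked or p10))   # P-10 bypasses automatically
        ir_trip = coincidence(ir, IR_TRIP_AMPS, 1) and not self.ir_blocked
        return {"P6": p6, "P10": p10, "sr_trip": sr_trip, "ir_trip": ir_trip}


def run_startup_sequence():
    """Constructed sequence of readings exercising each permissive."""
    train = StartupTripTrain()
    zero = (0.0, 0.0, 0.0, 0.0)
    steps = [
        # Block requested without P-6: request ignored, trip still armed.
        dict(sr=(2e5, 10.0), ir=(5e-11, 5e-11), pr=zero, block_sr=True),
        # One IR channel above P-6: block accepted.
        dict(sr=(2e5, 10.0), ir=(2e-10, 5e-11), pr=zero, block_sr=True),
        # Both IR channels back below P-6: trip reinstated automatically.
        dict(sr=(2e5, 10.0), ir=(5e-11, 5e-11), pr=zero),
        # Two PR channels above P-10: SR bypassed, IR block accepted.
        dict(sr=(2e5, 10.0), ir=(2e-4, 1e-5), pr=(12.0, 11.0, 8.0, 9.0),
             block_ir=True),
        # Three PR channels below P-10: IR trip reinstated automatically.
        dict(sr=(10.0, 10.0), ir=(2e-4, 1e-5), pr=(12.0, 9.0, 8.0, 9.0)),
    ]
    return [train.evaluate(**step) for step in steps]


if __name__ == "__main__":
    for number, result in enumerate(run_startup_sequence(), start=1):
        print(number, result)
```

The first step is the case worth testing in any such design: an operator block request made without its permissive must leave the trip armed.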
: 2.              Core Thermal Overpower Trips
The specific trip functions generated are as follows:
: a.          Overtemperature ΔT Trip
This trip protects the core against low DNBR and trips the reactor on coincidence as listed in Table 7.2-1, with one set of temperature measurements per loop. The setpoint for this trip is continuously calculated by analog circuitry for each loop by solving the following equation:
Overtemperature ΔT:
$$\Delta T \, \frac{1+\tau_1 S}{1+\tau_2 S} \le \Delta T_0 \left\{ K_1 - K_2 \, \frac{1+\tau_4 S}{1+\tau_5 S}\,[T - T'] + K_3 (P - P') - f_1(\Delta I) \right\}$$
Where:
ΔT is measured Reactor Coolant System ΔT, °F;
ΔT0 is loop specific indicated ΔT at RATED THERMAL POWER, °F;
(1 + τ1 S)/(1 + τ2 S) is the function generated by the lead-lag compensator on measured ΔT;
τ1 and τ2 are the time constants utilized in the lead-lag compensator for ΔT, τ1  [*] sec, τ2  [*] sec;
K1  [*]
K2  [*] /°F;
 
1 + 5 S 4 and5 are the time constants utilized in the lead-lag compensator for Tavg 4  [*] sec, 5  [*] sec 7 is the time constant utilized in the lag compensator for the Thot filter, 7  4 sec T is measured Reactor Coolant System average temperature; F; T' is loop specific indicated Tavg at RATED THERMAL POWER,  [*] F; K3  [*] /psi P is measured pressurizer pressure, psia; P' is nominal pressurizer pressure,  [*] psia; s is the Laplace transform operator, sec-1; and f1 (I) is a function of the indicated difference between top and bottom detectors of the power range neutron ion chambers; with nominal gains to be selected based on measured instrument response during plant startup tests calibrations such that:
: 1.      For qt - qb between - [*]% and [*]%, f1(ΔI) = 0, where qt and qb are percent RATED THERMAL POWER in the upper and lower halves of the core, respectively, and qt + qb is the total THERMAL POWER in percent RATED THERMAL POWER;
: 2.      For each percent that the magnitude of qt - qb exceeds - [*]%, the ΔT Trip Setpoint shall be automatically reduced by [*]% of its value at RATED THERMAL POWER;
: 3.      For each percent that the magnitude of qt - qb exceeds [*]%, the ΔT Trip Setpoint shall be automatically reduced by  [*]% of its value at RATED THERMAL POWER.
: a.      A separate long ion chamber unit supplies the flux signal for each overtemperature ΔT trip channel. Increases in ΔI beyond a pre-defined deadband result in a decrease in trip setpoint. Refer to Figure 7.2-2.
The required one pressurizer pressure parameter per loop is obtained from separate sensors connected to three pressure taps at the top of the pressurizer. Four pressurizer pressure signals are obtained from the three taps by connecting one of the taps to two pressure transmitters. Refer to Section 7.2.2.3.3 for an analysis of this arrangement.
Figure 7.2-1, Sheet 5, shows the logic for the overtemperature ΔT trip function.
(The values denoted with [*] are specified in the COLR.)
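The overtemperature ΔT setpoint calculation described above, as an added Python example that is not part of the original report. Every numeric constant (the K values, time constants, reference temperature and pressure, and f1 deadband) is a constructed placeholder standing in for the [*] values, and the backward-Euler discretization of the lead-lag terms is an assumption made for illustration.

```python
"""Overtemperature delta-T setpoint: static and lead-lag compensated forms.

All constants are CONSTRUCTED placeholders; the report gives the real
values only as [*] (specified in the COLR).
"""
from dataclasses import dataclass


class LeadLag:
    """Backward-Euler form of (1 + t_lead*S) / (1 + t_lag*S), step dt seconds."""

    def __init__(self, t_lead, t_lag, dt):
        self.t_lead, self.t_lag, self.dt = t_lead, t_lag, dt
        self.u_prev = None
        self.y_prev = None

    def step(self, u):
        if self.u_prev is None:            # start in steady state: output = input
            self.u_prev, self.y_prev = u, u
        y = (self.t_lag * self.y_prev + self.dt * u
             + self.t_lead * (u - self.u_prev)) / (self.t_lag + self.dt)
        self.u_prev, self.y_prev = u, y
        return y


@dataclass(frozen=True)
class Constants:
    dT0: float = 60.0        # loop delta-T at RATED THERMAL POWER, degF (constructed)
    K1: float = 1.20         # constructed
    K2: float = 0.02         # per degF (constructed)
    K3: float = 0.001        # per psi (constructed)
    T_ref: float = 587.0     # T', degF (constructed)
    P_ref: float = 2250.0    # P', psia (constructed)
    di_neg: float = -20.0    # lower edge of the f1 deadband, % (constructed)
    di_pos: float = 10.0     # upper edge of the f1 deadband, % (constructed)
    slope_neg: float = 3.0   # % setpoint reduction per % beyond di_neg (constructed)
    slope_pos: float = 2.0   # % setpoint reduction per % beyond di_pos (constructed)


def f1(delta_i, c):
    """Axial flux difference penalty: zero inside the deadband, linear outside."""
    if delta_i < c.di_neg:
        return c.slope_neg / 100.0 * (c.di_neg - delta_i)
    if delta_i > c.di_pos:
        return c.slope_pos / 100.0 * (delta_i - c.di_pos)
    return 0.0


def setpoint(tavg_deviation, pressure, delta_i, c):
    """Right-hand side of the equation for an already compensated [T - T']."""
    return c.dT0 * (c.K1 - c.K2 * tavg_deviation
                    + c.K3 * (pressure - c.P_ref) - f1(delta_i, c))


def static_setpoint(tavg, pressure, delta_i, c):
    """Steady-state setpoint (S = 0, so both lead-lag terms equal 1)."""
    return setpoint(tavg - c.T_ref, pressure, delta_i, c)


class Channel:
    """One loop's channel: compensated delta-T compared with the moving setpoint."""

    def __init__(self, c, dt, tau1, tau2, tau4, tau5):
        self.c = c
        self.ll_delta_t = LeadLag(tau1, tau2, dt)
        self.ll_tavg = LeadLag(tau4, tau5, dt)

    def update(self, delta_t, tavg, pressure, delta_i):
        lhs = self.ll_delta_t.step(delta_t)
        deviation = self.ll_tavg.step(tavg - self.c.T_ref)
        sp = setpoint(deviation, pressure, delta_i, self.c)
        return lhs, sp, lhs > sp           # bistable trips when lhs exceeds sp


if __name__ == "__main__":
    ch = Channel(Constants(), dt=1.0, tau1=8.0, tau2=3.0, tau4=20.0, tau5=4.0)
    print(ch.update(60.0, 587.0, 2250.0, 0.0))   # steady state at rated power
    print(ch.update(61.0, 589.0, 2250.0, 0.0))   # 1 degF / 2 degF step in one second
```

With these placeholder constants a one-second step of 1 °F in ΔT and 2 °F in Tavg trips the channel, although the steady-state setpoint for the same readings is well above the measured ΔT; the lead terms are what make the trip anticipatory.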
 
This trip protects against excessive power (fuel rod rating protection) and trips the reactor on coincidence as listed in Table 7.2-1, with one set of temperature measurements per loop. The setpoint for each channel is continuously calculated using the following equation:
Overpower ΔT:
$$\Delta T \, \frac{1 + \tau_1 S}{1 + \tau_2 S} \le \Delta T_0 \left\{ K_4 - K_6 \left[ T - T'' \right] \right\}$$
where:
: ΔT is measured Reactor Coolant System ΔT, °F;
: ΔT0 is loop specific indicated ΔT at RATED THERMAL POWER, °F;
: (1 + τ1 S)/(1 + τ2 S) is the function generated by the lead-lag compensator on measured ΔT;
: τ1 and τ2 are the time constants utilized in the lead-lag compensator for ΔT, τ1  [*] sec, τ2  [*] sec;
: K4  [*];
: τ7 is the time constant utilized in the lag compensator for the Thot filter, τ7  4 sec;
: T is measured Reactor Coolant System average temperature, °F;
: T" is loop specific indicated Tavg at RATED THERMAL POWER,  [*] °F;
: K6  [*]/°F when T  T" and K6  [*]/°F when T  T";
: S is the Laplace transform operator, sec⁻¹.
(The values denoted with [*] are specified in the COLR.)
The source of temperature information is identical to that of the overtemperature ΔT trip and the resultant ΔT setpoint is compared to the same ΔT. Figure 7.2-1, Sheet 5, shows the logic for this trip function.
: 4.          Reactor Coolant System Pressurizer Pressure and Water Level Trips The specific trip functions generated are as follows:
: a.                Pressurizer low pressure trip
 
measured in the pressurizer. Above P-7 the reactor is tripped when the pressurizer pressure measurements fall below preset limits. This trip is blocked below P-7 to permit startup. The trip logic and interlocks are given in Table 7.2-1.
The trip logic is shown on Figure 7.2-1, Sheet 6.
: b.      Pressurizer high pressure trip The purpose of this trip is to protect the reactor coolant system against system overpressure.
The same sensors and transmitters used for the pressurizer low pressure trip are used for the high pressure trip except that separate bistables are used for trip. These bistables trip when uncompensated pressurizer pressure signals exceed preset limits on coincidence as listed in Table 7.2-1. There are no interlocks or permissives associated with this trip function.
The logic for this trip is shown on Figure 7.2-1, Sheet 6.
: c.      Pressurizer high water level trip This trip is provided as a backup to the pressurizer high pressure trip and serves to prevent water relief through the pressurizer safety valves. This trip is blocked below P-7 to permit startup. The coincidence logic and interlocks of pressurizer high water level signals are given in Table 7.2-1.
The trip logic for this function is shown on Figure 7.2-1, Sheet 6.
: 5. Reactor Coolant System Low Flow Trips These trips protect the core from DNB in the event of a loss of coolant flow situation. Figure 7.2-1, Sheet 5 shows the logic for these trips. The means of sensing the loss of coolant flow are as follows:
: a.      Low reactor coolant flow The parameter sensed is reactor coolant flow. Four elbow taps in each coolant loop are used as a flow device that indicates the status of reactor coolant flow. The basic function of this device is to provide information as to whether or not a reduction in flow has occurred. An output signal from two out of the three bistables in a loop would indicate a low flow in that loop.
: b. Reactor coolant pump underspeed trip This function protects the reactor core from DNB in the event of loss of flow in more than one loop by tripping the reactor when the speeds on two out of the four reactor coolant pumps fall below the setpoints. Loss of flow in more than one loop could be caused by a voltage or frequency transient in the plant power supply such as would occur during a loss of offsite power, or by accidental opening of more than one RCP circuit breaker.
There is one speed detector mounted on each reactor coolant pump. The trip is blocked below P-7 to permit plant startup.
RCP speed is detected by a probe mounted on the reactor coolant pump frame. The speed signal is transmitted to the Process Instrumentation and Control System, which converts the signal to a bistable output to the solid state protection system to provide the trip logic function described above.
The RCP underspeed trip replaces the undervoltage and underfrequency reactor trips used previously. The principal reason for this change is to improve plant availability during voltage dip transients which do not result in violations of plant safety limits. The undervoltage trip setpoint was chosen to trip the reactor if the RCP motor pull out torque dropped below nominal due to low voltage. This event could cause a pump speed decrease and a consequent flow reduction. The basis for the undervoltage trip setpoint and time response was the demonstration of acceptable results for the complete loss of flow accident. Transient voltage reductions below the undervoltage trip setpoint followed by subsequent voltage recovery could result in an undervoltage reactor trip even though pump speed and flow reductions would not violate safety limits.
The RCP underspeed trip provides a more direct measurement of the parameter of interest, and will permit the plant to ride through many postulated voltage dip transients without reactor trip if safety limits are not violated. Selection of the underspeed trip setpoint and time response provide for the timely initiation of reactor trip during the complete loss of flow accident and the limiting frequency decay event, consistent with the analysis results reported in Chapter 15.
The logic for this trip is shown on Figure 7.2-1, Sheet 5. The development of P-7 is shown on Figure 7.2-1, Sheet 4.
The capability for sensor checks and for test and calibration of the RCP underspeed trip is in accordance with Sections 4.9 and 4.10 of IEEE-279-1971.
 
complete loss of flow accident and the limiting frequency decay event) in an environment (i.e., temperature, humidity, pressure, chemical, and radiation) no more severe than the environment in which they are required to perform their normal function. Therefore, it is not necessary to impose environmental qualification requirements on these detectors that are more restrictive than those imposed for use under rated conditions. The RCP speed detectors will be qualified for use under rated conditions with their performance verified by actual on-line operation in the plant. The RCP speed detectors will also require qualification to the worst vibrations to which they could be subjected and required to operate.
: 6. Steam Generator Low-Low Level Trip This trip protects the reactor from loss of heat sink. This trip is actuated on two out of four low-low water level signals occurring in any steam generator.
The logic is shown on Figure 7.2-1, Sheet 7.
: 7. Reactor Trip on a Turbine Trip (anticipatory)
The reactor trip on a turbine trip is actuated by two out of three logic from emergency trip fluid pressure signals or by all closed signals from the turbine steam stop valves. A turbine trip causes a direct reactor trip above P-9. Below P-9 the turbine trip to reactor trip signal is blocked. The reactor trip on turbine trip provides additional protection and conservatism beyond that required for the health and safety of the public. This trip is included as part of good engineering practice and prudent design. No credit is taken in any of the safety analysis (Chapter 15) for this trip.
The turbine provides anticipatory trips to the reactor protection system from contacts which change position when the turbine stop valves close or when the turbine emergency trip fluid pressure goes below its setpoint. Digital isolators (Section 7.2.1.1.8) have been used to isolate these contacts from the reactor protection system cabinets which receive the inputs from these contacts.
One of the design bases considered in the protection system is the possibility of an earthquake. With respect to these contacts, their functioning is unrelated to a seismic event in that they are anticipatory to other diverse parameters which cause reactor trip. The contacts are shut during plant operation and open to cause reactor trip when the turbine is tripped. No power is provided to the protection system from the contacts; they merely serve to interrupt power to cause reactor trip. This design functions in a deenergize-to-trip fashion to cause a plant trip if power is interrupted in the trip circuitry. This ensures that the protection system will in no way be degraded by this anticipatory trip because seismic design considerations do
 
sensors are, of course, seismically qualified as discussed in Section 3.10.) The anticipatory trips thus meet IEEE-279-1971 and BTP ICSB-26, including redundancy, separation, single failure, etc. Seismic qualification of the contacts sensors is not required.
The logic for this trip is shown on Figure 7.2-1, Sheet 16.
: 8. Safety Injection Signal Actuation Trip A reactor trip occurs when a safety injection signal is initiated. The means of actuating the safety injection system are described in Section 7.3. This trip protects the core against a pipe rupture in the secondary system, an inadvertent secondary system depressurization, an inadvertent operation of the ECCS during power operations, or any other accident which results in a safety injection signal before a reactor trip is generated by the reactor trip system.
Figure 7.2-1, Sheet 8, shows the logic for this trip.
: 9. Manual Trip The manual trip consists of two switches. Each trip switch actuates the undervoltage and shunt trip attachments of the Train A and Train B reactor trip breakers and, when one of them is racked-in for surveillance testing, the Train A or Train B reactor trip bypass breakers.
There are no interlocks which can block this trip. Figure 7.2-1, Sheet 3, shows the manual trip logic. The design conforms to Regulatory Guide 1.62, as shown on Figure 7.1-1.
7.2.1.1.3  Reactor Trip System Interlocks
: 1. Power Escalation Permissives The overpower protection provided by the out of core nuclear instrumentation consists of three discrete, but overlapping ranges. Continuation of startup operation or power increase requires a permissive signal from the higher range instrumentation channels before the lower range level trips can be manually blocked by the operator.
One of two intermediate range permissive signals (P-6) is required prior to source range trip blocking and detector high voltage cutoff. Source range trips are automatically reactivated and high voltage restored when both intermediate range channels are below the permissive (P-6) setpoint. There are two manual reset switches for administratively reactivating the source range level trip and detector
 
above the permissive P-10 setpoint.
The intermediate range level trip and power range (low setpoint) trip can only be blocked after satisfactory operation and permissive information are obtained from two of four power range channels. Four individual blocking switches are provided so that the low range power range trip and intermediate range trip can be independently blocked (one switch for each train). These trips are automatically reactivated when any three of the four power range channels are below the permissive (P-10) setpoint, thus ensuring automatic activation to more restrictive trip protection.
The development of permissives P-6 and P-10 is shown on Figure 7.2-1, Sheet 4.
Both of the permissives are digital; they are derived from analog signals in the nuclear power range and intermediate range channels.
: 2. Blocks of Reactor Trips at Low Power Interlock P-7 blocks a reactor trip at low power (below approximately 10 percent of full power) on a low reactor coolant flow in more than one loop, reactor coolant pump underspeed, pressurizer low pressure, and pressurizer high water level. See Figure 7.2-1, Sheets 5, 6, and 16, for permissive applications. The low power signal is derived from three out of four power range neutron flux signals below the setpoint in coincidence with two out of two turbine impulse chamber pressure signals below the setpoint (low plant load). See Figure 7.2-1, Sheets 4 and 16, for the derivation of P-7.
The P-8 interlock blocks a reactor trip when the plant is below the P-8 setpoint listed in Technical Specifications Table 2.2-1, on a low reactor coolant flow in any one loop. The block action (absence of the P-8 interlock signal) occurs when three out of four neutron flux power range signals are below the setpoint. Thus, below the P-8 setpoint, the reactor has the capability to operate with one inactive loop and trip will not occur until two loops are indicating low flow. See Figure 7.2-1, Sheet 4, for derivation of P-8, and Sheet 5 for applicable logic.
The P-9 interlock blocks a reactor trip when the plant is below 51 percent of full power, on a turbine trip. The block action (absence of the P-9 interlock signal) occurs when three out of four neutron flux power range signals are below the setpoint. See Figure 7.2-1, Sheet 4, for the derivation of P-9 and Sheet 16 for applicable logic.
See Table 7.2-2 for the list of protection system blocks.
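The P-7, P-8 and P-9 blocks and the coincidence voting described above, as an added Python example that is not part of the original report. The P-7 (approximately 10 percent) and P-9 (51 percent) values are taken from the text; `P8_SETPOINT`, the `Inputs` structure and all function names are constructed for illustration, since the report defers the P-8 value to Technical Specifications Table 2.2-1.

```python
"""Low-power blocks (P-7, P-8, P-9) and coincidence voting for the low flow,
RCP underspeed and turbine trip functions. Illustrative model only."""
from dataclasses import dataclass

P7_SETPOINT = 10.0   # % full power, "approximately 10 percent" in the text
P8_SETPOINT = 40.0   # % full power, CONSTRUCTED placeholder (Tech Spec Table 2.2-1)
P9_SETPOINT = 51.0   # % full power, from the text


def coincidence(signals, required):
    """True when at least `required` of the bistable inputs are actuated."""
    return sum(1 for s in signals if s) >= required


def below(power_channels, setpoint):
    """Three out of four power range channels reading below the setpoint."""
    return coincidence([p < setpoint for p in power_channels], 3)


@dataclass
class Inputs:
    power_range_pct: list       # four power range channels, % full power
    turbine_impulse_low: list   # two turbine impulse chamber pressure bistables
    loop_flow_low: list         # four loops, three low flow bistables each
    rcp_underspeed: list        # one underspeed bistable per pump
    turbine_tripped: bool = False


def evaluate(inp):
    """Return (blocks, trips): which blocks are active and which trips demand."""
    power = inp.power_range_pct
    blocks = {
        # P-7: low flux (3/4) in coincidence with low turbine load (2/2)
        "P-7": below(power, P7_SETPOINT)
               and coincidence(inp.turbine_impulse_low, 2),
        "P-8": below(power, P8_SETPOINT),
        "P-9": below(power, P9_SETPOINT),
    }
    # A loop indicates low flow on two out of its three bistables.
    loops_low = sum(1 for b in inp.loop_flow_low if coincidence(b, 2))
    trips = []
    if loops_low >= 1 and not blocks["P-8"]:
        trips.append("low flow, one loop")
    if loops_low >= 2 and not blocks["P-7"]:
        trips.append("low flow, two loops")
    if coincidence(inp.rcp_underspeed, 2) and not blocks["P-7"]:
        trips.append("RCP underspeed")
    if inp.turbine_tripped and not blocks["P-9"]:
        trips.append("turbine trip")
    return blocks, trips


def sample(power, impulse_low=(False, False), loops_low=0, pumps_slow=0,
           turbine_tripped=False):
    """Constructed plant state. Healthy loops carry one actuated bistable to
    show that a single failed bistable does not indicate low flow."""
    flow = [[True, True, False] if i < loops_low else [True, False, False]
            for i in range(4)]
    slow = [i < pumps_slow for i in range(4)]
    return Inputs(list(power), list(impulse_low), flow, slow, turbine_tripped)


if __name__ == "__main__":
    cases = {
        "full power, one loop low": sample([100] * 4, loops_low=1),
        "30 %, one loop low": sample([30] * 4, loops_low=1),
        "5 %, low load, two loops low": sample([5] * 4, (True, True), 2, 2),
        "5 %, one impulse channel not low": sample([5] * 4, (True, False), 2, 2),
    }
    for name, state in cases.items():
        print(name, "->", evaluate(state)[1])
```

Because each block itself needs three of four flux channels (and, for P-7, both turbine impulse channels) below setpoint, one channel failed high leaves the block in place while any loss of that coincidence re-enables the trips.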
 
The individual narrow range hot and cold leg temperature signals required for input to the reactor trip circuits and interlocks are obtained using RTDs installed in each reactor coolant loop.
The hot leg temperature measurement on each loop is accomplished with three fast-response, narrow-range, single-element RTDs mounted in thermowells, spatially located approximately around the hot leg. One wide range RTD is installed in each hot leg. One fast response, narrow range, dual element RTD is located in each cold leg at the discharge of the reactor coolant pump. One wide range RTD is installed in each cold leg. Temperature streaming in the cold leg is minimized due to the mixing action of the RCP; hence, only one narrow range cold leg RTD is required.
The narrow range cold leg temperature measurement, together with the average obtained from the three narrow range hot leg temperatures, is used to calculate reactor coolant loop delta-T and Tavg which are used in the reactor control and protection system.
7.2.1.1.5    Pressurizer Water Level Reference Leg Arrangement
The design of the pressurizer water level instrumentation employs a tank level arrangement using differential pressure between an upper and a lower tap on a column of water. A reference leg connected to the upper tap is kept full of water by condensation of steam at the top of the leg.
7.2.1.1.6    Analog System
The analog system consists of two instrumentation systems; the process instrumentation system and the nuclear instrumentation system.
Process instrumentation includes those devices (and their interconnection into systems) which measure temperature, pressure, fluid flow, fluid level as in tanks or vessels, and occasional physiochemical parameters such as fluid conductivity or chemical concentration. Process instrumentation specifically excludes nuclear and radiation measurements. The process instrumentation includes the process measuring devices, power supplies, indicators, recorders, alarm actuating devices, controllers, signal conditioning devices, etc., which are necessary for day-to-day operation of the nuclear steam supply system (NSSS) as well as for monitoring the plant and providing initiation of protective functions upon approach to unsafe plant conditions.
The primary function of nuclear instrumentation is to protect the reactor by monitoring the neutron flux and generating appropriate trips and alarms for various phases of reactor operating and shutdown conditions. It also provides a secondary control function and indicates reactor status during startup and power operation. The nuclear instrumentation system (NIS) uses information from three separate types of instrumentation channels to provide three discrete protection levels. Each range of instrumentation (source, intermediate, and power) provides the necessary overpower reactor trip protection required during operation in that range. The overlap of instrument ranges provides reliable continuous protection beginning with source level through the intermediate and low power level. As the reactor power increases, the overpower protection
 
ucing power.
Various types of neutron detectors, with appropriate solid-state electronic circuitry, are used to monitor the leakage neutron flux from a completely shutdown condition to 120 percent of full power. The power range channels are capable of recording overpower excursions up to 200 percent of full power. The neutron flux covers a wide range between these extremes.
The nuclear instrumentation providing reactor trip functions utilizes multiple-range detectors (i.e., detectors to monitor source range, compensated ion chambers for intermediate range, and uncompensated ion chambers for power range). Compliance to requirements of Regulatory Guide   , Revision 2, (post-accident) and Appendix R to 10 CFR 50 (safe shutdown instrumentation) is achieved through the use of dual-redundant channels of extended range fission chambers capable of monitoring twelve decades of reactor power. The extended range fission chambers provide input to shutdown monitors which detect and annunciate a loss of shutdown margin, such as inadvertent boron dilution during shutdown or refueling. The extended range fission chambers do not interface with the solid state protection system described in Section 7.2.1.1.7.
The lowest range (source range) covers six decades of leakage neutron flux. The lowest observed count rate depends on the strength of the neutron sources in the core and the core multiplication associated with the shutdown reactivity. This is generally greater than two counts per second. The next range (intermediate range) covers eight decades. Detectors and instrumentation are chosen to provide overlap between the higher portion of the source range and the lower portion of the intermediate range. The highest range of instrumentation (power range) covers approximately two decades of the total instrumentation range. This is a linear range that overlaps with the higher portion of the intermediate range.
The system described above provides control room indication and recording of signals proportional to reactor neutron flux during core loading, shutdown, startup and power operation, as well as during subsequent refueling. Start-up-rate indication for the source and intermediate range channels is provided at the control board. Reactor trip, rod stop, control and alarm signals are transmitted to the reactor control and protection system for automatic plant control.
Equipment failures and test status information are annunciated in the control room. See WCAP-7913 and WCAP-8255 for additional background information on the process and nuclear instrumentation.
7.2.1.1.7    Solid State Logic Protection System
The solid state logic protection system takes binary inputs (voltage/no voltage) from the process and nuclear instrument channels corresponding to conditions (normal/abnormal) of plant parameters. The system combines these signals in the required logic combination and generates a signal by interrupting voltage to the undervoltage trip attachments and by supplying voltage to the shunt trip auxiliary relay coils of the reactor trip breakers when the necessary combination of signals occur. The system also provides annunciator, status light and computer input signals which indicate the condition of bistable input signals, partial trip and full trip functions and the
 
WCAP-7672).
7.2.1.1.8    Isolators
Analog Isolators
In certain applications, Westinghouse considers it advantageous to employ control signals derived from individual protection channels through isolation amplifiers contained in the protection channel, as permitted by IEEE Standard 279-1971.
In all of these cases, analog signals derived from protection channels for non-protective functions are obtained through isolation amplifiers located in the analog protection racks. By definition, non-protective functions include those signals used for control, remote process indication, and computer monitoring. Refer to Section 7.1.2.2.1 for discussion of electrical separation of control and protection functions.
Digital Isolators
Digital isolators provide separation between safety and non safety related control circuits. They are located in the process instrumentation and control system, the nuclear instrumentation system, and the solid state protection system. The isolators meet all the requirements of Regulatory Guides 1.75 and 1.89 for Class IE isolation devices.
Isolator cabinets are located in various places throughout the plant and provide an interface between Class IE equipment and Non-Class IE equipment. All the wiring and devices in the isolator cabinets associated with Class IE equipment are separated from those associated with Non-Class IE equipment by a barrier panel so that any credible failure of Non-Class IE equipment will not prevent the proper functioning of the Class IE system. The isolators consist of a coil on one side of the barrier and a magnetically operated reed switch on the other side.
7.2.1.1.9    Energy Supply and Environmental Variations
The energy supply for the reactor trip system, including the voltage and frequency variations, is described in Section 7.6 and Chapter 8. The environmental variations, throughout which the system performs, are given in Section 3.11 and Chapter 8.
7.2.1.1.10 Setpoints
The setpoints that require trip action are given in the Technical Specifications. A detailed discussion on setpoints is found in Section 7.1.2.1.9.
 
The seismic design considerations for the reactor trip system are given in Section 3.10. This design meets the requirements of Criterion 2 of the 1971 General Design Criteria (GDC).
7.2.1.2    Design Bases Information
The information given below presents the design bases information requested by Section 3 of IEEE Standard 279-1971. Functional logic diagrams are presented on Figure 7.2-1.
7.2.1.2.1  Generating Station Conditions
The reactor trip system limits the generating station conditions to:
: 1.      DNBR not less than the safety analysis limits (see Section 4.4).
: 2.      Power density (kilowatts per foot) not greater than the rated value for Condition II faults (see Section 4.1).
: 3.      Reactor coolant system overpressure creating stresses approaching the limits specified in Chapter 5.
7.2.1.2.2  Generating Station Variables
The following are the variables and conditions required to be monitored in order to provide reactor trips (Table 7.2-1):
: 1.      Neutron flux.
: 2.      Reactor coolant temperature.
: 3.      Reactor coolant system pressure (pressurizer pressure).
: 4.      Pressurizer water level.
: 5.      Reactor coolant flow.
: 6.      Reactor coolant pump operational status (shaft speed).
: 7.      Steam generator water level.
: 8.      Turbine-generator operational status (trip fluid pressure and stop valve position).
: 9.      Automatic safety injection signals.
: 10.      Manual reactor trips.
: 12. SSPS N-1 misalignment.
N-1 operation is no longer within the Millstone Unit 3 Design Bases. Previously installed SSPS equipment to support N-1 operation still exists within the plant.
Therefore, the mis-alignment SSPS N-1 reactor trip has been maintained and remains operational should the selector switches be inadvertently actuated.
7.2.1.2.3    Spatially Dependent Variables
: 1.      The measurement of reactor coolant hot leg temperature has significant spatial dependence. The effect on the measurement is limited by taking three temperature measurements spaced approximately 120° apart around the hot leg.
: 2.      Reactor core power exhibits a spatial dependence across the plane of the core (i.e., radial power distribution) as well as along the length of the core (i.e., axial power distribution). The core safety limits, for which the Overpower and Overtemperature ΔT reactor trips provide protection, are developed assuming a reference core power distribution. A compensating term, f1(ΔI), is then added to the Overtemperature ΔT reactor trip to account for axial core power distributions more severe than the reference core power distribution. Upper and lower sections of each power range neutron flux channel provide the measurements required to synthesize the f1(ΔI) function.
7.2.1.2.4    Limits, Margins, and Setpoints
The parameter values that would require reactor trip are given in the Technical Specifications, the Core Operating Limits Report (COLR) and in Chapter 15, Accident Analyses. Chapter 15 proves the setpoints used in the Technical Specifications are conservative.
The setpoints for the various functions in the reactor trip system have been analytically determined such that the operational limits so prescribed will prevent fuel clad damage and loss of integrity of the reactor coolant system as a result of any ANS Condition II incident (anticipated malfunction). As such, during any ANS Condition II incident, the reactor trip system limits the following parameters to:
: 1.      DNBR not less than the safety analysis limits (see Section 4.4)
: 2.      Maximum system pressure not greater than 2750 psia
: 3.      Fuel rod maximum linear power not greater than the design limit (see Section 4.1)
The accident analyses described in Chapter 15 demonstrate that the functional requirements as specified for the reactor trip system are adequate to meet the above considerations, even when assuming, for conservatism, adverse combinations of instrument errors (Table 15.3-1). A
 
7.2.1.2.5  Abnormal Events
The malfunctions, accidents or other unusual events which could physically damage reactor trip system components or could cause environmental changes are as follows:
: 1.      Earthquakes (Chapters 2 and 3)
: 2.      Fire (Section 9.5)
: 3.      Explosion (hydrogen buildup inside containment) (Section 6.2)
: 4.      Missiles (Section 3.5)
: 5.      Flood (Chapters 2 and 3)
: 6.      Wind and tornadoes (Section 3.3)
The reactor trip system fulfills the requirements of IEEE Standard 279-1971 to provide automatic protection and to provide initiating signals to mitigate the consequences of faulted conditions. The reactor trip system relies upon provisions made by the owner and operator of the plant to provide protection against destruction of the system from fires, explosions, missiles, floods, wind, and tornadoes (see each item above).
7.2.1.2.6  Minimum Performance Requirements
: 1.      Reactor trip system response times Reactor trip system response time is defined in Section 7.1. Maximum allowable time delays in generating the reactor trip signal are tabulated in Table 7.2-3. (See Section 7.1.2.11 for a discussion of periodic response time verification capabilities.)
: 2.      Reactor trip accuracies Accuracy is defined in Section 7.1. Reactor trip accuracies are tabulated in Table 7.2-3. An additional discussion on accuracy is found in Section 7.1.2.1.9.
: 3.      Reactor trip system ranges Reactor trip system ranges are tabulated in Table 7.2-3. Range selection for the instrumentation covers the expected range of the process variable being monitored during power operation. Reactor trip setpoints are at least 5 percent from the end of the instrument span.
 
Functional block diagrams, electrical elementaries and other drawings required to assure electrical separation and perform a safety review are provided in the safety related drawing package (Section 1.7).
7.2.2    ANALYSES
7.2.2.1    Failure Mode and Effects Analyses
An analysis of the reactor trip system has been performed. Results of this study and a fault tree analysis are presented in WCAP-7706-L and WCAP-7706.
7.2.2.2    Evaluation of Design Limits
While most setpoints used in the reactor protection system are fixed, there are variable setpoints, most notably the overtemperature ΔT and overpower ΔT setpoints. All setpoints in the reactor trip system have been selected on the basis of engineering design or safety studies. The capability of the reactor trip system to prevent loss of integrity of the fuel cladding and/or reactor coolant system pressure boundary during Condition II and III transients is demonstrated in Chapter 15. These accident analyses are carried out using those setpoints determined from results of the engineering design studies. Setpoint limits are presented in the Technical Specifications and the COLR. A discussion of the intent for each of the various reactor trips and the accident analyses (where appropriate) which utilizes this trip is presented below. It should be noted that the selected setpoints all provide for margin before protection action is actually required to allow for instrument and process uncertainties. The design meets the requirements of Criteria 10 and 20 of the 1971 GDC.
7.2.2.2.1    Trip Setpoint Discussion
As discussed in Section 4.4, the departure from nucleate boiling (DNB) design basis is that there will be at least a 95 percent probability (at a 95 percent confidence level) that DNB will not occur due to Condition I and II events. If the DNBR were to decrease below the safety analysis limits during these events, the probability of local fuel cladding failure would be unacceptable. The DNBR existing at any point in the core for a given core design can be determined as a function of the core inlet temperature, power output, operating pressure and flow. Consequently, core safety limits which are based on the DNBR safety limits (see Section 4.4) are developed as a function of ΔT, Tavg and pressure, for a specified flow as illustrated by the solid lines on Figure 15.0-1.
Also shown as a dashed line on Figure 15.0-1 are the loci of conditions equivalent to 121 percent of power as a function of ΔT and Tavg representing the overpower (kW/ft) limit on the fuel (see Chapter 4). The dashed lines indicate the maximum permissible setpoint (ΔT) as a function of Tavg and pressure for the overtemperature and overpower reactor trip. Actual setpoint constants in the equation representing the dashed lines are as given in the COLR. These values are conservative to allow for instrument errors. The design meets the requirements of Criteria 10, 15, and 29, of the 1971 GDC.
 
individually result in violation of a core safety limit; whereas the combined variations, over sufficient time, may cause the overpower or overtemperature safety limit to be exceeded. The design concept of the reactor trip system takes cognizance of this situation by providing reactor trips associated with individual process variables in addition to the overpower/overtemperature safety limit trips. Process variable trips prevent reactor operation whenever a change in the monitored value is such that a core or system safety limit is in danger of being exceeded should operation continue. Basically, the high pressure, low pressure and overpower/overtemperature ΔT trips provide sufficient protection for slow transients as opposed to such trips as low flow or high flux which will trip the reactor for rapid changes in flow or flux, respectively, that would result in damage before actuation of the slower responding ΔT trips could be effected.
Therefore, the reactor trip system has been designed to provide protection for fuel cladding and reactor coolant system pressure boundary integrity where:
: 1.      A rapid change in a single variable or factor will quickly result in exceeding a core or a system safety limit
: 2.      A slow change in one or more variables will have an integrated effect which will cause safety limits to be exceeded.
Overall, the reactor trip system offers diverse and comprehensive protection against fuel cladding failure and/or loss of reactor coolant system integrity for Condition II and III accidents. This is demonstrated by Table 7.2-4 which lists the various trips of the reactor trip system, the corresponding technical specification on safety limits and safety system settings and the appropriate accident discussed in the safety analyses in which the trip could be utilized.
resetting of the reactor trip system instrumentation setpoints as listed in the Technical Specifications will be carried out under prescribed administrative procedures, under the direction of authorized supervision, and with the plant conditions prescribed in Section 3.4.1.1 of the Technical Specifications.
The RTS design meets the requirements of Criterion 21 of the 1971 GDC.
Preoperational testing is performed on reactor trip system components and systems to determine equipment readiness for startup. This testing serves as a further evaluation of the system design.
Analyses of the results of Condition I, II, III, and IV events, including considerations of instrumentation installed to mitigate their consequences, are presented in Chapter 15. The instrumentation installed to mitigate the consequences of load rejection and turbine trip is given in Section 7.4.
 
The elbow taps used on each loop in the primary coolant system are instrument devices that indicate the status of the reactor coolant flow. The basic function of this device is to provide information as to whether or not a reduction in flow has occurred. The correlation between flow and elbow tap signal is given by the following equation:
$$\frac{\Delta P}{\Delta P_o} = \left(\frac{W}{W_o}\right)^2 \qquad (7.2\text{-}3)$$
where ΔPo is the pressure differential at the reference flow Wo, and ΔP is the pressure differential for the corresponding flow, W. The full flow reference point is established during initial plant startup. The low flow trip point is then established by extrapolating along the correlation curve.
The expected absolute accuracy of the channel is within 10 percent of full flow and field results have shown the repeatability of the trip point to be within 1 percent.
2.2.3        Evaluation of Compliance to Applicable Codes and Standards
The reactor trip system meets the criteria of the general design criteria as indicated. The reactor trip system meets the requirements of Section 4 of IEEE Standard 279-1971, as indicated below:
: 1.        General Functional Requirement The protection system automatically initiates appropriate protective action whenever a condition monitored by the system reaches a preset level. Functional performance requirements are given in Section 7.2.1.1.1. Section 7.2.1.2.4 presents a discussion of limits, margins and levels; Section 7.2.1.2.5 discusses abnormal events; and Section 7.2.1.2.6 presents minimum performance requirements.
: 2.        Single Failure Criterion The protection system is designed to provide two, three, or four instrumentation channels for each protective function and two logic train circuits. These redundant channels and trains are electrically isolated and physically separated. Thus, any single failure within a channel or train does not prevent protective action at the system level when required. Loss of input power, the most likely mode of failure, to a channel or logic train, will result in a signal calling for a trip. This design meets the requirements of Criterion 23 of the 1971 GDC.
To prevent the occurrence of common mode failures, such additional measures as functional diversity, physical separation, and testing as well as administrative control during design, production, installation and operation, are employed, as discussed in WCAP-7706-L and WCAP-7706. The design meets the requirements of Criteria 21 and 22 of the 1971 GDC.
 
For a discussion on the quality of the components and modules used in the reactor trip system, refer to Chapter 17. The quality assurance applied conforms to Criterion 1 of the 1971 GDC.
: 4. Equipment Qualification For a discussion of the type tests made to verify the performance requirements, refer to Section 3.11. The test results demonstrate that the design meets the requirements of Criterion 4 of the 1971 GDC.
: 5. Channel Integrity Protection system channels required to operate in accident conditions maintain necessary functional capability under extremes of conditions relating to environment, energy supply, malfunctions, and accidents. The energy supply for the reactor trip system is described in Section 7.6 and Chapter 8. The environmental variations, throughout which the system will perform are given in Section 3.11.
: 6. Independence Channel independence is carried throughout the system, extending from the sensor through to the devices actuating the protective function. Physical separation is used to achieve separation of redundant transmitters. Separation of wiring is achieved using separate wireways, cable trays, conduit runs and containment penetrations for each redundant channel. Redundant analog equipment is separated by locating modules in different protection cabinets. Each redundant protection channel set is energized from a separate AC power feed. This design meets the requirements of Criterion 21 of the 1971 GDC.
Two reactor trip breakers are actuated by two separate logic matrices which interrupt power to the control rod drive mechanisms. The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all full-length control rod drive mechanisms, permitting the rods to free fall into the core. See Figure 7.1-1.
The design philosophy is to make maximum use of a wide variety of measurements. The protection system continuously monitors numerous diverse system variables. Generally, two or more diverse protection functions would terminate an accident before intolerable consequences could occur (see Table 15.0-6). This design meets the requirements of Criterion 22 of the 1971 GDC.
: 7. Control and Protection System Interaction
 
derived from individual protective channels through isolation amplifiers. The isolation amplifiers are classified as part of the protection system and are located in the analog protective racks. Non-protective functions include those signals used for control, remote process indication, and computer monitoring. The isolation amplifiers are designed such that a short circuit, open circuit, or the application of credible fault voltages from within the cabinets on the isolated output portion of the circuit, i.e., the non-protective side of the circuit, does not affect the input (protective) side of the circuit. The signals obtained through the isolation amplifiers are never returned to the protective racks. This design meets the requirements of Criterion 24 of the 1971 GDC and Paragraph 4.7 of IEEE Standard 279-1971.
The results of applying various malfunction conditions on the output portion of the isolation amplifiers show that no significant disturbance to the isolation amplifier input signal occurred.
: 8. Derivation of System Inputs To the extent feasible and practical, protection system inputs are derived from signals which are direct measures of the desired variables. Variables monitored for the various reactor trips are listed in Section 7.2.1.2.2.
: 9. Capability for Sensor Checks The operational availability of each system input sensor during reactor operation is accomplished by cross checking between channels that bear a known relationship to each other and that have read-outs available. Channel checks are discussed in Technical Specification 3/4.3 and Table 4.3-1 of the Technical Specifications.
: 10. Capability for Testing The reactor trip system is capable of being tested during power operation. Where only parts of the system are tested at any one time, the testing sequence provides the necessary overlap between the parts to assure complete system operation. The testing capabilities are in conformance with Regulatory Guide 1.22 as discussed in Section 7.1.2.5.
The protection system is designed to permit periodic testing of the analog channel portion of the reactor trip system during reactor power operation without initiating a protective action unless a trip condition actually exists. This is because of the coincidence logic required for reactor trip. These tests may be performed at any plant power from cold shutdown to full power. Before starting any of these tests with the plant at power, all redundant reactor trip channels associated with the function to be tested must be in the normal (untripped) mode in order to avoid
 
Analog Channel Tests Analog channel testing is performed at the analog instrumentation rack set by individually introducing dummy input signals into the instrumentation channels and observing the tripping of the appropriate output bistables. Process analog output to the logic circuitry is interrupted during individual channel test by a test switch which, when thrown, de-energizes the associated logic input and inserts a proving lamp in the bistable output. Interruption of the bistable output to the logic circuitry for any reason (test, maintenance purposes, or removed from service) will cause that portion of the logic to be actuated (partial trip), accompanied by a partial trip alarm and channel status light actuation in the control room. Each channel contains those switches, test points, etc., necessary to test the channel (WCAP-7913; WCAP-8255).
The following periodic tests of the analog channels of the protection circuits are performed:
: a.      Tavg and ΔT protection channel testing.
: b.      Pressurizer pressure protection channel testing.
: c.      Pressurizer water level protection channel testing.
: d.      Steam generator water level protection channel testing.
: e.      Reactor coolant low flow, underspeed protection channels.
: f.      Impulse chamber pressure channel testing.
Nuclear Instrumentation Channel Tests Prior to testing, the power range channels of the Nuclear Instrumentation System (NIS) may be calibrated on a tripped channel with the channel detector disabled to eliminate live channel interference. Because the power range channel reactor trip logic is two out of four, channel trip bypass is not required. The channel is tripped by removing the control power fuses in the channel under test. This results in a one out of three logic to cause a reactor trip.
To test a power range channel, a TEST-OPERATE switch is provided to require deliberate operator action, operation of which initiates the CHANNEL TEST annunciator in the control room. The channel may be tested with the channel tripped or by restoring the channel to operation. It should be noted that if testing is performed after the channel is restored to operation, a valid trip signal would cause
 
by increasing the test signal to its trip setpoint and verifying bistable relay operation by control board annunciator and trip status lights.
A nuclear instrumentation system channel which can cause a reactor trip through one of two protection logic (source or intermediate range) is provided with a bypass function which prevents the initiation of a reactor trip from that particular channel during the short period that it is undergoing test. These bypasses are annunciated in the control room.
The nuclear instrumentation system periodically in accordance with Table 4.3-1 of the Technical Specifications.
Any deviations noted during the performance of the tests are investigated and corrected in accordance with the established calibration and troubleshooting procedures for the nuclear instrumentation system. Reactor trip setpoints are indicated in the Technical Specifications.
For additional background information on the nuclear instrumentation system, refer to WCAP-8255.
Solid State Logic Testing The reactor logic trains of the reactor trip system are designed to be capable of complete testing at power. After the individual channel analog testing is complete, the logic matrices are tested from the Train A and Train B logic rack test panels.
This step provides overlap between the analog and logic portions of the test program. During this test, all of the logic inputs are actuated automatically in all combinations of trip and non-trip logic. The reactor trip undervoltage and shunt trip relay coils are pulsed in order to check logic. During logic testing of one train, the other train can initiate any required protective functions. Door limit switches on each door of each train assembly provide remote indication of open solid state protection system doors. Annunciation is also provided in the control room to indicate when a train is in test (train output bypassed) and when a reactor trip breaker is bypassed. Logic testing can be performed in less than 30 minutes.
Logic testing is one of the SSPS surveillances. Refer to Technical Specifications Section 3/4.3.1 for Reactor Trip System surveillance requirements and limiting conditions for operation.
A reactor trip resulting from underspeed of the reactor coolant pumps is provided as discussed in Section 7.2.1 and shown on Figure 7.2-1. The logic for this trip is capable of being tested during power operation. When parts of the trip are being tested, the sequence is such that an overlap is provided between parts so that a complete logic test is provided.
 
The permissive and block interlocks associated with the reactor trip system and engineered safety features actuation system are given in Tables 7.2-2 and 7.3-3 and designated protection or p interlocks. As a part of the protection system, these interlocks are designed to meet the testing requirements of IEEE Standard 279-1971 and 338-1971.
Testing of all protection system interlocks is provided by the logic testing and semi-automatic testing capabilities of the solid state protection system. In the solid state protection system, the undervoltage trip attachment and shunt trip auxiliary relay coils (reactor trip) and master relays (engineered safeguards actuation) are pulsed for all combinations of trip or actuation logic with and without the interlock signals. For example, reactor trip on low flow (2 out of 4 loops showing 2 out of 3 low flow) is tested to verify operability of the trip above P-7 and non-trip below P-7 (Figure 7.2-1, Sheet 5). Interlock testing may be performed at power.
Testing of the logic trains of the reactor trip system includes a check of the input relays and a logic matrix check. The following sequence is used to test the system:
: a.      Check of input relays During testing of the process instrumentation system and nuclear instrumentation system channels, each channel bistable is placed in a trip mode causing one input relay in Train A and one in Train B to de-energize.
A contact of each relay is connected to a universal logic printed circuit card. This card performs both the reactor trip and monitoring functions.
Each reactor trip input relay contact causes a status lamp and an annunciator on the control board to operate. Either the Train A or Train B input relay operation lights the status lamp and annunciator.
Each train contains a multiplexing test switch. At the start of a process or nuclear instrumentation system test, this switch (in either train) is placed in the A  B position. The A  B position alternately allows for information to be transmitted from the two trains to the control board. A steady status lamp and annunciator indicates that input relays in both trains have been de-energized. A flashing lamp means that the input relays in the two trains did not both de-energize. Contact inputs to the logic protection system such as turbine stop valve limit switches operate input relays which are tested by operating the remote contacts as described above and using the same type of indications as those provided for bistable input relays.
Actuation of the input relays provides the overlap between the testing of the logic protection system and the testing of those systems supplying the inputs to the logic protection system. Test indications are status lamps and
 
example, a function that trips the reactor when two out of four channels trip becomes a one out of three trip when one channel is placed in the trip mode. Both trains of the logic protection system remain in service during this portion of the test.
: b. Check of logic matrices Logic matrices are checked one train at a time. Input relays are not operated during this portion of the test. Reactor trips from the train being tested are inhibited with the use of the input error inhibit switch on the semi-automatic test panel in the train. At the completion of the logic matrix tests, the bistable status lights on the main control board section 4 (3IHA-ANNMB4G) will be checked to ensure the closure of the input error inhibit switch contacts. The tripped condition of the bistable status lights for Power Range P-10 Permissives channel 1 through 4 or Turbine Stop Valves 1 through 4 will be checked depending on the plant thermal power level (above 10% or below 10% respectively) during the test. The logic test scheme uses pulse techniques to check the coincidence logic. All possible trip and non trip combinations are checked. Pulses from the tester are applied to the inputs of the universal logic card at the same terminals that connect to the input relay contacts. Thus there is an overlap between the input relay check and the logic matrix check. Pulses are fed back from the reactor trip breaker undervoltage trip attachment and shunt trip auxiliary relay coils to the tester. The pulses are of such short duration that the reactor trip breaker undervoltage coil armature cannot respond mechanically (Figure 7.1-2).
Test indications that are provided are an annunciator in the control room indicating that reactor trips from the train have been blocked and that the train is being tested, and green and red lamps on the semi-automatic tester indicate a good or bad logic matrix test. Protection capability provided during this portion of the test is from the train not being tested.
The testing capability meets the requirements of Criterion 21 of the 1971 GDC.
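The coincidence logic and the exhaustive logic matrix check described above can be modelled in a few lines. The following is an added example, not code from the plant or its vendor: it models only the Boolean logic (no pulse timing), the function names are hypothetical, and the stuck input contact is a constructed fault used to show what a "bad" matrix test looks like.

```python
"""Model of the low-flow coincidence logic and its exhaustive matrix check.
Added illustration: names and the injected fault are constructed."""
from itertools import product


def vote(tripped, k):
    """k-out-of-n coincidence: trip when at least k inputs call for a trip."""
    return sum(tripped) >= k


def input_relays(energized):
    """De-energize-to-trip: a relay that has lost power reads as a trip."""
    return [not e for e in energized]


def low_flow_trip(loops_energized, above_p7):
    """Low-flow trip as the text states it: 2 out of 4 loops, each showing
    2 out of 3 low-flow bistables, with no trip below P-7."""
    loop_low = [vote(input_relays(loop), 2) for loop in loops_energized]
    return above_p7 and vote(loop_low, 2)


def stuck_input(logic, loop, channel):
    """Constructed fault: one input contact stuck in the energized
    (non-trip) state, so that bistable can never be seen as tripped."""
    def faulty(loops_energized, above_p7):
        loops = [list(l) for l in loops_energized]
        loops[loop][channel] = True
        return logic(loops, above_p7)
    return faulty


def reference(loops_energized, above_p7):
    """Independent statement of the requirement, used as the test oracle."""
    if not above_p7:
        return False
    low_loops = 0
    for loop in loops_energized:
        if list(loop).count(False) >= 2:   # False = de-energized = tripped
            low_loops += 1
    return low_loops >= 2


def matrix_test(logic):
    """Apply every trip / non-trip input combination, with and without the
    P-7 permissive, and count disagreements with the reference.
    Zero mismatches corresponds to the green lamp, anything else to red."""
    total = mismatches = 0
    for bits in product([True, False], repeat=12):   # 4 loops x 3 bistables
        loops = [bits[i:i + 3] for i in range(0, 12, 3)]
        for above_p7 in (True, False):
            total += 1
            if logic(loops, above_p7) != reference(loops, above_p7):
                mismatches += 1
    return total, mismatches


def remaining_coincidence(n, k, held_tripped):
    """With `held_tripped` channels placed in the trip mode for test, return
    (additional trips needed, channels still in service) for a k-out-of-n vote."""
    others = n - held_tripped
    for need in range(others + 1):
        state = [True] * (held_tripped + need) + [False] * (others - need)
        if vote(state, k):
            return need, others
    return None, others


if __name__ == "__main__":
    print("healthy logic (combinations, mismatches):", matrix_test(low_flow_trip))
    print("stuck contact (combinations, mismatches):",
          matrix_test(stuck_input(low_flow_trip, 0, 0)))
    print("2-out-of-4 with one channel in trip mode:",
          remaining_coincidence(4, 2, 1))
```

The single stuck contact changes the output in only a small fraction of the input combinations, which is why the check has to exercise all of them rather than a sample.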
Testing of Reactor Trip Breakers Normally, reactor trip breakers 52/RTA and 52/RTB are in service, and bypass breakers 52/BYA and 52/BYB are withdrawn (out of service). The following procedure describes the method used for testing the trip breakers:
: a. With bypass breaker 52/BYA racked out in the Test position, manually close and trip it to verify its operation.
 
Block pushbutton on the automatic shunt trip panel. This verifies operation of the undervoltage trip attachment (UVTA) when the breaker trips. After reclosing RTA, trip it again by operation of the Auto Shunt Trip Test pushbutton on the automatic shunt trip panel. This is to verify tripping of the breaker through the shunt trip device.
: c.      Close 52/RTA.
: d.      Trip and rack out 52/BYA.
: e.      Repeat above steps a through d to test reactor trip breaker 52/RTB using bypass breaker 52/BYB.
Auxiliary contacts of the bypass breakers are connected into the alarm system of their respective trains such that if either train is placed in test while the bypass breaker of the other train is closed, both reactor trip breakers and both bypass breakers automatically trip.
Auxiliary contacts of the bypass breakers are also connected in such a way that if an attempt is made to close the bypass breaker in one train while the bypass breaker of the other train is already closed, both bypass breakers automatically trip.
The Train A and Train B alarm systems operate separate annunciators in the control room. The two bypass breakers also operate separate annunciators in the control room. Bypassing of a protection train with either the bypass breaker or with the test switches would result in audible and visual indications.
The complete reactor trip system is normally required to be in service. However, to permit online testing of the various protection channels or to permit continued operation in the event of a subsystem instrumentation channel failure, a technical specification, 3/4.3, defining the minimum number of operable channels has been formulated. This technical specification also defines the required restriction to operation in the event that the channel operability requirements cannot be met.
: 11. Channel Bypass or Removal from Operation The protection system is designed to permit periodic testing of the analog channel portion of the reactor trip system during reactor power operation without initiating a protective action unless a trip condition actually exists. This is because of the coincidence logic required for reactor trip. Additional information is given in Section 7.2.2.2.
: 12. Operating Bypass
 
whenever permissive conditions are not met (see Table 7.2-2). Devices used to achieve automatic removal of the bypass of a protective function are considered part of the protective system and are designed in accordance with the criteria of this section.
: 13. Indication of Bypasses Bypass indication is further discussed in Section 7.1.2.5.
Indication is provided in the control room if some part of the system has been administratively bypassed or taken out of service.
: 14. Access to Means for Bypassing The design provides for administrative control of access to the means for manually bypassing channels or protective functions.
: 15. Multiple Setpoints For monitoring neutron flux, multiple setpoints are used. When a more restrictive trip setting becomes necessary to provide adequate protection for a particular mode of operation or set of operating conditions, the protective system circuits are designed to provide positive means or administrative control to assure that the more restrictive trip setpoint is used. The devices used to prevent improper use of less restrictive trip settings are considered part of the protective system and are designed in accordance with the criteria of this section.
: 16. Completion of Protective Action The protection system is so designed that, once initiated, a protective action goes to completion. Return to normal operation requires action by the operator.
: 17. Manual Initiation Switches are provided on the control board for manual initiation of protective action. Failure in the automatic system does not prevent the manual actuation of the protective functions. Manual actuation relies on the operation of a minimum of equipment.
: 18. Access The design provides for administrative control of access to all setpoint adjustments, module calibration adjustments, and test points.
 
Protective channel identification is discussed in Section 7.1.2.3. Indication is discussed in Item 20 below.
: 20. Information Readout The protective system provides the operator with complete information pertinent to system status and safety. All transmitted signals (flow, pressure, temperature, etc.) which can cause a reactor trip will be either indicated or recorded for every channel, including all neutron flux power range currents (top detector, bottom detector, algebraic difference and average of bottom and top detector currents).
The only transmitted signal that is not indicated or recorded is the reactor coolant pump shaft speed. This speed does not need to be indicated or recorded because it is a parameter that the operator can neither control nor is it credible for the sensor to fail in ways to indicate erroneously high speed.
Any reactor trip will actuate an alarm and an annunciator. Such protective actions are indicated and identified down to the channel level.
Alarms and annunciators are also used to alert the operator of deviations from normal operating conditions so that he may take appropriate corrective action to avoid a reactor trip. Actuation of any rod stop or trip of any reactor trip channel will actuate an alarm.
: 21. System Repair The system is designed to facilitate the recognition, location, replacement, and repair of malfunctioning components or modules. Refer to the discussion in Item 10 above.
2.3    Specific Control and Protection Interactions
2.3.1    Neutron Flux
Four power range neutron flux channels are provided for overpower protection. An isolated auctioneered high signal is derived by auctioneering of the four channels for automatic rod control. If any channel fails in such a way as to produce a low output, that channel is incapable of proper overpower protection but will not cause control rod movement because of the auctioneer.
Two out of four overpower trip logic will ensure an overpower trip if needed even with an independent failure in another channel.
In addition, channel deviation signals in the control system will give an alarm if any neutron flux channel deviates significantly from the average of the flux signals. Also, the control system will respond only to rapid changes in indicated neutron flux; slow changes or drifts are compensated
 
2.3.2    Reactor Coolant Temperature
The accuracy of the narrow range resistance temperature detector loop temperature measurements is demonstrated during plant startup tests by comparing temperature measurements from all loop narrow range resistance temperature detectors with one another as well as with the temperature measurements obtained from the wide-range resistance temperature detector located in the hot leg and cold leg piping of each loop. The comparisons are done with the reactor coolant system in an isothermal condition. The linearity of the ΔT measurements obtained from the hot leg and cold leg narrow range loop resistance temperature detectors as a function of plant power is also checked during plant startup tests. The absolute value of ΔT versus plant power is not important, per se, as far as reactor protection is concerned. Reactor trip system setpoints are based upon percentages of indicated ΔT at nominal full power rather than on absolute values of ΔT. This is done to account for loop differences which are inherent. Therefore the percent ΔT scheme is relative, not absolute, and therefore provides better protective action without the expense of accuracy. For this reason, the linearity of the ΔT signals as a function of power is of importance rather than the absolute values of the ΔT. As part of the plant startup tests, the narrow range loop resistance temperature detector signals will be compared with the core exit thermocouple signals.
Reactor control is based upon signals derived from protection system channels after isolation by isolation amplifiers such that no feedback effect can perturb the protection channels.
Since control is based on the average temperature of the loop with the highest temperature, the control rods are always moved based upon the most pessimistic temperature measurement with respect to margins to DNB. A spurious low average temperature measurement from any loop temperature control channel will cause no control action; additionally, rod control cannot automatically withdraw rods. A spurious high average temperature measurement will cause rod insertion (safe direction).
Channel deviation signals in the control system will give an alarm if any temperature channel deviates significantly from the auctioneered (highest) value. Turbine runback (power demand reduction) will also occur if any two of the four overtemperature or overpower ΔT channels indicate an adverse condition.
2.3.3    Pressurizer Pressure
The pressurizer pressure protection channel signals are used for high and low pressure protection and as inputs to the overtemperature ΔT trip protection function and power-operated relief valves.
Isolated output signals from these channels are used for pressure control. These are used to control pressurizer spray and heaters. Pressurizer pressure is sensed by fast response pressure transmitters.
 
logic for safety injection to ensure low pressure protection.
Overpressure protection is based upon the positive surge of the reactor coolant produced as a result of turbine trip under full load, assuming the core continues to produce full power. The self-actuated safety valves are sized on the basis of steam flow from the pressurizer to accommodate this surge at a setpoint of 2500 psia and an accumulation of 3 percent. Note that no credit is taken for the relief capability provided by the power-operated relief valves during this surge.
In addition, operation of any one of the power-operated relief valves can maintain pressure below the high pressure trip point for most transients. The rate of pressure rise achievable with heaters is slow, and ample time and pressure alarms are available to alert the operator of the need for appropriate action.
Redundancy is not compromised by having a shared tap for two of the four pressurizer pressure transmitters (Section 7.2.1.1.2) since the logic for this trip is two out of four. If the shared tap is plugged, the affected channels remain static. If the impulse line bursts, the indicated pressure drops to zero. In either case the fault is easily detectable, and the protective function remains operable.
2.3.4      Pressurizer Water Level
Three pressurizer water level channels are used for reactor trip. Isolated signals from these channels are used for pressurizer water level control. A failure in the level control system could fill or empty the pressurizer at a rate that allows the operator to mitigate the transient.
The high pressurizer water level trip setpoint provides sufficient margin such that the undesirable condition of discharging liquid coolant through the safety valves is avoided. Even at full power conditions, which would produce the worst thermal expansion rates, a failure of the water level control would not lead to any liquid discharge through the safety valves. This is due to the operators taking manual action and the automatic high pressurizer pressure reactor trip, a function diverse to the high pressurizer water level trip, actuating at a pressure sufficiently below the safety valve setpoint to prevent liquid discharge.
For control failures which tend to empty the pressurizer, ample time and alarms exist to alert the operator of the need for appropriate action. If action is not taken, letdown will isolate on low pressurizer level, reducing RCS outflow. Should low pressurizer pressure occur, safety injection will actuate.
2.3.5      Steam Generator Water Level
The basic function of the reactor protection circuits associated with low-low steam generator water level is to preserve the steam generator heat sink for removal of long-term residual heat.
Should a complete loss of feedwater occur, the reactor would be tripped on low-low steam
 
steam generators are dry. This reduces the required capacity, increases the time interval before auxiliary feedwater pumps are required, and minimizes the thermal transient on the reactor coolant system and steam generators. Therefore, a low-low steam generator water level reactor trip circuit is provided for each steam generator to ensure that sufficient initial thermal capacity is available in the steam generator at the start of the transient. Two-out-of-four low-low steam generator water level trip logic ensures a reactor trip if needed even if the protection channel used for control fails and a second protection channel experiences a postulated random failure.
A spurious low signal from the feedwater flow channel being used for control would cause an increase in feedwater flow. The mismatch between steam flow and feedwater flow produced by the spurious signal would actuate alarms to alert the operator of the situation in time for manual correction. If the condition continues, a two-out-of-four high-high steam generator water level signal in any loop, independent of the indicated feedwater flow, will cause feedwater isolation and trip the turbine. The turbine trip will result in a subsequent reactor trip if power is above the P-9 setpoint. The high-high steam generator water level trip is an equipment protective trip preventing excessive moisture carryover which could damage the turbine blading.
In addition, a high-high steam generator water level turbine trip and feedwater isolation or a low-low steam generator water level reactor trip may be avoided in the event of a steam or feedwater instrument channel failure since the steam generator water level input to the three element steam generator water level controller will attempt to restore water level to its nominal setpoint.
A spurious high steam generator water level signal from the protection channel used for control will tend to close the feedwater valve. A spurious low steam generator water level signal will tend to open the feedwater valve. Before a reactor trip would occur, two-out-of-four channels in a loop would have to indicate a low-low water level. Any slow drift in the water level signal will permit the operator to respond to the level alarms and take corrective action.
Automatic protection is provided in case the spurious high level reduces feedwater flow sufficiently to cause low-low level in the steam generator. Automatic protection is also provided in case the spurious low level signal increases feedwater flow sufficiently to cause high level in the steam generator. A turbine trip and feedwater isolation would occur on two-out-of-four high-high steam generator water level in any loop.
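The two-out-of-four claim above (a trip is still obtained when the channel shared with control fails and a second channel fails at random) can be checked by enumeration. The Python sketch below is an added example, not part of the FSAR or the plant's logic; it assumes idealized channels that are either healthy, stuck in the non-tripping state, or stuck in the tripping state, and every function name in it is hypothetical.

```python
from itertools import combinations


def coincidence(votes, k):
    """k-out-of-n coincidence: trip when at least k channels vote to trip."""
    return sum(1 for v in votes if v) >= k


def trips_on_demand(n, k, stuck_untripped):
    """Real demand: healthy channels vote to trip, the listed ones never do."""
    return coincidence([ch not in stuck_untripped for ch in range(n)], k)


def spurious_trip(n, k, stuck_tripped):
    """No demand: only channels stuck in the tripping state cast a vote."""
    return coincidence([ch in stuck_tripped for ch in range(n)], k)


def tolerated_failures(n, k):
    """Largest f such that ANY f channels stuck untripped still allow a trip."""
    f = 0
    while f < n and all(trips_on_demand(n, k, set(c))
                        for c in combinations(range(n), f + 1)):
        f += 1
    return f


def failures_for_spurious_trip(n, k):
    """Smallest number of channels stuck tripped that trips without demand."""
    for f in range(n + 1):
        if any(spurious_trip(n, k, set(c)) for c in combinations(range(n), f)):
            return f
    return None


def control_plus_random_failure(n, k, control_channel=0):
    """Scenario from the text: the channel shared with control has failed,
    then each other channel in turn is assumed to fail as well.
    Returns {second_failed_channel: trip_still_obtained}."""
    outcomes = {}
    for second in range(n):
        if second != control_channel:
            outcomes[second] = trips_on_demand(n, k, {control_channel, second})
    return outcomes


# Coincidence arrangements that appear in the reactor trip table: (n, k).
ARRANGEMENTS = {
    "1-out-of-2": (2, 1),
    "2-out-of-2": (2, 2),
    "2-out-of-3": (3, 2),
    "2-out-of-4": (4, 2),
    "4-out-of-4": (4, 4),
}


def summary():
    """Map each arrangement to (non-tripping failures tolerated,
    tripping failures needed for a spurious trip)."""
    return {name: (tolerated_failures(n, k), failures_for_spurious_trip(n, k))
            for name, (n, k) in ARRANGEMENTS.items()}


if __name__ == "__main__":
    print("2-out-of-4, control channel + one random failure:",
          control_plus_random_failure(4, 2))
    for name, (tolerated, spurious) in summary().items():
        print(f"{name}: tolerates {tolerated} untripped failure(s), "
              f"needs {spurious} tripped failure(s) for a spurious trip")
```

The summary makes the trade-off visible: lowering k improves tolerance of channels that fail to trip but reduces the number of failed-high channels needed for an unwanted trip.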
2.4    Additional Postulated Accidents
Loss of plant instrument air or loss of component cooling water is discussed in Section 7.3.2.
Load rejection and turbine trip are discussed in further detail in Section 7.7.
The control interlocks, called rod stops, that are provided to prevent abnormal power conditions which could result from excessive control rod withdrawal are discussed in Section 7.7.1.4.1 and listed on Table 7.7-1. Excessively high power operation, if allowed to continue, might lead to a safety limit (as given in the Technical Specifications) being reached. Before such a limit is reached, protection will be available from the reactor trip system. Rod block setpoints are reached
 
3    TESTS AND INSPECTIONS
The reactor trip system meets the testing requirements of IEEE Standard 338-1971, as discussed in Section 7.1.2.11. The testability of the system is discussed in Section 7.2.2.2.3. The initial test intervals are specified in the Technical Specifications. Written test procedures and documentation, conforming to the requirements of IEEE Standard 338-1971, will be available for audit by responsible personnel. Periodic testing complies with Regulatory Guide 1.22 as discussed in Sections 7.1.2.5 and 7.2.2.2.3.
4    REFERENCES FOR SECTION 7.2
1 WCAP-7488-L, 1971 (Proprietary) and WCAP-7672, 1971 (Non proprietary), (Additional background information only) Katz, D. N., Solid State Logic Protection System Description.
2 WCAP-7706-L, 1971 (Proprietary) and WCAP-7706, 1971 (Non proprietary), Gangloff, W. C. and Loftus, W. D., An Evaluation of Solid State Logic Reactor Protection in Anticipated Transients.
3 WCAP-7913, 1973, (Additional background information only) Reid, J. B., Process Instrumentation for Westinghouse Nuclear Steam Supply Systems.
4 WCAP-8255, 1974, (Additional background information only) Lipchak, J. B., Nuclear Instrumentation System.
5 DNC Letter 07-0450I, Dominion Nuclear Connecticut, Inc. Millstone Power Station Unit 3 Stretch Power Uprate License Amendment Request Additional Information in Connection with the NRC Audit Held on May 13, 2008 in Rockville, Maryland, dated May 21, 2008.
 
| Reactor Trip | Coincidence Logic | Interlocks | Comments |
|---|---|---|---|
| 1. High neutron flux (Power Range) (high and low settings) | 2-out-of-4 | Manual block of low setting permitted at or above P-10 (high setting has no interlocks) | Automatic reset of low setting below P-10 |
| 2. Intermediate range neutron flux | 1-out-of-2 | Manual block permitted at or above P-10 | Automatic reset below P-10 |
| 3. Source range neutron flux | 1-out-of-2 | Manual block permitted at or above P-6. Automatic block at or above P-10. | Manual reset permitted below P-10. Automatic reset below P-6. |
| 4. Power range high positive neutron flux rate | 2-out-of-4 | No interlocks | Manual reset |
| 5. Power range high negative neutron flux rate | 2-out-of-4 | No interlocks | Manual reset |
| 6. Overtemperature ΔT | 2-out-of-4 | No interlocks | |
| 7. Overpower ΔT | 2-out-of-4 | No interlocks | |
| 8. Pressurizer low pressure | 2-out-of-4 | Interlocked with P-7 | Blocked below P-7 |
| 9. Pressurizer high pressure | 2-out-of-4 | No interlocks | |
| 10. Pressurizer high water level | 2-out-of-3 | Interlocked with P-7 | Blocked below P-7 |
| 11. Low reactor coolant flow | 2-out-of-3 in 2-out-of-4 loops | Interlocked with P-7 | Low flow in two loops will cause reactor trip when at or above P-7. Blocked below P-7. Low flow in one loop will cause a reactor trip when at or above P-8. |
| | 2-out-of-3 in any loop | Interlocked with P-8 | Blocked below P-8 |
| 12. Reactor coolant pump shaft underspeed | 2-out-of-4 | Interlocked with P-7 | Low speed on all pumps permitted below P-7 |
| 13. Low-low steam generator water level | 2-out-of-4 in any loop | No interlocks | |
| 14. Safety injection signal | Coincident with actuation of safety injection | No interlocks | (See Section 7.3 for Engineered Safety Features actuation conditions) |
| 15. Turbine (anticipatory) trip: a) Low trip fluid pressure | 2-out-of-3 | Interlocked with P-9 | Blocked below P-9 |
| 15. Turbine (anticipatory) trip: b) Turbine stop valve close | 4-out-of-4 | Interlocked with P-9 | Blocked below P-9 |
| 16. Manual | 1-out-of-2 | No interlocks | Reactor Trip or SIS |
| 17. SSPS General Warning Alarm | 2-out-of-2 | No interlocks | Both trains simultaneously |
| 18. N-1 Misalignment (see Section 7.2.1.2.2, item 12, for details) | N/A | No interlocks | N-1 switches in SSPS misaligned |
 
| Designation | Derivation | Function |
|---|---|---|
| Power Escalation Permissives: | | |
| P-6 | Presence of P-6: 1-out-of-2 neutron flux (intermediate range) above setpoint. | Allows manual block of source range reactor trip. |
| P-6 | Absence of P-6: 2-out-of-2 neutron flux (intermediate range) below setpoint. | Defeats the block of source range reactor trip. |
| P-10 | Presence of P-10: 2-out-of-4 neutron flux (power range) above setpoint. | Allows manual block of power range (low set-point) reactor trip. Allows manual block of intermediate range reactor trip and intermediate range rod stops (C-1). Automatically blocks source range reactor trip (back-up for P-6). Input to P-7. |
| P-10 | Absence of P-10: 3-out-of-4 neutron flux (power range) below setpoint. | Defeats the block of power range (low set-point) reactor trip. Defeats the block of intermediate range reactor trip and intermediate range rod stops (C-1). Input to P-7. Allows reset of block of source range reactor trip. |
| Blocks of Reactor Trips: | | |
| P-7 | Absence of P-7: 3-out-of-4 neutron flux (power range) below setpoint (from P-10) and 2-out-of-2 turbine impulse chamber pressure below setpoint (from P-13). | Blocks reactor trip on: Low reactor coolant flow in more than one loop, underspeed, pressurizer low pressure, and pressurizer high level. |
| P-8 | Absence of P-8: 3-out-of-4 neutron flux (power range) below setpoint. | Blocks reactor trip on low reactor coolant flow in a single loop. |
| P-9 | Absence of P-9: 3-out-of-4 neutron flux (power range) below setpoint. | Blocks reactor trip on turbine trip. |
| P-13 | Absence of P-13: 2-out-of-2 turbine impulse chamber pressure below setpoint. | Input to P-7 |
 
| Reactor Trip Signal | Process Measurement Range | Total Allowance (1) | Reactor Trip System Response Time (2) |
|---|---|---|---|
| 1. Power range high neutron flux (High and low settings) | 0 to 120 percent of full power | Hi - 6.3% of span; Lo - 8.3% of span | 0.5 second (3) |
| 2. Intermediate range high neutron flux | 8 decades of neutron flux overlapping both source and power ranges (10^-11 to 10^-3 amperes) | (4) | (4) |
| 3. Source range high neutron flux | 6 decades of neutron flux (1 to 10^6 counts/sec) | (4) | (4) |
| 4. Power range high positive neutron flux rate | 0 to 120 percent of full power | 1.08% of span (5) | 0.5 seconds (5) |
| 5. Power range high negative neutron flux rate | 0 to 120 percent of full power | (4) | (4) |
| 6. Overtemperature ΔT | THOT 530 to 650°F | 11.3 percent of ΔT span | 11.0 seconds |
| | TCOLD 510 to 630°F | | |
| | TAVG 530 to 630°F | | |
| | PPZR 1700 to 2500 psia | | |
| | f() -60 to +60 | | (4) |
| | ΔT setpoint 0 to 150 of full power ΔT | | |
| 7. Overpower ΔT | THOT 530 to 650°F | 4.9 percent of ΔT span | 11.0 seconds |
| | TCOLD 510 to 630°F | | |
| | TAVG 530 to 630°F | | |
| | ΔT setpoint 0 to 150 of full power ΔT | | |
| 8. Pressurizer low pressure | 1700 to 2500 psia | 5.0 percent of span | 2.0 seconds |
| 9. Pressurizer high pressure | 1700 to 2500 psia | 5.0 percent of span | 2.0 seconds |
| 10. Pressurizer high water level | Span between level taps ( 520 inches) | 11.0 percent of span | 2.0 seconds |
| 11. Low reactor coolant flow | 0 to 120 percent of thermal design flow | 4.2 percent of span | 1.0 seconds |
| 12. Reactor coolant pump shaft under speed | 960 to 1260 RPM | 1.6 percent of span | 0.6 seconds (6) |
| 13. Low-low steam generator water level | Span between narrow range level taps ( 128 inches) | 18.1 percent of span | 2.0 seconds |
| 14. Turbine trip | N/A | N/A | (7) |

NOTES:
(1)  Refer to Technical Specifications Section B 3/4.3.1 for a discussion of Total Allowance.
(2)  Reactor Trip System Response Time is defined by Technical Specification 1.28 as: ...the time interval from when the monitored parameter exceeds its trip setpoint at the channel sensor until loss of stationary gripper coil voltage.
(3)  Neutron detectors are exempt from time response testing.
(4)  Information not applicable since Trip(s) are not required by safety analysis per FSAR Table 15.0-4.
(5)  Credited in generic Westinghouse analysis applicable to MPS-3 (Reference 7.2-5).
(6)  RCP speed sensors are exempt from time response testing.
(7)  The FSAR Chapter 15 safety analysis does not credit reactor trip due to turbine trip in demonstrating that the acceptance criteria is met. Therefore, time response testing for this function is not required.
 
| Trip (a) | Accident (b) | Tech Spec. (c) |
|---|---|---|
| 1. Power range high neutron flux trip (low setpoint) | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal from a Subcritical or Low Power Startup Condition (15.4.1) | 2.2.1, Table 2.2-1 #2, See Note (d) |
| | 2. Spectrum of Rod Cluster Control Assembly Ejection Accidents (15.4.8) | |
| | 3. Chemical and Volume Control System Malfunction that Results in a Decrease in the Boron Concentration in the Reactor Coolant (15.4.6) | |
| | 4. Excessive heat removal due to feedwater system malfunctions (15.1.1 and 15.1.2) | |
| 2. Power range high neutron flux trip (high setpoint) | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal from a Subcritical or Low Power Startup Condition (15.4.1) | 2.2.1, Table 2.2-1 #2, See Note (d) |
| | 2. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.4.2) | |
| | 3. Excessive Heat Removal Due to Feedwater System Malfunctions (15.1.1 and 15.1.2) | |
| | 4. Excessive Increase In Secondary Steam Flow (15.1.3) | |
| | 5. Inadvertent Opening of a Steam Generator Relief or Safety Valve Causing a Depressurization of the Main Steam System (15.1.4) | |
| | 6. Steam System Piping Failure (15.1.5) | |
| | 7. Spectrum of Rod Cluster Control Assembly Ejection Accidents (15.4.8) | |
| | 8. Chemical and Volume Control System Malfunction that Results in a Decrease in the Boron Concentration in the Reactor Coolant (15.4.6) | |
| 3. Intermediate range high neutron flux trip | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal from a Subcritical or Low Power Startup Condition (15.4.1) | 2.2.1, Table 2.2-1 #5 |
| 4. Source range high neutron flux trip | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal from a Subcritical or Low Power Startup Condition (15.4.1) | 2.2.1, Table 2.2-1 #6 |
| | 2. Chemical and Volume Control System Malfunction that Results in a Decrease in the Boron Concentration in the Reactor Coolant (15.4.6) | |
| 5. Power range high positive neutron flux rate trip | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power and Spectrum of Rod Cluster Control Assembly Ejection Accidents (15.4.2 and 15.4.8) | 2.2.1, Table 2.2-1 #3 |
| | 2. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal from a Subcritical or Low Power Startup Condition (15.4.1) | |
| 6. Power range high negative flux rate trip | | See Note (e) |
| 7. Overtemperature ΔT trip | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.4.2) | 2.2.1, Table 2.2-1 #7 |
| | 2. Chemical and Volume Control System Malfunction that Results in a Decrease in the Boron Concentration in the Reactor Coolant (15.4.6) | |
| | 3. Loss of External Electrical Load and/or Turbine Trip (15.2.2 and 15.2.3) | |
| | 4. Excessive Heat Removal Due to Feedwater System Malfunctions (15.1.1 and 15.1.2) | |
| | 5. Excessive Increase In Secondary Steam Flow (15.1.3) | |
| | 6. Inadvertent Opening of a Pressurizer Safety or Relief Valve (15.6.1) | |
| | 7. Rod Cluster Control Assembly Misalignment (15.4.3) | |
| | 8. Loss of Normal Feedwater Flow (15.2.7) | |
| | 9. Steam Generator Tube Failure (15.6.3) | |
| | 10. Feedwater System Pipe Break (15.2.8) | |
| 8. Overpower ΔT trip | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.4.2) | 2.2.1, Table 2.2-1 #8 |
| | 2. Excessive Heat Removal Due to Feedwater System Malfunctions (15.1.1 and 15.1.2) | |
| | 3. Excessive Increase In Secondary Steam Flow (15.1.3) | |
| | 4. Inadvertent Opening of a Steam Generator Relief or Safety Valve Causing a Depressurization of the Main Steam System (15.1.4) | |
| | 5. Steam System Piping Failure (15.1.5) | |
| | 6. Rod Cluster Control Assembly Misalignment (15.4.3) | |
| | 7. Loss of External Electrical Load and/or Turbine Trip (15.2.2 and 15.2.3) | |
| 9. Pressurizer low pressure trip | 1. Inadvertent Opening of a Pressurizer Safety or Relief Valve (15.6.1) | 2.2.1, Table 2.2-1 #9 |
| | 2. Loss-of-Coolant Accidents Resulting from a Spectrum of Postulated Piping Breaks within the Reactor Coolant Pressure Boundary (15.6.5) | |
| | 3. Excessive Increase In Secondary Steam Flow (15.1.3) | |
| | 4. Steam Generator Tube Failure (15.6.3) | |
| | 5. Inadvertent Opening of a Steam Generator Relief or Safety Valve Causing a Depressurization of the Main Steam System (15.1.4) | |
| | 6. Steam System Piping Failure (15.1.5) | |
| | 7. Rod Cluster Control Assembly Misalignment (15.4.3) | |
| | 8. Inadvertent Operation of the Emergency Core Cooling System During Power Operation (15.5.1) | |
| 10. Pressurizer high pressure trip | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.4.2) | 2.2.1, Table 2.2-1 #10 |
| | 2. Loss of External Electrical Load and/or Turbine Trip (15.2.2 and 15.2.3) | |
| | 3. Loss of Normal Feedwater Flow (15.2.7) | |
| | 4. Feedwater System Pipe Break (15.2.8) | |
| 11. Pressurizer high water level trip | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.4.2) | 2.2.1, Table 2.2-1 #11 |
| 12. Low reactor coolant flow | 1. Partial Loss of Forced Reactor Coolant Flow (15.3.1) | 2.2.1, Table 2.2-1 #12 |
| | 2. Loss of Nonemergency AC Power to the Station Auxiliaries (15.2.6) | |
| | 3. Complete Loss of Forced Reactor Coolant Flow (15.3.2) | |
| | 4. Reactor Coolant Pump Shaft Seizure (Locked Rotor) (15.3.3) | |
| 13. Reactor coolant pump underspeed trip | 1. Complete Loss of Forced Reactor Coolant Flow (15.3.2) | 2.2.1, Table 2.2-1 #15 |
| 14. Low-low steam generator water level trip | 1. Loss of Normal Feedwater Flow (15.2.7) | 2.2.1, Table 2.2-1 #13 |
| | 2. Loss of Nonemergency AC Power to the Station Auxiliaries (15.2.6) | |
| | 3. Loss of External Electrical Load and/or Turbine Trip (15.2.2 and 15.2.3) | |
| | 4. Feedwater System Pipe Break (15.2.8) | |
| | 5. Steam System Piping Failure (15.1.5) | |
| 15. Reactor trip on turbine trip | 1. Excessive Heat Removal Due to Feedwater System Malfunctions (15.1.1 and 15.1.2) | 2.2.1, Table 2.2-1 #16 |
| | 2. Loss of Nonemergency AC Power to the Station Auxiliaries (15.2.6) | |
| 16. Safety injection signal actuation trip | 1. Inadvertent Opening of a Steam Generator Relief or Safety Valve Causing a Depressurization of the Main Steam System (15.1.4) | 2.2.1, Table 2.2-1 #17 |
| | 2. Steam System Piping Failure (15.1.5) | |
| | 3. Inadvertent Operation of the Emergency Core Cooling System During Power Operation (15.5.1) | |
| | 4. Feedwater System Pipe Break (15.2.8) | |
| 17. Manual trip | 1. Available for all accidents (Chapter 15) | 2.2.1, Table 2.2-1 #1 |

NOTES:
(a)    Trips are listed in order of discussion in Section 7.2.
(b)    References refer to accident analysis presented in Chapter 15.
(c)    References refer to Technical Specifications presented in Chapter 16.
(d)    The power range high neutron flux trip is not required to be OPERABLE in MODES 3, 4 or 5. Administrative controls have been implemented to preclude uncontrolled rod/bank withdrawal from occurring in these MODES when plant conditions are not bounded by the accident assumptions.
(e)    A Technical Specification reference is not required because this trip is not assumed to function in the accident analysis.
 
FIGURE 7.2-1 (SHEETS 1-19) P&IDS FUNCTIONAL DIAGRAM, REACTOR TRIP SYSTEM/LOOP STOP VALVE INTERLOCKS/PRESSURIZER PRESSURE RELIEF SYSTEM
The figure indicated above represents an engineering controlled drawing that is incorporated by reference in the MPS-3 FSAR. Refer to the List of Effective Figures for the related drawing number and the controlled plant drawing for the latest revision.
 
FIGURE 7.2-2 SETPOINT REDUCTION FUNCTION FOR OVERPOWER AND OVER-TEMPERATURE ΔT TRIPS
In addition to the requirements for a reactor trip for anticipated abnormal transients, the facility is provided with adequate instrumentation and controls to sense accident situations and initiate the operation of necessary engineered safety features. The occurrence of a limiting fault, such as a loss-of-coolant accident or a steam line break, requires a reactor trip plus actuation of one or more of the engineered safety features in order to prevent or mitigate damage to the core and reactor coolant system component and ensure containment integrity.
In order to accomplish these design objectives, the engineered safety features system has proper and timely initiating signals which are to be supplied by the sensors, transmitters, and logic components making up the various instrumentation channels of the engineered safety features actuation system. The engineered safety features actuation system as discussed in Section 7.3 is consistent with Technical Specification Table 3.3-3.
1    DESCRIPTION
The engineered safety features actuation system (ESFAS) uses selected plant parameters, determines whether or not predetermined safety limits are being exceeded and, if they are, combines the signals into logic matrices sensitive to combinations indicative of Condition III or IV faults. In addition, some engineered safety features such as auxiliary feedwater may be actuated for Condition II faults such as loss of normal feedwater flow. Once the required logic combination is completed, the system sends actuation signals to the appropriate engineered safety features components. The ESFAS meets the requirements of Criteria 13, 20, 27, 28, and 38 of the 1971 General Design Criteria (GDC).
1.1    System Description
The ESFAS is a functionally defined system described in this section. The equipment which provides the actuation functions identified in Section 7.3.1.1.1 is listed and discussed in this section (WCAP-7913, 1973; WCAP-7488-L, 1971; WCAP-7705, 1976):
: 1.      Process Instrumentation and Control System (WCAP-7913, 1973).
: 2.      Solid State Logic Protection System (WCAP-7488-L, 1971).
: 3.      Engineered Safety Features Test Cabinet (WCAP-7705, 1976).
: 4.      Manual Actuation Circuits.
: 5.      Emergency Generator Load Sequencer, Table 7.1-1, Logic Diagram Package.
: 6.      Control building inlet and containment purge air radiation monitoring channels.
The ESFAS consists of two discrete portions of circuitry: (1) an analog portion consisting of two to four redundant channels per parameter or variable to monitor various plant parameters such as
 
from the analog protection channels and perform the logic needed to actuate the engineered safety features. Each digital train is capable of actuating the engineered safety features (ESF) equipment required. Two channels of pressure switches are provided on the refueling water storage tank (RWST) to perform ESF functions. The intent is that any single failure within the ESFAS does not prevent system action when required.
A description of the emergency generator load sequencer is found in Section 7.3.1.1.5. A description of the applicable channels of the radiation monitoring system is in Section 11.5.2.2.
The redundant concept is applied to both the analog and logic portions of the system. Separation of redundant analog channels begins at the process sensors and is maintained in the field wiring, containment vessel penetrations and analog protection racks terminating at the redundant safeguards logic racks. The design meets the requirements of Criteria 20, 21, 22, 23, and 24 of the 1971 GDC.
The variables are sensed by the analog circuitry as discussed in WCAP-7913 (1973) and in Section 7.2. The outputs from the analog channels are combined into actuation logic as shown on Figure 7.2-1, Sheets 5, 6, 7, and 8. Refer to Technical Specification Table 3.3-3 for ESFAS instrumentation channel requirements.
The interlocks associated with the ESFAS are outlined in Table 7.3-1. These interlocks satisfy the functional requirements discussed in Section 7.1.2.
Manual actuation from the control board of containment isolation Phase A is provided by operation of either one of the redundant momentary containment isolation Phase A controls. The separate trains are thereby linked by mechanical means in a fashion similar to that shown on Figure 7.1-2. Also on the control board is a manual actuation of safety injection by one of the redundant controls and a manual actuation of containment isolation Phase B by either of the two sets of controls.
Manual controls are also provided to switch from the injection to the recirculation phase after a loss-of-coolant accident.
1.1.1    Function Initiation
The specific functions which rely on the ESFAS for initiation are listed below. In addition, see Table 15.0-6 for the engineered safety features required for specific design basis plant conditions.
For further information about the design of the functions discussed below, see appropriate Logic Diagrams referenced in Table 1.7-1.
: 1.      A reactor trip, provided one has not already been generated by the reactor trip system.
 
of the reactor coolant system (Table 7.3-3).
: 3. Those pumps and associated valves which provide core, containment, and other safety-related cooling functions (e.g., service water and component cooling water pumps).
: 4. Motor-driven and steam-driven auxiliary feedwater pumps and associated valves to provide a heat sink for the removal of decay heat from the reactor.
: 5. Phase A containment isolation, whose function is to prevent fission product release. (Isolation of all lines not essential to reactor protection.) (Table 7.3-4).
: 6. Steam line isolation to prevent the continuous, uncontrolled blowdown of more than one steam generator and thereby uncontrolled reactor coolant system cooldown (Table 7.3-5).
: 7. Main feedwater line isolation, as required, to prevent or mitigate the effect of excessive cooldown (Table 7.3-6).
: 8. Start the emergency generators to assure backup supply of power to ESF and essential auxiliary supporting systems components.
: 9. Initiate pressurized filtration for the control room to meet control room occupancy requirements. (Table 7.3-7).
: 10. Containment depressurization actuation (CDA) which performs the following functions:
: a.      Initiates containment spray to reduce containment pressure and temperature following a loss-of-coolant accident or a main steam or feedwater line break accident inside of containment (Table 7.3-8).
: b.      Initiates Phase B containment isolation which isolates the containment following a loss of reactor coolant accident, or a main steam or feedwater line break within containment to limit radioactive releases. (Phase B isolation, together with Phase A isolation, results in isolation of all but emergency core cooling system and containment spray lines penetrating the containment.) (Table 7.3-9).
: 11. Stripping of electrical loads, blocking of manual starting and time delayed starting, when required, of safety related electrical loads by the Emergency Generator Load Sequencer.
 
accident per Section 15.7.4.
: 13. Ventilation and filtration fans and associated dampers and valves which provide ventilation for vital building areas and filtration of air discharged from building.
1.1.2      Analog Circuitry
The process analog sensors and racks for the ESFAS are generically discussed in WCAP-7913 (1973). Discussed in this report are typical parameters to be measured, including pressures, flows, tank and vessel water levels, and temperatures, as well as the measurement and signal transmission considerations. These latter considerations include the transmitters, orifices and flow elements, resistance temperature detectors, as well as automatic calculations, signal conditioning, location and mounting of the devices.
The sensors monitoring the primary system are located as shown on the piping and instrumentation diagrams in Chapter 5, reactor coolant system. The secondary system sensor locations are shown on the steam and feedwater system piping and instrumentation diagrams given in Chapter 10.
1.1.3      Digital Circuitry
The ESF logic racks are discussed in detail in WCAP-7488-L (1971). The description includes the considerations and provisions for physical and electrical separation, as well as details of the circuitry. WCAP-7488-L (1971) also covers certain aspects of online test provisions, provisions for test points, considerations for the instrument power source, considerations for accomplishing physical separations. The outputs from the analog channels are combined into actuation logic as shown on Sheets 5, 6, 7, 8, 13, 14, 15 and 16 on Figure 7.2-1.
To facilitate engineered safety features actuation testing, four cabinets (two per train) are provided which enable operation, to the maximum practical extent, of safety features loads on a group-by-group basis until actuation of all devices has been checked. Final actuation testing is discussed in detail in Section 7.3.2.
The Emergency Generator Load Sequencer uses digital logic which is described in Section 7.3.1.1.5 and shown on the Logic Diagrams referenced in Table 1.7-1. Each channel (one per train) of the radiation monitoring instrumentation associated with the Containment Purge Isolation function provides outputs directly to actuate equipment.
 
The outputs of the solid state logic protection system (the slave relays) are energized to actuate, as are most final actuators and actuated devices. These devices are listed as follows:
: 1.      Emergency core cooling system pump and valve actuators. See Chapter 6 for flow diagrams and additional information.
: 2.      Containment isolation (Phase A - T signal isolates all nonessential process lines on receipt of safety injection signal; Phase B - P signal isolates remaining process lines (which do not include safety injection lines) on receipt of 2-out-of-4 hi-3 containment pressure signal). For further information, see Section 6.2.4.
: 3.      Service water pump and valve actuations (Chapter 9).
: 4.      Auxiliary feed pumps start and valve actuators (Chapter 10).
: 5.      Diesel start (Chapter 8).
: 6.      Feedwater isolation valve actuators (Chapter 10).
: 7.      Ventilation isolation valve and damper actuators (Chapter 6).
: 8.      Steam line isolation valve actuators (Chapter 10).
: 9.      Quench spray and recirculation containment pumps and valve actuators (Chapter 6).
1.1.5    ESF and Essential Auxiliary Support Systems
Engineered Safety Features System
Systems that comprise the ESF and essential auxiliary supporting systems for Millstone 3 are listed in Table 7.3-10. Their function and operation following ESFAS initiation are summarized in this section. Additional information on these systems can be found in the referenced sections.
Emergency Core Cooling System
The emergency core cooling system (ECCS) is described in Section 6.3 and is shown on Figure 6.3-1. Development of the SIS and CDA is shown on Figure 7.2-1 (Sheet 8 of 19).
The low pressure safety injection system, high pressure safety injection system, charging pumps of the chemical and volume control system, containment recirculation system, and residual heat removal system perform the function of core cooling for both normal plant cooldown and emergency core cooling.
 
RCS pressure condition exist (P-19), will discharge to the reactor coolant cold leg.
The component interlocks used in different modes of system operation are described in Section 6.3.2.1.
RHS Pump Interlock from Injection to Recirculation
The details of achieving cold leg recirculation following safety injection are given in Section 6.3.2 and in Table 6.3-7. Figure 7.6-3 shows the logic which is used to automatically control RHS pumps.
Sequenced Safeguard Signals
A sequenced safeguard signal is generated by the emergency generator load sequencer for the safety injection pump, RHS pump, or charging pump whenever the signals listed with the associated pumps exist.
: 1.      Safety Injection Pump
* SIS or SIS and LOP
* CDA or CDA and LOP
* SIS recirculation mode then LOP
* CDA recirculation mode then LOP
: 2.      Residual Heat Removal Pumps
* SIS or SIS and LOP
* CDA or CDA and LOP
: 3.      Charging Pumps
* SIS or SIS and LOP
* CDA or CDA and LOP
* SIS recirculation mode and then LOP
* CDA recirculation mode and then LOP
: 1. Residual Heat Removal System Pumps
The RHS pumps have manual controls on the main control board and at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected. A low-low RWST level is directly annunciated in the control room and interlocks with the SI signal to trip the RHR pumps. The pumps are started automatically on receipt of a sequenced safeguard signal. When a safety injection signal exists, the pumps are stopped automatically on low-low RWST level.
Ammeters and indicator lights are located on the main control board and at the switchgear for the RHS pumps. ESF status lights on the main control board indicate when the RHS pumps are running. RHS pump AUTO trip and overcurrent is alarmed in the control room. Bypass and inoperable alarms are provided in accordance with Regulatory Guide 1.47.
Analysis
: a.      IEEE Standard 279-1971, Paragraph 4.2:
There are two residual heat removal pumps powered from separate emergency buses. No single failure at the system level will prevent operation of at least one residual heat removal system train.
: b.      IEEE Standard 279-1971, Paragraph 4.4:
Equipment qualifications are discussed in Sections 3.10 and 3.11.
: c.      IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:
One train of the residual heat removal system at a time is taken out of service and periodically tested in accordance with the Technical Specifications.
This testing will consist of manually starting the pump during normal surveillance of the system or the breaker for the pump will be in the test position. Once the pump is running or the breaker is in the test position, the AUTO start and tripping is verified using the emergency generator load sequencer with safety signals generated internally or externally to the sequencer.
 
A RHR pump low pressure safety injection system Train A or Train B bypass annunciator is alarmed in the control room when any of the following conditions exist for Train A or B:
* Residual heat removal pump control switch in pull to lock.
* Loss of control power to RHS pump.
* RHS pump circuit breaker racked out.
* RWST to RHR pump valve not full open.
* RHR pump to charging pump valve not full closed.
* ESF ACU breaker open or control power not available.
* RHR to hot leg isolation valve not full closed.
* RHR heat exchanger flow control valve not full open.
* Reactor plant CCW system bypass.
* RHR to cold leg isolation valve not full open.
: e.      IEEE Standard 279-1971, Paragraph 4.16:
Once a safety signal is received, the residual heat removal system will go to completion. Deliberate operator action is required to stop the RHR pumps.
The safety signal must be reset and manual controls used.
: f.      IEEE Standard 279-1971, Paragraph 4.17:
The residual heat removal pumps have manual controls on the main control board and at the switchgear. A REMOTE/LOCAL control transfer switch at the switchgear is alarmed in the control room when LOCAL is selected.
: 2. Safety Injection Pumps
The safety injection pumps have manual controls on the main control board and at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected. The pumps are started automatically on receipt of a sequenced safeguard signal. Ammeters and indicator lights are located on the main control board and at the switchgear for the safety injection pumps. ESF status lights on the main control board indicate when a safety injection pump is running. Safety injection pump AUTO Trip or overcurrent is alarmed in the control room. Bypass
 
Analysis
: a. IEEE Standard 279-1971, Paragraph 4.2:
There are two safety injection pumps powered from separate emergency buses. No single failure at the system level will prevent safety injection.
: b. IEEE Standard 279-1971, Paragraph 4.4:
Equipment qualifications are discussed in Sections 3.10 and 3.11.
: c. IEEE Standard 279-1971, Paragraph 4.13:
A bypass and inoperable annunciator in the control room is alarmed when any of the following conditions exists for Train A or B:
* Safety injection pump control switch in pull to lock.
* SI pump loss of control power or breaker racked out.
* Bypass push button depressed.
* RWST to safety injection pump valve not full open and valve circuit breaker open or control power not available.
* ESF ACU breaker open or control power not available.
* Safety injection cross connect valve not full open and valve circuit breaker open.
* Safety injection pump to hot leg valve not full closed and valve circuit breaker open or control power not available.
* Safety injection pump to cold leg valve not full open and valve circuit breaker open or control power not available.
* Safety injection pump suction valve not full open and valve circuit breaker open or control power not available.
* Containment recirculation injection system bypassed.
* Safety Injection Pump Cooling Pump Circuit Breaker Open or Control Power Not Available or Motor Thermal Overload.
 
The safety injection pumps have manual controls on the main control board and at the switchgear. A REMOTE/LOCAL control transfer switch at the switchgear is alarmed in the control room when LOCAL is selected.
: e.      IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:
One train at a time is taken out of service and periodically tested in accordance with the Technical Specifications.
This testing will consist of manually starting the pump during normal surveillance of the system or the breaker for the pump will be in the test position. Once the pump is running or the breaker is in the test position, the AUTO start and tripping is verified using the emergency generator load sequencer with safety signals generated internally or externally to the sequencer.
: 3. Charging Pumps
Normally, one charging pump is running. During a loss-of-coolant accident (LOCA), two charging pumps operate as part of the safety injection system. The third pump is an installed spare pump with a breaker cubicle on each emergency bus that is normally empty. The installed spare pump uses the breaker of the pump which is not in service. Mechanical and keylock switches prevent the pump from being placed on Train A and Train B emergency buses at the same time.
On a loss-of-power (LOP) signal the charging pump that is running is not stripped from the emergency bus; therefore, the pump starts immediately when power is restored. The pumps are started automatically on receipt of a sequenced safeguard signal.
Manual controls are provided on the main control board and at the switchgear for the charging pumps. An annunciator is alarmed on the main control board when local control is selected. ESF status lights indicate when a charging pump is running.
Ammeter and indicator lights are located at the switchgear and on the main control board.
Bypass and inoperable alarms are provided in accordance with Regulatory Guide 1.47.
Each charging pump has an auxiliary lube oil pump with a local STOP-AUTO control switch. The auxiliary lube oil pumps start automatically when AUTO is selected on low lube oil pressure, or when the associated charging pump is stopped. The auxiliary lube-oil pump stops automatically when AUTO is selected
 
Analysis
: a. IEEE Standard 279-1971, Paragraph 4.2:
There are three charging pumps, 3CHS*P3A, B, and C. The C pump is an installed spare pump. Normally, two charging pumps (3CHS*P3A and B) have their breakers racked in and one of the two is running. In the event that the A or B pump fails, its breaker is racked out and racked into the C pump cubicle (Train A or B). Mechanical and electrical interlocks prevent the C pump from being connected to two buses at the same time.
Power is supplied to the charging pumps from two separate emergency buses. No single failure at the system level will prevent charging pump safety injection.
: b. IEEE Standard 279-1971, Paragraph 4.4:
Equipment qualifications are discussed in Sections 3.10 and 3.11.
: c. IEEE Standard 279-1971, Paragraph 4.13:
A bypass and inoperable annunciator in the control room is alarmed when any of the following conditions exists for Train A or B:
* Charging pump A, B, or C control switch in pull to lock or loss of control power or breaker racked out.
* Charging pump cubicle ventilation system bypassed.
(Auxiliary circuits associated with the inlet and outlet ventilation dampers for the charging pump cubicles do not provide input to bypass annunciator.)
* Bypass push button depressed for charging pumps safety injection.
* Charging pump header isolation valve not full open.
* RWST to charging pump valve circuit breaker open.
* VCT to charging pump valve circuit breaker open.
* Charging pumps to reactor cold legs isolation valve circuit breaker open.
* Charging pump cooling pump control switch in PULL TO LOCK or circuit breaker open.
* Charging pump to reactor coolant system isolation valve circuit breaker open.
* Containment recirculation injection system bypassed.
: d.      IEEE Standard 279-1971, Paragraph 4.16:
Once a safety signal is initiated, the charging pumps go to completion.
Deliberate operator action is required to stop a charging pump. The safety signal must be reset and the pump stopped by manual controls.
: e.      IEEE Standard 279-1971, Paragraph 4.17:
The charging pumps have manual controls on the main control board and at the switchgear. A REMOTE/LOCAL control transfer switch at the switchgear is alarmed in the control room when LOCAL is selected.
: f.      IEEE Standard 279-1971, Paragraph 4.10:
One charging pump at a time can be taken out of service and periodically tested in accordance with the Technical Specifications.
: g.      This testing will consist of manually starting the pump during normal surveillance of the system or the breaker for the pump will be in the test position. Once the pump is running or the breaker is in the test position, the AUTO start and tripping is verified using the emergency generator load sequencer with safety signals generated internally or externally to the sequencer.
: 4. Refueling Water Storage Tank to Charging Pump Valve
Redundant RWST to charging pump valves have manual controls and indicator lights on the main control board and at the auxiliary shutdown panel. REMOTE/LOCAL transfer switches are on the transfer switch panels. An annunciator is alarmed in the control room when LOCAL control is selected. ESF status lights indicate when the valves are open. Open and closed valve positions are monitored by the plant computer. The valves open automatically on receipt of an SIS or when the volume control tank level is low-low.
Analysis
 
The RWST to charging pump valves are redundant and powered from separate emergency buses. No single failure at the system level will prevent charging pump safety injection.
: b. IEEE Standard 279-1971, Paragraph 4.4:
Equipment qualifications are discussed in Sections 3.10 and 3.11.
: c. IEEE Standard 279-1971, Paragraph 4.13:
The charging pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):
* Circuit breaker for valve open.
* Loss of control power to valve.
* Valve motor thermal overload.
: d. IEEE Standard 279-1971, Paragraph 4.16:
Once an SIS is initiated, the RWST to charging pump valves go to the fully open position. Deliberate operator action is required to close the valves.
The SIS must be reset and the valves closed by manual controls.
: e. IEEE Standard 279-1971, Paragraph 4.17:
The RWST to charging pump valves have manual controls on the main control board and at the auxiliary shutdown panel. The REMOTE/LOCAL control transfer switches on the transfer switch panels are alarmed in the control room whenever LOCAL is selected.
: f. IEEE Standard 279-1971, Paragraph 4.10:
The RWST valves are periodically tested in accordance with the Technical Specifications. Refer to Sections 7.3.1.2 and 7.3.2 for testing of engineered safety actuation system.
: 5. Volume Control Tank Outlet Isolation Valves
Redundant volume control tank (VCT) outlet isolation valves have manual controls and indicator lights on the main control board and on the auxiliary shutdown panel. REMOTE/LOCAL transfer switches are on the transfer switch
 
alarmed in the control room when a VCT outlet isolation valve is closed. Open and closed valve positions are monitored by the plant computer. The valves close automatically on receipt of an SIS or VCT low-low level signal, provided the associated RWST to the charging pump valve is open.
Analysis
: a. IEEE Standard 279-1971, Paragraph 4.2:
The VCT outlet isolation valves are redundant and powered from separate emergency buses. No single failure at the system level will prevent VCT outlet isolation.
: b. IEEE Standard 279-1971, Paragraph 4.4:
Equipment qualifications are discussed in Sections 3.10 and 3.11.
: c. IEEE Standard 279-1971, Paragraph 4.13:
A charging pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):
* Circuit breaker for valve open.
* Loss of control power to valve.
* Valve motor thermal overload.
: d. IEEE Standard 279-1971, Paragraph 4.16:
Once an SIS or VCT low-low level signal is received, the VCT outlet isolation valves go fully closed. The SIS must be reset and the VCT low-low level signal cleared and the valves opened by manual controls.
: e. IEEE Standard 279-1971, Paragraph 4.17:
The VCT outlet isolation valves have manual controls on the main control board and at the auxiliary shutdown panel. The REMOTE/LOCAL control transfer switches on the transfer switch panels are alarmed in the control room whenever LOCAL is selected.
: f. IEEE Standard 279-1971, Paragraph 4.10:
 
engineered safety actuation system.
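The suction swap described in items 4 and 5 above (the RWST to charging pump valve opens on an SIS or VCT low-low level, the VCT outlet isolation valve closes on the same signals provided the associated RWST valve is open, and neither returns until the signal is cleared and an operator acts) can be followed scan by scan in this added Python model, which is not part of the report. The class and field names, the starting valve positions, one-scan valve travel, the blocking of manual commands while either automatic demand is present, and the failed-valve input are assumptions made for the example.

```python
"""Model of one charging pump train's suction interlock (added example).

Assumptions, not taken from the report: valves travel fully within one scan,
a manual command is honoured only while no automatic demand is present, and
all names below are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scan:
    """Inputs sampled in one logic scan."""
    sis: bool = False                # safety injection signal present (not reset)
    vct_low_low: bool = False        # volume control tank level low-low
    close_rwst: bool = False         # operator CLOSE on RWST to charging pump valve
    open_vct: bool = False           # operator OPEN on VCT outlet isolation valve
    rwst_valve_failed: bool = False  # constructed fault: RWST valve cannot move


class ChargingSuctionTrain:
    def __init__(self) -> None:
        self.rwst_open = False  # assumed position before actuation
        self.vct_open = True    # assumed position before actuation

    def step(self, s: Scan) -> tuple:
        demand = s.sis or s.vct_low_low

        # RWST valve: opens on SIS or VCT low-low and stays open when the
        # signal clears; closing needs the demand gone and a manual command.
        if not s.rwst_valve_failed:
            if demand:
                self.rwst_open = True
            elif s.close_rwst:
                self.rwst_open = False

        # VCT outlet valve: closes on the same demand, but only once the
        # associated RWST valve is open. Reopening needs the demand cleared
        # and a manual command.
        if demand and self.rwst_open:
            self.vct_open = False
        elif not demand and s.open_vct:
            self.vct_open = True

        return self.rwst_open, self.vct_open


def run(scans):
    """Return the (rwst_open, vct_open) pair after each scan."""
    train = ChargingSuctionTrain()
    return [train.step(s) for s in scans]


# Constructed scenarios (not plant data).
ACCIDENT = [
    Scan(),                                       # normal operation
    Scan(sis=True),                               # SIS initiated
    Scan(sis=True, close_rwst=True, open_vct=True),  # manual commands before reset
    Scan(),                                       # SIS reset, no operator action
    Scan(close_rwst=True, open_vct=True),         # operator restores line-up
]
RWST_VALVE_FAILED = [Scan(sis=True, rwst_valve_failed=True)]
LOW_LEVEL = [
    Scan(vct_low_low=True),
    Scan(vct_low_low=True, open_vct=True),        # level not yet cleared
    Scan(open_vct=True),                          # level cleared, manual open
]

if __name__ == "__main__":
    for name, scans in [("accident", ACCIDENT),
                        ("RWST valve failed", RWST_VALVE_FAILED),
                        ("VCT low-low", LOW_LEVEL)]:
        print(name, run(scans))
```

In the failed-valve scenario the VCT outlet valve stays open because the RWST valve never reports open, which is the "provided the associated RWST to the charging pump valve is open" condition in the text.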
: 6. Charging Pump to Reactor Cold Leg Isolation Valves
Redundant charging pump to reactor cold leg isolation valves have manual controls and indicator lights on the main control board. Open and closed valve positions are monitored by the plant computer. ESF status lights indicate when the valves are open. An annunciator is alarmed in the control room when an isolation valve is open. The valves open automatically on receipt of an SIS in conjunction with the cold leg injection permissive (P-19).
Analysis
: a.      IEEE Standard 279-1971, Paragraph 4.2:
The charging pump to reactor cold leg isolation valves are redundant and powered from separate emergency buses. No single failure at the system level will prevent charging pump safety injection.
: b.      IEEE Standard 279-1971, Paragraph 4.4:
Equipment qualifications are discussed in Sections 3.10 and 3.11.
: c.      IEEE Standard 279-1971, Paragraph 4.13:
The charging pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):
* Circuit breaker for valve open.
* Loss of control power to valve.
* Valve motor thermal overload.
: d.      IEEE Standard 279-1971, Paragraph 4.16:
Once an SIS is initiated and the cold leg injection permissive (P-19) is enabled, the charging pump to cold leg isolation valves go to fully open.
Deliberate operator action is required to close the valves. The SIS must be reset and the valves closed by manual controls.
: e.      IEEE Standard 279-1971, Paragraph 4.17:
: f.      IEEE Standard 279-1971, Paragraph 4.10:
The charging pumps to reactor cold leg isolation valves are periodically tested in accordance with the Technical Specifications. Refer to Sections 7.3.1.2 and 7.3.2 for testing of engineered safety actuation system.
: 7. Charging Pump to Reactor Coolant System Isolation Valves
Redundant charging pump to reactor coolant system isolation valves (normal charging flow path) have manual controls and indicator lights on the main control board. Open and closed valve positions are monitored by the plant computer. ESF status lights indicate when the valves are closed. The valves close automatically on receipt of an SIS.
Analysis
: a.      IEEE Standard 279-1971, Paragraph 4.2:
The charging pump to reactor coolant system isolation valves are redundant and powered from separate emergency buses. No single failure at the system level will prevent isolation of normal charging to reactor coolant system.
: b.      IEEE Standard 279-1971, Paragraph 4.4:
Equipment qualifications are discussed in Sections 3.10 and 3.11.
: c.      IEEE Standard 279-1971, Paragraph 4.13:
The charging pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):
* Circuit breaker for valve open.
* Loss of control power to valve.
* Valve motor thermal overload.
: d.      IEEE Standard 279-1971, Paragraph 4.16:
Once an SIS is initiated, the charging pump to reactor coolant isolation valves go to the fully closed position. Deliberate operator action is required
: e.      IEEE Standard 279-1971, Paragraph 4.17:
The charging pump to reactor coolant isolation valves have manual controls on the main control board and at the auxiliary shutdown panel.
The REMOTE/LOCAL control transfer switches on the transfer switch panels are alarmed in the control room whenever LOCAL is selected.
: f.      IEEE Standard 279-1971, Paragraph 4.10:
The charging pump to reactor coolant system isolation valves are periodically tested in accordance with the Technical Specifications. Refer to Sections 7.3.1.2 and 7.3.2 for testing of engineered safety actuation system.
: 8. Charging Pump Miniflow Isolation Valves (Train B)
The miniflow isolation valve for each charging pump has manual controls and indicator lights on the main control board and at the auxiliary shutdown panel.
REMOTE/LOCAL control transfer switches are on a transfer switch panel. An annunciator is alarmed in the control room when LOCAL control is selected. An annunciator is alarmed in the control room when a valve is closed. ESF status lights indicate when a valve is closed. Open and closed positions are monitored by the plant computer. The valves close automatically on receipt of an SIS.
: 9. Charging Pump Miniflow Isolation Valve (Train A)
The charging pump combined miniflow isolation valve has manual control and indicator lights on the main control board. An annunciator alarms in the control room when the valve is closed. An ESF status light indicates when the valve is closed. The valve is closed automatically on receipt of an SIS.
Analysis
: a.      IEEE Standard 279-1971, Paragraph 4.2:
There are three Train B miniflow isolation valves and one combined Train A miniflow isolation valve. The Train A and Train B valves are powered from separate emergency buses. No single failure at the system level will prevent charging pump miniflow isolation.
: b.      IEEE Standard 279-1971, Paragraph 4.4:
Equipment qualifications are discussed in Sections 3.10 and 3.11.
 
The charging pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):
* Circuit breaker for valve open.
* Loss of control power to valve.
* Valve motor thermal overload.
: d.      IEEE Standard 279-1971, Paragraph 4.16:
Once an SIS is initiated, the charging pump to miniflow isolation valves go to the fully closed position. Deliberate operator action is required to open the valves. The SIS must be reset and the valves opened by manual controls.
: e.      IEEE Standard 279-1971, Paragraph 4.17:
The Train B charging pump miniflow isolation valves have manual controls on the main control board and at the auxiliary shutdown panel.
The REMOTE/LOCAL control transfer switches on the transfer switch panels are alarmed in the control room whenever LOCAL is selected.
: f.      IEEE Standard 279-1971, Paragraph 4.10:
The charging pump miniflow isolation valves are periodically tested in accordance with the Technical Specifications. Refer to Sections 7.3.1.2 and 7.3.2 for testing of engineered safety actuation system.
: 10. Accumulator Isolation Valves
Two accumulator isolation valves are powered from the Train A emergency bus; the other two are powered from the Train B emergency bus. Each valve has manual controls and indicator lights on the main control board and at the auxiliary shutdown panel. An annunciator is alarmed in the control room when LOCAL control is selected. ESF status lights indicate when a valve is closed. An annunciator is alarmed in the control room when a valve is closed. Open and closed positions are monitored by the plant computer. Signals from the ESFAS are provided to the valve(s) upon initiation of SIS or high pressurizer pressure (pressure above the P-11 setpoint). These signals would open the valves if they were closed and energized, but since the valves are locked open during normal operation with their power removed, the signals perform no actual function. (See Section 6.3.2.2.6).
: a. IEEE Standard 279-1971, Paragraph 4.2:
The Train A and B accumulator isolation valves are powered from separate emergency buses.
: b. IEEE Standard 279-1971, Paragraph 4.4:
Equipment qualifications are discussed in Sections 3.10 and 3.11.
: c. IEEE Standard 279-1971, Paragraph 4.13:
The accumulator tank low pressure safety injection bypass annunciator is alarmed in the control room whenever an accumulator isolation valve is not fully open.
: d. IEEE Standard 279-1971, Paragraph 4.16:
Once an SIS is initiated, the accumulator isolation valves would go to the fully open position if power were available and if the valves were closed.
Since these valves are locked open during normal operation with their power removed, the signal performs no actual function. (See Section 6.3.2.2.6). Deliberate operator action is required to close a valve.
The SIS must be reset, power must be restored and the valves closed by manual controls.
: e. IEEE Standard 279-1971, Paragraph 4.17:
The accumulator isolation valves have manual controls on the main control board and at the auxiliary shutdown panel. The REMOTE/LOCAL control transfer switches on the transfer switch panels are alarmed in the control room whenever LOCAL is selected.
: f. IEEE Standard 279-1971, Paragraph 4.10:
The accumulator isolation valves are periodically tested in accordance with the Technical Specifications. Refer to Sections 7.3.1.2 and 7.3.2 for testing of the engineered safety features actuation system.
Containment Depressurization System
The containment depressurization systems design is described in Section 6.2.2, and the flow diagrams are shown on Figures 6.2-37 and 6.2-38. The containment depressurization systems consist of the quench spray system and the containment recirculation spray system.
 
pump suction lines and discharge headers are open. To ensure proper position of these valves, the CDA signal actuates the valves to open and to override a possible close-test position. The motor-operated isolation valves in the quench spray system are closed during normal unit operation. The isolation valves in the quench spray discharge headers open upon receipt of a CDA signal. The solenoid pilot air-operated valves in the suction line from the RWST to the refueling water recirculation pumps close on a safety injection signal (SIS), thus isolating the nonsafety related portion of the suction piping downstream of the second isolation valve.
The quench spray pumps are started automatically on receipt of a CDA signal. On receipt of a CDA signal combined with a LOP signal, the quench spray pumps are sequenced on by the emergency generator load sequencer. The quench spray pumps are stopped automatically on receipt of a RWST empty signal.
The containment recirculation pumps are sequenced on automatically on receipt of a RWST Low-Low Level signal coincident with a CDA signal.
Containment Recirculation System Instrumentation
The following instrumentation is provided in the control room to monitor the system performance.
: 1.      Redundant level indicators for the containment sump. One level channel is recorded.
: 2.      Containment recirculation pump discharge pressure indicators.
: 3.      Containment recirculation pump seal head tank low level alarm which detects seal water leakage or seal failure.
: 4.      Containment recirculation cooler recirculation water outlet temperature.
: 5.      Redundant containment sump temperature indicators.
: 6.      Containment recirculation cooler service water outlet flow indicators.
: 7.      Containment recirculation pump flow indicators.
: 8.      Containment recirculation pump low discharge pressure annunciators interlocked with pump running signal.
A pressure transmitter in the common test line from the RWST and a pressure transmitter in the discharge line of each containment recirculation pump are utilized by the plant computer to verify performance of the containment recirculation pumps.
: a. IEEE Standard 279-1971, Paragraph 4.2:
The containment recirculation system is divided into two separate, redundant mechanical and electrical trains. This provides redundancy to prevent a failure of an active or passive component from impairing the system capability to supply water for the containment depressurization system.
: b. IEEE Standard 279-1971, Paragraph 4.4:
Equipment qualifications are discussed in Sections 3.10 and 3.11.
: c. IEEE Standard 279-1971, Paragraph 4.13:
The containment recirculation system bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A and B):
* Containment recirculation pump loss of control power or breaker racked out.
* Containment recirculation pump control switch in pull to lock.
* Service water system bypassed.
* Containment recirculation pump area air conditioning unit - loss of control power or circuit breaker open.
* Service water valve to reactor plant component cooling water heat exchanger not fully closed and circuit breaker open or loss of control power.
* Service water valve to containment recirculation coolers not fully open and loss of control power or circuit breaker open.
* Service water outlet valve for containment recirculation coolers not fully open.
* Service water valve to turbine plant component cooling heat exchangers not fully closed and loss of power or circuit breaker open.
* Service water valves to reactor plant component cooling heat exchangers safeguards test cabinet switch in PUSH TO TEST (Block Test Equip.).
* Service water inlet valves for containment recirculation coolers safeguards test cabinet switch in PUSH TO TEST (Block Test Equip.).
 
Equip.).
* Recirculation spray header isolation valve not fully open and loss of power or circuit breaker open.
* Cross-connect valve to low pressure safety injection system not fully closed.
* Recirculation spray pump suction valve not fully open and loss of power or circuit breaker open.
* Manual bypass push button depressed.
: d.      IEEE Standard 279-1971, Paragraph 4.16:
Once a CDA signal coincident with an RWST Low-Low signal is received, the containment recirculation pumps are started automatically. Deliberate operator action is required to stop the pumps.
: e.      IEEE Standard 279-1971, Paragraph 4.10:
The containment recirculation system is periodically tested in accordance with the Technical Specifications.
: f.      IEEE Standard 279-1971, Paragraph 4.17:
Controls and indicators are provided in the control room for manual operation of the containment recirculation system. REMOTE/LOCAL control selector switches are provided for the containment recirculation pumps outside the control room at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected.
Switchover from the injection to recirculation phase for the recirculation system is described in Section 6.3. Logic for the RWST signals is found in Section 6.3.5.4.
Quench Spray System Instrumentation
The following instrumentation is provided in the control room to monitor the quench spray system.
: 1.      Quench spray pump discharge flow indicators and low flow annunciators.
: 2.      RWST (level indication and level alarms).
 
High and low RWST temperature is alarmed on the main control board.
: 4. The refueling water recirculation pumps and the associated coolers operate only during normal unit operation. One refueling water recirculation pump is normally in AUTO and starts on a predetermined RWST high temperature signal. The second pump can be placed in service manually. Both pumps are stopped by a low temperature signal - RWST temperature or refueling water recirculation pump suction line temperature. The objective of the instrumentation associated with the refueling water recirculation pumps is to maintain the temperature of the refueling water within design limits.
Analysis
: a. IEEE Standard 279-1971, Paragraph 4.2:
The quench spray system is divided into two separate, redundant mechanical and electrical trains. This dual concept provides redundancy to prevent a failure of an active component or a passive component at the system level to supply water for the containment depressurization system.
: b. IEEE Standard 279-1971, Paragraph 4.4:
Equipment qualifications are discussed in Sections 3.10 and 3.11.
: c. IEEE Standard 279-1971, Paragraph 4.13:
The quench spray pump bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A and B):
* Quench spray pump in pull to lock.
* Quench spray header isolation valve loss of control power or circuit breaker open.
* Quench spray pump loss of control power or breaker racked out.
* Quench spray pump area air conditioning unit loss of control power or circuit breaker open.
* Manual bypass push button depressed.
 
Quench spray pump operation is automatically initiated on receipt of a Sequenced Safeguard Signal which is initiated by a CDA signal. The pumps stop automatically on receipt of an 'RWST Empty' signal. Deliberate operator action is required to stop the pumps prior to receipt of this signal.
: e.      IEEE Standard 279-1971, Paragraph 4.17:
Controls and indicators are provided in the control room for manual operation of the quench spray system. REMOTE/LOCAL control selector switches are provided for the quench spray pumps outside the control room at the switchgear.
An annunciator is alarmed in the control room when LOCAL control is selected.
: f.      IEEE Standard 279-1971, Paragraph 4.10:
The quench spray pumps are periodically tested in accordance with the Technical Specifications.
The testing and calibration of the level switches used for the detection of the RWST level is accomplished by taking one logic Train (A or B) out of service for a short duration.
The testing of the RWST level switches used for tripping the quench spray pumps will be used as an example. The switches may be tested in either of two ways:
* In the first method, the circuit breakers in the train under test are racked to the TEST position and left in TRIP. The level switches for the train are then isolated from the RWST at the isolation valve in the safeguard building. A pressure test signal is injected to simulate level in the RWST above the reset point of the switch. The breaker is then closed and the test pressure is slowly decreased until the trip point is reached. Breaker indicating lights, annunciators, and computer points in the control room are verified to indicate the breaker tripped/empty condition and that the quench spray pump discharge valve goes shut.
* In the second method, the quench spray pump for the train in test is manually started. Test pressure is then varied and indications are verified as stated above.
Verification that the test pressure connections have been removed and manifold valves have been reopened is accomplished by the use of alarms, valve position lights, and administrative procedures.
Testing and inspections of the containment heat removal and depressurization systems are described in Section 6.2.2.4.
 
The initiation signals for the containment isolation system are a part of the engineered safety features actuation system. Penetration types and containment isolation valve arrangements are described in detail in Section 6.2.4.
The safety function of the containment isolation system is to isolate automatically appropriate lines penetrating the containment structure in order to limit the uncontrolled release of radioactive materials to the environment, following an accident.
Analysis
: a.      IEEE Standard 279-1971, Paragraph 4.2:
Containment isolation valves are located inside and outside of the containment structure, ensuring containment integrity. The containment isolation system provides two barriers between the atmosphere outside the containment structure and 1) the atmosphere inside the containment structure, 2) the reactor coolant system, and 3) the systems connected to Items 1 or 2 as a result of or subsequent to a DBA signal provided by safety injection, containment isolation Phase A (CIA), containment isolation Phase B (CIB), feedwater isolation (FWI), or steam line isolation (SLI).
These signals open or close containment structure penetrations for ESF systems which function to mitigate the consequences of an accident.
Containment isolation valves are actuated by electrically powered solenoid valves, by solenoid-operated air pilot valves or by motor operators. Valves controlled by electrically powered solenoid valves or solenoid-operated air pilot valves are designed to fail in the closed position upon loss of power or instrument air.
Operators for motor-operated valves are designed for fast closure so as to ensure containment isolation in the shortest possible time. Motor-operated valves fail in the as is position. Torque and limit switches ensure proper valve setting.
: b.      IEEE Standard 279-1971, Paragraph 4.4:
Equipment qualifications are discussed in Sections 3.10 and 3.11.
: c.      IEEE Standard 279-1971, Paragraph 4.13:
A containment isolation Phase A bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):
* Reactor coolant pump seal water return valve - loss of power or circuit breaker open or motor thermal overload.
* Loss of AC power to auxiliary relay control circuit.
* Manual bypass push button depressed.
* Containment atmosphere monitoring discharge isolation valve - loss of power or circuit breaker open, or thermal overload (Train B only).
A containment isolation Phase B bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):
* Reactor plant component cooling isolation valves - loss of power or circuit breaker open or motor thermal overload.
* Manual bypass push button depressed.
: d. IEEE Standard 279-1971, Paragraph 4.16:
Any automatic containment isolation action, once initiated, will go to completion.
The return to normal operating conditions requires deliberate operator action.
Consistent with IE Bulletin 80-06 which allows actions other than modification or design change to ensure safety related equipment remains in its emergency mode upon reset of an ESF signal, procedural steps are prescribed to ensure the main steam pressure relieving valves remain closed upon SLI reset.
: e. IEEE Standard 279-1971, Paragraph 4.17:
The operator has the means for manual initiation of the containment isolation system independent of automatic actuation. Manual controls and visual indication for the containment isolation valves are described in Sections 7.5 and 6.2.4.
: f. IEEE Standard 279-1971, Paragraph 4.10:
Containment isolation valves are tested to ensure they are capable of closing by operating manual switches in the control room and by observing the position lights. Periodic testing during normal operation is performed on all containment isolation valves except those where the test would interrupt or upset normal operation. Testing of these valves is performed during refueling shutdowns.
Refer to Section 6.2.4.4 for testing and inspection procedures of containment isolation valves in various systems. Table 6.2-65 lists design, operating, and functional parameters of all containment isolation valves.
The design bases for the controls of the containment isolation system are:
 
of the containment isolation valve controls from affecting the controls of the redundant valve.
: 2.      The controls of the containment isolation system are designed to withstand seismic loads and to operate in adverse environmental conditions in accordance with requirements described in Sections 3.10 and 3.11, respectively.
Status lights monitoring the status of containment isolation valves enable the operator, during emergency conditions, to make sure all isolation valves are in the required position, or to take corrective action if necessary.
Combustible Gas Control System in Containment (HCS)
The combustible gas control system is described in Section 6.2.5 and its piping and instrumentation diagram is shown on Figure 6.2-36.
The hydrogen recombiner system, though currently installed, is not used to provide any mitigating function. The hydrogen recombiner system, associated controls, alarms (including Regulatory Guide 1.47 bypass alarms) and ventilation dampers have been isolated awaiting abandonment. The system discussion describes the system as originally installed and operated.
Each of the redundant trains in the hydrogen recombiner system is completely instrumented to ensure the system performs its function following any single failure. Because the hydrogen recombiner is connected to safety related electrical busses, the hydrogen recombiners are safety-related.
A hydrogen analyzer is permanently installed in each train to provide the capability of analyzing hydrogen content in the gas being drawn from the containment atmosphere.
Once the hydrogen burn-off process has started, a temperature controller maintains the recombiner chamber temperature at approximately 1,300°F. Flow, temperature, and pressure indication is provided at each hydrogen recombiner blower discharge. Temperature indication is provided at the discharge of each electric preheater and a pressure indicator is provided at the discharge of each hydrogen recombiner.
Each set of instrumentation and controls requiring electric power is supplied from an independent source. 120 VAC power is supplied from the 120 VAC vital buses and 125 VDC power from the VDC buses.
Analysis
: a.      Deleted:
 
Equipment qualifications are discussed in Sections 3.10 and 3.11.
: c.      IEEE Standard 279-1971, Paragraph 4.13:
A DBA hydrogen recombiner system bypassed annunciator is alarmed in the control room whenever any of the following conditions exists (Train A or B):
* Recombiner building inlet and outlet ventilation damper loss of control power.
(Auxiliary power circuits associated with the inlet and outlet ventilation dampers do not provide input to bypass annunciator.)
* Manual bypass push button depressed.
: d.      IEEE Standard 279-1971, Paragraph 4.16:
The DBA hydrogen recombiner system is manually initiated and monitored locally in the hydrogen recombiner building. After the initial heatup of the system, the system operates automatically with common alarms located in the control room to alert the operator of a malfunction.
: e.      IEEE Standard 279-1971, Paragraph 4.17:
The DBA hydrogen recombiner system operating parameters are monitored, indicated, and controlled locally. In addition, recombiner bypassed and common trouble alarms are annunciated in the control room. Indicators and a recorder (Channel A only) for hydrogen gas concentration are located on the main control boards. The system bypass push button and loss of control power to the system cubicle ventilation dampers are monitored by the plant computer.
: f.      IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:
The hydrogen analyzer is tested, by injecting sample gases, to verify zero and span calibration.
Supplementary Leak Collection and Release System
The supplementary leak collection and release system (SLCRS) is described in Section 6.2.3; its diagram is shown on Figure 9.4-2.
The SLCRS consists of two exhaust fans, each supplied from a separate emergency bus, two filter banks, and the associated ductwork and dampers.
 
elevation within 120 seconds upon receipt of an SIS or when manually started.
Following a LOCA, the SIS signal 1) opens the SLCRS Train A and B filter bank inlet and 2) starts the SLCRS Train A and B exhaust fans.
High differential pressure across the roughing filter, high efficiency particulate air (HEPA) filter, carbon absorber, and HEPA filter of each filter bank is alarmed in the control room.
The filtered exhaust is monitored for radiation (Section 11.5) prior to discharge to atmosphere via the Millstone 1 stack.
Analysis
: a. IEEE Standard 279-1971, Paragraph 4.2:
The supplementary leak collection and release system is divided into two separate, redundant mechanical and electrical trains. This dual train concept provides sufficient redundancy to prevent a single failure from impairing the system capability to maintain a negative pressure of greater than or equal to 0.4 inch water gauge at the 24 foot 6 inch elevation within 120 seconds.
: b. IEEE Standard 279-1971, Paragraph 4.4:
Equipment qualifications are discussed in Sections 3.10 and 3.11.
: c. IEEE Standard 279-1971, Paragraph 4.13:
The SLCRS bypassed annunciator is alarmed in the control room whenever any of the following conditions exists (Train A or B):
* SLCRS fan control switch in pull to lock position.
* SLCRS fan loss of power or circuit breaker open.
* Manual bypass push button depressed.
* Reactor plant component cooling pump cubicle ventilation system bypass.
* Auxiliary Building filter system exhaust fan control switch in pull to lock, or circuit breakers open, or loss of control power.
* Auxiliary Building filter system exhaust fan damper circuit breaker open, or loss of control power.
 
Once an SIS is received, the SLCRS exhausts, creates, and maintains a partial vacuum of greater than or equal to 0.4 inch water gauge at the 24 foot 6 inch elevation within 120 seconds. Deliberate operator action is required to release the SLCRS from maintaining this vacuum.
: e.      IEEE Standard 279-1971, Paragraph 4.10:
The SLCRS is periodically tested in accordance with the Technical Specifications.
Fans, air operated dampers, and controls for the supplementary leak collection system are tested by automatically starting on a simulated SIS signal and allowing them to reach operating speed with all dampers in the operating position before being shut down.
Auxiliary Feedwater System
The auxiliary feedwater system, except for ESFAS initiation signals, is described in Section 10.4.9. The safety related portions of the auxiliary feedwater system are shown on Figure 10.4-6.
A turbine-driven auxiliary feedwater pump and two motor-driven pumps are provided. Each motor-driven pump has half the capacity of the turbine-driven pump. Power is supplied to the motor-driven pumps from separate emergency buses. Steam supply to the turbine-driven pump is shown on Figure 10.3-1. A branch line from three main steam lines (A, B, D) is connected into a common header to supply steam to the turbine. A normally closed air-operated valve is installed in each branch line (A, B, D). Each air-operated valve is controlled by two solenoid-operated valves connected in series in the air supply line. The solenoid-operated valves are supplied power from separate emergency 125 VDC buses. Loss of DC power to either solenoid-operated valve vents air to open the associated air-operated valve. A motor-operated stop check valve is installed in each line. These valves are normally in the open position. Power for each of the motor-operated check valves is supplied from an emergency bus.
During normal operation, the operability of all valves in the auxiliary feedwater system is verified by remote manual action. The three air-operated valves are exercised similarly by isolating the steam supply to the turbine-driven auxiliary feedwater pump by closing the motor-operated stop check valves in the steam lines.
In the auxiliary feedwater system, the motor-driven pumps are started automatically by the following signals: (These signals also close the blowdown isolation and sample line valves for all steam generators.)
Safety injection or containment depressurization (from the Emergency Generator Load sequencer).
 
AMSAC actuation signal (from AMSAC system).
Emergency bus loss of power (LOP signal).
The motor-driven pumps are also started manually.
Starting the turbine-driven pump is initiated automatically by:
Two out of four (2/4) low-low level in two or more steam generators (from solid state protection system).
Emergency DC bus loss of power (not actually an initiation signal but, rather, a failure mode of the solenoid valves for the turbine-driven auxiliary feedwater pump steam supply valves).
AMSAC actuation signal (from AMSAC system).
The turbine-driven pump is also started manually.
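The start conditions listed above can be modelled as coincidence logic with a fail-open steam supply valve. This is an added example, not part of the Safety Analysis Report or the plant logic; the steam generator labels, the treatment of a start demand as de-energizing the solenoids, and the any-steam-generator low-low start for the motor-driven pumps (taken from the AUTO start wording later in this section, since that list entry is missing here) are assumptions.

```python
from dataclasses import dataclass, field

SG_IDS = ("A", "B", "C", "D")  # assumed labels for the four steam generators


def two_of_four(channels):
    """2/4 coincidence: satisfied when at least two of four channels are tripped."""
    if len(channels) != 4:
        raise ValueError("expected exactly four level channels")
    return sum(bool(c) for c in channels) >= 2


@dataclass
class PlantSignals:
    """One scan of the inputs named in the text (True = signal present)."""
    sis: bool = False          # safety injection (via the load sequencer)
    cda: bool = False          # containment depressurization (via the sequencer)
    amsac: bool = False        # AMSAC actuation signal
    lop: bool = False          # emergency bus loss of power
    dc_bus_1_ok: bool = True   # emergency 125 VDC bus feeding the first solenoid
    dc_bus_2_ok: bool = True   # emergency 125 VDC bus feeding the second solenoid
    # Low-low level bistables, four channels per steam generator.
    sg_lowlow: dict = field(
        default_factory=lambda: {sg: [False] * 4 for sg in SG_IDS})


def sgs_in_lowlow(sig):
    """Steam generators whose 2/4 low-low level coincidence is satisfied."""
    return [sg for sg in SG_IDS if two_of_four(sig.sg_lowlow[sg])]


def motor_driven_start(sig):
    """Automatic start demand for the motor-driven pumps.

    The low-low level term (any one steam generator) is an assumption taken
    from the AUTO start description elsewhere in the section.
    """
    return (sig.sis or sig.cda or sig.amsac or sig.lop
            or len(sgs_in_lowlow(sig)) >= 1)


def steam_supply_valve_open(sig, start_demand):
    """Air-operated steam supply valve to the turbine-driven pump.

    Two solenoid valves in series hold air on the normally closed valve.
    Loss of DC power to either one vents the air and the valve opens.
    Assumption: a start demand de-energizes both solenoids.
    """
    solenoid_1_energized = sig.dc_bus_1_ok and not start_demand
    solenoid_2_energized = sig.dc_bus_2_ok and not start_demand
    return not (solenoid_1_energized and solenoid_2_energized)


def turbine_driven_start(sig):
    """Turbine-driven pump receives steam on a demand or on DC bus loss."""
    demand = sig.amsac or len(sgs_in_lowlow(sig)) >= 2
    return steam_supply_valve_open(sig, demand)


def evaluate(sig):
    """Summarize both pump types for one scan of inputs."""
    return {
        "sgs_in_lowlow": sgs_in_lowlow(sig),
        "motor_driven_start": motor_driven_start(sig),
        "turbine_driven_start": turbine_driven_start(sig),
    }


if __name__ == "__main__":
    # Constructed scenario: low-low level coincidence in one steam generator only.
    scan = PlantSignals()
    scan.sg_lowlow["B"] = [True, False, True, False]
    print(evaluate(scan))
```

The model makes the asymmetry visible: a single steam generator at low-low level starts the motor-driven pumps only, while loss of either DC bus admits steam to the turbine without any start signal.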
Indication and controls required for the auxiliary feedwater system in the event of inaccessibility of the control room are provided on the auxiliary shutdown panel described in Section 7.4.
Instrumentation required for post-accident monitoring is described in Section 7.5. The solenoid-operated modulating valves in the auxiliary feedwater supply line to each steam generator are manually-operated from the main control board or from the auxiliary shutdown panel.
The motor-operated valves in the auxiliary feedwater lines from the motor-driven auxiliary feedwater pumps discharge are manually operated from the main control board or from the auxiliary shutdown panel. The valves associated with any one auxiliary feedwater line are powered from different emergency buses. The valves are normally open so that loss of power to an emergency bus does not prevent the isolation or control of auxiliary feedwater to a steam generator. An air-operated valve is provided for each motor-driven steam generator auxiliary feedwater pump, and a hand control valve is provided for the turbine-driven auxiliary feedwater pump between the pump suction and the condensate storage tank to allow pump suction to be taken from the tank. The condensate storage tank suction valves for the motor-driven pumps can be operated from the main control board or from the auxiliary shutdown panel, or close automatically on receipt of an SIS, CDA, auxiliary feedwater pump AUTO start (any steam generator 2/4 low-low level), AMSAC, or LOP signal. The condensate storage tank suction valve for the turbine-driven auxiliary feedwater pump is administratively locked closed. These valves are normally closed, and the air-operated valves fail closed on loss of control air or electric power.
Steam generator auxiliary feedwater pump suction and discharge pressure is indicated in the control room and monitored by the plant computer. Flow in each steam generator auxiliary feedwater supply line is indicated by flow indicators in the control room and on the auxiliary
 
facilitate safe shutdown from shutdown locations following a fire as described in Section 6.2.11 of the Fire Protection Evaluation Report.)
The correct operation of the auxiliary feedwater system is verified in conjunction with the steam generator auxiliary feedwater pump test described in Section 10.4.9.4. The steam generator auxiliary feedwater pumps are operated during this test. Testing of actuated devices and associated control is performed periodically to ensure reliability and performance.
Redundant demineralized water storage tank (DWST) level transmitters with redundant level indicators are provided on the main control board and on the auxiliary shutdown panel. Level is recorded for one channel and the other channel provides high, low, and low-low level annunciation on the main control board.
The DWST temperature is maintained above a minimum temperature automatically by a demineralized water storage tank electric heater and circulating pump. Low temperature is alarmed on the main control board.
Bypass indication is provided in the control room and is isolated such that it does not degrade the protection function of the auxiliary feedwater system.
Analysis
: a.      IEEE Standard 279-1971, Paragraph 4.2:
There are two motor-driven auxiliary feedwater pumps with power supplied from separate emergency buses. The motor-driven pumps each supply auxiliary feedwater to two steam generators.
A turbine-driven auxiliary feedwater pump supplies auxiliary feedwater to all four steam generators. The turbine is supplied steam from three separate steam generators (3RCS*SG1A, B, or D). Each steam supply line to the auxiliary feed pump turbine has an air-operated valve normally closed and a motor-operated valve normally open. Each air-operated valve has two solenoid valves, each supplied power from separate emergency DC buses. Loss of power to either solenoid valve vents air from the associated air-operated valve and causes it to open. Two of the normally open motor-operated valves are powered from the Train A emergency bus and the other is powered from the Train B emergency bus. No single failure at the system level will prevent the auxiliary feedwater pumps from supplying auxiliary feedwater to the steam generators.
Each auxiliary feedwater line from a motor-driven pump has a normally open solenoid valve that fails open and a motor-operated valve normally open that fails as is on loss of power. The valves are powered from separate emergency buses; the motor-operated valve is powered from the opposite electrical train as the motor-
 
Each auxiliary feedwater line from the turbine-driven pump has two normally open solenoid valves that fail open. The valves are powered from separate emergency buses. No single failure will prevent the control of auxiliary feedwater flow to a steam generator.
Each auxiliary feedwater line to a steam generator has a Train A and a Train B feedwater flow transmitter that is powered from separate power supplies. One auxiliary feedwater flow transmitter has an associated main control room indicator and the other displays on plant computer. Two Train A and two Train B auxiliary feedwater flow indicators, one for each steam generator, are on the main control board and on the auxiliary shutdown panel. No single failure will prevent at least two auxiliary feedwater flow indicators from indicating at the main control board and at the auxiliary shutdown panels. There is a Train A and Train B steam generator level indicator for each steam generator on the main control board and at the auxiliary shutdown panel that can be used as backup indication for the flow indicators.
There are two trains of DWST level indicators on the main control board and at the auxiliary shutdown panel. The Train A level is recorded on the main control board.
The trains are powered from separate buses. No single failure will prevent DWST level indication on the main control board or at the auxiliary shutdown panel.
No single failure at the system level will prevent auxiliary feedwater from being supplied to the steam generators.
: b. IEEE Standard 279-1971, Paragraph 4.4:
Equipment qualifications are discussed in Sections 3.10 and 3.11.
: c. IEEE Standard 279-1971, Paragraph 4.13:
The motor-driven auxiliary feedwater system bypass (Train A) annunciator is alarmed in the control room whenever any of the following conditions exist:
* Any auxiliary feedwater control or isolation valve for motor-driven pumps not fully open.
* Auxiliary feedwater pump ventilation system bypassed.
* Either feed pump motor loss of control power or breaker racked out.
* Either pump motor control switch in pull to lock position.
 
The auxiliary turbine-driven feed pump bypass (Train B) annunciator is alarmed in the control room whenever any of the following conditions exist:
* Any auxiliary feedwater control or isolation valve for turbine-driven pump not fully open.
* 3MSS*MOV17A, B, or D not fully open.
* Auxiliary feedwater pump ventilation system bypassed.
* Turbine-driven auxiliary feedwater pump trip and throttle valve not fully open.
* Manual bypass push button depressed.
: d. IEEE Standard 279-1971, Paragraph 4.16:
Once an auxiliary feedwater pump start signal is received, the auxiliary feedwater pumps go to completion and run. Deliberate operator action must be taken to stop an auxiliary feedwater pump. The AUTO start signal must be cleared and the pumps stopped by manual controls. An exception is that the motor-driven pumps are stopped automatically by low lube oil pressure, and electrical protection trips; the Train A motor-driven pump is isolated from AUTO start and sequencer signals when in LOCAL control to facilitate safe shutdown from a remote shutdown location following a fire as described in Section 6.2.11 of the Fire Protection Evaluation Report. The turbine-driven auxiliary feedwater pump is stopped automatically by overspeed protection.
: e. IEEE Standard 279-1971, Paragraph 4.17:
The motor-driven auxiliary feedwater pumps have manual controls on the main control board and at the switchgear. REMOTE/LOCAL control transfer switches at the switchgear are alarmed in the control room when LOCAL is selected.
The turbine-driven auxiliary feedwater pump steam supply valves have manual controls on the main control board and at the auxiliary shutdown panel. REMOTE/LOCAL control transfer switches on the transfer switch panels are alarmed in the control room when LOCAL is selected.
The turbine-driven auxiliary feedwater pump speed changer has manual controls on the main control board and local to the pump. REMOTE/LOCAL control transfer switch on the local control panel is alarmed in the control room when remote is selected.
 
transfer switches on the transfer switch panels are alarmed in the control room when LOCAL is selected.
: f.      IEEE Standard 279-1971, Paragraph 4.10:
One motor-driven auxiliary feedwater pump at a time is taken out of service and periodically tested in accordance with the Technical Specifications.
This testing will consist of manually starting the pump during normal surveillance of the system or the breaker for the pump will be in the test position. Once the pump is running or the breaker is in the test position, the AUTO start and tripping is verified using the emergency generator load sequencer with safety signals generated internally or externally to the sequencer.
Refer to Section 10.4.9.4 for testing of turbine-driven auxiliary feedwater pump.
The auxiliary feedwater control and isolation valves are periodically tested in accordance with the Technical Specifications. The valves are operated manually with controls on the main control board and at the auxiliary shutdown panel.
The steam supply valves for the turbine-driven pump are periodically tested in accordance with the Technical Specifications.
: g.      IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:
The DWST level transmitters and auxiliary feedwater flow transmitters are periodically tested in accordance with the Technical Specifications.
ESF Filtration System
The ESF filtration system consists of the auxiliary building filter system (ABFS) which is described in Section 9.4.2 and its flow diagram is shown on Figure 9.4-2.
The ABFS consists of two ABFS exhaust fans, each supplied from a separate emergency bus, two n filter banks, and the associated ductwork and dampers.
The following areas are exhausted by the ABFS:
Waste disposal building
Auxiliary building
Containment purge air system
 
Exhaust from the areas can be directed through the auxiliary building filters or bypassed to atmosphere. Both paths of exhaust are provided with redundant air-operated dampers with solenoid pilot valves, with the exception of the filter inlet from the charging pump and component cooling water pump area. The redundant dampers are in series and fail closed on loss of power or filter inlet dampers from the charging pump and component cooling water area are in parallel one is fixed full open, the other fixed closed. Normally, the exhaust from the areas is bypassed to the atmosphere. However, the exhaust from any or all of the areas can be manually directed through the filters. On receipt of a SIS, LOP, or CDA signal, the normal exhaust dampers from the charging pump and component cooling water pump area close automatically. All other inlet dampers and filter bypass to atmosphere dampers are closed on receipt of a SIS, LOP, or CDA, or manual operation, the Train A filter inlet and exhaust fan discharge dampers open and start the Train A filter exhaust fan. Train B is then on standby. The safeguard signal is initiated by a SIS or CDA signal. During LOP, the exhaust fans are sequenced in accordance with the emergency generator load sequence. The standby filter train is started automatically on a high plenum pressure signal from the operating train.
During refueling and in the event of high radiation from one of the areas exhausted by the ABFS, exhaust flows are manually diverted to the auxiliary building filter bank.
The fuel building filter banks are normally bypassed by the unfiltered exhaust fan. During refueling and in the event of high radiation, the fuel building exhaust is manually diverted to the fuel building filter bank. Either Train A or Train B is operated with the other train in standby.
The auxiliary building and fuel building filter banks have manual controls located on the main heating and ventilation panel in the control room and at the switchgear. REMOTE/LOCAL control selector switches are provided at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected.
High differential pressure across the prefilter, carbon absorber, and/or HEPA filter of each filter bank is alarmed in the control room.
Analysis
: a.      IEEE Standard 279-1971, Paragraph 4.2:
There are two redundant ESF filtration Trains (A and B). The equipment in Train A is supplied from one emergency bus and Train B equipment is supplied from a separate emergency bus. No single failure at the system level will prevent the ESF filtration system from filtering the air system during an accident.
 
Equipment qualifications are discussed in Sections 3.10 and 3.11.
: c.      IEEE Standard 279-1971, Paragraph 4.13:
A charging pump high pressure safety injection system bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):
* Auxiliary building filter system fan in pull to lock position.
* Auxiliary building filter system fan loss of control power or breaker racked out.
* Auxiliary building filter system fan outlet damper loss of power or circuit breaker open.
: d.      IEEE Standard 279-1971, Paragraph 4.16:
Once initiated by a safety signal, the ESF filtration system will go to completion.
Return to normal operation requires deliberate operator action by resetting safety signals and using manual controls.
: e.      IEEE Standard 279-1971, Paragraph 4.17:
The auxiliary building and fuel building filter banks have manual controls located on the main heating and ventilation panel in the control room and at the switchgear. REMOTE/LOCAL control selector switches are provided at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected.
: f.      IEEE Standard 279-1971, Paragraph 4.10:
The ESF filtration system is periodically tested in accordance with the Technical Specifications.
Essential Auxiliary Support Systems
Auxiliary support systems that are required to function upon initiation of ESFAS are listed in Table 7.3-10. A summary description of these systems is provided in this section. Additional details can be found in the referenced sections.
 
The service water system is described in Section 9.2.1 and its flow diagram is shown on Figure 9.2-1. For the purpose of instrumentation and control application, a recapitulation of the system design follows.
Two service water headers, each supplied by two service water pumps, are provided. The power for the two-train design is supplied from two separate emergency buses as shown on Figure 8.1-1.
Either of the two redundant service water system trains has the capability to supply sufficient quantities of cooling water to the required equipment for safe shutdown. For the emergency mode of operation, the supply lines to the nonsafety related equipment are isolated by automatic closure of isolation valves. A LOP, CDA, or service water low header pressure signal automatically closes isolation valves in the supply line to the turbine plant component cooling heat exchangers. A LOP or CDA signal automatically closes isolation valves in the supply lines to the circulating water pumps lube water. In addition to those closed on a LOP or CDA signal, the CDA signal automatically closes the isolation valves in the supply lines to the reactor plant component cooling heat exchangers and automatically opens supply valves to the containment recirculation coolers. A LOP, SIS, or CDA signal causes automatic opening of the air-operated valves in the outlet lines from the diesel engine coolers. A LOP signal starts service water booster pumps that supply the MCC and rod control area air-conditioning units.
Continuous radiation monitoring is provided in the service water discharge headers (Section 11.5). Following a DBA, continuous radiation monitoring (Section 11.5) is provided in the discharge of each train of containment recirculation coolers. Each containment recirculation cooler has a remotely operated valve in its supply and discharge line. On a high radiation alarm, the operator can isolate the affected containment recirculation cooler train.
Control switches and indicating lights for the service water pump motors are provided on the main control board and at the switchgear. REMOTE/LOCAL control selector switches and LEAD/FOLLOW pump selector switches are located at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected. One service water pump in each train is started manually. The standby pump is started automatically by a pressure switch detecting discharge pressure in the associated header. The action of these pressure switches is blocked by a LOP signal.
The service water pumps are operated in the following manner under the indicated accident conditions:
: 1. LOCA with off site power available. All pumps that are operating prior to the accident continue to operate.
: 2. LOCA coincident with loss of off site power. Two pumps, one on each emergency bus, start automatically in accordance with the emergency generator loading sequence. Should one of the two service water pumps fail to start, the redundant pump on the same emergency bus starts automatically after a time delay.
 
The service water system is also a cooling source for the control building chilled water system.
Master and slave valves in the chiller condenser outlet line and a temperature element/controller in the booster pump discharge line provide temperature control for the chilled water system condenser by means of a controlled bypass from the slave valve to the booster pump suction.
The control building chilled water system service water booster pumps are interlocked to start and stop with the associated control building chilled water pump. Pressure in the service water headers is indicated in the control room. For reliability purposes, correct operation of the pressure measuring loop in the service water header is verified by valving the pressure transmitter out of service and applying a simulated signal. Similarly, the header low pressure annunciation is also verified during normal operation. These tests verify correct operation of the loops and of the indications provided in the control room.
Service water discharge flow indicators and high/low flow annunciators are provided on the main control board for the containment recirculation coolers and reactor plant component cooling heat exchangers. High/low service water outlet flow annunciators are provided on the main control board for the diesel engine jacket water coolers. Correct operation of flow measuring loops is verified by valving the flow transmitter or switch out of service and applying a simulated signal.
The operability of the service water system controls and indications common for both normal and emergency mode of operation is verified by their normal use. Instrumentation provided for the containment recirculation coolers is tested in conjunction with the containment recirculation system test.
Bypass indication is provided in the control room for the service water system.
Analysis
: a.      IEEE Standard 279-1971, Paragraph 4.2:
There are two redundant service water trains (A and B) and there are two service water pumps in each train. Normally one pump in each train is running with the other in standby. The pumps in Train A are supplied from one emergency bus and Train B pumps are supplied from a separate emergency bus. No single failure at the system level will prevent the service water pumps from supplying service water.
: b.      IEEE Standard 279-1971, Paragraph 4.4:
Equipment qualifications are discussed in Sections 3.10 and 3.11.
 
A bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):
* Service water pump loss of control power or breaker racked out or control switch in pull to lock and the other pump in the same train with loss of control power or breaker racked out or control switch in pull to lock.
* Service water pump area air conditioning unit circuit breaker open or loss of control power.
* Service water pump area air conditioning unit control switch in pull to lock.
* Manual bypass push button depressed.
: d.      IEEE Standard 279-1971, Paragraph 4.16:
Once a safety signal is initiated, the lead service water pump in each Train (A and B) will start. In the event that the lead pump does not start, the follow pump will start one-half second later. To stop a running service water pump requires deliberate operator action; the safety signals must be reset and manual controls used to stop the pump.
: e.      IEEE Standard 279-1971, Paragraph 4.17:
The service water pumps have manual controls located on the main control board and at the switchgear. REMOTE/LOCAL control selector switches at the switchgear are alarmed in the control room when LOCAL control is selected.
: f.      IEEE Standard 279-1971, Paragraph 4.10:
The service water system is periodically tested in accordance with the Technical Specifications.
This testing will consist of manually starting the pump during normal surveillance of the system or the breaker for the pump will be in the test position. Once the pump is running or the breaker is in the test position, the AUTO start and tripping is verified using the emergency generator load sequencer with safety signals generated internally or externally to the sequencer.
Reactor Plant Component Cooling Water System
The reactor plant component cooling water system design is described in Section 9.2.2.1 and the diagram is shown on Figure 9.2-2.
 
provided at the switchgear; an annunciator is alarmed in the control room when LOCAL control is selected. Normally, two pumps are operating with the third pump on stand-by in Train B. Three pump motor breakers are supplied for four breaker cubicles, two for each train. The pumps for Trains A and B are normally racked into their respective cubicles, with the third pump breaker racked into its Train B cubicle. The third pump may be operated on Train A by first racking its breaker out of Train B and then racking it into the Train A cubicle. An electrical interlock prevents simultaneous operation of two pumps on the same train. A keylock switch is provided which allows the third pump to operate on one train or the other, but not on both at once.
Motor overcurrent and auto trip are alarmed in the control room. Status lights and bypass indication are provided in the control room. Power to Trains A and B reactor plant component cooling water pump motors is supplied from separate emergency buses.
The reactor plant component cooling pumps are started automatically by an SIS or LOP signal.
The pumps are sequenced on by the emergency generator load sequencer when an LOP signal exists.
Redundant level switches located on the surge tank for the reactor plant component cooling water system are set to detect a sudden drop in reactor plant component cooling water system surge tank level, which would result from a rupture of nonsafety-related system piping. These level switches automatically close isolation valves, thus isolating the system's safety-related portions from the nonsafety-related.
The supply lines to reactor plant component cooling water users, both safety related and nonsafety related, are provided with flow indicators and high flow alarms in the control room. Flow is led by the plant computer. Remote temperature indicators are provided in the suction lines of each reactor plant component cooling pump. Each compartment of the reactor plant component cooling water surge tank is provided with a level sensing instrument. The makeup to the surge tank is automatically controlled by level in the compartment. The level in each compartment is indicated, and low and high level extremes are alarmed in the control room.
A radiation monitor is utilized to monitor Train A or Train B outlet from the reactor plant component cooling water heat exchangers. Indication and alarm are provided locally; and indication, recording, and alarm are provided in the control room (Section 11.5).
The containment isolation valves in the reactor plant component cooling water lines serving the equipment inside the containment structure are closed automatically on receipt of a CIB signal.
Trains A and B cross-connect valves inside the containment are closed automatically on receipt of a SIS or surge tank low level signal.
Following a LOP or CIA signal, the cooling water source for the nonsafety-related components inside the containment structure is automatically transferred from the chilled water system to the reactor plant component cooling water system.
 
ms are provided on the main control board.
Analysis of Reactor Plant Component Cooling Water System
Analysis
: a. IEEE Standard 279-1971, Paragraph 4.2:
The reactor plant component cooling water system is divided into two separate, redundant mechanical and electrical trains. The system can be cross-connected; the cross-connect valves are closed automatically by an SIS supplied or surge tank low-level signal. The cross-connect valves are air-operated and fail close on loss of air or loss of power to the associated solenoid valve. No single failure at the system level will prevent the system from supplying reactor plant component cooling water for at least one train.
: b. IEEE Standard 279-1971, Paragraph 4.4:
Equipment qualifications are discussed in Sections 3.10 and 3.11.
: c. IEEE Standard 279-1971, Paragraph 4.13:
A reactor plant component cooling system bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):
* Reactor plant component cooling pump (A or B) control switch in pull to lock or circuit breaker racked out or loss of control power and reactor plant component cooling pump (C) control switch in pull to lock or circuit breaker racked out or loss of control power.
* Containment isolation valve not fully open.
* Service water system bypassed.
* Reactor plant component cooling heat exchanger service water supply valve not fully open.
* Manual bypass push button depressed.
* Reactor plant component cooling pump area vent system bypass.
 
Once an SIS is received, the reactor plant component cooling pumps are started automatically. When a LOP exists, the pumps are automatically started by the emergency generator load sequencer. Deliberate operator action must be taken to stop a pump. The SIS and LOP must be reset and manual control used to stop a pump.
The containment air recirculation cooling coil supply and return valves are opened automatically by a LOP or CIA signal. The LOP and CIA must be reset to close the valves manually. The valves close automatically on reactor plant component cooling water surge tank low-level. The surge tank low-level signal must be cleared and the CLOSE/AUTO push button depressed before the valves can be opened automatically or manually.
The nonsafety header supply and return isolation valves close automatically on receipt of a CIA or reactor plant component cooling surge tank low-level signal.
The CIA must be reset and the surge tank low-level signal cleared and manual controls used to open the valves.
The reactor plant component cooling cross-connect valves close automatically on receipt of a SIS or reactor plant component cooling surge tank low-level signal.
The SIS must be reset and the surge tank low-level signal cleared and manual controls used to open the valves.
The containment isolation valves close automatically on receipt of a CIB signal.
The CIB signal must be reset and manual controls used to open the valves.
The reactor plant component cooling heat exchanger service water supply valves close automatically on receipt of a CDA signal. The CDA signal must be reset and manual controls used to open the valves.
: e. IEEE Standard 279-1971, Paragraph 4.10:
The reactor plant component cooling system is periodically tested in accordance with the Technical Specifications.
: f. IEEE Standard 279-1971, Paragraph 4.17:
Controls and indicators are provided in the control room for manual operation of the reactor plant component cooling water system. REMOTE/LOCAL control selector switches are provided for the reactor plant component cooling water pumps outside the control room at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected.
 
Description of instrumentation and controls is provided in Section 9.4.1.5.
Electrical
Description of the onsite electrical system is found in FSAR Sections 8.1.4, 8.1.5 and 8.3.
Emergency Generator Load Sequencer
The emergency generator loading sequencer (EGLS) is a solid-state digital system which provides relay contact outputs to shed loads, block manual starts, and sequentially load the plant emergency AC buses during emergency conditions. The system is composed of two cabinets, one each for Train A and Train B. The primary purpose of the EGLS is to automatically control the loading of the emergency AC buses when a loss of offsite power has occurred and the buses are being re-energized by the emergency diesel generator.
The EGLS accepts bus undervoltage (BUV), safety injection (SIS), containment depressurization actuation (CDA), recirculation (RECIRC), auxiliary reserve breaker (AR BKR) status, and diesel generator breaker (DG BKR) status input signals in the form of contact closures and will provide a predetermined sequence of outputs.
The EGLS has seven operating modes. Five of these modes are for plant emergency conditions which involve a loss of off site power. The other two are for plant emergency conditions which do not involve a loss of off site power. The modes, in terms of which EGLS inputs are activated, are as follows.
: 1. SIS only
: 2. CDA only or SIS and CDA
: 3. LOP only
: 4. SIS and LOP
: 5. CDA and LOP or SIS and CDA and LOP
: 6. SIS, RECIRC, and LOP
: 7. CDA or SIS and CDA, RECIRC, and LOP
The modes are prioritized such that a CDA mode will always take precedence over a SIS mode when both inputs are present and such that a LOP mode will always take precedence over a non-LOP mode.
 
safety equipment. These signals effectively strip the bus, block closing of the DG BKR for a time period sufficient to strip the bus, and temporarily inhibit the operator from restarting any loads.
This allows the diesel generator time to start, achieve proper voltage and frequency and, via the DG BKR, be connected to the plant safety bus without incurring adverse loading conditions.
Upon receiving a signal confirming that the DG BKR has closed, the EGLS will begin generating time sequenced safeguard signals (SSS) and manual trip block (MTB) signals to plant equipment.
The SSS and MTB signals, once initiated, are maintained until the EGLS is reset or a change in operating mode occurs. The EGLS automatically terminates individual LOP signals associated with the loads being started and terminates the remaining LOP signals and MSB signals automatically, 40 seconds after the DG BKR has closed. Should a SIS or CDA input occur without a LOP, the appropriate SSS and MTB signals are generated immediately without time sequencing, and the LOP and MSB outputs remain reset. Start signals to the containment recirculation pumps are delayed during a CDA only sequence, even if there is no LOP signal.
The MTB signal inhibits the operator from retripping loads once they have been automatically started.
LOP outputs also are generated for plant equipment which does not have an associated EGLS SSS output signal. In some cases, the LOP outputs are terminated at the end of the 40-second period.
In other cases, the LOP outputs are not terminated until the EGLS is manually reset. In some of the cases, the LOP outputs are also generated by a SIS only or CDA only input.
Initiation of the RECIRC and LOP operating modes differs from the other LOP operating modes inasmuch as that during recirculation, the SIS or CDA input must have occurred and been reset prior to the loss of power. Otherwise, even though the RECIRC input is present, the EGLS will respond in a SIS and LOP or CDA and LOP operating mode. Internal memories, which must be manually reset, retain the information necessary to allow the EGLS to differentiate between RECIRC and non-RECIRC operating modes.
Station LOP and sequencer LOP memories, which also must be manually reset, are used to retain information concerning the initial loss of power and re-energization of the bus by the diesel generator. Two memories are employed to prevent the EGLS from responding to transient voltage appearing on the bus during loading. Normally, the EGLS would not respond to a second loss of power if both memories had not been reset, but circuitry in the EGLS provides a subsequent LOP detection window between the sequencer LOP reset and station LOP reset during which the EGLS will respond to a second or subsequent LOP occurring during reset procedures.
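The mode priority and the RECIRC memory behavior described above can be sketched as a small state model. This is an added illustration, not the plant's sequencer logic: the class, field and method names, the NONE state, and the handling of input combinations the text does not describe are assumptions.

```python
"""Simplified model of EGLS operating-mode selection (added illustration).

Assumptions: all names below are hypothetical; the real EGLS is solid-state
logic whose internals are not given in the text. Only the mode choice is
modeled, not load shedding, timing, or the station/sequencer LOP memories.
"""
from dataclasses import dataclass
from enum import IntEnum


class Mode(IntEnum):
    NONE = 0              # no emergency input (not one of the seven modes)
    SIS_ONLY = 1
    CDA = 2               # CDA only, or SIS and CDA
    LOP_ONLY = 3
    SIS_LOP = 4
    CDA_LOP = 5           # CDA and LOP, or SIS and CDA and LOP
    SIS_RECIRC_LOP = 6
    CDA_RECIRC_LOP = 7    # CDA (or SIS and CDA), RECIRC, and LOP


@dataclass
class Inputs:
    sis: bool = False
    cda: bool = False
    lop: bool = False     # loss of power
    recirc: bool = False


class Sequencer:
    """Keeps the internal memories that distinguish RECIRC from non-RECIRC modes."""

    def __init__(self):
        self.manual_reset()

    def manual_reset(self):
        # The text states these memories are cleared only by manual reset.
        self._sis_seen = False
        self._cda_seen = False
        self._sis_reset_before_lop = False
        self._cda_reset_before_lop = False
        self._lop_prev = False

    def evaluate(self, i: Inputs) -> Mode:
        # On the rising edge of LOP, remember whether an earlier SIS/CDA had
        # already occurred AND been reset; only then is a RECIRC mode allowed.
        if i.lop and not self._lop_prev:
            self._sis_reset_before_lop = self._sis_seen and not i.sis
            self._cda_reset_before_lop = self._cda_seen and not i.cda
        self._lop_prev = i.lop
        self._sis_seen = self._sis_seen or i.sis
        self._cda_seen = self._cda_seen or i.cda

        if i.lop:                         # a LOP mode outranks any non-LOP mode
            if i.cda:                     # CDA outranks SIS
                return Mode.CDA_LOP
            if i.sis:
                return Mode.SIS_LOP
            if i.recirc and self._cda_reset_before_lop:
                return Mode.CDA_RECIRC_LOP
            if i.recirc and self._sis_reset_before_lop:
                return Mode.SIS_RECIRC_LOP
            return Mode.LOP_ONLY          # assumption: RECIRC alone adds nothing
        if i.cda:
            return Mode.CDA
        if i.sis:
            return Mode.SIS_ONLY
        return Mode.NONE


def run(steps):
    """Feed a list of Inputs to a fresh Sequencer and return the mode at each step."""
    seq = Sequencer()
    return [seq.evaluate(s) for s in steps]


if __name__ == "__main__":
    # Constructed scenario: SIS occurs, is reset, then power is lost during recirculation.
    for mode in run([Inputs(sis=True), Inputs(recirc=True), Inputs(recirc=True, lop=True)]):
        print(mode.name)
```
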
Analysis
: a.      IEEE Standard 279-1971, Paragraph 4.2:
The emergency generator load sequencers are divided into two separate, redundant mechanical and electrical trains. No single failure at the system level will prevent the system from sequentially loading the plant safety buses during emergency conditions.
 
Equipment qualifications are discussed in Sections 3.10 and 3.11.
: c.      IEEE Standard 279-1971, Paragraph 4.13:
An emergency generator load sequencer bypass annunciator will alarm in the control room whenever any of the following conditions exist (Train A or B):
* System is in manual Test 2.
* Control power not available.
* Manual bypass push button depressed.
: d.      IEEE Standard 279-1971, Paragraph 4.10:
The emergency generator load sequencer is tested periodically in accordance with the Technical Specifications.
The following is a description of the various test modes that will be used to verify the operability of the EGLS.
Auto Test
The auto test circuit (ATC) is an EGLS subsystem that is contained within the sequencer panel.
The ATC is designed to run continuously having approximately 50 separate test states. Each test state is 10 msec in duration with actual testing being performed during the last 1 msec of each state. An exception to this is three test states where the test state timer is interrupted long enough to verify the operability of the normal frequency clocks.
The ATC verifies two basic types of EGLS responses. First, that no outputs occur when no Auto Test Inputs (ATIs) are applied. Second, that the proper outputs occur when ATIs are applied.
Each odd numbered test state is used to verify that the proper output patterns occur when various combinations of ATIs are injected into the front end (input buffers) of the sequencer logic.
Conversely, each even numbered test state verifies that no outputs occur when no ATIs are applied. The even test states also verify that the EGLS was reset following the last odd numbered test state. For each test, the ATC makes the assumption that the sequencer will fail. At the start of each test, a delayed EGLS fault signal is generated. This, in effect, leaves the sequencer with approximately 1 millisecond in which to properly respond in order to reset the fault delay timer. A successful fault delay reset will allow the ATC to begin the next test state. If a fault is detected, the ATC stops testing the EGLS and provides main board annunciation. The ATC display on the EGLS front panel indicates the specific test state where the fault occurred.
: s. These tests will be performed during refueling outages as specified in the Surveillance Frequency Control Program. The loads which are actuated by output relays will be tested during EGLS integrated tests. In addition, if a real plant input is received by the EGLS requiring action, the ATC is automatically faulted to prevent it from interfering with EGLS operation.
In summation, the ATC verifies, on a continuing basis, all critical logic paths in which a failure could prevent the EGLS from performing its complete safety function. The ATC may be used to nd the technical specifications actuation logic test requirements per Technical Specifications, Table 4.3-2.
Auto Test Test
The auto test test panel is supplied with the EGLS system as test equipment that will be used on a quarterly basis to verify the operability of the ATC.
The auto test test panel has the ability to simulate an EGLS failure for ATC operational verification (the ability of the ATC to identify a failure). This is accomplished by creating auto test outputs (ATOs) when they should not occur or by inhibiting ATOs when they should occur.
Every auto test fault circuit can be verified using the auto test test panel.
Manual Test Features
Mode 1
The manual test features provide a means to simulate EGLS inputs and verify response to those inputs. When initiated, Manual Test 1 inhibits all sequencer outputs except MSBs. Each individual load, however, may be selectively unblocked using its associated TEST/INHIBIT switch; i.e., placing the switch into the TEST position. This allows the option of testing the EGLS logic including sequence times or additionally testing selected output relay(s) by actually starting loads. The latter provides the means to satisfy the requirement of periodically testing safety-related loads.
The inputs to the EGLS are provided by front panel push buttons for LOP, SIS, CDA, and RECIRC. These inputs can be applied at any time and in any order during a test to obtain any mode of operation desired. A DG breaker push button is not provided; rather, a simulated DG breaker closure is automatically generated approximately 10 seconds after the LOP push button is pressed.
Testing the EGLS using Manual Test 1 does not remove the sequencer from service. If at any time during testing a real input is received, the EGLS resets itself to normal operation responding to the input signal regardless of the TEST/INHIBIT switch positions.
 
Manual Test 2 is identical to Manual Test 1 except that the EGLS is not reset when a real input signal is received. Rather, the EGLS responds to the input condition taking into account the individual load TEST/INHIBIT switches. Manual Test 2 provides the ability to perform integrated systems testing, inhibiting loads that are not desirable to operate.
EGLS Actuation Timer Test
This test will be performed as specified in the Surveillance Frequency Control Program to verify system operation by actuating the input relays and monitoring the output logic indicating lights for proper response. A calibrated timer and a video camera will be used to record the proper response of all inputs and outputs and the response time for each output logic signal actuated relative to the beginning of the test. The tests that will be included within the EGLS actuation timer test are listed below.
* LOP
* SIS and LOP
* CDA and LOP
* SIS RECIRC and LOP
* CDA RECIRC and LOP
* SIS only
* CDA only
* SIS RECIRC only
* SIS and Reserve Breaker
* CDA and Reserve Breaker
* CDA RECIRC only
* SIS followed by CDA
* LOP followed by CDA
* LOP followed by SIS
* LOP followed by SIS RECIRC
* LOP followed by CDA RECIRC
* SIS and DG breaker without LOP
* SIS followed by LOP
* CDA followed by LOP
* MSB Verification In Manual Test Mode 1, LOP only
* CDA followed by LOP prior to RSS Pumps Start Test
* LOP followed by subsequent LOP during Reset Test
Emergency Generator Fuel Oil System
The emergency generator fuel oil system design and operation are described in Section 9.5.4 and a piping and instrumentation diagram is shown on Figure 9.5-2.
el controls and indicators are tested in conjunction with the diesel engine test described in Section 8.3. The frequency of this test is given in the Technical Specifications.
Emergency Diesel Engine Cooling Water System
The emergency diesel engine cooling water system is described in Section 9.5.5 and its piping and instrumentation flow diagram is shown on Figure 9.5-3.
The instrumentation requirements for the emergency diesel engine cooling water system are described in Section 9.5.5.5.
 
The emergency generator starting air system is described in Section 9.5.6 and its piping and instrumentation diagram is shown on Figure 9.5-3.
The instrumentation requirements for the emergency generator starting air system are described in Section 9.5.6.5.
Emergency Diesel Engine Lubrication System
The emergency diesel engine lubrication system is described in Section 9.5.7 and its piping and instrumentation diagram is shown on Figure 9.5-3.
The instrumentation requirements for the emergency diesel engine lubrication system are described in Section 9.5.7.5.
Emergency Generator Combustion Air Intake and Exhaust System
The emergency generator combustion air intake and exhaust system is described in Section 9.5.8 and its piping and instrumentation diagram is shown on Figure 9.5-3.
The instrumentation requirements for the emergency diesel engine combustion air intake and exhaust system are described in Section 9.5.8.5.
Analysis
Note: Analysis addresses all preceding emergency generator auxiliary systems.
: a.      IEEE Standard 279-1971, Paragraph 4.2:
The emergency generator fuel oil system is divided into two separate, redundant mechanical and electrical trains. This dual train concept provides sufficient redundancy to prevent a single failure from impairing the system's capability to supply fuel oil to at least one of the diesel engines.
Each emergency generator has the following associated systems: emergency diesel generator engine cooling water system, starting air system, engine lubrication system, and combustion air intake and exhaust system. The electrical equipment for these associated systems is supplied from separate emergency buses. Nonsafety related electrical equipment associated with the above systems is either disconnected from the emergency buses automatically by a SIS, CDA, or LOP signal or connected to the emergency buses by two Class 1E circuit breakers in series to prevent degrading the emergency buses. The equipment is not required for emergency generator operation. Each emergency generator and its associated system are completely independent and separate from each other with the exception of the fuel oil system. The ability to cross-connect the A and B train fuel
 
emergency bus.
: b. IEEE Standard 279-1971, Paragraph 4.4:
Equipment qualifications are discussed in Sections 3.10 and 3.11. The following electrical equipment does not perform an active safety function. The equipment is only required to maintain mechanical integrity:
* Emergency generator standby jacket coolant pump and heater.
* Prelube oil filter pump and heater.
* Rocker arm prelube oil pump.
: c. IEEE Standard 279-1971, Paragraph 4.13:
An emergency diesel generator system bypass annunciator is alarmed in the control room whenever any of the following conditions exist:
* Emergency generator breaker racked out or loss of control power.
* Emergency generator air compressor loss of control power or motor thermal overload.
* Emergency generator crankcase vacuum pump loss of control power or motor thermal overload.
* Emergency generator auxiliary fuel oil pump loss of control power or motor thermal overload.
* Remote voltage switch in MANUAL.
* Local voltage mode switch in MANUAL.
* Manual bypass push button depressed.
: d. IEEE Standard 279-1971, Paragraph 4.16:
Once a LOP, SIS, or CDA signal is received, the emergency generator will attempt to start. If engine speed does not reach a specified RPM within 7 seconds, the start signal is blocked and a diesel not ready for AUTO start annunciator will alarm in the control room and at the emergency generator local panel. An emergency diesel reset push button in the control room or at the emergency generator panel must be
: e. IEEE Standard 279-1971, Paragraph 4.10:
SIS, CDA, or LOP signals cause the emergency generator load sequencer to strip certain non-essential emergency generator auxiliary equipment and actuate the starting air system. These functions are periodically verified consistent with Technical Specification requirements.
: f. IEEE Standard 279-1971, Paragraph 4.17:
Manual controls and indication are on the main control board and at the emergency generator panels for manual operation of the emergency generators.
Air Conditioning, Heating, Cooling, and Ventilation Systems
The safety-related (QA Category I) air-conditioning, heating, cooling, and ventilation systems are d in Table 3.2-1.
The system designs, flow diagrams, and instrumentation applications are given in Section 9.4.
The design bases for the control and instrumentation of the safety-related air-conditioning, heating, cooling, and ventilation systems adhere to the following:
: 1. Automatic operation during normal and accident conditions.
: 2. Manual controls and indication of the status of all components in the control room.
: 3. Automatic controls as well as manual controls of redundant components are independent and electrically and physically separated.
: 4. Failure of an operating component and/or start of the redundant component is annunciated in the control room.
: 5. Redundant motors and motor-operated dampers have power supplied from separate emergency buses. Each redundant air-operated damper, with solenoid pilot valve, has power supplied from the separate DC bus. The dampers are designed to fail in the position of greater safety on loss of air and/or power supply.
The safety objective of the instrumentation and control for safety-related air conditioning, heating, cooling, and ventilation systems is to maintain the temperatures within the specific areas they serve, within the design limits required, during normal and accident conditions. The control room and instrument rack and computer rooms are automatically supplied air in the pressurized filtration mode of operation upon receiving a control building isolation (CBI) signal. A CBI signal is generated whenever any one of the following conditions exist:
 
Containment pressure hi-1, 2 out of 3 (2/3) hi.
Manual SIS.
Manual CBI.
A differential pressure indicator with a scale range from zero to 0.50 in WC is provided in the control room to enable the operator to determine that the pressure in the control room is being maintained slightly above the atmospheric pressure following an accident.
Where high efficiency particulate air (HEPA) filters or carbon absorbers are provided in the system, differential pressure alarms are provided to alert the operator to excessive differential pressure across the filter or absorber and to indicate that changeover to the standby train should be made.
Control Building Isolation
The control building isolation (CBI) logic receives automatic signals from one radiation monitor train located in the intake ventilation to the control building. A containment hi-1 pressure signal (2/3 logic) is also utilized as an input to the CBI logic.
A CBI signal (Train A or B) can be manually initiated from CBI push buttons on the main control board or from the main heating and ventilation panel in the control room. A CBI is also initiated by manual SIS initiation.
The CBI logic relays are located in auxiliary relay panels AR4 (Train A) and AR5 (Train B). The panels are in the instrument rack room. The output relays have test push buttons in the auxiliary relay panels. The CBI K1 relays are interlocked with the controls for the Control Building Emergency Ventilating Fan 1A inlet damper and the chilled water pump. The CBI K2 relays are interlocked with the Control Building Emergency Ventilating Fan 1B inlet damper. This arrangement allows for testing the emergency ventilation system and chilled water pumps for each Train (A or B). The logic relays are energized to initiate the pressurized filtration mode of operation of the Control Building Emergency Ventilation System. CBI RESET push buttons (Train A and B) are on the main control board.
Analysis
: a.      IEEE Standard 279-1971, Paragraph 4.1:
A CBI signal is automatically initiated on receipt of a high radiation or containment hi-1 pressure high.
 
The CBI has redundant and separate trains supplied from separate safety-related 120 V AC and separate 125 V DC buses. No single failure will prevent a CBI at the system level.
: c. IEEE Standard 279-1971, Paragraph 4.4:
Equipment qualifications are discussed in Sections 3.10 and 3.11.
: d. IEEE Standard 279-1971, Paragraph 4.8:
The radiation monitors and containment pressure transmitters all derive signals that are direct measures of the variable being monitored.
: e. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:
Testing of the automatic CBI signals from the radiation monitor and containment hi-1 pressure signal (2/3 logic) will be performed by testing each signal for each train.
The inlet ventilation radiation monitors will be calibrated on a refueling basis using solid point calibration sources and a fixed geometry.
On a quarterly basis, an analog channel operational test, which verifies the alarm set point, will be performed.
The individual signals shall automatically initiate the pressurized filtration mode of operation of the Control Building Emergency Ventilation System.
Testing the containment hi-1 pressure (2/3 logic) will be accomplished in accordance with Section 7.3.2.2.5.
: f. IEEE Standard 279-1971, Paragraph 4.13:
Bypass and inoperative alarms on the main control board for CBI Train A and B are in accordance with Regulatory Guide 1.47. A CBI bypass annunciator is alarmed on the main control board whenever any of the following conditions exist:
* CBI bypass push button depressed.
* Loss of control power to CBI logic relays.
 
A CBI initiated on the system level will go to completion. The CBI signal can be reset manually on the main control board.
After a CBI has gone to completion, deliberate operator action is required to return to normal operation. The CBI signal must be manually reset. The emergency ventilation system must be manually stopped, and the control building ventilation realigned for normal operation.
: h. IEEE Standard 279-1971, Paragraph 4.17:
A CBI signal can be initiated manually with push buttons on the main heating and ventilation panel and on the main control board. A manual SIS signal also initiates a CBI signal. No single failure within the manual, automatic, or common portions of the CBI system will prevent a CBI initiation.
: i. IEEE Standard 279-1971, Paragraph 4.18:
The CBI radiation monitor set points are administratively controlled. The set point cannot be changed at the monitor until a permissive has been granted by a key at the radiation monitoring panel in the control room. The permissive key is administratively controlled.
: j. IEEE Standard 279-1971, Paragraph 4.19:
High radiation is alarmed on the main control board and on the radiation monitoring system workstations in the control room. An ESF status light indicates on the main control board when a CBI signal exists. Hi-1 containment pressure high is alarmed on the main control board by any channel. Indicator lights on the main control board indicate each channel that is alarmed and each is monitored for high pressure by the plant computer.
Charging Pumps Cooling System
The charging pumps cooling system is a supporting system for the charging pumps and is required to operate during normal unit operation and following a LOCA and/or loss-of-power. The system design and description are given in Section 9.2.2.4 and its flow diagram is shown on Figure 9.2-5.
Control switches and indicator lights for the charging pump cooling pumps are provided on the main control board and on the auxiliary shutdown panel. REMOTE/LOCAL control selector switches are located on the transfer switch panels in the vicinity of the auxiliary shutdown panel.
An annunciator is alarmed in the control room when local control is selected. For normal unit operation, one of the two pumps is required to operate. This pump is started manually and the other pump is placed on standby. The pump in standby is automatically started on low pressure by a pressure switch in the pumps discharge header.
 
et crossover automatically close, thus providing the two independent flow paths required during these modes of operation. Each charging pumps cooling pump motor's power supply is from a separate emergency bus, and the motors start automatically on loss of power and/or on an SIS. The air-solenoid, pilot-operated isolation valves are supplied from separate DC buses and on loss of air and/or loss of power fail closed.
The charging pumps cooling surge tank is divided into two compartments with each compartment serving one charging pumps cooling pump, thus providing redundancy in the fluid system design.
Instrumentation is provided to monitor and control water level in each compartment of the surge tank at all times. The reactor plant component cooling water system automatically provides normal makeup to each surge tank compartment.
Status lights are provided on the main control board to indicate charging pumps cooling pump and crossover valve status.
Analysis
: a.      IEEE Standard 279-1971, Paragraph 4.2:
The charging pumps cooling system is normally cross-connected at the discharge and suction of the cooling pumps. On receipt of a SIS or LOP signal, the cross-connect valves are closed automatically to separate Train A from Train B. There are four normally open, air-operated, cross-connected valves that fail closed on loss of air or loss of power to the solenoid valves. Solenoid valves control air to the cross-connect valves; two are powered from the Train A emergency DC bus and two are powered from the Train B emergency DC bus.
A temperature control valve for each charging pump cooler is controlled by a temperature indicating controller and a safety-related solenoid valve powered from an emergency DC bus. The temperature control valve opens to the heat exchanger on loss of air, loss of power to the solenoid valve, or when the charging pump cooler outlet temperature is greater than a predetermined set point. The solenoid valves are powered from separate buses.
The charging pumps cooling pumps are powered from separate emergency buses.
Normally, one pump is running and the other on standby. On receipt of an SIS or LOP signal, both pumps are started automatically.
No single failure at the system level can prevent cooling water from being supplied to at least one charging pump.
: b.      IEEE Standard 279-1971, Paragraph 4.4:
Equipment qualifications are discussed in Sections 3.10 and 3.11.
 
A charging pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):
* Charging pumps cooling control switch in pull to lock position.
* Charging pumps cooling pump loss of control power.
* Charging pumps cooling pump motor thermal overload.
: d.      IEEE Standard 279-1971, Paragraph 4.16:
Once an SIS or LOP signal is received, the charging pumps cooling pumps are started and the cross-connect valves are closed. Deliberate operator action must be taken to open the valves or stop a pump. The SIS and LOP signals must be reset and manual control used by the operator.
: e.      IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:
The charging pumps cooling system is periodically tested in accordance with the Technical Specifications.
: f.      IEEE Standard 279-1971, Paragraph 4.17:
Controls and indicators are provided in the control room for manual operation of the charging pumps cooling system. REMOTE/LOCAL control selector switches are provided at the transfer switch panels outside the control room, and manual controls and indication are on the auxiliary shutdown panels. An annunciator is alarmed in the control room when local control is selected.
Safety Injection Pumps Cooling System
The safety injection pumps cooling system is a supporting system for the safety injection pumps and is required to operate only following a LOCA.
The system design and description are given in Section 9.2.2.5, and the flow diagram is shown on Figure 9.2-4. The power supply for each train of the two-train system is from a separate emergency bus.
The starting of the safety injection pumps cooling pumps is interlocked with the starting of the safety injection pumps; i.e., when a safety injection pump is started for testing purposes or due to SIS, its associated cooling pump is started automatically. The safety injection cooling pumps surge tank is divided into two compartments, with each compartment serving a separate pump, providing redundancy in the fluid system design. Instrumentation is provided to monitor and
 
Status lights are provided on the main control board to indicate status of the safety injection pumps cooling pumps.
Analysis
: a.      IEEE Standard 279-1971, Paragraph 4.2:
The safety injection pumps cooling system is divided into two mechanical and electrical trains. The safety injection pumps cooling pumps are powered from separate emergency buses. No single failure at the system level can prevent the safety injection pumps cooling system from supplying cooling water to at least one safety injection pump.
: b.      IEEE Standard 279-1971, Paragraph 4.4:
Equipment qualifications are discussed in Sections 3.10 and 3.11.
: c.      IEEE Standard 279-1971, Paragraph 4.13:
A safety injection pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):
* Safety injection pump cooling pump circuit breaker open.
* Safety injection pump cooling pump loss of control power.
* Safety injection pump cooling pump motor thermal overload.
: d.      IEEE Standard 279-1971, Paragraph 4.16:
Once a safety injection pump is started, the cooling pump starts automatically.
Deliberate operator action must be taken to stop a cooling pump. The associated safety injection pumps must be stopped and manual controls used to stop the cooling pump.
: e.      IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:
The safety injection pumps cooling system is periodically tested in accordance with the Technical Specifications.
 
Controls and indicators are provided in the control room for manual operation of the safety injection pumps cooling system.
1.2    Design Bases Information
The functional diagrams presented on Figure 7.2-1, Sheets 5, 6, 7, 8, 13, 14, 15 and 16 provide a graphic outline of the functional logic associated with requirements for the ESFAS. Requirements for the ESF system are given in Chapters 6, 10, 11 and 15. Given below is the design bases information required in IEEE Standard 279-1971.
1.2.1    Generating Station Conditions
The following is a summary of those generating station conditions requiring protective action by the ESFAS.
: 1.      Primary System:
: a.      Loss-of-coolant accident (LOCA).
: b.      Steam generator tube failure.
: c.      Dropped fuel assembly.
: 2.      Secondary System:
: a.      Inadvertent opening of a steam generator relief or safety valve.
: b.      Steam system piping failure.
: c.      Loss of feedwater events including feedwater system pipe break.
: 3.      Conditions Requiring Control Building Isolation:
: a.      High control building inlet ventilation radiation.
: b.      High containment pressure.
1.2.2    Generating Station Variables
The following list summarizes the generating station variables required to be monitored for the automatic initiation of engineered safety features during each condition identified in the preceding section. Post-accident monitoring requirements are given in Table 7.5.1.
: 1.      Primary System Accidents:
: b.      Containment pressure (not required for steam generator tube failure).
: c.      Containment purge air radiation.
: 2. Secondary System Accidents:
: a.      Pressurizer pressure.
: b.      Steam line pressures and pressure rate.
: c.      Containment pressure.
: d.      Steam generator water level.
: e.      Reactor coolant temperature.
: f.      Loss of Emergency Bus Power (LOP).
: 3. Control Building Isolation:
: a.      Control building inlet radiation high.
: b.      Containment pressure hi-1.
1.2.3  Spatially Dependent Variables
The only variable sensed by the ESFAS which has significant spatial dependence is reactor coolant hot leg temperature. Its spatial dependence is discussed in Section 7.2.1.2.3.
1.2.4  Limits, Margins, and Set points
Prudent operational limits, available margins, and set points before onset of unsafe conditions requiring protective action are discussed in Chapter 15 and the technical specifications.
1.2.5  Abnormal Events
The malfunctions, accidents, or other unusual events which could physically damage protection system components or could cause environmental changes are as follows.
: 1. Loss-of-coolant accident (Chapter 15)
: 2. Secondary system accidents (Chapter 15)
: 3. Earthquakes (Chapters 2 and 3)
: 5.      Explosion (hydrogen buildup inside containment) (Section 15.4)
: 6.      Missiles (Section 3.5)
: 7.      Flood (Chapters 2 and 3)
: 8.      LOP (Chapter 8)
: 9.      Wind and tornadoes (Section 3.3)
1.2.6    Minimum Performance Requirements
Minimum performance requirements are as follows.
: 1.      Response times
Required engineered safety features response time is defined in Section 7.1.2.1.9.
Maximum allowable ESFAS time delays are tabulated in Technical Requirements Manual Table 3.3.2-1. See Section 7.1.2.11 for a discussion of periodic response time verification capabilities.
: 2.      ESFAS channel uncertainties and trip setpoints
The method for determining ESFAS setpoints is discussed in Section 7.1.2.1.9.
The ESFAS setpoints, allowable values for use in surveillance testing and instrumentation channel uncertainty components are tabulated in Technical Specifications Table 3.3-4.
: 3.      Instrumentation ranges
ESFAS instrumentation ranges are tabulated in Table 7.3-2. Range selection for ESFAS instrumentation encompasses the expected range of the process variable being monitored, for normal power operation and accident conditions, for which generating an ESFAS actuation signal is required.
1.3    Final System Drawings
The schematic diagrams for the systems discussed in this section are listed in Section 1.7 and are submitted in support of this application.
2    ANALYSIS
Failure mode and effects analyses have been performed on ESF systems equipment within the Westinghouse scope of supply (WCAP-8584, Rev. 1). The Millstone ESF systems, although not
 
Analyses of the instrumentation and control systems used to initiate the operation of the ESF systems and their essential auxiliary supporting systems have been made. For balance-of-plant safety systems, the assurance that safety-related instrumentation and control fulfill their functions (assuming a single failure) is achieved by the use of redundant channels, trains, components, and power supplies with the appropriate separation provided between them. Detailed documentation in the form of the failure modes and effects analysis or fault tree analyses (based on actual wiring diagrams and components of the plant) are presented in a separate report described in Section 7.3.1.2. The analyses were made to assure that each system satisfies the applicable design criteria and performs as intended during all plant operations and accident conditions for which its function is required.
The ESF and essential supporting systems are designed so that a loss of plant instrument air, the loss of cooling water to vital equipment, a plant load rejection, or a turbine trip does not prevent the completion of the safety function under postulated accidents and failures. Evaluation of the individual and combined capabilities of the ESF and supporting systems can be found in Chapters 6, 8, 9, 10 and 15.
2.1    Failure Modes and Effects Analysis
A systematic, organized, analytical procedure for identifying the possible modes of failure and evaluating their consequences is called a failure modes and effects analysis (FMEA). Its purpose is to demonstrate and verify how the General Design Criteria (GDC) and IEEE Standard 279-1971 requirements are satisfied. FMEAs that are performed on the Class 1E electric power instrumentation and control portions of the safety-related auxiliary supporting systems also determine if they meet the single failure criteria.
The FMEA is produced in the form of a computerized tabulation that identifies the component, its failure mode, the method of failure detection, and its effect on the safety-related system. This tabulation is derived from the fault tree analysis (FTA). Figure 7.3-1 shows a typical page from an FMEA.
FTA is a technique by which failures that can contribute to an undesired event are systematically and deductively organized from a top event down to subordinate events. It is pictorially represented by rectangular blocks connected via flow lines to logic gates, all placed together in a tree-shaped configuration.
FTA identifies all failure modes that are significant to the failure of the safety-related system, failure paths from the failed items up through the fault tree to a single top failure event and single failures that may result in the failure of the system to perform its intended safety function. It also provides a visual display of how the system can malfunction. See Figure 7.3-2 for an example of a computer-plotted fault tree diagram.
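The fault tree reasoning described above, as an added Python example that is not part of the report or its FMEA: it expands a small two-train tree into minimal cut sets, lists the order-1 cut sets (the single failures the analysis looks for), and derives a short FMEA-style tabulation from them. Both trees and every event name (`PUMP_A_FAILS`, `DC_COMMON_LOSS`, and so on) are constructed for illustration and are not taken from the plant's analysis.

```python
from itertools import product

# A tree node is either a basic-event name (str) or a gate tuple
# ("AND" | "OR", [children]). All trees below are constructed examples.
def AND(*children):
    return ("AND", list(children))

def OR(*children):
    return ("OR", list(children))

def minimize(sets):
    """Absorption: drop any cut set that strictly contains another one."""
    return {s for s in sets if not any(other < s for other in sets)}

def cut_sets(node):
    """Minimal cut sets of `node`, as a set of frozensets of basic events."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        # Any one child's cut set is enough to fail an OR gate.
        combined = set().union(*child_sets)
    elif gate == "AND":
        # An AND gate fails only when one cut set from every child occurs.
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError("unknown gate: %r" % (gate,))
    return minimize(combined)

def single_failures(top):
    """Basic events that cause the top event on their own (order-1 cut sets)."""
    return sorted(next(iter(s)) for s in cut_sets(top) if len(s) == 1)

def fmea_rows(top):
    """FMEA-style rows (event, smallest cut-set order, effect) from the tree."""
    sets = cut_sets(top)
    rows = []
    for event in sorted(set().union(*sets)):
        order = min(len(s) for s in sets if event in s)
        if order == 1:
            effect = "system safety function lost"
        else:
            effect = "tolerated alone; needs %d more failure(s)" % (order - 1)
        rows.append((event, order, effect))
    return rows

# Top event for both trees: cooling water is supplied to neither pump.
# Tree 1: two trains with separate pumps, emergency buses and DC buses.
SEPARATE_TRAINS = AND(
    OR("PUMP_A_FAILS", "BUS_A_LOSS", "DC_A_LOSS"),
    OR("PUMP_B_FAILS", "BUS_B_LOSS", "DC_B_LOSS"),
)

# Tree 2: same, except both trains hang off one hypothetical DC supply.
SHARED_SUPPLY = AND(
    OR("PUMP_A_FAILS", "BUS_A_LOSS", "DC_COMMON_LOSS"),
    OR("PUMP_B_FAILS", "BUS_B_LOSS", "DC_COMMON_LOSS"),
)

if __name__ == "__main__":
    for name, tree in (("separate", SEPARATE_TRAINS), ("shared", SHARED_SUPPLY)):
        print(name, "single failures:", single_failures(tree))
        for row in fmea_rows(tree):
            print("   ", row)
```

With separate supplies every minimal cut set has two events, so no single failure reaches the top event; sharing one supply collapses four of the pairs into the single cut set `DC_COMMON_LOSS`.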
 
ed the FMEA. The FMEAs for the systems listed in Table 7.3-10 are in a report titled Failure Modes and Effects Analysis, submitted as part of the documentation provided in Section 1.7.4.
2.2    Compliance with Standards and Design Criteria
Discussion of the GDC is provided in various sections of Chapter 7 where a particular GDC is applicable. Applicable GDCs include Criteria 13, 20, 21, 22, 23, 24, 25, 27, 28, 35, 37, 38, 40, 43, 46 of the 1971 GDC. Compliance with certain IEEE Standards is presented in Sections 7.1.2.7, 7.1.2.9, 7.1.2.10, and 7.1.2.11. Compliance with Regulatory Guide 1.22 is discussed in Section 7.1.2.5. The discussion given below shows that the ESFAS complies with IEEE Standard 279-1971 (Institute of Electrical and Electronics Engineers, Inc. 1971).
2.2.1    Single Failure Criteria
The discussion presented in Section 7.2.2.2.3 is applicable to the ESFAS with the following exception.
In the ESFAS, a loss of instrument power will cause the specific bistable or trip actuating device which lost power to change to its actuated position with the exception of Hi-3 Containment Pressure which affects containment spray. The power supply for the protection systems is discussed in Section 7.6 and in Chapter 8. For containment spray, the final bistables are energized to trip to avoid spurious actuation. In addition, manual containment spray requires a simultaneous actuation of two manual controls. This is considered acceptable because spray actuation on hi-3 containment pressure signal provides automatic initiation of the system via protection channels.
Moreover, two sets (two switches per set) of containment spray manual initiation switches are provided to meet the requirements of IEEE Standard 279-1971. Also, it is possible for all ESF equipment (valves, pumps, etc.) to be individually manually actuated from the control board.
Hence, a third mode of containment spray initiation is available. The design meets the requirements of Criteria 21 and 23 of the 1971 GDC.
2.2.2    Equipment Qualification
Equipment qualifications are discussed in Sections 3.10 and 3.11.
2.2.3    Channel Independence
The discussion presented in Section 7.2.2.2.3 is applicable. The ESF slave relay outputs from the solid state logic protection cabinets are redundant, and the actuation signals associated with each train are energized up to and including the final actuators by the separate ac power supplies which power the logic trains.
2.2.4    Control and Protection System Interaction
The discussions presented in Section 7.2.2.2.3 are applicable.
 
The discussions of system testability in Section 7.2.2.2.3 are applicable to the sensor, analog circuitry, and logic trains of the ESFAS.
The following discussions cover those areas in which the testing provisions differ from those for the reactor trip system.
Testing of Engineered Safety Features Actuation Systems
The ESFASs are tested to provide assurance that the systems operate as designed and are available to function properly in the unlikely event of an accident. The testing program meets the requirements of Criteria 21, 37, 40, 43 and 46 of the 1971 GDC and Regulatory Guide 1.22 as discussed in Section 7.1.2.8. The tests described in Section 7.3.2.2.3 and further discussed in Section 6.3.4 meet the requirements on testing of the ECCS as stated in GDC 37, except for the operation of those components that would cause an actual safety injection. The test, as described, demonstrates the performance of the full operational sequence that brings the system into operation, the transfer between normal and emergency power sources, and the operation of associated cooling water systems. After the safety injection and residual heat removal pumps are started and operated, their performance is verified in a separate test discussed in Section 6.3.4.
When the pump tests are considered in conjunction with the ECCS test, the requirements of GDC 37 on testing of the ECCS are met as closely as possible without causing an actual safety injection.
The system design, as described in Sections 6.3.4, 7.2.2.2.3, and 7.3.2.2.3, provides complete periodic testability during reactor operation of all logic and components associated with the ECCS. This design meets the requirements of Regulatory Guide 1.22 as discussed in the above sections. The program is as follows:
: 1. Prior to initial plant operations, ESF system tests are conducted.
: 2. Subsequent to initial startup, ESF system tests are conducted during regularly scheduled refueling outages, as specified in the Surveillance Frequency Control Program.
: 3. During on-line operation of the reactor, all of the ESF analog and logic circuitry can be fully tested. In addition, essentially all of the ESF final actuators can be fully tested. The remaining few final actuators, whose operation is not compatible with on-line plant operation, can be checked by means of continuity testing or other means.
: 4. During normal operation, the operability of testable final actuation devices of the ESF systems can be tested by manual initiation from the control room or, as indicated in 3 above, by actuation of the solid state protection system slave relays from the ESF test cabinets.
 
During reactor operation, the basis for ESFAS acceptability will be the successful completion of the overlapping tests performed on the initiating system and the ESFAS (Figure 7.3-3). Checks of process indications verify operability of the sensors. Analog checks and tests verify the operability of the analog circuitry from the input of these circuits through to and including the logic input relays except for the input relays associated with the containment spray function which are tested during the solid state logic testing. Solid state logic testing also checks the digital signal path from and including logic input relay contacts through the logic matrices and master relays and performs continuity tests on the coils of the output slave relays; final actuator testing operates the output slave relays and verifies operability of those devices which require safeguards actuation and which can be tested without causing plant upset. A continuity check and/or other measures are performed on the actuators of the untestable devices. Operation of the final devices is confirmed by control board indication and visual observation that the appropriate pump breakers close and automatic valves shall have completed their travel.
The basis for acceptability for the ESF interlocks will be control board indication of proper receipt of the signal upon introducing the required input at the appropriate set point.
Equipment which makes up the ESFAS is qualified for its required application. Equipment not qualified for the life of the plant is periodically replaced or maintained consistent with equipment qualification program requirements.
Frequency of Performance of Engineered Safety Features Actuation Tests
During reactor operation, complete system testing (excluding sensors or those devices whose operation would cause plant upset) is performed periodically as specified in the Technical Specifications. Testing, including the sensors, is also performed during scheduled plant shutdown for refueling.
Engineered Safety Features Actuation Test Description
The following sections describe the testing circuitry and procedures for the online portion of the testing program. The guidelines used in developing the circuitry and procedures are:
: 1.      The test procedures must not involve the potential for damage to any plant equipment.
: 2.      The test procedures must minimize the potential for accidental tripping.
: 3.      The provisions for online testing must minimize complication of engineered safety features actuation circuits so that their reliability is not degraded.
 
Several systems, as listed in Section 7.3.1.1.1, comprise the total engineered safety features system, the majority of which may be initiated by different process conditions and be reset independently of each other.
The remaining functions are initiated by a common signal (safety injection) which in turn may be generated by different process conditions.
In addition, operation of all other vital auxiliary support systems, such as auxiliary feedwater, component cooling, and service water, is initiated by the safety injection signal.
The output of each of the initiation circuits consists of a master relay which drives slave relays for contact multiplication as required. The logic, master, and slave relays are mounted in the solid state logic protection cabinets designated Train A and Train B, respectively, for the redundant counterparts. The master and slave relay circuits operate various pump and fan circuit breakers or starters, motor-operated valve contactors, solenoid-operated valves, emergency generator starting, etc.
Analog Testing
Analog testing methods are identical to those used for reactor trip circuitry and are described in Section 7.2.2.2.3.
An exception to this is containment spray, which is energized to actuate 2-out-of-4 and reverts to 2-out-of-3 when one channel is in test.
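How the two bistable conventions described in the Single Failure Criteria discussion and in the containment spray exception above behave under loss of instrument power and with a channel in test, as an added Python example that is not part of the report. The `Channel` model, the function names and the channel states are constructed for illustration; the 2-out-of-3 function stands for any de-energize-to-trip channel set, and removing an in-test channel from the vote is shown only for the energize-to-actuate spray case the text describes.

```python
from dataclasses import dataclass

@dataclass
class Channel:
    process_trip: bool = False  # measured variable is beyond its set point
    powered: bool = True        # instrument power available to the bistable
    in_test: bool = False       # channel taken out of the vote for testing

def presents_trip(ch, energize_to_trip):
    """True when this channel's bistable looks actuated to the logic."""
    if energize_to_trip:
        # Power is needed to assert a trip, so lost power never looks like one.
        return ch.powered and ch.process_trip
    # De-energize-to-trip: lost power puts the bistable in its actuated state.
    return (not ch.powered) or ch.process_trip

def vote(channels, required, energize_to_trip):
    """Coincidence vote over the channels that are not in test.

    Returns (actuate, logic), where logic reads like '2-out-of-3'.
    """
    in_service = [c for c in channels if not c.in_test]
    trips = sum(presents_trip(c, energize_to_trip) for c in in_service)
    return trips >= required, "%d-out-of-%d" % (required, len(in_service))

def scenarios():
    """Constructed cases; each value is the (actuate, logic) pair from vote()."""
    out = {}

    # De-energize-to-trip, 2-out-of-3, no real demand on the process.
    one_lost = [Channel(powered=False), Channel(), Channel()]
    out["fail_safe_one_unpowered"] = vote(one_lost, 2, energize_to_trip=False)
    two_lost = [Channel(powered=False), Channel(powered=False), Channel()]
    out["fail_safe_two_unpowered"] = vote(two_lost, 2, energize_to_trip=False)

    # Spray-style energize-to-trip, 2-out-of-4, same power losses, no demand.
    spray_idle = [Channel(powered=False), Channel(powered=False),
                  Channel(), Channel()]
    out["spray_two_unpowered_no_demand"] = vote(spray_idle, 2, True)

    # Real demand on all four channels while one channel has lost power.
    spray_demand = [Channel(process_trip=True, powered=False),
                    Channel(process_trip=True),
                    Channel(process_trip=True),
                    Channel(process_trip=True)]
    out["spray_demand_one_unpowered"] = vote(spray_demand, 2, True)

    # One channel in test: the vote reverts to 2-out-of-3. A single failure
    # (one remaining channel unpowered) still leaves two channels to actuate.
    spray_test = [Channel(in_test=True),
                  Channel(process_trip=True, powered=False),
                  Channel(process_trip=True),
                  Channel(process_trip=True)]
    out["spray_in_test_plus_single_failure"] = vote(spray_test, 2, True)
    return out

if __name__ == "__main__":
    for name, result in scenarios().items():
        print("%-36s %s" % (name, result))
```

The second case is the spurious actuation that the energize-to-trip arrangement avoids for containment spray: two unpowered de-energize-to-trip channels satisfy the coincidence with no process demand, while the same power loss on the spray channels does not.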
Periodic tests of the following ESFAS instrumentation channels are performed:
: a.      Steam generator water level protection channels*
: b.      Steam pressure protection channels
: c.      Containment pressure protection channels
: d.      Pressurizer pressure protection channels *
: e.      TAVG protection channels *
: f.      Containment purge air radiation protection channels
: g.      Control building inlet radiation protection channels
: h.      Emergency AC bus undervoltage relays
* Also a part of reactor trip system (see Section 7.2.2.2.3)
 
Except for containment spray channels, solid state logic testing is the same as that discussed in Section 7.2.2.2.3. During logic testing of one train, the other train can initiate the required engineered safety features function. For additional details, see WCAP-7488-L (1971).
Actuator Testing
At this point, testing of the initiation circuits through operation of the master relay and its contacts to the coils of the slave relays has been accomplished. The ESFAS logic slave relays in the SSPS output cabinets are subjected to coil continuity tests by the output relay tester in the SSPS cabinets. Slave relays (K601, K602, etc.) do not operate because of reduced voltage applied to their coils by the mode selector switch (TEST/OPERATE). A multiple position master relay selector switch chooses different master relays and corresponding slave relays to which the coil continuity is applied. The master relay selector switch is returned to OFF before the mode selector switch is placed back in the OPERATE mode. However, failure to do so will not result in defeat of the protective function. The ESFAS slave relays are activated during testing by the online test cabinet so that overlap testing is maintained.
The ESFAS final actuation device or actuated equipment testing is performed from the engineered safeguards test cabinets. These cabinets are located near the solid state logic protection system equipment. There is one test cabinet provided for each of the two protection Trains A and B. Each cabinet contains individual test switches necessary to actuate the slave relays. To prevent accidental actuation, test switches are of the type that must be rotated and then depressed to operate the slave relays. Assignments of contacts of the slave relays for actuation of various final devices or actuators has been made such that groups of devices or actuated equipment can be operated individually during plant operation without causing plant upset or equipment damage. In the unlikely event that an SIS is initiated during the test of the final device that is actuated by this test, the device will already be in its safeguards position.
During this last procedure, close communication between the main control room operator and the operator at the test panel is maintained. Prior to the energizing of a slave relay, the operator in the main control room assures that plant conditions will permit operation of the equipment that will be actuated by the relay. After the tester has energized the slave relay, the main control room operator observes that all equipment has operated as indicated by appropriate indicating lamps, monitor lamps and annunciators on the control board, and records all operations. He then resets devices and prepares for operation of the next slave relay actuated equipment.
By means of the procedure outlined above, all ESF devices actuated by ESFAS initiation circuits, with the exceptions noted in Section 7.1.2.5 under a discussion of Regulatory Guide 1.22, are operated by the automatic circuitry.
Actuator Blocking and Continuity Test Circuits
Devices that cannot be actuated during plant operation (discussed in Section 7.1.2.5) fall into two categories. These devices either have been assigned to slave relays for which additional test
 
t operation but were later removed from the on-line testing program. For the latter case, these devices have been assigned slave relays without the special test circuitry. Therefore, during the performance of online slave relay testing, other measures are taken (i.e., jumpers, removal of motor overloads, etc.) to prevent selected equipment from actuating. For devices which have been assigned to slave relays with the additional test circuitry, operation of these slave relays, including contact operations, and continuity of the electrical circuits associated with the final devices control are checked in lieu of actual operation. The circuits provide for monitoring of the slave relay contacts, the devices control circuit cabling, control voltage, and the devices actuation solenoids. Interlocking prevents blocking the output from more than one output relay in a protection train at a time. Interlocking between trains is also provided to prevent continuity testing both trains simultaneously, therefore the redundant device associated with the protection train not under test will be available in the event protection action is required. If an accident occurs during testing, the automatic actuation circuitry will override testing as noted above. One exception to this is that if the accident occurs while testing a slave relay whose output must be blocked, those final actuation devices associated with this slave relay will not be overridden; however, the redundant devices in the other train would be operational and would perform the required safety function. Actuation devices which cannot be tested at full power so as not to damage equipment or upset plant operation are identified in Section 7.1.2.5.
For those components which cannot be actuated online and have been assigned slave relays with special test circuitry, the continuity test circuits are verified by test lights on the safeguards test cabinets.
Devices 9-13 identified within Section 7.1.2.5 are blocked by administrative controls. If an accident occurs while testing, the redundant equipment in the other train would be operational and would perform the required safety function.
The typical schemes for blocking operation of selected protection function actuator circuits are shown on Figure 7.3-4 as details A and B. The schemes operate as explained below and are duplicated for each safeguards train.
Detail A shows the circuit for contact closure for protection function actuation. Under normal plant operation and equipment not under test, the test lamps DS* for the various circuits will be energized. Typical circuit path will be through the normally closed test relay contact K8* and through test lamp connections 1 to 3. Coils X1 and X2 will be capable of being energized for protection function actuation upon closure of solid state logic output relay contacts K*. Coil X1 or X2 is typical for a breaker closing auxiliary coil, motor starter master coil, coil of a solenoid valve, auxiliary relay, etc. When the contacts K8* are opened to block energizing of coils X1 and X2, the white lamp is de-energized, and the slave relay K* may be energized to perform continuity testing. To verify operability of the blocking in both blocking and restoring normal service, open the blocking relay contact in series with lamp connections - the test lamp should be de-energized; close the block relay contact in series with the lamp connections - the test lamp should now be energized, which verifies that the circuit is now in its normal, i.e., operable condition.
 
be energized, and the green test lamp DS* will be de-energized. Typical circuit path for te lamp DS* will be through the normally closed solid state logic output relay contact K*
through test lamp connections 1 to 3. Coils Y1 and Y2 will be capable of being de-rgized for protection function actuation upon opening of solid state logic output relay contacts
. Coil Y2 is typical for a solenoid valve coil, auxiliary relay, etc. When the contacts K8*
closed to block de-energizing of coils Y1 and Y2, the green test lamp is energized and the e relay K* may be energized to verify operation (opening of its contacts). To verify rability of the blocking relay in both blocking and restoring normal service, close the blocking y contact to the green lamp - the green test lamp should now be energized also; open this king relay contact - the green test lamp should be de-energized, which verifies that the circuit ow in its normal, i.e., operable position.
Time Required for Testing
Analog testing can be performed at a rate of several channels per hour. Logic testing of Trains A and B can be performed in less than 30 minutes each. Testing of actuated components (including those which can only be partially tested) will be a function of control room operator availability. It requires several shifts to accomplish these tests. During this procedure, automatic actuation circuitry will override testing, except for those few devices associated with a single slave relay whose outputs must be blocked and then only while blocked. Continuity testing associated with a blocked slave relay takes several minutes. During this time, the redundant devices in the other train would be functional.
Summary of Online Testing Capabilities
The procedures described provide capability for checking completely from the process signal to the logic cabinets and from there to the individual pump and fan circuit breakers or starters, valve contactors, pilot solenoid valves, etc, including all field cabling actually used in the circuitry called upon to operate for an accident condition. For those few devices whose operation could adversely affect plant or equipment operation, the same procedure provides for checking from the process signal to the logic rack. To check the final actuation device, a continuity test of the individual control circuits is performed, or other measures are taken such as installation of jumpers, removal of thermal overloads, etc.
The procedures require testing at various locations:
: 1.      Analog testing and verification of bistable set point are accomplished at process analog racks. Verification of bistable relay operation is done at the main control room status lights.
: 2.      Logic testing through operation of the master relays and low voltage application to slave relays is done at the logic rack test panel.
: 4.      Continuity testing for those circuits assigned that cannot be operated is done at the same test panel mentioned in 3 above.
The reactor coolant pump essential service isolation valves consist of the isolation valves for the component cooling water return and the seal water return header.
The main reason for not testing these valves periodically is that the reactor coolant pumps may be damaged. Although pump damage from this type of test would not result in a situation which endangers the health and safety of the public, it could result in unnecessary shutdown of the reactor for an extended period of time while the reactor coolant pump or certain of its parts could be replaced.
Testing During Shutdown
ECCS tests will be performed periodically in accordance with the Technical Specifications with the reactor coolant system isolated from the ECCS by closing the appropriate valve. A test SIS will then be applied to initiate operation of active components (pumps and valves) of the ECCS.
This is in compliance with Criterion 37 of the 1971 GDC.
Containment spray system tests will be performed periodically. The pump tests will be performed with the isolation valves in the spray supply lines at the containment blocked closed and the valves will be tested periodically with the pumps shut down.
System Performance Monitoring
ESFAS performance is monitored to ensure that the reliability of the system remains within established performance criteria. Performance criteria are established for various aspects of ESFAS operation. A record is maintained of the functional failures which might cause one of the redundant channels or trains to be unable to perform its safety function. Appropriate corrective action is required if the system fails to meet its established performance criteria. System performance monitoring is performed for the following ESFAS equipment.
: 1.      Process instrumentation & control system
: 2.      Solid state protection system.
: 3.      Engineered safety features test cabinets.
: 4.      Analog sensor and digital contact inputs.
: 5.      Emergency generator load sequencer.
: 6.      Control building inlet and containment area radiation monitors.
 
special attention in Section 7.5.
2.2.6 Manual Resets and Blocking Features
The manual reset feature associated with containment spray actuation is provided in the design of the solid state protection system for two basic purposes. First, the feature permits the operator to start an interruption procedure of automatic containment spray in the event of false initiation of an actuate signal. Second, although spray system performance is automatic, the reset feature enables the operator to start a manual takeover of the system to handle unexpected events which can be better dealt with by operator appraisal of changing conditions following an accident.
Manual control of the spray system does not occur, once actuation has begun, by just resetting the associated logic devices alone. Components will seal in (latch) so that removal of the actuate signal, in itself, will neither cancel nor prevent completion of protective action or provide the operator with manual override of the automatic system by this single action. In order to take complete control of the system to interrupt its automatic performance, the operator must deliberately unlatch relays which have sealed in the initial actuate signals in the associated motor control center, in addition to tripping the pump motor circuit breakers, if stopping the pumps is desirable or necessary.
The manual reset feature associated with containment spray, therefore, does not perform a bypass function. It is merely the first of several manual operations required to take control from the automatic system or interrupt its completion should such an action be considered necessary.
In the event that the operator anticipates system actuation and erroneously concludes that it is undesirable or unnecessary and imposes a standing reset condition in one train (by operating and holding the corresponding reset switch at the time the initiate signal is transmitted) the other train will automatically carry the protective action to completion. In the event that the reset condition is imposed simultaneously in both trains at the time the initiate signals are generated, the automatic sequential completion of system action is interrupted and control has been taken by the operator.
Manual takeover will be maintained, even though the reset switches are released, if the original initiate signal exists. Should the initiate signal then clear and return again, automatic system actuation will repeat. No procedures or training direct the operator to manually interrupt automatic actuation of the containment spray system using the containment spray manual reset switch.
Note also that any time delays imposed on the system action are to be applied after the initiating signals are latched. Delay of actuate signals for fluid systems lineup, load sequencing, etc., do not provide the operator time to interrupt automatic completion, with manual reset alone, as would be the case if time delay was imposed prior to sealing of the initial actuate signal.
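The reset and seal-in behavior described in the paragraphs above can be exercised with a small state model. This is an added illustration, not taken from the FSAR or from the plant's circuitry; the class and method names, the step-based timing, the delay value and the assumption that a sealed-in train keeps commanding its pump breaker closed are all assumptions of the example.

```python
"""Simplified two-train model of containment spray reset and seal-in.
Constructed for illustration; not plant design data."""
from dataclasses import dataclass

START_DELAY_STEPS = 2  # constructed value standing in for sequencing delays


@dataclass
class SprayTrain:
    name: str
    logic_memory: bool = False    # actuate memory in the logic; the reset switch clears it
    sealed_in: bool = False       # seal-in (latching) relay at the motor control center
    delay_left: int = 0           # time delay, applied only after the signal is sealed in
    breaker_closed: bool = False  # spray pump motor circuit breaker
    prev_initiate: bool = False

    def step(self, initiate: bool, reset_held: bool = False) -> None:
        rising_edge = initiate and not self.prev_initiate
        self.prev_initiate = initiate
        if reset_held:
            # A standing reset keeps the logic from passing the initiate signal on.
            self.logic_memory = False
        elif rising_edge:
            self.logic_memory = True
            if not self.sealed_in:
                self.sealed_in = True
                self.delay_left = START_DELAY_STEPS
        # Assumption: once sealed in, the train runs to completion regardless of
        # logic_memory and keeps commanding the breaker closed.
        if self.sealed_in:
            if self.delay_left > 0:
                self.delay_left -= 1
            else:
                self.breaker_closed = True

    # Deliberate operator actions needed to take complete control.
    def unlatch_seal_in(self) -> None:
        self.sealed_in = False
        self.delay_left = 0

    def trip_pump(self) -> None:
        self.breaker_closed = False

    @property
    def spraying(self) -> bool:
        return self.breaker_closed


def run(trains, timeline):
    """timeline: list of (initiate, {train_name: reset_held}) tuples, one per step."""
    for initiate, resets in timeline:
        for train in trains:
            train.step(initiate, resets.get(train.name, False))
    return {train.name: train.spraying for train in trains}


def reset_after_actuation():
    """Reset pressed during the time delay, after the signal has sealed in."""
    train = SprayTrain("A")
    train.step(True)                   # initiate signal arrives and seals in
    train.step(True, reset_held=True)  # reset alone, during the delay
    train.step(True)
    spraying_after_reset = train.spraying
    train.unlatch_seal_in()            # the further manual steps the text requires
    train.trip_pump()
    train.step(True)
    return spraying_after_reset, train.spraying


def standing_reset(held):
    """Reset held in the named trains at the moment the initiate signal arrives."""
    trains = [SprayTrain("A"), SprayTrain("B")]
    resets = {name: True for name in held}
    # Reset switches are released after the first step; the signal persists.
    while_signal_present = run(trains, [(True, resets)] + [(True, {})] * 3)
    # The initiate signal clears and then returns.
    after_signal_returns = run(trains, [(False, {})] + [(True, {})] * 3)
    return while_signal_present, after_signal_returns


if __name__ == "__main__":
    print("reset after actuation:", reset_after_actuation())
    print("standing reset, train A only:", standing_reset({"A"}))
    print("standing reset, both trains:", standing_reset({"A", "B"}))
```
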
The manual block features associated with pressurizer and steam line SISs provide the operator with the means to block initiation of safety injection and steam line isolation during plant startup and shutdown. These block features meet the requirements of Paragraph 4.12 of IEEE Standard
 
2.2.7 Manual Initiation of Protective Actions (Regulatory Guide 1.62)
There are four individual main steam isolation trip valve momentary control switches (one per loop) mounted on the control board. Each switch, when actuated, isolates one of the main steam lines. In addition, there are two system level switches. Operating either switch actuates all four main steam line isolation and bypass valves at the system level.
Manual initiation of switchover to recirculation is in compliance with Section 4.17 of IEEE Standard 279-1971 with the following comment.
Manual initiation of either one of two redundant safety injection actuation main control board mounted switches provides for actuation of the components required for reactor protection and mitigation of adverse consequences of the postulated accident. Manual safety injection actuation will initiate delayed actuation of sequenced started emergency electrical loads if a LOP signal is present. The safety injection mode is completed when the residual heat removal (RHR) pumps automatically stop on receipt of a low-low RWST level signal. Refer to Section 6.3 for a discussion of the manual switchover from injection mode to cold leg recirculation mode. Manual operation of other components or manual verification of proper position as part of emergency procedures is not precluded nor otherwise in conflict with the above described compliance to Paragraph 4.17 of IEEE Standard 279-1971 of the semi-automatic switchover circuits.
exception to the requirements of IEEE Standard 279-1971 has been taken in the manual initiation circuit of safety injection. Although Paragraph 4.17 of IEEE Standard 279-1971 requires that a single failure within common portions of the protective system shall not defeat the protective action by manual or automatic means, the standard does not specifically preclude the sharing of initiated circuitry logic between automatic and manual functions. It is true that the manual safety injection initiation functions associated with one actuation train (e.g., Train A) shares portions of the automatic initiation circuitry logic of the same logic train; however, a single failure in shared functions does not defeat the protective action of the redundant actuation train (e.g., Train B). A single failure in shared functions does not defeat the protective action of the safety function. It is further noted that the sharing of the logic by manual and automatic initiation is consistent with the system level action requirements of the IEEE Standard 279-1971, Paragraph and consistent with the minimization of complexity.
2.3 Further Considerations
2.3.1 Instrument Air and Component Cooling
In addition to the considerations given above, a loss of instrument air or loss of component cooling water to vital equipment has been considered. Neither the loss of instrument air nor the loss of component cooling water (assuming no other accident conditions) can cause safety limits as given in the Technical Specifications to be exceeded. Likewise, loss of either one of the two will not adversely affect the core or the reactor coolant system nor will it prevent an orderly
 
conservatism during the accident analysis (Chapter 15), credit is not taken for the instrument air systems nor for any control system benefit.
The design does not provide any circuitry which will directly trip the reactor coolant pumps on a loss of component cooling water. Normally, indication in the control room is provided whenever component cooling water is lost to the reactor coolant pumps. The reactor coolant pumps can run about 20 minutes after a loss of component cooling water. This provides adequate time for the operator to correct the problem or trip the plant if necessary.
2.4 Summary
The effectiveness of the ESFAS is evaluated in Chapter 15, based on the ability of the system to contain the effects of Condition II, III and IV faults, including loss-of-coolant and steam break accidents. The ESFAS parameters of time response, channel uncertainty and range are based upon component performance specifications which are provided by the manufacturer and/or verified by test for each component. ESFAS setpoints are determined by the safety limits assumed in the accident analyses as documented in Chapter 15 as well as appropriate allowances to account for process measurement accuracy, drift, calibration, environmental effects and other uncertainties.
The ESFAS must detect Condition II, III and IV faults and generate signals which actuate the
. The system must sense the accident condition and generate the signal actuating the protection function reliably and within a time determined by, and consistent with, the accident analyses in Chapter 15.
Much longer times are typically associated with the actuation of the mechanical and fluid system equipment associated with engineered safety features than for the generation of actuation signals.
This includes the time required for switching, bringing pumps and other equipment to speed and the time required for them to take load.
The Technical Specifications establish the requirements for ESFAS operability. However, the redundancy of system components is such that the system operability assumed for the safety analyses can still be met with certain instrumentation channels out of service. Channels that are out of service are to be placed in the tripped mode or bypass mode in the case of HI-3 containment pressure.
2.4.1 Loss-of-Coolant Protection
By analysis of LOCAs and in system tests, it has been verified that except for very small coolant system breaks which can be protected against by the charging pumps followed by an orderly shutdown, the effects of various LOCAs are reliably detected by the low pressurizer pressure signal which will ensure the ECCS is actuated in time to prevent or limit core damage.
 
ve ECCS phase and provides the high flow rate necessary to begin refilling the reactor vessel.
High containment pressure also actuates the ECCS. Therefore, emergency core cooling actuation can be brought about by sensing this other direct consequence of a primary system break; that is, the ESFAS detects the discharge and flashing of the coolant into the containment.
Containment spray provides emergency cooling and pressure control of containment and also limits fission product release upon sensing elevated containment pressure (hi-3) to mitigate the effects of a LOCA.
response times are periodically confirmed including the times associated with the generation of actuation signals by the ESFAS, sequencing time delays and the time for actuated equipment to operate. The response times confirmed are those specified in the Technical Requirements Manual.
In general, ESFAS actuation signal time delays are short compared to sequencing time delays and the time required for actuated equipment to operate.
The analyses in Chapter 15 show that the diverse methods of detecting the accident condition and the time for generation of the signals by the protection systems are adequate to provide reliable and timely protection against the effects of loss-of-coolant.
2.4.2 Steam Line Break Protection
The ECCS is also actuated in order to protect against a steam line break. The response time for sensing low steam line pressure and generation of the safety injection and steam line isolation actuation signals are short compared to sequencing time delays and the time required for actuated equipment to operate. Analysis of steam break accidents assuming this delay for signal generation shows that the ECCS is actuated for a steam line break in time to limit or prevent further core damage for steam line break cases. There is a reactor trip but the core reactivity is further reduced by the highly borated water injected by the ECCS.
Additional protection against the effects of steam line break is provided by feedwater isolation which occurs upon actuation of the emergency core cooling system. Feedwater line isolation is initiated in order to prevent excessive cooldown of the reactor vessel and thus protect the reactor coolant system boundary and reduce reactivity addition to the core to limit the potential for core damage. It also limits mass/energy release to the containment to reduce the pressure and temperature transients in containment.
Additional protection against a steam break accident is provided by closure of all steam line isolation valves in order to prevent uncontrolled blowdown of all steam generators. The ESF response time for steam line isolation which includes closing of the fast acting steam line isolation valves is less than or equal to 11.8 seconds. ESF response times are provided in the Technical Requirements Manual Table 3.3.2-1.
 
further reduced by the highly borated water injected by the ECCS.
The analyses in Chapter 15 show that the diverse methods of detecting the accident condition and the time for generation of the signals by the protection systems are adequate to provide reliable and timely protection against the effects of steam line break accidents.
3 REFERENCES FOR SECTION 7.3
1 IEEE Standard 279-1971. The Institute of Electrical and Electronics Engineers, Inc. IEEE Standard: Criteria for Protection System for Nuclear Power Generating Stations.
2 WCAP-7913, 1973, Reid, J. B., Process Instrumentation for Westinghouse Nuclear Steam Supply System (4 Loop Plant using WCID 7300 Series Process Instrumentation).
3 WCAP-7488-L (Proprietary) and WCAP-7672, 1971 (Non proprietary) 1971.
4 WCAP-7705, Revision 2 (Information only; i.e., not a generic topical WCAP) 1976, Swogger, J. W., Testing of Engineered Safety Features Actuation System.
 
SYSTEM
Columns: Designation, Input, Function Performed

Input: Reactor trip
Function performed: Actuates turbine trip. Closes main and bypass feedwater valves on Tavg below setpoint. Prevents opening of main and bypass feedwater valves which were closed by safety injection or High-High steam generator water level. Allows manual block of the automatic reactuation of safety injection. Transfer steam dump control from the load rejection controller to the plant trip controller.

Input: Reactor not tripped
Function performed: Defeats the block preventing automatic reactuation of safety injection.

Designation: 1
Input: 2/3 Pressurizer pressure below setpoint
Function performed: Allows manual block of safety injection actuation on low pressurizer pressure signal. Allows manual block of safety injection actuation and steam line isolation on low compensated steam line pressure signal, and allows steam line isolation on high steam line negative pressure rate.

Input: 2/3 Pressurizer pressure above setpoint
Function performed: Defeats manual block of safety injection actuation on low pressurizer pressure. Defeats manual block of safety injection and steam line isolation on low steam line pressure and defeats steam line isolation on high steam line negative pressure rate. Provides open signal to accumulator isolation valves.

Designation: 2
Input: 2/4 Tavg below setpoint
Function performed: Blocks steam dump. Allows manual bypass of steam dump block for the cooldown valves only.

Input: 3/4 Tavg above setpoint
Function performed: Defeats the manual bypass of steam dump block.

Designation: 4
Input: 2/4 Steam generator water level above setpoint on any steam generator
Function performed: Closes all feedwater control valves and isolation valves. Trips all main feedwater pumps which closes the pump discharge valves. Actuates turbine trip.

Designation: 9
Input: 2/4 Pressurizer pressure below setpoint
Function performed: Allows charging pump safety injection to RCS cold leg.
 
INSTRUMENTATION
Columns: ESF Actuation Signal, Process Measurement Range

Pressurizer low pressure: 1700 to 2500 psia
Reactor coolant average temperature, THOT: 530 to 650 F
Reactor coolant average temperature, TCOLD: 510 to 630 F
Reactor coolant average temperature, TAVG: 530 to 630 F
Steam line low pressure: 0 to 1300 psig
Steam line negative pressure rate: 0 to 1300 psig
Steam generator low-low water level: Span between narrow range level taps (approximately 128 inches)
Steam generator high-high water level: Span between narrow range level taps (approximately 128 inches)
Containment high pressure: 0 to 60 psia
Control building inlet radiation: 10^-6 to 10^-1 Ci/cc
Containment purge exhaust and supply valves radiation monitors: 10^-2 to 10^5 R/hr

* Radiation monitors are not credited in Section 15.7.4 for post-accident mitigation of a fuel handling accident.
 
BOP/                        Accident                                                                Accid NSSS Train A Equip Mark No. Condition                Function                Train B Equip Mark No. Condi NSSS    3CHS*LCV112B          Closed  VCT outlet isol                        3CHS*LCV112C            Clos NSSS    3CHS*LCV112D          Open    RWST to charging pump                  3CHS*LCV112E          Ope NSSS    3CHS*MV8105          Closed  Charging pump to reactor clnt sys      3CHS*MV8106            Clos Isol NSSS    3CHS*MV8110          Closed  Charging pump mini-flow isol          3CHS*MV8111A, B, C        Clos NSSS    3CHS*MV8511A          Open    Charging pump alternate mini-flow      3CHS*MV8511B            Ope control valve NSSS    3SIH*MV8801A          Note 3  Charging pump to reactor cold leg      3SIH*MV8801B            Note isol NSSS    3SIL*MV8808C          Open    Accumulator isolation                  3SIL*MV8808D            Ope NSSS    3SIL*MV8808A          Open    Accumulator isolation                  3SIL*MV8808B            Ope BOP      3HVR*AOD85            Closed  Electrical tunnel area EXH dampers      3HVR*AOD86              Clos BOP      3HVR*FN12A          On      SLCR exhaust fan                        3HVR*FN12B            On BOP      3GWS*AOD78A          Closed  Gaseous wastes to Unit 1 stack          3GWS*AOD78B            Clos isolation vv BOP      3QSS*AOV27            Closed  Refueling water recirc pump suct isol  3QSS*AOV28              Clos BOP      3RPS*PNLESCA          Note 1  Emergency gen load sequencer            3RPS*PNLESCB            Note
 
BOP/                        Accident                                                                Accid NSSS Train A Equip Mark No. Condition              Function                  Train B Equip Mark No. Condi BOP      3HVV*FN1D            Stopped Main steam vlv bldg ventilation          3HVV*FN1C              Stop 3HVV*AOD50A2          Closed                                          3HVV*AOD50B2            Clos 3HVV*AOD50B1          Closed                                          3HVV*AOD50A1            Clos 3HVV*MOD50D          Closed                                          3HVV*MOD50C            Clos 3HVV*MOD51A          Closed                                          3HVV*MOD51B            Clos 3HVV*MOD51D          Closed                                          3HVV*MOD51C            Clos BOP      3CCP*AOV179A        Closed  Component cooling water cross            3CCP*AOV179B            Clos connect BOP      3CCP*AOV180A        Closed  Component cooling water cross            3CCP*AOV180B            Clos connect BOP  3HVQ*AOD41A, 40A,        Closed  ESF bldg ventilation                  3HVQ*AOD41B, 40B, 41D,    Clos 41C, 43A, 42A, 43C,                                                    43B, 42B, 43D, 42D, 40D 42C, 40C 3HVQ-FN1              Stopped                                          3HVQ-FN1                Stop BOP      3HVR*AOD33B          Closed  Aux bldg heating and ventilating        3HVR*AOD35B            Clos 3HVR*AOD33A          Closed                                          3HVR*AOD35A            Clos 3HVR-HVU2A            Stopped                                          3HVR-HVU2A              Stop 3HVR-HVU2B            Stopped                                          3HVR-HVU2B              Stop BOP      3HVR*AOD174A          Closed  Ctmt purge inlet dampers                3HVR*AOD55A            Clos 3HVR*AOD174B                                                          3HVR*AOD55B BOP      3FWA*AOV23A          Closed  Aux feedwater 
alternate suction valve    3FWA*AOV23B            Clos
 
BOP/                                      Accident                                                                            Accid NSSS      Train A Equip Mark No.        Condition                  Function                    Train B Equip Mark No.      Condi BOP            3FWA*AOV61A                  Open        DWST to aux feed-pump suction              3FWA*AOV61B                Ope valve BOP            3FWA*AOV62A                  Closed      Aux feed-pump discharge crossover          3FWA*AOV62B                Clos valve BOP
* Main turbine                  Tripped      Main turbine                                Main turbine                Trip BOP
* 3FWS-P1                      Tripped      Feedwater pumps                            3FWS-P1                    Trip 3FWS-P2A                      Tripped                                                  3FWS-P2A                    Trip 3FWS-P2B                      Tripped                                                  3FWS-P2B                    Trip Note 1: Equipment receiving an actuation signal from the EGLS is not listed in this table. Refer to drawing LSK-24-9.4.
Note 2: An SI signal also initiates Feedwater Isolation (Table 7.3-6), Containment Isolation Phase A (Table 7.3-4) and, on a manual SI signal only, Control Building Isolation (Table 7.3-7). Refer to FSAR Figure 7.2-1, Sheets 8, 13 and 14 for interaction among the ESFAS functions.
Note 3: 3SIH*MV8801A and B will open on SI coincident with a cold leg injection permissive (P-19).
The items listed in this table receive the specified ESFAS signal directly from SSPS slave relays. Equipment receiving a subsequent actuation signal (e.g. from auxiliary relays) as a result of the ESFAS signal is not included in the table
* The Main Turbine and Feedwater Pumps listed receive their trip signals from SSPS slave relay K620A(B) through isolation relay K620X.
 
Train A Equip  Accident                                              Train B Equip  Accident BOP/NSSS    Mark No. Condition                      Function                Mark No. Condition NSSS    3CHS*CV8160    Closed    Letdown line isolation                      3CHS*CV8152    Closed NSSS    3SIL*CV8968    Closed    Accum nitrogen line isol                    3SIL*CV8880    Closed NSSS    3SIL*CV8890A Closed      RHR pp/cold leg test line NSSS    3SIL*CV8825    Closed    SI pp/ hot leg test line NSSS    3SIL*CV8890B Closed      RHR pump cold leg test line NSSS    3SIH*CV8871    Closed    Test line header isolation                  3SIH*CV8964    Closed NSSS    3SIH*CV8881    Closed    SI pp hot leg test line isol NSSS    3SIH*CV8823    Closed    SI pp/cold leg test line isol NSSS                              Accum fill line isolation                  3SIH*CV8888    Closed NSSS    3SIH*CV8824    Closed    SI pp/hot leg test line isol NSSS    3SIH*CV8843    Closed    Charging pp test line isolation NSSS    3CHS*MV8112 Closed        RCP seal water isolation                    3CHS*MV8100    Closed NSSS    3SSR*CV8026    Closed    PZR rel tank gas space sample isolation    3SSR*CV8025    Closed BOP      3SSR*CTV20    Closed    Pressurizer vapor space sample isolation    3SSR*CTV21    Closed BOP      3SSR*CTV26    Closed    Reactor coolant hot leg sample isolation    3SSR*CTV27    Closed BOP      3SSR*CTV32    Closed    Safety injection accumulator sample isol    3SSR*CTV33    Closed BOP      3SSR*CTV29    Closed    Reactor coolant cold leg sample isolation  3SSR*CTV30    Closed BOP      3IAS*PV15      Closed    Containment instrument air supply isolation 3IAS*MOV72    Closed BOP      3CCP*AOV10A Closed        Reac plnt comp cooling nonsafety header sup 3CCP*AOV10B    Closed and return isol 3CCP*AOV19A Closed                                                    3CCP*AOV19B    Closed
 
Train A Equip  Accident                                                Train B Equip  Accident BOP/NSSS    Mark No. Condition                      Function                    Mark No. Condition BOP      3CCP*MOV222 Open          Reac plant comp cooling x-conn to chilled wtr  3CCP*MOV226    Open 3CCP*MOV223 Open                                                        3CCP*MOV227    Open BOP      3CCP*MOV224 Open          Reac plant comp cooling x-conn to chilled wtr  3CCP*MOV228    Open 3CCP*MOV225 Open                                                        3CCP*MOV229    Open BOP      3CCP*AOV194 Closed        React plant comp cooling nonsafety header sup  3CCP*AOV194A Closed B                        and return isol 3CCP*AOV197 Closed                                                      3CCP*AOV197A Closed B
BOP      3CDS-AOV45C Closed        Containment air recirc coil chill wtr isol    3CDS-AOV45B    Closed 3CDS-AOV46C Closed                                                      3CDS-AOV46B    Closed BOP      3CDS*CTV39B Closed        Chilled water containment isolation            3CDS*CTV40B    Closed 3CDS*CTV38A Closed                                                      3CDS*CTV91A    Closed BOP      3CDS*CTV38B Closed        Chilled water con closed containment isolation 3CDS*CTV91B    Closed 3CDS*CTV39A Closed                                                      3CDS*CTV40A    Closed BOP      3GSN*CTV105    Closed    Pressurizer relief tank nitrogen sply isol    3GSN*CV8033    Closed NSSS    3PGS*CV8046    Closed    Pressurizer relief tank water sply isol        3PGS*CV8028    Closed BOP      3DAS*CTV24    Closed    Reactor plant aerated drains isol              3DAS*CTV25    Closed BOP      3CVS*CTV20A Closed        Containment vacuum system isol                3CVS*CTV21A    Closed 3CVS*CTV20B Closed                                                      3CVS*CTV21B    Closed BOP      3CMS*CTV20    Closed    Containment atmosphere monitoring sys isol    3CMS*CTV21    Closed 3CMS*CTV23    Closed                                                    3CMS*MOV24    Closed
 
Train A Equip  Accident                                              Train B Equip  Accident BOP/NSSS    Mark No. Condition                    Function                    Mark No. Condition BOP      3VRS*CTV20    Closed    Reactor plant gaseous vents isolation      3VRS*CTV21    Closed BOP      3DGS*CTV24    Closed    Reactor plant gaseous drains isolation      DGS*CTV25      Closed BOP      3FPW*CTV48    Closed    Containment fire protection water isolation 3FPW*CTV49    Closed BOP      3SSP*CTV7      Closed    Post-Accident Sample Valve BOP      3SSP*CTV8      Closed    Post-Accident Sample Return
 
Columns: BOP/NSSS; Train A Equip Mark No.; Accident Condition; Function; Train B Equip Mark No.; Accident Condition

BOP; 3MSS*HV28A; Closed; Main steam isolation bypass; 3MSS*HV28A; Closed
BOP; 3MSS*HV28B; Closed; Main steam isolation bypass; 3MSS*HV28B; Closed
BOP; 3MSS*HV28C; Closed; Main steam isolation bypass; 3MSS*HV28C; Closed
BOP; 3MSS*HV28D; Closed; Main steam isolation bypass; 3MSS*HV28D; Closed
BOP; 3MSS*CTV27A; Closed; Main steam isolation; 3MSS*CTV27A; Closed
BOP; 3MSS*CTV27B; Closed; Main steam isolation; 3MSS*CTV27B; Closed
BOP; 3MSS*CTV27C; Closed; Main steam isolation; 3MSS*CTV27C; Closed
BOP; 3MSS*CTV27D; Closed; Main steam isolation; 3MSS*CTV27D; Closed
BOP; 3DTM*AOV29A; Closed; Main steam line drain valve; 3DTM*AOV61A; Closed
BOP; 3DTM*AOV29B; Closed; Main steam line drain valve; 3DTM*AOV61B; Closed
BOP; 3DTM*AOV29C; Closed; Main steam line drain valve; 3DTM*AOV61C; Closed
BOP; 3DTM*AOV29D; Closed; Main steam line drain valve; 3DTM*AOV61D; Closed
BOP; 3DTM*AOV63A; Closed; Main steam line drain valve; 3DTM*AOV64A; Closed
BOP; 3DTM*AOV63B; Closed; Main steam line drain valve; 3DTM*AOV64B; Closed
BOP; 3DTM*AOV63D; Closed; Main steam line drain valve; 3DTM*AOV64D; Closed
BOP; 3MSS*PV20B; Closed; Steam Generator atmospheric relief valve; 3MSS*PV20A; Closed
BOP; 3MSS*PV20D; Closed; Steam Generator atmospheric relief valve; 3MSS*PV20C; Closed

The items listed in this table receive the specified ESFAS signal directly from SSPS slave relays. Equipment receiving a subsequent actuation signal (e.g., from auxiliary relays) as a result of the ESFAS signal is not included in the table.
 
BOP/NSSS  Train A Equip Mark No.  Accident Condition  Function                           Train B Equip Mark No.  Accident Condition
BOP       3FWS*FCV510             Closed              Main fdwtr flow control vv loop 1
BOP       3FWS*FCV520             Closed              Main fdwtr flow control vv loop 2
BOP       3FWS*FCV530             Closed              Main fdwtr flow control vv loop 3
BOP       3FWS*FCV540             Closed              Main fdwtr flow control vv loop 4
BOP                                                   Main fdwtr isolation vv loop 1     3FWS*CTV41A             Closed
BOP                                                   Main fdwtr isolation vv loop 2     3FWS*CTV41B             Closed
BOP                                                   Main fdwtr isolation vv loop 3     3FWS*CTV41C             Closed
BOP                                                   Main fdwtr isolation vv loop 4     3FWS*CTV41D             Closed
BOP       3FWS*LV550              Closed              Fdwtr cont vv bypass loop 1
BOP       3FWS*LV560              Closed              Fdwtr cont vv bypass loop 2
BOP       3FWS*LV570              Closed              Fdwtr cont vv bypass loop 3
BOP       3FWS*LV580              Closed              Fdwtr cont vv bypass loop 4
BOP       3SGF*AOV24A             Closed              Stm gen chem feed pp isol vv       3SGF*AOV24B             Closed
BOP       3SGF*AOV24C             Closed              Stm gen chem feed isol vv          3SGF*AOV24D             Closed
BOP *     Main Turbine            Tripped             Main Turbine                       Main Turbine            Tripped
BOP *     3FWS-P1                 Tripped             Feedwater Pumps                    3FWS-P1                 Tripped
          3FWS-P2A                Tripped                                                3FWS-P2A                Tripped
          3FWS-P2B                Tripped                                                3FWS-P2B                Tripped
 
Main Turbine and Feedwater Pumps are only tripped on Feedwater Isolation signals originating from Safety Injection or High-High steam generator level. The Main Turbine and Feedwater Pumps listed receive their trip signals from SSPS slave relay K620A(B) through isolation relay K620X.
The items listed in this table receive the specified ESFAS signal directly from SSPS slave relays. Equipment receiving a subsequent actuation signal (e.g., from auxiliary relays) as a result of the ESFAS signal is not included in the table.
 
BOP/NSSS  Train A Equip Mark No.  Accident Condition                 Function                                                         Train B Equip Mark No.  Accident Condition
BOP       3HVC*AOD27A             Closed                             Control bldg ventilation makeup air damper                       3HVC*AOD27B             Closed
BOP       3HVC*AOV20              Closed                             Control room vent outlet air isol valve                          3HVC*AOV21              Closed
BOP       3HVC*AOV25              Open                               Control room vent inlet air isol valve                           3HVC*AOV26              Open
BOP       3HVC*AOV22              Closed                             Control room purge outlet air isol valve                         3HVC*AOV23              Closed
BOP       3HVK*P1A                1 pump run and 1 pump standby (a)  Control bldg chilled water                                       3HVK*P1B                1 pump run and 1 pump standby (a)
BOP       3HVC*MOD33A             Open                               Control building emergency ventilation fan inlet damper          3HVC*MOD33B             Open
BOP       3HVC*AOD119A            Open                               Control building emergency ventilation filter air return damper  3HVC*AOD119B            Open
BOP       3HWS-MOD29 (b)          Closed                             TSC Vent. Exhst. Air Damper                                      3HWS-MOD29 (b)          Closed
BOP       3HWS-MOD31 (b)          Open                               TSC Vent. Recirc. Damper                                         3HWS-MOD31 (b)          Open
BOP       3HWS-MOD30 (c)          Closed                             TSC Vent. Outdoor Air Damper                                     3HWS-MOD30 (c)          Closed
BOP       3HWS-MOD33 (b)          Closed                             TSC Vent. Outdoor Air Damper                                     3HWS-MOD33 (b)          Closed
(a)    Normal operation - one pump running, one pump in standby. Control Building Isolation signal prevents manual stop. In normal operation, the chilled water pumps are not affected by a CBI signal.
(b)    Damper is operated on both A and B Train Signals.
(c)    Damper is operated on both A and B Train Signals. Loop also includes a time delay to open damper if there is sufficient flo
The items listed in this table receive the specified ESFAS signal directly from SSPS slave relays. Equipment receiving a subsequent actuation signal (e.g., from auxiliary relays) as a result of the ESFAS signal is not included in the table.
 
BOP/NSSS  Train A Equip Mark No.  Accident Condition  Function                                 Train B Equip Mark No.  Accident Condition
BOP       3SWP*MOV54A             Open                Containment recirc clr supply            3SWP*MOV54B             Open
BOP       3SWP*MOV54C             Open                Containment recirc clr supply            3SWP*MOV54D             Open
BOP       3RSS*MOV20A             Open                Containment recirc wtr spray hdr isol    3RSS*MOV20B             Open
BOP       3RSS*MOV20C             Open                Containment recirc wtr spray hdr isol    3RSS*MOV20D             Open
BOP       3SWP*MOV50A             Closed              Reactor plant comp clg hx supply valve   3SWP*MOV50B             Closed
BOP       3SWP*MOV71A             Closed              Turbine plant component clg hx inlet     3SWP*MOV71B             Closed
BOP       3RSS*MOV23A             Open                Containment recirc pump suct valve       3RSS*MOV23B             Open
BOP       3RSS*MOV23C             Open                Containment recirc pump suct valve       3RSS*MOV23D             Open
BOP       3QSS*MOV34A             Open                Quench spray header isol valve           3QSS*MOV34B             Open
BOP       3SWP*MOV115A            Closed              Circ wtr pp brg lube wtr supply valve    3SWP*MOV115B            Closed
BOP       3WTC*AOV25A             Closed              Service wtr feed to chlorination system  3WTC*AOV25B             Closed
BOP       3RPS*PNLESCA                                Emergency generator load sequencer       3RPS*PNLESCB
BOP       3FWA*AOV23A             Closed              Aux feedwater alternate suction valve    3FWA*AOV23B             Closed
BOP       3FWA*AOV61A             Open                DWST to aux feedpump suction valve       3FWA*AOV61B             Open
BOP       3FWA*AOV62A             Closed              Aux feedpump discharge crossover valve   3FWA*AOV62B             Closed
Note 1: Equipment receiving an actuation signal from the EGLS is not listed in this table. Refer to drawing LSK-24-9.4.
Note 2: A CDA signal also initiates Containment Isolation Phase B (Table 7.3-9). Refer to FSAR Figure 7.2-1, Sheet 8 for interaction between these ESFAS functions.
The items listed in this table receive the specified ESFAS signal directly from SSPS slave relays. Equipment receiving a subsequent actuation signal (e.g. from auxiliary relays) as a result of the ESFAS signal is not included in the table.
 
BOP/NSSS  Train A Equip Mark No.  Accident Condition  Function               Train B Equip Mark No.  Accident Condition
BOP       3CCP*MOV45A             Closed              RPCCW Cont Isol valve  3CCP*MOV45B             Closed
BOP       3CCP*MOV48A             Closed              RPCCW Cont Isol valve  3CCP*MOV49A             Closed
BOP       3CCP*MOV49B             Closed              RPCCW Cont Isol valve  3CCP*MOV48B             Closed
The items listed in this table receive the specified ESFAS signal directly from SSPS slave relays. Equipment receiving a subsequent actuation signal (e.g. from auxiliary relays) as a result of the ESFAS signal is not included in the table.
 
SAFETY FEATURES AND ESSENTIAL AUXILIARY SUPPORTING SYSTEMS
FSAR Section Reference
Engineered Safety Features Systems
: 1. Emergency core cooling system (ECCS)                                  6.3
: 2. Containment depressurization system                                    6.2.2
: a. Quench spray system
: b. Containment recirculation system
: 3. Containment isolation system:                                          6.2.4
: a. Main steam isolation                                          10.3
: b. Feedwater isolation                                            10.4.7
: 4. Hydrogen recombiner system                                            6.2.5
: 5. Supplementary leak collection and release system                      6.2.3
: 6. Auxiliary feedwater system                                            10.4.9
: 7. ESF filtration system
: a. Control room emergency ventilation system                      9.4.0
: b. Charging pump, component cooling water pump and heat exchanger ventilation system (part of auxiliary building filter system)          9.4.4
Essential Auxiliary Support System
: 1. Service water system (heat removal portion)                            9.2.1
: 2. Reactor plant component cooling water system                          9.2.2
: 3. Chilled water system (control building only)                          9.4.0
: 4. Electrical system                                                      Chapter 8
: 5. Emergency generator fuel oil system                                    9.5.4
: 6. Emergency diesel engine cooling water system                          9.5.5
: 7. Emergency generator starting air system                                9.5.6
: 8. Emergency diesel engine lubrication system                            9.5.7
: 9. Emergency generator combustion air intake and exhaust system          9.5.8
: 10. Air conditioning, heating, cooling, and ventilation systems
: a. Diesel room ventilation                                        9.4.5
: b. Battery room cooling                                          9.4.0
 
: c. Switchgear area HVAC                  9.4.0
: d. ESF building ventilation              9.4.4
: 11. Charging and safety pumps cooling systems  9.2.2
 
FTSK     COMPONENT IDENTIFIER  COMPONENT AND FAILURE MODE                 METHOD OF FAILURE DETECTION  EFFECT ON SYSTEM                     OTHER REMARKS
27-12-X  Q0115DG3              1A-3QSSA01: CONTACT 3 FAILS CLOSED         PERIODIC TEST                MB OR ASP TRIP CIRCUIT ESTABLISHED
27-12-X  Q0125DG6              1A-3QSSA01: IN TRIP OPERATOR ERROR         PERIODIC INSPECTION          MB OR ASP TRIP CIRCUIT ESTABLISHED
27-12-E  Q0135DG3              ESCA - TRIP BLOCK CONT FAILS CLOSED        PERIODIC TEST                ESCA-TRIP BLOCK CONTACT CLOSED
27-12-E  Q0145DG3              ESCA - NO TRIP BLOCK SIGNAL                PERIODIC TEST                ESCA-TRIP BLOCK CONTACT CLOSED       ESCA-VITRO INTERFACE
27-12-D  Q0155DG3              3QSS*P3A: ACB CLOS MECH FAILURE            PERIODIC TEST                QUENCH SPRAY SYSTEM TRAIN A FAILURE  ONE OF TWO REDUNDANT TRAINS
27-12-D  Q0165DG1              CKT 3QSSA01: NO 4KV OPER PHR AVAILABLE     ANNUNCIATED IN CONTROL ROOM  QUENCH SPRAY SYSTEM TRAIN A FAILURE  ONE OF TWO REDUNDANT TRAINS
27-12-D  Q0175DG3              52HL-3QSSA01: CONTACT 6 FAILS OPEN         PERIODIC TEST                QUENCH SPRAY SYSTEM TRAIN A FAILURE  ONE OF TWO REDUNDANT TRAINS
27-12-D  Q0185DG1              CKT 3QSSA01: 35A (+) FUSE FAILS OPEN       ANNUNCIATED IN CONTROL ROOM  QUENCH SPRAY SYSTEM TRAIN A FAILURE  ONE OF TWO REDUNDANT TRAINS
27-12-D  Q0195DG1              CKT 3QSSA01: 35A (-) FUSE FAILS OPEN       ANNUNCIATED IN CONTROL ROOM  QUENCH SPRAY SYSTEM TRAIN A FAILURE  ONE OF TWO REDUNDANT TRAINS
27-12-D  Q0205DG1              CKT 3QSSA01: CONTROL PCHER SHORT CIRCUIT   ANNUNCIATED IN CONTROL ROOM  QUENCH SPRAY SYSTEM TRAIN A FAILURE  ONE OF TWO REDUNDANT TRAINS
27-12-D  Q0215DG1              CKT 3QSSA01: 15A (+) FUSE FAILS OPEN       ANNUNCIATED IN CONTROL ROOM  QUENCH SPRAY SYSTEM TRAIN A FAILURE  ONE OF TWO REDUNDANT TRAINS
27-12-D  Q0225DG1              CKT 3QSSA01: 15A (-) FUSE FAILS OPEN       ANNUNCIATED IN CONTROL ROOM  QUENCH SPRAY SYSTEM TRAIN A FAILURE  ONE OF TWO REDUNDANT TRAINS
 
The functions necessary for safe shutdown are available from instrumentation channels that are associated with the major systems in both the primary and secondary systems of the nuclear steam supply system (NSSS). These channels are normally aligned to serve a variety of operational functions, including startup and shutdown as well as protective functions.
However, prescribed procedures for securing and maintaining the plant in a safe condition can be instituted by appropriate alignment of selected systems in the NSSS. The discussion of these systems together with the applicable codes, criteria and guidelines is found in other sections of the Safety Analysis Report. In addition, the alignment of shutdown functions associated with the engineered safety features (ESF) which are invoked under postulated limiting fault situations is discussed in Chapter 6 and Section 7.3.
Two kinds of shutdown conditions, both capable of being achieved with or without offsite power, are addressed in this section: hot standby and cold shutdown. Hot standby is a stable condition of the reactor achieved shortly after a programmed or emergency shutdown of the plant. Cold shutdown is a stable condition of the plant achieved after the residual heat removal process has brought the primary coolant temperature below 200°F. The systems required to achieve and maintain cold shutdown are described in Section 5.4.7, Residual Heat Removal System.
In either case of safe shutdown, i.e., hot standby or cold shutdown, the reactivity control systems maintain a subcritical condition of the core. The plant technical specifications explicitly define both hot standby and cold shutdown conditions.
As a minimum, the electrically powered equipment necessary to be aligned for achieving and maintaining safety grade cold shutdown without offsite power, and with an event initiated by a single random failure, with limited operator action outside the control room, are:
: 1.      Emergency Class IE electrical power supply
: 3.      Residual heat removal (and isolation) system
: 4.      Borated water inventory supply to centrifugal charging pump suction via the gravity feed system
: 5.      Redundant discharge system from and including centrifugal charging pump system supplying RCS and RCP seals
: 6.      Pressure relief system for RCS
: 7.      Accumulator isolation or venting.
: 8.      Decay heat removal using steam generator PORVs and bypass
: 9.      Reactor head vent letdown system
: 10. Reactor protection system instrumentation and functions which are required to be aligned for maintaining hot standby
: 1.      Prevent the reactor from achieving criticality in violation of the technical specifications
: 2.      Provide an adequate heat sink such that design and safety limits are not exceeded
: 3.      Pressurizer pressure control
: 4.      Reactor coolant system inventory control
7.4.1  DESCRIPTION
The hot standby systems are identified in the following lists together with the associated instrumentation and controls systems. The identification of the monitoring indicators (Section 7.4.1.1) and controls (Section 7.4.1.2) are those necessary for maintaining a hot standby.
The equipment and services for a cold shutdown are identified in Section 7.4.1.4. Instrumentation and controls provided outside the control room for safe shutdown are listed in Table 7.4-1. Loss of the auxiliary shutdown panel (ASP) and normal automatic systems are not assumed coincident with evacuation. For applicable drawings, see Section 1.7.
7.4.1.1  Monitoring Indicators
The characteristics of these indicators, which are provided outside as well as inside the control room, are described in Section 7.5. The necessary indicators are as follows:
: 2.      Pressure indicator for each steam generator
: 3.      Pressurizer water level indicator
: 4.      Pressurizer pressure indicator
: 5.      Reactor trip breaker indication
: 6.      Auxiliary feedwater flow rate
: 7.      Loop hot leg temperature
: 8.      Loop cold leg temperature
: 9.      DWST level
: 10. Emergency bus voltmeters
: 11. Boric acid tank level
7.4.1.2  Controls
7.4.1.2.1  General Considerations
: 1.      The turbine is tripped. (Note that this can be accomplished at the turbine as well as in the control room.)
: 2.      The reactor is tripped. (Note that this can be accomplished at the reactor trip switchgear as well as in the control room.)
: 3.      Safety related manual controls for hot standby shutdown are located inside as well as outside the main control room. These controls are provided with REMOTE/LOCAL selector switches located outside the main control room. An annunciator is alarmed in the main control room and the indicator lights in the main control room are turned off when LOCAL CONTROL is selected.
7.4.1.2.2  Pumps and Fans
: 1.      Auxiliary feedwater pumps
In the event of a main feedwater pump stoppage due to a loss of electrical power, the auxiliary feedwater pumps start automatically or can be started manually. START/STOP controls located outside as well as inside the control room are provided.
 
START/STOP motor controls for these pumps are located outside, as well as inside the control room.
: 3.      Service water pumps
These pumps start automatically following a loss of normal electrical power. START/STOP motor controls are located outside as well as inside the control room.
: 4.      Component cooling water pumps
These pumps, energized from the emergency generator, start automatically following a loss of normal electrical power. START/STOP controls are located outside as well as inside the control room.
: 5.      Control room ventilation units including the control room air inlet dampers.
The control room ventilation units are started and stopped by the associated control building chilled water pumps. The chilled water pumps have LOCAL/REMOTE switches. Normally, one air-conditioning train is operating with the other train on standby. Upon a loss of power, one train starts automatically with the second on standby. The control room ventilation isolation valves are automatically opened (if closed) on receipt of a control building isolation (CBI) signal. The isolation valves can also be operated manually from within the control room.
7.4.1.2.3  Emergency Generators
These units start automatically following a loss of normal AC power. However, manual controls for diesel startup are provided locally at the emergency generator (as well as within the control room). For a description of Class IE power supplies, refer to Section 8.3.
7.4.1.2.4  Valves and Heaters
: 1.      Charging flow control
Flow control valves fail open. Subsequent control can be maintained by the use of solenoid valves described in Section 5.4.7 controlled manually from both inside and outside the control room.
: 2.      Letdown valves
Letdown can be established through the RCS head vent, if normal letdown is unavailable, by manual control from both inside and outside the control room (Section 5.4.15).
 
Manual controls for these valves are located on the ASP. Transfer switches for these valves are located on the Transfer Switch Panel. These controls duplicate functions that are inside the control room.
: 4.      Steam generator safety valves
: 5.      Pressurizer heater control
ON/OFF control selector switches are provided for two backup heater groups on the ASP. The heater groups are connected to separate buses, such that each can be connected to separate emergency generators in the event of loss of outside power. The controls are grouped with the charging flow controls and duplicate functions available in the control room.
7.4.1.3  Control Room Evacuation
It is noted that the instrumentation and controls listed in Sections 7.4.1.1 and 7.4.1.2 which are used to achieve and maintain a safe shutdown are available in the event that an evacuation of the control room is required. These controls and instrumentation channels together with the equipment identified in Section 7.4.1.4 identify the potential capability for cold shutdown of the reactor subsequent to a control room evacuation through the use of suitable procedures. The control room evacuation shall not occur simultaneously or coincident with an abnormal operating condition (ANS Condition II, III, or IV), except the loss of offsite power which would be coincident. The auxiliary shutdown panel and the equipment used to maintain remote shutdown fulfills the single failure criterion.
7.4.1.4  Equipment and Systems Necessary for Cold Shutdown
: 1.      Auxiliary feedwater pumps (Section 10.4.9)
: 3.      Charging pumps (Section 9.3.4)
: 4.      Service water pumps (Section 9.2.1)
: 5.      Control room ventilation (Section 9.4.0)
: 6.      Component cooling pumps (Section 9.2.2.1)
: 7.      Residual heat removal pumps (Section 5.4.7)
: 8.      Certain motor control center and switchgear (Section 8.3.1)
: 9.      Controlled steam release (Sections 7.7 and 10.4.4)
: 10. Nuclear instrumentation system (NIS) (source range or intermediate range) (Section 7.2). For a more complete description of the NIS, refer to WCAP 8255.
: 11. Reactor coolant inventory control (charging and letdown) (Section 9.3.4 and Section 5.4.15)
: 12. Pressurizer pressure control including opening control for pressurizer relief valves and heater control (Sections 5.4.10 and 7.6)
: 13. Accumulator piping and valving for isolation and venting (Section 6.3)
In addition, the pressurizer pressure and steam line pressure safety injection trip signals must be blocked and the accumulator isolation valves closed.
Controls are provided to block the steamline low pressure and pressurizer low pressure signals.
These controls prevent an SIS provided that the pressure within the pressurizer is less than a predetermined design level.
Instrumentation and controls provided outside the control room for cold shutdown are listed in Table 7.4-1.
7.4.1.5  Other Considerations
: 1.      Additional shutdown air compressors are powered from Class IE buses and are provided to increase availability of normal controls and minimize operator actions.
: a.      Containment recirculation coolers
: b.      CRDM air cooling fans
: 3.      Loss of instrument air does not prevent the operation of the minimum systems necessary for hot standby or cold shutdown described in Section 7.4.1.
7.4.2  ANALYSIS
Hot shutdown is a stable plant condition, automatically reached following a reactor trip from power. The plant design features also permit the achievement of cold shutdown as referred to in Section 7.4.1.2 and described in Section 5.4.7. In the unlikely event that access to the control room is restricted, the plant can be safely kept at a hot standby by the use of the monitoring indicators and the controls listed in Sections 7.4.1.1 and 7.4.1.2, and described in Section 7.4.1.3, until the control room can be re-entered.
Cold shutdown conditions can be achieved from outside the control room through the use of suitable procedures and by virtue of local control of the equipment listed in Section 7.4.1.2, in conjunction with the instrumentation and controls provided on the auxiliary shutdown panel (ASP) (Table 7.4-1). The layout of the ASP is provided in the ESK series drawings, listed in Section 1.7.
The design basis for the ASP is as follows:
: 1.      The design of the system to provide redundant safety grade capability to achieve and maintain a safe shutdown condition from location(s) remote from the control room is as follows.
Panels and associated equipment used in control room evacuation are located at elevation 4 feet 6 inches in the control building. Also located at elevation 4 feet 6 inches is the emergency switchgear for each train, along with two transfer switch panels (TSP) and the ASP.
Controls which are located outside the control room are listed in Table 7.4-1. Most pumps have their controls located at their respective emergency switchgear.
Two rooms are provided to separate the redundant emergency switchgear and the transfer switch panels. The ASP panel is located in the purple switchgear room (Train B) and the two trains (A and B) of the ASP are separated by a non-train panel.
: 2.      All controls and instrumentation required for the reactor hot and cold shutdown from ASP are decoupled from those normally used in the main control room in
 
failure of equipment in the main control room.
: 3. The ASP is provided with a communication network to important plant locations which include locations of equipment required for reactor shutdown. The control room and cable spreading room can be isolated from the system by controls at the ASP.
: 4. The following design criteria are applicable to the instrumentation and control devices located on the ASP:
ANSI C37.90    1978
IEEE 279       1971
IEEE 308       1974
IEEE 323       1974
IEEE 344       1975
IEEE 338       1971
IEEE 379       1972
IEEE 384       1974
IEEE 420       1974
NUREG-0588     Dec. 1979
RG 1.75        Feb. 1974
: 6. There are no cases in which transfer from the main control room to the auxiliary shutdown panel requires a jumper or equipment to be received.
: 7. The design is such that transfer of equipment from the main control room to the alternate shutdown area will not change the status of the equipment.
: 8. Loss of offsite power will not negate shutdown capability from the remote shutdown area.
: 9. The design is such that access to the remote shutdown stations at the ASP, the TSPs and the 4 kV switchgear requires keys for operation of equipment. Access to these areas is under administrative control.
Each cabinet located at the remote shutdown area (TSPs, ASP) has door limit switches mounted on the front and rear doors which annunciate in the main control room whenever personnel gain access to the equipment. Also, each transfer switch mounted on the TSPs is annunciated in the main control room whenever local control of assigned equipment has been taken over.
: 10. The ASP is located such that it can be safely occupied during a remote shutdown event. Ventilation temperature control is provided to allow continuous occupancy.
: 11. The design requirements for compliance with Appendix R, 10 CFR 50, are explained in the Millstone 3 Fire Protection Evaluation Report.
The controls available on the ASP provide the capabilities of achieving and maintaining a safe shutdown when the main control room is inaccessible. The controls necessary for immediate operator action to establish a stable plant condition are available on the ASP or in adjacent emergency switchgear rooms. The controls provide a means of sustaining the capability for boration, letdown, residual heat removal, natural circulation, continuing reactor coolant pump seal injection and for thermal barrier cooling water flow, and depressurization. The instrumentation and control functions which are required to be aligned for maintaining safe shutdown of the reactor that are discussed above are the minimum number of instrumentation and control functions.
Proper operation of other nonsafety related systems allows a more normal shutdown to be made and maintained by preventing a transient (Section 7.7).
In considering more restrictive conditions than those discussed in Section 7.4, certain accidents and transients are postulated in the Chapter 15 safety analyses which take credit for safe shutdown when the protection systems reactor trip terminates the transients and the engineered safety features system mitigates the consequences of the accident. In these transients, in general, no credit is taken for the control system operation should such operation mitigate the consequences
 
control system, whose equipment failure was assumed to have initiated the transient. These analyses in Chapter 15 show that safety is not adversely affected when such transients include the following:
: 1.      Inadvertent boron dilution
: 2.      Loss of normal feedwater
: 3.      Loss of external electrical load and/or turbine trip
: 4.      Loss of AC power to the station auxiliaries
The results of the analysis which determined the applicability of the nuclear steam supply system safe shutdown systems to the NRC General Design Criteria, IEEE Standard 279-1971, applicable NRC Regulatory Guides and other industry standards are presented in Table 7.1-1. The functions considered and listed below include both safety-related and nonsafety-related equipment.
: 1.      Reactor trip system
: 2.      Engineered safety features actuation system
: 3.      Safety related display instrumentation for post-accident monitoring
: 4.      Main control board
: 5.      Auxiliary shutdown station
: 6.      Residual heat removal
: 7.      Instrument power supply
: 8.      Control systems
 
COLD SHUTDOWN Safety-Related Instruments on ASP        ASP Section 1      ASP Section 3 Electrical Train A  Electrical Train B Description                      (Orange)            (Purple)
R Heat Exchanger tlet                    (0-800 gpm x 10)  3CCP*FI67A2        3CCP*FI67B2 oling Flow ric Acid Tank 5A (0-240 gal x 100) 3CHS*LI102A        3CHS*LI104A vel ric Acid Tank 5B (0-240 gal x 100) 3CHS*LI105A        3CHS*LI106A vel m Gen 1 Level            (0-100%)          3FWS*LI501A        3FWS*LI519A m Gen 2 Level            (0-100%)          3FWS*LI529A        3FWS*LI502A m Gen 3 Level            (0-100%)          3FWS*LI503A        3FWS*LI537A m Gen 4 Level            (0-100%)          3FWS*LI548A        3FWS*LI504A S Pressure              (0-300 psia x 10) 3RCS*PI405B        3RCS*PI403B min Water Storage (18,520-352,435 gal) 3FWA*LI20A2        3FWA*LI20B2 nk Level m Gen 1 Aux Fdwtr (0-350 gpm)      3FWA*FI51A2        Note 1 w
m Gen 2 Aux Fdwtr (0-350 gpm)      Note 1              3FWA*FI33B2 w
m Gen 3 Aux Fdwtr (0-350 gpm)      Note 1              3FWA*FI33C2 w
m Gen 4 Aux Fdwtr (0-350 gpm)      3FWA*FI51D2        Note 1 w
fueling Water rage Tank Level          (0-1.2 gal x 106) 3QSS*LI930A            3QSS*LI931A Loop 1 Hot Leg (0-700F)        3RCS*TI413C            Note 2 mp Loop 2 Hot Leg (0-700F)        3RCS*TI423C            Note 2 mp Loop 3 Hot Leg (0-700F)        3RCS*TI433C            Note 2 mp Loop 4 Hot Leg (0-700F)          3RCS*TI443C          Note 2 mp
 
Safety-Related Instruments on ASP            ASP Section 1      ASP Section 3 Electrical Train A  Electrical Train B Description                      (Orange)            (Purple)
Loop 1 Cold Leg (0-700F)            Note 2              3RCS*TI413D mp Loop 2 Cold Leg (0-700F)            Note 2              3RCS*TI423D mp Loop 3 Cold Leg (0-700F)            Note 2              3RCS*TI433D mp Loop 4 Cold Leg (0-700F)            Note 2              3RCS*TI443D mp ssurizer Level          (0-100%)              3RCS*LI459C          RCS*LI460C ssurizer Pressure        (170-250 psia x 10)  3RCS*PI455B          3RCS*PI456B m Gen 1 Pressure          (0-1300 psig)        3MSS*PI514B          3MSS*PI515B m Gen 2 Pressure          (0-1300 psig)        3MSS*PI524B          3MSS*PI525B m Gen 3 Pressure          (0-1300 psig)        3MSS*PI534B          3MSS*PI535B m Gen 4 Pressure          (0-1300 psig)        3MSS*PI544B          3MSS*PI545B er 4.16 kV Bus 34C (0-5250V)          VM2-3ENS*SWG-A        Note 3 in A er 4.16 kV Bus 34D (0-5250V)            Note 3            VM2-3ENS*SWG-in B B
ntainment Pressure      (0-60 psia)          3LMS*PI937A          3LMS*PI936A fety-Related Equipment with Controls on ASP x Fdwtr Control Valve (Throttling)            3FWA*HV31A          3FWA*HV31B x Fdwtr Control Valve (Throttling)            3FWA*HV31D          3FWA*HV31C x Fdwtr Control Valve (Throttling)            3FWA*HV32A          3FWA*HV32B x Fdwtr Control Valve (Throttling)            3FWA*HV32D          3FWA*HV32C x Fdwtr Control Valve (Throttling)            3FWA*HV36B          3FWA*HV36A x Fdwtr Control Valve (Throttling)            3FWA*HV36C          3FWA*HV36D x Fdwtr Isolation Valve                      3FWA*MOV35B        3FWA*MOV35A x Fdwtr Isolation Valve                      3FWA*MOV35C        3FWA*MOV35D x Fdwtr Pump Alt Suction Valve              3FWA*AOV23A        3FWA*AOV23B
 
| Turbine Driven Aux Fdwtr Pump Stm Supply Valve | 3MSS*AOV31A | 3MSS*AOV31B |
| Turbine Driven Aux Fdwtr Pump Stm Supply Valve | Note 4 | 3MSS*AOV31D |
| Main Stm Pressure Relieving Valve Isol Valve | 3MSS*MOV18A | 3MSS*MOV18B |
| Main Stm Pressure Relieving Valve Isol Valve | 3MSS*MOV18C | 3MSS*MOV18D |
| Main Stm Pressure Relieving Valve Bypass Valve | 3MSS*MOV74B | 3MSS*MOV74A |
| Main Stm Pressure Relieving Valve Bypass Valve | 3MSS*MOV74D | 3MSS*MOV74C |
| Pressurizer Power Relief Valve | 3RCS*PCV455A | 3RCS*PCV456 |
| Pressurizer Relief Isol Valve | 3RCS*MV8000A | 3RCS*MV8000B |
| Pressurizer Aux Spray Valve | 3RCS*AV8145 | Note 5 |
| Reactor Vessel Head Vent Isol Valve | 3RCS*SV8095A | 3RCS*SV8095B |
| Reactor Vessel Head Vent Isol Valve | 3RCS*SV8096A | 3RCS*SV8096B |
| Reactor Vessel to Excess Letdown Valve | 3RCS*MV8098 | Note 6 |
| Reactor Vessel to Pressurizer Relief Tank Letdown Valve | 3RCS*HCV442A | 3RCS*HCV442B |
| Pressurizer Level Control Valve | 3RCS*LCV459 | Note 7 |
| Pressurizer Level Control Valve | 3RCS*LCV460 | Note 7 |
| Letdown Orifice Isol Valve | 3CHS*AV8149A | Note 8 |
| Letdown Orifice Isol Valve | 3CHS*AV8149B | Note 8 |
| Letdown Orifice Isol Valve | 3CHS*AV8149C | Note 8 |
| Letdown to VCT/GWS Divert Valve | 3CHS*LCV112A | Note 9 |
| Vol Control Tank Outlet Isol Valve | 3CHS*LCV112B | 3CHS*LCV112C |
| RWST to Charging Pump Suction Valve | 3CHS*LCV112D | 3CHS*LCV112E |
| Charging System to RCS Isol Valve | 3CHS*AV8147 | 3CHS*AV8146 |
| Boric Acid Gravity Feed Valve | 3CHS*MV8507A | 3CHS*MV8507B |
| Charging Header Isol Valve | 3CHS*MV8438A | 3CHS*MV8438B |
| Charging Header Isol Valve | 3CHS*MV8438C | Note 10 |
| Charging Pump A Recirc Valve | Note 11 | 3CHS*MV8111A |
 
| Charging Pump B Recirc Valve | Note 11 | 3CHS*MV8111B |
| Charging Pump C Recirc Valve | Note 11 | 3CHS*MV8111C |
| SI to Charging Pumps Suction Valve | 3CHS*MV8468A | 3CHS*MV8468B |
| Charging Header Flow Control Valve | 3CHS*HCV190A | 3CHS*HCV190B |
| Charging Header Isol Bypass Valve | 3CHS*MV8116 | Note 12 |
| Charging Pump to RCS Isol Valve | 3CHS*MV8105 | 3CHS*MV8106 |
| Charging Pump Miniflow Control Valve | 3CHS*MV8511A | 3CHS*MV8511B |
| RHS Heat Exchanger Component Cooling Water Outlet Valve | 3CCP*FV66A | 3CCP*FV66B |
| RHS to Cold Leg Isol Valve | 3SIL*MV8809A | 3SIL*MV8809B |
| RWST to RHR Pump Suction Valve | 3SIL*MV8812A | 3SIL*MV8812B |
| Safety Injection Accumulator Tank Isol Valve | 3SIL*MV8808A | 3SIL*MV8808B |
| Safety Injection Accumulator Tank Isol Valve | 3SIL*MV8808C | 3SIL*MV8808D |
| Safety Injection Accumulator Tank 1 Nitrogen Supply | 3SIL*SV8875A | 3SIL*SV8875E |
| Safety Injection Accumulator Tank 2 Nitrogen Supply | 3SIL*SV8875B | 3SIL*SV8875F |
| Safety Injection Accumulator Tank 3 Nitrogen Supply | 3SIL*SV8875C | 3SIL*SV8875G |
| Safety Injection Accumulator Tank 4 Nitrogen Supply | 3SIL*SV8875D | 3SIL*SV8875H |
| Safety Injection Accumulator Vent Control | 3SIL*HCV943A | 3SIL*HCV943B |
| RHS Inlet Isol Valve | 3RHS*MV8701A (Note 13) | 3RHS*MV8701B |
| RHS Inlet Isol Valve | 3RHS*MV8701C | 3RHS*MV8702B |
| RHS Inlet Isol Valve | RHS*MV8702A | 3RHS*MV8702C |
| Charging Pump Cooling Pump | 3CCE*P1A | 3CCE*P1B |
| Pressurizer Heater Backup | 3RCS*H1A (Group A) | 3RCS*H1B (Group B) |
| Cold Shutdown Air Compressor | 3IAS-C2A | 3IAS-C2B |
 
| Air Conditioning Unit for SI, QS, and RHR Pump Area | 3HVQ*ACUS1A | 3HVQ*ACUS1B |
Safety-Related Miscellaneous Controls
| Main Stm Line Safety Injection Block/Reset | Train A | Train B |
| Pressurizer Pressure Safety Injection Block/Reset | Train A | Train B |
| Sequencer LOP Reset | Train A | Train B |
| Sequencer LOP Reset Light | Train A | Train B |
| Sequencer Manual Start Block Light | Train A | Train B |
| S Cold Overpressure Mitigating Arm/Block | Train A | Train B |
Nonsafety-Related Instruments on ASP Section 2/Non-Train
| Reserve Instrument Air Header Pressure (0-150 psig) | 3IAS-PI73B |
| S-Source Range Count Rate (10^0 - 10^6 CPS) | 3NMS-NI31C |
| S-Source Range Count Rate (10^0 - 10^6 CPS) | 3NMS-NI32C |
| RHR Heat Exchanger Outlet Temp (50-400F) | 3RHS-TI604 |
| S-Intermediate Range Neutron Flux (10 10-3 AMPS) | 3NMI-NI35C |
| S-Intermediate Range Neutron Flux (10 10-3 AMPS) | 3NMI-NI36C |
| Condensate Storage Tank Level (0-300 x 10^3 GAL) | 3CNS-LI15A |
| Volume Control Tank Level (0-100) | 3CHS-LI112A |
| Letdown Flow (0-200 gpm) | 3CHS-FI132A |
| Regenerative Heat Exchanger Outlet Temp (100-600F) | 3CHS-TI126A |
 
| RHR Heat Exchanger Outlet Temp (50-400F) | 3RHS-TI605 |
| RCP 1 Seal Water Flow (0-15 gpm) | 3CHS-FI145C |
| RCP 2 Seal Water Flow (0-15 gpm) | 3CHS-FI144C |
| RCP 3 Seal Water Flow (0-15 gpm) | 3CHS-FI143C |
| RCP 4 Seal Water Flow (0-15 gpm) | 3CHS-FI142C |
TABLE 7.4-1 INSTRUMENTS AND CONTROLS OUTSIDE CONTROL ROOM FOR COLD SHUTDOWN (CONTINUED)
| Description | Mark No. |
Equipment with Nonsafety-Related Controls ASP Section 2/Non-Train
| Excess Letdown Flow Control Valve | 3CHS*HCV123 |
| RHR Letdown Flow Control Valve | 3CHS*HCV128 |
| Charging Flow Control Valve | 3CHS*FCV121 |
| Low Pressure Letdown Control Valve | 3CHS*PCV131 |
| RCP Seal Water Supply Control Valve | 3CHS*HCV182 |
| RHR Heat Exchanger A Outlet Flow Control | 3RHS*HCV606 |
| RHR Heat Exchanger A Bypass Control | 3RHS*FCV618 |
| RHR Heat Exchanger A Component Cooling Flow Control | 3CCP*FV66A |
| RHR Heat Exchanger B Component Cooling Flow Control | 3CCP*FV66B |
| RHR Heat Exchanger B Outlet Flow Control | 3RHS*HCV607 |
| RHR Heat Exchanger B Bypass Flow Control | 3RHS*FCV619 |
| Main Stm Pressure Relieving Valve | 3MSS*PV20A |
| Main Stm Pressure Relieving Valve | 3MSS*PV20B |
| Main Stm Pressure Relieving Valve | 3MSS*PV20C |
 
| Main Stm Pressure Relieving Valve | 3MSS*PV20D |
Miscellaneous Controls ASP Section 2/Non-Train
| White Indicator Light (Steam Line Safety Injection Blocked, Train A) | |
| White Indicator Light (Steam Line Safety Injection Blocked, Train B) | |
| White Indicator Light (Pressurizer Safety Injection Blocked, Train A) | |
| White Indicator Light (Pressurizer Safety Injection Blocked, Train B) | |
Safety-Related Controls on 4160V Emergency Switchgear
| Motor-Driven Aux Fdwtr Pumps | 3FWA*P1A, Train A; 3FWA*P1B, Train B |
| Charging Pumps | 3CHS*P3A, Train A; 3CHS*P3B, Train B; 3CHS*P3C, Spare Pump |
| Service Water Pumps | 3SWP*P1A, Train A; 3SWP*P1C, Train A; 3SWP*P1B, Train B; 3SWP*P1D, Train B |
| Reactor Plant Component Cooling Pumps | 3CCP*P1A, Train A; 3CCP*P1B, Train B; 3CCP*P1C, Swing Pump |
| Control Building Chilled Water Pumps | 3HVK*P1A, Train A; 3HVK*P1B, Train B |
| RHR Pumps | 3RHS*P1A, Train A; 3RHS*P1B, Train B |
Local, Manual Valve Control
| (Adjustable travel limiters to be used during safety grade cold shutdown with single failure loss of one train of RHS and loss of all instrument air.) | 3RHS*FCV618, Train A; 3RHS*FCV619, Train B |
 
There is one auxiliary feedwater flow indicator per steam generator on the ASP - two are Train A and two are Train B.
The RC loop hot leg temperature indicators are Train A; the cold leg temperature indicators are Train B.
There is one emergency bus volt meter for each emergency bus (Trains A and B) on the ASP.
There are three steam supply valves for the turbine-driven auxiliary feedwater pump - one is Train A and two are Train B.
The pressurizer auxiliary spray valve is Train A only.
There is no Train B reactor vessel to the excess letdown valve.
3RCS*LCV459 and 460 are in series; both are Train A letdown valves.
The three letdown orifice isolation valves are all Train A.
3CHS*LCV112A is Train A; 3CHS*AOV71 up stream of 3CHS*LCV112A is non-train and can be controlled from the main board or gaseous waste panel.
3CHS*MV8438C is Train A only; it is the charging header cross connect valve.
3CHS*MV8111A, B, and C - charging pump recirculation valves are all Train B.
3CHS*MV8110 is the Train A common recirculation valve and can be operated from the main control board; it is normally OPEN.
The charging header isolation bypass valve is Train A only.
3RHS*MV8701A is not interlocked with RCS pressure low from ASP control.
In the event of a loss of Control Room and transfer of operations to the ASP, Local-Remote switches outside the Control Room are used to transfer certain control functions.
Control power to operate valves 3RHS*HCV 606 & 607 and 3RHS*FCV 618 & 619 (energize solenoid operated valves on pneumatic tubing) will be shifted via the local-remote switch that transfers control of valves 3SIL*MV8809 A & B to the ASP.
 
1    DESCRIPTION
An analysis was conducted to identify the appropriate variables and establish appropriate design bases and qualification criteria for instrumentation employed by the operator for monitoring conditions in the reactor coolant system, the secondary heat removal system and the containment, including engineered safety functions and other systems normally employed for attaining a safe shutdown condition.
The instrumentation is used by the operators to monitor Millstone 3 throughout all operating conditions, including anticipated operational occurrences and accidents and post accident conditions. Table 7.5-1 provides a listing of the variables identified to meet the intent of Regulatory Guide 1.97 Revision 2. The table includes the following information for each variable identified:
: 1. Sensor and Main Board Instrument Component Identification Tag Numbers.
: 2. Recommended Range and Regulatory Guide 1.97 Design Category, versus, Actual Range and Design Category.
: 3. Designed Redundancy.
: 4. Type of Power Supply.
: 5. Display Methodology (Variable, Trend, and/or Safety Parameter Display System (SPDS) or Offsite Facilities Information System (OFIS) availability).
: 6. Regulatory Guide 1.97 Revision 2, Type and Category (as defined in Specification SP-M3-IC-022).
: 7. Environmental Qualification (as defined in Specification SP-M3-IC-022).
: 8. Seismic Qualification (as defined in Specification SP-M3-IC-022).
: 9. Quality Assurance Qualification (as defined in Specification SP-M3-IC-022).
To assist in understanding the process for identifying the variables in Table 7.5-1, Specification SP-M3-IC-022, "The Millstone 3 Design Basis to Respond to Regulatory Guide 1.97, Revision 2," describes:
: 1. Plant conditions under which the instrumentation must be operable
: 2. Selection criteria (Type A, B, C, D, or E)
: 3. Qualification criteria (Category 1, 2, or 3)
: 5. Processing display criteria (accessibility, historical record, etc.)
The title of this section originates from Regulatory Guide 1.70. Although this section is titled "Safety Related Display Instrumentation," not all the instruments discussed in this section are safety related.
1.1      Safety Parameter Display System
The purpose of the Safety Parameter Display System (SPDS) is to provide a concise display of critical plant variables to control room operators to aid them in rapidly and reliably determining the safety status of the plant. SPDS is designed to assist the operator in implementing the functional restoration guidelines in the Emergency Operations Procedures (EOPs) by providing computer-driven displays that show the current state of the plant's critical safety functions used by the guidelines. Details of the SPDS design are provided in Specification SP-EE-149A.
The means of displaying the variables identified in Table 7.5-1 as part of the Safety Parameter Display System and the Emergency Response Facilities (EOF/TSC) are discussed in Specification SP-M3-IC-022.
1.2      Emergency Response Facilities
The Emergency Response Facilities are discussed in Section 13.3 of the FSAR as part of the Millstone Nuclear Power Station Emergency Plan.
2    ANALYSIS
Analyses for compliance with the requirements of this section are addressed in Table 7.5-1.
Further information is provided in Specification SP-M3-IC-022, "The Millstone 3 Design Basis to Respond to Regulatory Guide 1.97, Revision 2."
3    COMPLIANCE WITH OTHER REGULATORY REQUIREMENTS
: 1. Compliance with Regulatory Guide 1.47 for bypassed and inoperable status design philosophy is described below.
: a. An indicator of bypass is provided for each protection system. Bypass includes any deliberate action which renders a protection system inoperable.
: b. The indicator is at the system level, not the channel or component level. (Quench spray is a system. A quench spray pump is a component.) There is a separate indicator for each train.
* The action is deliberate. (Component failure may be indicated by component failure indicators but should not operate the system bypass indicator. It is not the intent of the indicator to show operator errors or component failures.)
* The action is expected to occur more often than once a year. This more often than once a year criterion should be interpreted liberally. If an accessible, permanently installed electrical control device will bypass a safety system, assume that it will be used more than once a year.
Devices within the containment are not accessible.
* The action is expected when the protection system must be operable. (Bypass of source range flux trip during normal power operation should not, for example, be indicated on the system bypass indicator. It may be indicated on a channel or component status indicator.)
* The action renders the system inoperable, not merely potentially inoperable. (If, for example, redundant, parallel, 100 percent valves are provided for the discharge line of a spray pump, the system bypass indicator should not be actuated by the closing of only one of those valves. Valve closing may be indicated on a component status indicator. If both valves have been deliberately moved from the Open position, the system bypass indicator should be operated. If, on the other hand, each valve carried only 50 percent flow, the system would be inoperable if either was not open. That inoperability should be indicated at the system level. Also, if a system is put in the Trip mode during test, there should be no operation of the system bypass indicator. Such a test may be indicated on a channel status indicator. If a channel is put into bypass mode for test and sufficient redundant channels remain capable of operating the protection system and not more than one channel at a time is expected to be tested, the channel bypass should not be indicated at the system level. If an actuation signal will override the bypass, the system bypass indicator should not be operated.)
* Some deliberate action has taken place in the protection system or a necessary supporting system. (For example, if the cooling water inlet valve for a recirculation spray heat exchanger is deliberately
: d. The bypass indicators are separate from other plant indicators and grouped in a logical fashion.
: e. A capability is provided to operate each bypass indicator manually. This lets the operator provide bypass indication for an event that renders a safety system inoperable but does not automatically operate the system bypass indicator.
: f. There is not any capability to defeat an automatic operation of a bypass indicator. (Audible alarms may be silenced.)
: g. The bypass indicators are accompanied by an audible alarm.
: h. No immediate operator action is required as a result of any system bypass indication.
: i. The indication system is mechanically and electrically isolated from the safety system to avoid degradation of the safety system. No fault in the indicator system can impair the ability of the safety system to perform its safety-related function. The bypass indicators are not considered safety-related; i.e., they need not be designed to safety system criteria such as IEEE-279.
: j. In accordance with IEEE-279, Paragraph 4.20, the operator must be able to determine why a system level bypass is indicated. This information is provided by the plant computer.
: k. Inoperative indicators are provided for the Service Water, Emergency Diesel Generator, Control Building Chilled Water, Reactor Plant Component Cooling Water, and Vital Battery systems. These support systems are unique. They are important enough to warrant bypass indicators, but these indicators are differentiated from non-support system bypass indicators by color.
: l. System design meets the recommendations of Branch Technical Position ICSB-21 as follows:
* Each safety system has a Train A (orange) and Train B (purple) bypass indicator. The indicators are grouped together by train on the main control board. Support systems have white bypass indicators and are arranged together with the associated train of bypass indicators.
* Means by which the operator can cancel erroneous bypassed indications are not provided.
* The bypass indication system does not perform functions essential to safety. No operator action is required based solely on the bypass indication.
* The indication system has no effect on plant safety systems.
* The bypass indicating and annunciating function can be tested during normal plant operation.
: 2. Compliance with Regulatory Guide 1.75 for separation criteria is described in Section 1.8 and Specification SP-M3-IC-022.
: 3. Compliance with Regulatory Guide 1.105 for instrument spans and setpoints is described in Sections 1.8 and Specification SP-M3-IC-022 and referenced in Section 7.1.
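The system-level bypass criteria in item 1 above (a deliberate action, expected more than once a year, taken while the system must be operable, that actually renders the system inoperable) can be written as a small decision model. This Python sketch is an added example and is not part of the FSAR; the class names, field names and the two quench spray discharge valves are constructed for illustration.

```python
"""Decision model for a system-level bypass indicator (illustrative sketch).

Names, fields and sample valves are assumptions, not plant design data.
"""
from dataclasses import dataclass, field


@dataclass
class Action:
    """Something that takes one flow path of a train out of service."""
    path: str
    deliberate: bool = True            # False = component failure or operator error
    frequent: bool = True              # expected more often than once a year
    while_required: bool = True        # occurs when the system must be operable
    actuation_overrides: bool = False  # an actuation signal overrides the bypass
    trip_mode_test: bool = False       # system placed in Trip mode during test

    def counts_toward_system_bypass(self) -> bool:
        """Apply the per-action criteria listed in the text."""
        return (self.deliberate and self.frequent and self.while_required
                and not self.actuation_overrides and not self.trip_mode_test)


@dataclass
class Train:
    """One train of a protection system; each train has its own indicator."""
    system: str
    train: str
    paths: dict                        # path name -> percent of required flow
    actions: list = field(default_factory=list)
    manual_indication: bool = False    # operator-set indication (item e)

    def remaining_capacity(self) -> int:
        """Percent of required flow left after qualifying actions."""
        removed = {a.path for a in self.actions
                   if a.counts_toward_system_bypass()}
        return sum(p for name, p in self.paths.items() if name not in removed)

    def automatic_indication(self) -> bool:
        """Inoperable, not merely potentially inoperable: below 100 percent."""
        return self.remaining_capacity() < 100

    def system_bypass_indicator(self) -> bool:
        """Manual operation can only add indication, never defeat it (item f)."""
        return self.automatic_indication() or self.manual_indication

    def component_status(self) -> list:
        """Every affected path still shows on component status indication."""
        return sorted({a.path for a in self.actions})


def scenarios() -> dict:
    """Constructed cases mirroring the valve examples in the text."""
    v1, v2 = "discharge valve 1", "discharge valve 2"
    full = {v1: 100, v2: 100}   # redundant, parallel, 100 percent valves
    half = {v1: 50, v2: 50}     # each valve carries only 50 percent flow

    def lit(paths, actions, manual=False):
        train = Train("Quench Spray", "A", paths, actions, manual)
        return train.system_bypass_indicator()

    failed = [Action(v1, deliberate=False), Action(v2, deliberate=False)]
    overridden = [Action(v1, actuation_overrides=True),
                  Action(v2, actuation_overrides=True)]
    return {
        "one_of_two_100pct_closed": lit(full, [Action(v1)]),
        "both_100pct_closed": lit(full, [Action(v1), Action(v2)]),
        "one_of_two_50pct_closed": lit(half, [Action(v1)]),
        "component_failures_only": lit(full, failed),
        "failures_with_manual_indication": lit(full, failed, manual=True),
        "bypass_overridden_by_actuation": lit(full, overridden),
        "trip_mode_test": lit(full, [Action(v1, trip_mode_test=True),
                                     Action(v2, trip_mode_test=True)]),
    }


if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name}: {'LIT' if state else 'off'}")
```

Component failures leave the automatic indicator off, as the text requires, and the manual capability is the only path by which such an event reaches the system-level indicator.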
 
APPENDIX 7.5A MILLSTONE UNIT 3 DEVIATIONS TO REGULATORY GUIDE 1.97 REVISION 2
 
Table of Contents
* Deviation Number 1: RCS Pressure (Wide Range)
* Deviation Number 2: RCS Wide Range T-Hot
* Deviation Number 3: RCS Wide Range T-Cold
* Deviation Number 4: Steam Generator Level (Wide Range)
* Deviation Number 5: Deleted
* Deviation Number 6: Steamline Pressure
* Deviation Number 7: RCS Subcooling
* Deviation Number 8: Containment Hydrogen Concentration
* Deviation Number 9: Reactor Coolant Level
* Deviation Number 10: Containment Isolation Valve Status
* Deviation Number 11: RHR-Heat Exchanger Discharge Temperature
* Deviation Number 12: Accumulator Tank Pressure
* Deviation Number 13: Accumulator Level
* Deviation Number 14: Pressurizer Heater Breaker Position
* Deviation Number 15: Containment Sump Water Temperature
* Deviation Number 16: Containment Sump Level (NR)
* Deviation Number 17: VCT Level
* Deviation Number 18: High Level Liquid Radwaste Tank Level
* Deviation Number 19: Condenser Air Ejector
* Deviation Number 20: Reactor Coolant System Soluble Boron Concentration
* Deviation Number 21: Heat removal by the Containment Fan Heat Removal System
* Deviation Number 22: Radioactive Gas Holdup Tank Pressure
* Deviation Number 23: Radiation Exposure Rate (inside building or areas which are in direct contact with primary containment where penetrations and hatches are located)
* Deviation Number 24: Radiation Exposure Rate (inside buildings or areas where access is required to service equipment important to safety)
* Deviation Number 25: Deleted by FSARCR 05-MP3-006
* Deviation Number 26: Pressurizer Relief Tank Level, Pressure, and Temperature
* Deviation Number 27: Hydrogen Recombiner Cubicle Ventilation Monitor
* Deviation Number 28: This Deviation deleted per FSARCR 01-MP3-33.
* Deviation Number 29: Flow rate to Millstone Stack (SLCRS)
* Deviation Number 30: Flow out Ventilation Vent
* Deviation Number 31: Deleted
* Deviation Number 32: Valve Status
* Deviation Number 33: Main Steam Isolation and Bypass Valve Status
* Deviation Number 34: Steam Generator Safety Valve Status
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 1
Variable Name: RCS Pressure (Wide Range)
AMI Table Item Number: A1, B5, B15, C5, D4, D18
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Actual range is 3000 PSIA, versus a recommended range of 3000 PSIG.
Justification
The actual range of 0-3000 PSIA, which is approximately -14.7 to 2985.3 PSIG, is adequate to monitor the Reactor Coolant System pressure. In addition, RCS pressure (Extended Range, 15-0 PSIA) which is also a Regulatory Guide 1.97 variable, envelopes the recommended range as described above.
 
Deviation Number 2
Variable Name: RCS Wide Range T-Hot
AMI Table Item Number: A2, B2, B13
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
: 1. Actual range is 0-700F, versus a recommended range of 50-750F.
: 2. Main board indicators are not redundant as recommended for Category 1 variables.
Justification
Both the range and redundancy deviations have been accepted per SSER 4, Appendix L, 3.3.2.
 
Deviation Number 3
Variable Name: RCS Wide Range T-Cold
AMI Table Item Number: A3, B3, B14
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
: 1. Actual range is 0-700F, versus a recommended range of 50-750F.
: 2. Main board indicators are not redundant as recommended for Category 1 variables.
Justification
Both the range and redundancy deviations have been accepted per SSER 4, Appendix L, 3.3.2.
 
Deviation Number 4
Variable Name: Steam Generator Level (Wide Range)
AMI Table Item Number: A4, B7, B10, B18, D27
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Main board indicators are not redundant as recommended for Category 1 variables.
Justification
Wide Range Steam Generator Level and Auxiliary Feedwater Flow is considered diverse redundant instrumentation. Although loss of one division of power supply would result in loss of indication of both flow and wide range level for two of the four steam generators, the design has been determined acceptable in accordance with the intent of Regulatory Guide 1.97, since only one steam generator is required for safe shutdown and Narrow Range Steam Generator Level instruments provide adequate backup information. Refer to NRC Inspection Report 50-423/90-August 14, 1990.
 
Deviation Number 5
Variable Name:
AMI Table Item Number:
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Deleted
Justification
 
Deviation Number 6
Variable Name: Steamline Pressure
AMI Table Item Number: A8, B19, D23
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Actual range is 0 to 1300 PSIG, versus a recommended range of from Atmospheric pressure to above the lowest safety valve setting. The lowest safety valve setting is 1185 PSIG.
Justification
This range deviation has been accepted per SSER 4, Appendix L, 3.3.14.
 
Deviation Number 7
Variable Name: RCS Subcooling
AMI Table Item Number: A15, B16
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
This variable is designed as a Category 2, versus a recommended Category 1 design.
Justification
The Inadequate Core Cooling Monitor (ICCM) is designed and installed as a Class 1E System. However, its primary means of display in the Main Control Room is the Safety Parameter Display System (SPDS), which is a Non-Class 1E system. This design satisfies the requirements of NUREG-0737, Item II.F.2. The design category deviation has been accepted per SSER 4, Appendix L, 3.3.4 and SSER 5, 4.4.8.
 
Deviation Number 8
Variable Name: Containment Hydrogen Concentration
AMI Table Item Number: C12
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Actual range is 0-10% (capable of operating from 11.76 PSIA to maximum design pressure), versus a recommended range of 0-10% (capable of operating from 10 PSIA to maximum design pressure).
Justification
This range deviation has been accepted per SSER 4, Appendix L, 3.3.7.
 
Deviation Number 9
Variable Name: Reactor Coolant Level
AMI Table Item Number: B11
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
: 1. Actual range of Plenum Level: 0 to 100% and Head Level: 63 to 100%, versus a recommended range of Bottom of Core to Top of Vessel.
: 2. This variable is designed as a Category 2, versus a recommended Category 1 design.
Justification
: 1. The actual range is consistent with the recommended range in Regulatory Guide 1.97 Rev. 3 of Top of Vessel to Top of Core. This range deviation has been accepted per SSER 4, Appendix L, 3.3.3.
: 2. The Inadequate Core Cooling Monitor (ICCM) processes the reactor coolant level information for display. The ICCM is designed and installed as a Class 1E System. However, its primary means of display in the Main Control Room is the Safety Parameter Display System (SPDS), which is a Non-Class 1E system. This design satisfies the requirements of NUREG-0737, Item II.F.2. The design category deviation has been accepted per SSER 4, Appendix L, 3.3.3 and SSER 5, 4.4.8.
 
Deviation Number 10
Variable Name: Containment Isolation Valve Status
AMI Table Item Number: C16
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
: 1. Containment Isolation Valves are qualified to recommended Category 1 requirements with exception of redundancy of associated main board valve indicators. Therefore, this variable will be considered a Category 2 variable.
: 2. Containment Isolation Valve 3CVS*MOV25 is not supplied with highly reliable power as recommended for Category 2 variables.
Justification
: 1. Type C variables which indicate the actual breach of a fission product barrier have been designated as preferred backup information and are qualified to Category 2 criteria. The deviation regarding redundancy of main board indicators has been accepted per SSER 4, Appendix L, 3.3.5.
: 2. Containment Isolation Valve 3CVS*MOV25 is locked closed. This valve does not perform a containment isolation function during a Design Basis Accident and should not be considered a Regulatory Guide 1.97 variable.
 
Deviation Number 11
Variable Name: RHR-Heat Exchanger Discharge Temperature
AMI Table Item Number: D1
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Actual range is 50-400F, versus a recommended range of 32-350F.
Justification
This range deviation has been accepted per SSER 4, Appendix L, 3.3.8.
 
Deviation Number 12
Variable Name: Accumulator Tank Pressure
AMI Table Item Number: D10
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Actual range is 0-700 PSIA, versus a recommended range of 0-750 PSIG.
Justification
This range deviation has been accepted per SSER 4, Appendix L, 3.3.10. However, the acceptance was based on a designed range of 0-700 PSIG, while the actual range is 0-700 PSIA, which is approximately -14.7 - 685.3 PSIG. The existing range is adequate to monitor expected accumulator tank pressures.
 
Deviation Number 13
Variable Name: Accumulator Level
AMI Table Item Number: D13
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
This variable is designed as a Category 3, versus a recommended Category 2 design.
Justification
The NRC has accepted the design category deviation per NRC letter to John F Opeka, dated April 992, Docket Number 50-423. Refer to SSER 4, Appendix L, 3.3.9.
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 14
Variable Name: Pressurizer Heater Breaker Position
AMI Table Item Number: D16
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Pressurizer Heater Breaker Position is monitored, versus a recommended measurement of electric current.
Justification
This deviation was accepted per SSER 4, Appendix L, 3.3.13.
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 15
Variable Name: Containment Sump Water Temperature
AMI Table Item Number: D37
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
This variable is designed as a Category 3, versus a recommended Category 2 design.
Justification
Approval of the installation of containment sump temperature as a Category 3 variable was granted by the NRC with the issue of Amendment 42 to Operating License NPF-49 in response to the NNECO request of August 14, 1989, which deleted license condition 2.C (6).
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 16
Variable Name: Containment Sump Level (NR)
AMI Table Item Number: D38
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
This variable is designed as a Category 3, versus a recommended Category 2 design.
Justification
This deviation was explicitly described in the Response to NRC question 420.6. The NRC approved the response to question 420.6 as part of SSER 4. The response to 420.6 states that two Class 1E qualified wide range and one unqualified narrow range sump water level channels are used to monitor the Containment Water Level. The narrow and wide range channels overlap.
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 17
Variable Name: RWST Level
AMI Table Item Number: D44
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Only the cylindrical portion of the tank is measured for level, versus a recommended measurement of Top to Bottom.
Justification
This deviation was accepted per SSER 4, Appendix L, 3.3.19.
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 18
Variable Name: High Level Liquid Radwaste Tank Level
AMI Table Item Number: D63
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Indication via dial, digital, CRT, or stripchart recorder of tank level is not provided in the Main Control Room as recommended for Category 3 variables.
Justification
Only a common trouble alarm is available in the Main Control Room. Variable indication and high/low level alarms are provided locally. This deviation has been accepted per SSER 4, Appendix L, 3.3.21.
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 19
Variable Name: Condenser Air Ejector
AMI Table Item Number: C9
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Actual range is 1.5x10^-5 to 10^0 µCi/cc, versus a recommended range of 10^-6 to 10^-2 µCi/cc.
Justification
The low range or sensitivity of this monitor depends on the radionuclide mix and on the monitor background radiation. Both of these parameters are variable and therefore so is the monitor's sensitivity. The ability to detect certain size RCS leakage into the steam generator secondary side is also highly dependent on the reactor coolant activity, which is also highly variable. Even with low coolant activity, these monitors meet the intent of Regulatory Guide 1.97 Rev. 2, in that any major RCS leakage, including a tube rupture, would be easily detected and alarmed by the Condenser Air Ejector Monitor.
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 20
Variable Name: Reactor Coolant System Soluble Boron Concentration
AMI Table Item Number: Not Listed
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Regulatory Guide 1.97 Rev. 2 recommends Category 3 instrumentation with a range of 0 to 6000 parts per million for this variable.
Justification
Category 1 Neutron Flux monitoring will adequately perform this function. This is being addressed by the NRC as part of their review of NUREG-0737, Item II.B.3 as described in SSER 4, Appendix L, 3.3.1.
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 21
Variable Name: Heat removal by the Containment Fan Heat Removal System
AMI Table Item Number: Not Listed
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Regulatory Guide 1.97 Rev. 2 recommends plant specific instrumentation for this variable.
Justification
The containment air coolers are not used in an accident or post-accident condition, and, therefore, this is not considered a Regulatory Guide 1.97 variable. This has been accepted per SSER 4, Appendix L, 3.3.16.
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 22
Variable Name: Radioactive Gas Holdup Tank Pressure
AMI Table Item Number: Not Listed
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Regulatory Guide 1.97 Rev. 2 recommends instrumentation for this variable.
Justification
Millstone 3 does not have radioactive gas holdup tanks and therefore will not provide instrumentation for this variable. This has been accepted per SSER 4, Appendix L, 3.3.22.
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 23
Variable Name: Radiation Exposure Rate (inside building or areas which are in direct contact with primary containment where penetrations and hatches are located)
AMI Table Item Number: Not Listed
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Regulatory Guide 1.97 Rev. 2 recommends monitoring radiation exposure rates inside buildings or areas, e.g., auxiliary building, reactor shield building annulus, fuel handling building, which are in direct contact with primary containment where penetrations and hatches are located, for the purpose of monitoring the containment structure for an indication of breach. This variable is listed under type C variables.
Justification
The utility is providing area radiation monitors, some of which happen to satisfy this requirement. The monitors are listed in FSAR Table 12.3-2. The utility declines to list these monitors in any accident plans and does not consider them to be safety related, nor Regulatory Guide 1.97 variables for the following reasons. Regulatory Guide 1.97 Rev. 2 requires the monitors for indication of breach of containment. Breach of containment is best indicated by the effluent monitors and field test results. The proposed area monitors would be essentially useless for this purpose. During a serious accident, typical streaming and shine dose rates from the containment would be approximately 100 R/hr in these areas. Add to this the direct dose rates from any piping sources (e.g., RHR piping could be reading 106 R/hr) and it is obvious that the accident levels in these areas would preclude any determination of airborne leakage. Even if containment breach could be detected, these monitors would not be used for a quantitative estimate of release rates. Refer to response to NRC question 420.6, note 29.
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 24
Variable Name: Radiation Exposure Rate (inside buildings or areas where access is required to service equipment important to safety)
AMI Table Item Number: Not Listed
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Regulatory Guide 1.97 Rev. 2 recommends monitoring radiation exposure rates inside buildings or areas where access is required to service equipment important to safety, for the purpose of detection of significant releases, release assessment, and long-term surveillance. This variable is listed under type E variables.
Justification
The utility is providing area radiation monitors, some of which happen to satisfy this requirement. These monitors are listed in FSAR Table 12.3-2. The utility declines to list these monitors in any accident plans and does not consider them safety related, nor Regulatory Guide 1.97 variables for the following reason. Regulatory Guide 1.97 states that these areas should have monitors with a range of 10^-1 R/hr to 10^4 R/hr. This range is too high because dose rates above 10^2 R/hr will preclude personnel access to the area. At Millstone Unit 3, any radiation areas that need personnel access will be surveyed by radiation protection teams using portable survey instruments to obtain a more accurate radiation picture than would be obtained with a single permanently mounted high range area monitor. Also, the high range area monitors would not be used for any post-accident dose assessments nor corrective actions. Refer to response to NRC Question 420.6, Note 67.
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 25
Variable Name: Deleted by FSARCR 05-MP3-006
AMI Table Item Number: Deleted
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 26
Variable Name: Pressurizer Relief Tank Level, Pressure, and Temperature
AMI Table Item Number: Not Listed
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Regulatory Guide 1.97 Rev. 2 recommends instrumentation to monitor Quench Tank Level, Pressure, and Temperature. Millstone Unit 3 does not list these instruments as accident monitoring variables.
Justification
Instrumentation is provided for the above variables that meet the requirements of Regulatory Guide 1.97 Rev. 2. However, the utility does not consider these instruments as post-accident monitoring instrumentation. This deviation was accepted by the NRC as part of the response to NRC question 420.6.
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 27
Variable Name: Hydrogen Recombiner Cubicle Ventilation Monitor
AMI Table Item Number: C10, E10
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Actual range is 10^-6 to 10^0 µCi/cc, versus a recommended range of 10^-6 to 10^2 µCi/cc.
Justification
This variable is not considered a release point, but is used to actuate closure of the hydrogen recombiner cubicle. Because this is not a release point, instrumentation in conformance to Regulatory Guide 1.97 Rev. 2 is not needed. This has been accepted per SSER 4 Appendix L, 24.
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 28
This Deviation deleted per FSARCR 01-MP3-33.
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 29
Variable Name: Flow rate to Millstone Stack (SLCRS)
AMI Table Item Number: E3
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
SLCRS accident monitoring instrumentation flow rate range is 150 to 15,142 Standard Cubic Feet per Minute (SCFM), versus a recommended flow rate range of 0 to 110% vent design flow.
Justification
Regulatory Guide 1.97 recommends instrumentation for this variable with a range of 0 to 110 percent of design flow rate. The SLCRS design maximum flow rate is 10,800 SCFM. The flow rate corresponding to 110 percent of the SLCRS design flow is 11,880 SCFM. The flow rate of the low end of the indication range, 150 SCFM, corresponds to 1.4 percent of the SLCRS design flow. The actual SLCRS flow range is approximately 200 SCFM to 10,800 SCFM. Actual minimum flow during SLCRS accident operation is 7600 SCFM and maximum flow is 10,800 SCFM.
Therefore, the accident monitoring instrumentation flow range of 150 to 12,150 SCFM is conservative and bounding. This range exceeds the 110 percent requirement of the Regulatory Guide for flow rate to the Millstone Stack. The minimum flow rate indication of 150 SCFM bounds the minimum system flow rate of 200 SCFM, although it deviates slightly from the Regulatory Guide requirement of 0 percent flow rate. Based on this minor nature of the deviation, and the fact that the indication provided fully bounds the expected system flow rates, this deviation is considered insignificant.
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 30
Variable Name: Flow out Ventilation Vent
AMI Table Item Number: E2
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Flow out Ventilation Vent instrumentation flow rate range is 30,000 to 280,000 Standard Cubic Feet per minute (SCFM), versus a recommended flow rate range of 0 to 110% vent design flow.
Justification
Regulatory Guide 1.97 recommends instrumentation for this variable with a range of 0 to 110 percent of design flow rate. The Ventilation Vent maximum flow rate is 232,000 SCFM. The flow rate corresponding to 110 percent of the Ventilation Vent maximum flow is therefore 255,200 SCFM. The measurement flow rate at the low end of the indication range, 30,000 SCFM, corresponds to 13 percent of the Ventilation Vent maximum flow.
The actual SLCRS flow range is approximately 17,000 SCFM to 232,000 SCFM. Therefore, the Ventilation Vent flow instrument's measurement range is conservative and bounding at the high end but will not measure down to the minimum flow rate that is possible. This minimum flow rate would result when a loss of power (LOP) occurs during cold weather conditions, i.e., when the charging pump cubicle dampers have been manually throttled. This system alignment isolates all the ventilation from the Charging Pump Cubicles and with the dampers partially closed in their winter mode will result in approximately 17,000 SCFM. Otherwise, the expected minimum system flow will be above the instrument's minimum flow value of 30,000 SCFM. The flow instrument provides input to the Ventilation Vent radiation monitor computer to support a calculation of the amount of radioactivity released from the Ventilation Vent for the purpose of offsite dose estimates. Should a LOCA occur during this condition of flow rates below the instrument's measurement capability, the flow instrument will default to its minimum signal value which will result in a conservative (larger) estimate of activity release. While less than desirable, this will result in conservative decisions with respect to Emergency Plan actions resulting from the dose assessment calculations.
Based upon this conservative result the deviation is determined to be acceptable.
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 31
Deleted
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 32
Variable Name / AMI Table Item Number
Main Steam Isolation and Bypass Valve Status / B21
Steam Generator Atmospheric Valve Status / D20
Main Steam Isolation and Bypass Valve Status / D21
FW Control and Bypass Valve Status / D24
FW Isolation Valve Status / D25
Steam Generator Blowdown Isolation Valve Status / D29
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Limit switches providing valve position indication are not qualified for long term post accident monitoring following a Main Steam Line Break (MSLB) inside the Main Steam Valve Building (MSVB).
Justification
Under the worst case MSLB scenario in the MSVB the NAMCo limit switches monitoring safety related valve position may fail to provide the Regulatory Guide 1.97 required position indication because the limit switch temperature can exceed their qualification temperature during long term post accident periods (Reference 2). The NAMCo limit switches for the subject components are d in EQRs 109-0-7, 109-8-2 and 109-3-1. As described in Reference 3, the MSVB NAMCo limit switches subjected to the temperature rise for this bounding scenario perform one of the following functions:
: 1. Valve position indication via lights on the Main Control Board and/or local electrical distribution equipment, plant process computer valve position input, and valve position annunciation. Failure of these limit switches will simply result in loss, or ambiguity, of those position signals. Many of these are credited for Regulatory Guide 1.97 post accident monitoring, primarily for containment isolation verification. Because this environmental condition is from a MSLB in the MSVB, containment isolation is not a required function and loss of these indications will not be significant nor impact any safety function. For the other valve position indications which are related to feedwater and/or steam line isolation, the closure of the valve will be recorded in the plant process computer history file once the valve has reached its safety position, which will occur prior to reaching the NAMCo qualification temperature. Subsequent indirect indication of maintaining valve closure will be evident through monitoring of steam generator level indications. These are indications only and any environmental failure of these limit switches cannot result in a repositioning of these valves from their safety position.
: 2. Air Operated Valve (AOV) control seal-in circuits which hold the AOV's solenoid valve energized after the momentary push button opens the AOV. These limit switch contacts are normally open in their de-energized state, i.e., the limit switch internal spring opposes contact closure. Once the valves move to their fail safe position, closed, there is no credible failure mechanism on the part of these limit switches that could cause a re-actuation of the solenoid and subsequent opening of the AOV.
: 3. The Feedwater Isolation Valves (FWIVs) limit switches perform no function in the FWIVs' safety action to close upon receipt of a Feedwater Isolation signal, nor can their failure prevent the FWIVs' safety action to close. Additionally any failure of the limit switches will not cause the FWIVs to open once they have moved to their fail safe closed position.
Therefore, should any of the subject MSVB NAMCo limit switches fail as a result of being exposed to the bounding worst case MSLB postulated above, they will not prevent any safety functions from occurring, nor will their failure result in any unacceptable consequences.
References
: 1. Calculation 07-ENG-04255M3, Rev. 00, Impact of SPU on MSVH Temperature & Pressure Transient due to Steam Line Break.
: 2. 08-SPUP-04379M3, Rev. 0, Thermal Lag Analysis for NAMCO Limit Switches Exposed to a HELB in the MSVB under SPU conditions.
: 3. Letter to NRC Serial Number 08-0248A RAI response to Stretch Power Uprate LAR dated May 15, 2008.
 
MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS
Deviation Number 33
Variable Name: Main Steam Isolation and Bypass Valve Status
AMI Table Item Number: B21, D21
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Position sensor coils of the main steam isolation valves (MSIVs) are not qualified for long term post accident monitoring following a Main Steam Line Break (MSLB) inside the Main Steam Valve Building (MSVB).
Justification
MSIV (3MSS*CTV27A-D) valve position status is provided via position sensor coils in the valve bodies. The position sensor coils provide confirmation of steam line isolation through valve position indication, following a MSLB. The MSVB environment resulting from the worst case MSLB in the MSVB will result in the Sulzer position sensor coils exceeding their qualification temperature during this event with possible loss of position indication. In a letter to the NRC (Reference 1), it was stated that alternately, steam generator level indication, which does not see the MSVB harsh environment, can be used to establish that isolation has occurred. This is further reinforced by Supplement 5 of the Millstone 3 SER (Reference 2), which states:
In addition, the licensee stated that all Millstone 3 equipment which is required to function to mitigate the consequences of a main steam line break accident is qualified to function at the maximum compartment temperature of 325°F at steam line isolation. The licensee also stated that the equipment will remain in its safe position regardless of the fact that it will be exposed to temperatures above the qualification temperature. The staff reviewed all information provided by the licensee and found it acceptable.
Therefore position indication is not necessary following Main Steam Line Break inside Main Steam Valve Building since alternate methods are available for monitoring.
References
: 1.      Letter from J.F. Opeka (NU) to NRC, Millstone Nuclear Power Station, Unit Number 3, Evaluation of Environmental Effects of Main Steam Line Break (MSLB) Outside Containment, Docket Number 50-423, B11944, dated January 7, 1986.
 
: 2. NUREG-1031, Supplement Number 5, Safety Evaluation Report related to the Operation of Millstone Nuclear Power Station, Unit Number 3, Docket Number 50-423, January 1986.
 
Variable Name: Steam Generator Safety Valve Status
AMI Table Item Number: D22
Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
The flow elements (3SVV-FE28A-D, 3SVV-FE29A-D, 3SVV-FE30A-D, 3SVV-FE31A-D, and V-32A-D) which sense flow through the main steam safety relief valves (3MSS*RV22A-D, *RV23A-D, *RV24A-D, *RV25A-D, *RV26A-D), are not qualified for long term monitoring of flow / no flow indication following a Main Steam Line Break (MSLB) inside the Main Steam Valve Building (MSVB).
Justification
EQR 191-1-2 currently states the function of the flow elements is to sense flow through the main steam safety relief valves (3MSS*RV22A-D, *RV23A-D, *RV24A-D, *RV25A-D, *RV26A-D) and to provide flow / no flow indication to the plant control room in order to verify whether the safety valves are open or closed. The safety function of the flow element is to provide information on the main steam safety valve position, but they are not required for long term post accident monitoring following an MSLB in the MSVB, since there are other means to detect the safety valve lift. The Letter from J. F. Opeka (NU) to NRC, Millstone Nuclear Power Station, Unit No. 3, Evaluation of Environmental Effects of Main Steam Line Break (MSLB) Outside Containment, Docket Number 50-423, B11944, dated January 7, 1986, states that following a steam line break, the steam generator level indication, which is located inside containment, will be available to identify the faulted loop. The letter further states:
For the intact loops, indication that the steam generators are isolated and level is maintained and heat removal is being accomplished can be obtained from steam generator level, auxiliary feedwater flow and reactor coolant system temperature, none of which are affected by the MSLB environment. Safety valve lift can be detected using main steam flow indication located inside containment or visual indication from the yard, and successful heat removal can be monitored by observing steam generator level, auxiliary feedwater flow and reactor coolant system temperature, as stated above. Containment isolation indication in the main steam valve building r the MSIV position indication. Isolation can be established via the main steam line pressure transmitters, which will be operable at the time of MSIV closure. Alternatively, steam generator level indication, which does not see the harsh environment, can be used to establish that isolation has occurred.
This is further reinforced by Supplement 5 of the Millstone 3 SER, NUREG-1031, Supplement Number 5, Safety Evaluation Report related to the Operation of Millstone Nuclear Power Station, Unit Number 3, Docket Number 50-423, January 1986, which states:
 
maximum compartment temperature of 325°F at steam line isolation. The licensee also stated the equipment will remain in its safe position regardless of the fact that it will be exposed to temperatures above the qualification temperature. The staff reviewed all the information provided by the licensee and found it acceptable.
Therefore, the Steam Generator safety valve flow elements will not be required to be qualified for long term post accident monitoring following a MSLB inside the MSVB. Alternately, safety valve lift can be detected using main steam flow indication located inside containment or visual indication from the yard, and successful heat removal can be monitored by observing steam generator level, auxiliary feedwater flow and reactor coolant system temperature. Deviation to Regulatory Guide 1.97 Program, specific to MSLB in MSVB, has no adverse impact on any other structures, systems, or components important to safety.
References
: 1.      Letter from J.F. Opeka (NU) to NRC, Millstone Nuclear Power Station, Unit Number 3, Evaluation of Environmental Effects of Main Steam Line Break (MSLB) Outside Containment, Docket Number 50-423, B11944, dated January 7, 1986.
: 2.      NUREG-1031, Supplement No. 5, Safety Evaluation Report related to the Operation of Millstone Nuclear Power Station, Unit Number 3, Docket Number 50-423, January 1986.
 
TABLE 7.5-1 ACCIDENT MONITORING INSTRUMENTATION LIST DISPLAY MAIN BOARD R.G. 1.97                                                                                Millstone 3 Item                          R.G. 1.97 Recommended Design    Actual                    Power        Variable        Trend      TSC, EOF    Design Number      Variable/Sensor          Range/Status    Category Range/Status Redundancy    Supply      Indication    Indication  Computer    Category      EEQ  Seismic    QA    Trending            Remarks/Notes PLANT SPECIFIC TYPE A Revision 3606/29/23 VARIABLES
* SEE Deviation Number 1, IN A1      RCS PRESSURE (WR)        0-3000 PSIG          1      0-3000 PSIA
* YES      VITAL UPS 3RCS*PI403      3RCS-PR403    RCS-P403        1        YES    YES      YES  DED_REC Appendix 7.5A.
3RCS*PT403                                                                              3RCS*PI405                    RCS-P405                                        OFIS 3RCS*PT403A                                                                                                                                                            SPDS 3RCS*PT405 3RCS*PT405A
* SEE Deviation Number 2, IN A2      RCS WIDE RANGE T-HOT      50-750F            1          0-700F
* NO **    VITAL UPS 3RCS*TI413A      3RCS-TR413A    RCS-T413A      1        YES    YES      YES  DED_REC Appendix 7.5A.
                                                                                                                                                                                                ** CORE EXIT THERMOCOUPLES 3RCS*TE413C                                                                            3RCS*TI423A    3RCS*TR433A    RCS-T423A                                        OFIS        (A13) PROVIDES DIVERSE MEASUREMENT.
3RCS*TE423C                                                                                                            RCS-T433A                                        SPDS 3RCS*TE433C                                                                                                            RCS-T443A 3RCS*TE443C RCS WIDE RANGE T-
* SEE Deviation Number 3, IN A3                                50-750F            1          0-700F
* NO **    VITAL UPS 3RCS*TI413B      3RCS-TR413B    RCS-T413B      1        YES    YES      YES  DED_REC COLD                                                                                                                                                                                  Appendix 7.5A.
                                                                                                                                                                                                ** STEAMLINE PRESSURE 3RCS*TE413B                                                                            3RCS*TI423B    3RCS*TR433B    RCS-T423B                                        OFIS        PROVIDES DIVERSE MEASUREMENT.
3RCS*TE423B                                                                                                          RCS-T433B                                        SPDS 3RCS*TE433B                                                                                                          RCS-T443B 3RCS*TE443B A4      S/G LEVEL (WR)                                1      0-100% OF      NO
* VITAL UPS 3FWS*LI501      3FWS-LR501    FWS-L501        1        YES    YES      YES  DED_REC
* SEE Deviation Number 4, IN 3FWS*LT501                                        SPAN FROM                          3FWS*LI502      3FWS-LR503    FWS-L502                                        OFIS        Appendix 7.5A.
FROM TUBE SHEETS TO 3FWS*LT502                                        TUBE                                3FWS*LI503                      FWS-L503                                                    AUXILIARY FEEDWATER FLOW SEPARATORS 3FWS*LT503                                        SHEETS TO                          3FWS*LI504                      FWS-L504                                                    (A11) PROVIDES DIVERSE MPS-3 FSAR 3FWS*LT504                                        SEPARATORS                                                                                                                      MEASUREMENT.
0-100% OF A5      S/G LEVEL (NR)            NS                  1                      YES      VITAL UPS 3FWS*LI517      3FWS-FR510    FWS-L517        1        YES    YES      YES  DED_REC SPAN 3FWS*LT517                                                                              3FWS*LI518      3FWS-FR520    FWS-L518                                        OFIS 3FWS*LT518                                                                              3FWS*LI519      3FWS-FR530    FWS-L519                                        SPDS 3FWS*LT519                                                                              3FWS*LI527      3FWS-FR540    FWS-L551 3FWS*LT551                                                                              3FWS*LI528                    FWS-L527 3FWS*LT527                                                                              3FWS*LI529                    FWS-L528 3FWS*LT528                                                                              3FWS*LI537                    FWS-L529
* NON-QA LEVEL INDICATORS PROVIDE ADDITIONAL 3FWS*LT529                                                                              3FWS*LI538                    FWS-L552 INFORMATION BUT ARE NOT 3FWS*LT552                                                                              3FWS*LI539                    FWS-L537 CREDITED AS RG 1.97 CATEGORY 1 3FWS*LT537                                                                              3FWS*LI547                    FWS-L538 CHANNELS.
3FWS*LT538                                                                              3FWS*LI548                    FWS-L539 3FWS*LT539                                                                              3FWS*LI549                    FWS-L553 3FWS*LT553                                                                              3FWS-LI551
* FWS-L547 3FWS*LT547                                                                              3FWS-LI552                    FWS-L548 3FWS*LT548                                                                              3FWS-LI553                    FWS-L549 3FWS*LT549                                                                              3FWS-LI554                    FWS-L554 3FWS*LT554                                                                                                                                                                                                          7.5-38 0 TO 100% 0F A6      PRESSURIZER LEVEL      BOTTOM TO TOP          1                      YES      VITAL UPS 3RCS*LI459A      3RCS-LR459    RCS-L459        1        YES    YES      YES  DED_REC SPAN 3RCS*LT459                                                                              3RCS*LI460A                    RCS-L460                                        OFIS
 
TABLE 7.5-1 ACCIDENT MONITORING INSTRUMENTATION LIST (CONTINUED)
Revision 36, 06/29/23
Item Number; Variable/Sensor; R.G. 1.97 Recommended Range/Status; R.G. 1.97 Category; Design Actual Range/Status; Redundancy; Power Supply; Display Main Board Variable Indication; Display Main Board Trend Indication; TSC, EOF Computer; Millstone 3 Design Category; EEQ; Seismic; QA; Trending; Remarks/Notes
3RCS*LT460                                                                                3RCS*LI461                    RCS-L461                                            SPDS 3RCS*LT461
CONTAINMENT A7                                0 TO DESIGN PRESSURE    1      0 TO 60 PSIA    YES      VITAL UPS 3LMS*PI934      3LMS-PR934      LMS-P934        1        YES      YES      YES  DED_REC PRESSURE (NR) 3LMS*PT934                                                                                3LMS*PI935                      LMS-P935                                            OFIS 3LMS*PT935                                                                                3LMS*PI936                      LMS-P936                                            SPDS 3LMS*PT936                                                                                3LMS*PI937                      LMS-P937 3LMS*PT937 0 TO 1300
* SEE Deviation Number 6, IN A8      STEAMLINE PRESSURE                              1                      YES      VITAL UPS 3MSS*PI514A      3MSS-PR514      MSS-P514        1        YES **  YES      YES  DED_REC PSIG
* Appendix 7.5A.
3MSS*PT514                                                                                3MSS*PI515A    3MSS-PR535      MSS-P515                                            OFIS 3MSS*PT515                                                                                3MSS*PI516A                    MSS-P516                                            SPDS 3MSS*PT516                                                                                3MSS*PI524A                    MSS-P524 3MSS*PT524            FROM ATMOS.                                                        3MSS*PI525A                    MSS-P525 PRESSURE TO 20%
3MSS*PT525                                                                                3MSS*PI526A                    MSS-P526 ABOVE THE LOWEST 3MSS*PT526                                                                                3MSS*PI534A                    MSS-P534 SAFETY VALVE 3MSS*PT534                                                                                3MSS*PI535A                    MSS-P535 SETTING.
3MSS*PT535                                                                                3MSS*PI536A                    MSS-P536 3MSS*PT536                                                                                3MSS*PI544A                    MSS-P544 3MSS*PT544                                                                                3MSS*PI545A                    MSS-P545 3MSS*PT545                                                                                3MSS*PI546A                    MSS-P546 3MSS*PT546 0 TO 1,200,000 A9      RWST LEVEL              TOP TO BOTTOM          1                      YES      VITAL UPS 3QSS*LI930      3QSS-LR930      QSS-L930        1        YES      YES      YES  DED_REC GAL 3QSS*LT930                                                                                3QSS*LI931                      QSS-L931                                            OFIS 3QSS*LT931                                                                                3QSS*LI932                      QSS-L932                                            SPDS 3QSS*LT932                                                                                3QSS*LI933 3QSS*LT933 CONTAINMENT WATER                                      1 TO 17 FEET
* EEQ EXCEPT FOR LITS WHICH A10                                                      1                      YES      VITAL UPS 3RSS*LI22A      3RSS*LR22      RSS-L22A1        1        YES*    YES      YES  DED_REC LEVEL (WR)                                              **                                                                                                                                  ARE IN A MILD ENVIRONMENT.
                                                                                                                                                                                                      ** EQUIVALENT TO A RANGE OF 3RSS*LE22A1                                                                              3RSS*LI22B                    RSS-L22B1                                            OFIS 5,000 TO 1,400,000 GALLONS.
3RSS*LE22A2          BOTTOM OF                                                                                                                                              SPDS CONTAINMENT TO 3RSS*LE22A3 600,000 GAL 3RSS*LE22B1 EQUIVALENT 3RSS*LE22B2 3RSS*LE22B3 3RSS*LIT22A 3RSS*LIT22B 0 TO 110 OF DESIGN                                      VITAL &                                  FWA-F33A3,
* SG LEVEL (A4 & A5) PROVIDE A11      AUX FEEDWATER FLOW                              1      0 TO 350 GPM    YES
* 3FWA*FI33B1                                      1        YES      YES      YES  OFIS FLOW                                                    VITAL UPS                                  B3, C3, D3                                                      DIVERSE MEASUREMENT.
FWA-F51A3, 3FWA*FT33A, B, C, D                                                                      3FWA*FI51A1                                                                        SPDS B3, C3, D3 3FWA*FI51A, B, C, D                                                                      3FWA*FI33C1 3FWA*FI51D1 CONTAINMENT STRUCT. 1R/hr TO                          100 TO 108R/
A12                                                      1                      YES      VITAL UPS 3RMS*RAK1A      3HVR*RR10A    RMS-R04A          1        YES      YES      YES  OFIS
* DIGITAL DISPLAY ON RAK RAD. LEVEL (HR)    104R/hr                            hr 3RMS*RE04A                                                                                3RMS*RAK1B      3HVR*RR19A    RMS-R05A                                            SPDS DIGITAL 3RMS*RE05A DISPLAY
* ICC CABINETS ARE NOT IN CORE EXIT                                              200F TO A13                              200F TO 2300F        1                      YES      VITAL PS    3CTS*ICCA                      CVCTST1-50      1        YES    YES      YES  OFIS        MAIN CONTROL ROOM, PRIMARY TEMPERATURE                                            2300F MEANS OF DISPLAY IS VIA SPDS.
3CTS*TE1 THROUGH 50                                                                          3CTS*ICCB                        CVCETMX SPDS
* 3RPS*RAKNIS1
* THIS INSTRUMENTATION LOOP 10-6% TO 100% FULL            SR: 10-1 TO A14      NEUTRON FLUX                                    1                      YES      VITAL UPS                  3NME*NR1        NME-DET1SR      1        YES    YES      YES  REDN_REC IS PART OF THE GAMMAMETRICS POWER                          105 CPS                                                                                                                          SYSTEM.
WR: 10-8% TO                          3RPS*RAKNIS2 3NME*DET1                                                                                                    3NME*NR2        NME-DET2SR                                        OFIS 100%
3NME*DET2                                                                                                                    NME-DET1WR                                        SPDS NME-DET2WR
* SEE Deviation Number 7, IN A15      RCS SUBCOOLING                                  1*                    N/A      VITAL UPS 3CTS*ICCA                        CVSUBCOOL        2*        YES    YES      YES  OFIS 200F SUB-                                                                                                                          Appendix 7.5A.
200F SUBCOOLING TO            COOLING TO                                                                                                                          ** ICC CABINETS ARE NOT IN SEE A1 AND A13 FOR 35F SUPERHEAT                35F                                  3CTS*ICCB                                                                        SPDS        MAIN CONTROL ROOM, PRIMARY LIST OF SENSORS SUPERHEAT                                                                                                                          MEANS OF DISPLAY IS VIA SPDS.
SPDS **
A16      Deleted by FSARCR 05-MP3-010
A17      Deleted by FSARCR 05-MP3-006
TYPE B VARIABLES
REACTIVITY CONTROL
B1      NEUTRON FLUX            10-6% TO 100 FULL    1          SEE A14                                                                        SEE A14 POWER 3NME*DET1 3MNE*DET2
B2      RCS WIDE RANGE T-HOT 50 - 750F                1          SEE A2                                                                          SEE A2
RCS WIDE RANGE T-B3                                50 - 750F            1          SEE A3                                                                          SEE A3 COLD
DIGITAL ROD 0 TO 228 FULL IN OR NOT FULL                                                    POSITION B4      CONTROL ROD POSITION                            3      STEPS, FULL    N/A      N/A                                                          3        N/A    N/A      N/A IN                                                                      INDICATION IN LIGHT DISPLAY
RCS PRESSURE CONTROL
B5      RCS PRESSURE (WR)        0-3000 PSIG            1          SEE A1                                                                          SEE A1
CONTAINMENT B6                              0 TO DESIGN PRESSURE    1          SEE A7                                                                          SEE A7 PRESSURE (NR)
FROM TUBE SHEETS TO B7      S/G LEVEL (WR)                                  1          SEE A4                                                                          SEE A4 SEPARATORS
RCS INVENTORY CONTROL
B8      PRESSURIZER LEVEL        BOTTOM TO TOP          1          SEE A6                                                                          SEE A6
BOTTOM OF CONTAINMENT WATER      CONTAINMENT TO B9                                                      1          SEE A10                                                                        SEE A10 LEVEL (WR)              600,000 GAL EQUIVALENT
FROM TUBE SHEETS TO B10      S/G LEVEL (WR)                                  1          SEE A4                                                                          SEE A4 SEPARATORS
NOT PLENUM REACTOR COOLANT        BOTTOM OF CORE TO                                                                    REQUIRED
* SEE Deviation Number 9, IN B11                                                      1      LEVEL: *0 TO    YES      VITAL UPS 3CTS*ICCA                          CVHDLVL        2*        YES    YES      YES      OFIS LEVEL                  TOP OF VESSEL                                                                        PER RG 1.97                                                                  Appendix 7.5A.
100 REV. 2
 
HEAD                                                                                                                        ** ICC CABINETS ARE NOT IN 3CTS*HJTCA1 THRU A8                                    LEVEL:                            3CTS*ICCB                    CVHDLVLA                                            SPDS ** MAIN CONTROL ROOM, PRIMARY 63 TO 100                                                                                                                  MEANS OF DISPLAY IS VIA SPDS.
3CTS*HJTCB1 THRU B8                                                                          SPDS **                    CVHDLVLB CVUPLENLVL CVPLENLVLA CVPLENLVLB REACTOR CORE COOLING CORE EXIT B12                            200F TO 2300F          1        SEE A13                                                                      SEE A13 TEMPERATURE B13    WIDE RANGE T-HOT        50-750F                1        SEE A2                                                                      SEE A2 B14    WIDE RANGE T-COLD        50-750F                1        SEE A3                                                                      SEE A3 B15    RCS PRESSURE (WR)        0-3000 PSIG              1        SEE A1                                                                      SEE A1 200F SUB TO 35F B16      RCS SUBCOOLING                                  1        SEE A15                                                                      SEE A15 SUPERHEAT HEAT SINK MAINTENANCE B17      S/G LEVEL (NR)            NS                    NS      SEE A5                                                                      SEE A5 FROM TUBE SHEETS TO B18      S/G LEVEL (WR)                                  1        SEE A4                                                                      SEE A4 SEPARATORS FROM ATMOS.
PRESSURE TO 20 B19      STEAMLINE PRESSURE    ABOVE THE LOWEST        1        SEE A8                                                                      SEE A8 SAFETY VALVE SETTING.
CORE EXIT B20                            200F TO 2300F          1        SEE A13                                                                      SEE A13 TEMPERATURE FULLY TWO PAIR OF OPENED, MAIN STEAMLINE                                                                            RED/GREEN FULLY
* VALVE LVDTS ARE USED AS B21      ISOLATION & BYPASS        NS                  NS                  N/A        VITAL UPS LIGHTS PER                    MSS-Z27A#      2        YES *** YES      YES    OFIS **
CLOSED, &                                                                                                                      SENSORS.
VALVE STATUS
* ISOLATION INTERMEDIA VALVE TE
                                                                                                                                                                                              ** FOR ISOLATION VALVES NOT 3MSS*CTV27A                                                                                                          MSS-Z27B#
BYPASS VALVES.
                                                                                                                                                                                              *** SEE DEVIATION NOS. 32 AND 3MSS*CTV27B                                                                                                          MSS-Z27C#
ONE PAIR OF                                                                                33 IN Appendix 7.5A 3MSS*CTV27C                                                                            RED/GREEN                    MSS-Z27D#
3MSS*CTV27D                                                                            LIGHTS PER 3MSS*HV28A                                                                            BYPASS VALVE 3MSS*HV28B 3MSS*HV28C 3MSS*HV28D PRIMARY REACTOR CONTAINMENT B22                              0 TO DESIGN PRESSURE  1        SEE A7                                                                      SEE A7 PRESSURE (NR)
B23      Deleted by FSARCR 05-MP3-010
TYPE C VARIABLES
IN-CORE FUEL CLAD
CORE EXIT C1                                200F TO 2300F        1        SEE A13                                                                      SEE A13 TEMPERATURE
 
PRIMARY COOLANT                                        10 Ci/ml to
* REFER TO SSER 4, APPENDIX L, C2                                                        3                    N/A    N/A          **                                        3        N/A    N/A      N/A GAMMA SPECTRUM                                          10 Ci/ml                                                                                                                    3.3.1, 3.3.6
                                                                                                                                                                                              ** NO EXISTING INSTRUMENTS 10 Ci/gm TO 10 Ci/gm MONITOR THIS VARIABLE.
OR CONTINGENCY PLANS TO OBTAIN TID-14844 SOURCE AND ANALYZE SAMPLES OF TERM IN COOLANT PRIMARY COOLANT ARE VOLUME CONTAINED WITHIN CHEMISTRY DEPARTMENT IMPLEMENTING PROCEDURES.
C3      Deleted by FSARCR 05-MP3-015 RCS BOUNDARY VITAL &
* ALTHOUGH THIS VARIABLE IS C4      RCS PRESSURE (ER)            NS                NS    15-3500 PSIA      YES            3RCS*P149                        RCS-P49      1*        YES    YES      YES      OFIS VITAL UPS                                                                                            DESIGNED TO CATEGORY 1 CRITERIA, IT IS NOT UTILIZED AS A KEY VARIABLE. THIS VARIABLE IS USED AS A PREFERRED BACKUP 3RCS*PT49                                                                            3RCS*P150                                                                                  VARIABLE TO MONITOR AN ACTUAL BREACH OF RCS BOUNDARY. REFER TO SPECIFICATION SP-M3-IC-022.
3RCS*PT50 C5      RCS PRESSURE (WR)      0-3000 PSIG            1          SEE A1                                                                    SEE A1 CONTAINMENT C6                              0 TO DESIGN PRESSURE    1          SEE A7                                                                    SEE A7 PRESSURE (NR)
BOTTOM OF 1 CONTAINMENT WATER      CONTAINMENT TO C7                                                                  SEE A10                                                                  SEE A10 LEVEL (WR)              600,000 GAL EQUIVALENT
CONTAINMENT 1R/hr TO C8      STRUCTURE RADIATION                            1          SEE A12                                                                  SEE A12 INTERNAL            107R/hr
1.5x10-5 Ci/cc CONDENSER AIR          10-6Ci/cc TO
* SEE Deviation Number 19, IN C9                                                      3      TO 100Ci/cc      N/A  N/A        3ARC-RIY21                    CVARC21        3        N/A    N/A      N/A      OFIS EJECTOR MONITOR        10-2Ci/cc                                                                                                                                                  Appendix 7.5A.
3RMS-CNSL1 3ARC-RE21                                                                            Workstation Monitor CONTAINMENT BOUNDARY
* RECOMMENDED RANGE IS HYDROGEN                                                                                                                                                                          NOT SPECIFIED FOR TYPE C IN THE RECOMBINER CUBICLE      10-6 TO                      10-6 TO                VITAL &                                                                                          REGULATORY GUIDE. THIS RANGE C10                                                      2                        N/A            3HVZ*RIY09A      3HVR*RR10B    CVHVZ09A      2        NO    YES      YES  REDN_REC VENTILATION            102 Ci/cc
* 100 Ci /cc **          VITAL UPS                                                                                          IS FROM ALL OTHER IDENTIFIED RADIATION                                                                                                                                                                        RELEASE POINTS UNDER THE TYPE E CRITERIA IN RG 1.97 REV. 2
                                                                                                                                                                                          ** SEE Deviation Number 27, IN 3HVZ*RE09A                                                                            3HVZ*RIY09B    3HVR*RR19B    CVHVZ09B                                        OFIS Appendix 7.5A.
3HVZ*RE09B CONTAINMENT PRES.                                                              VITAL &
C11                                                      1      0 TO 200 PSIA    YES            3LMS*PI24A      3LMS*PR24      LMS-P24A      1        YES    YES      YES  DED_REC (ER)                    5 PSIA TO 3 TIMES                                      VITAL UPS 3LMS*PT24A          DESIGN PRESSURE                                                  3LMS*PI24B                      LMS-P24B                                        OFIS 3LMS*PT24B                                                                                                                                                          SPDS
 
CONTAINMENT
* SEE Deviation Number 8 IN C12      HYDROGEN                0 TO 10%              3        0-10%          YES          VITAL        3SSP*AI58A      3SSP*AR58A      SSP-A58A      1 **      YES **  YES ** YES ** DED_REC Appendix 7.5A.
CONCENTRATION
                                                                                                                                                                                                          ** ALTHOUGH REG. GUIDE 1.7 REV. 3 ALLOWS A DESIGN VITAL UPS 3SSP*AI58B                          SSP-A58B                                          OFIS        CATEGORY 3, THE MONITORS ARE INSTALLED AND MAINTAINED AS CATEGORY I.
SPDS
* SUPPLY AND RETURN LINES 10-6TO                                                      VITAL &
C13      VENTILATION VENT (ER)    3 2                          N/A              3HVR*RIY10A        3HVR*RIY10A    CVHR10A1        2        NO      YES
* YES  DED_REC    ARE CONNECTED TO NON-SEISMIC 10 Ci/cc                      5X10 -7 TO VITAL UPS DUCT.
4 10 Ci/cc 3HVR*RE10A (HR)                                                                                3HVR*RIY10B    3HVR*RR10B      CVHR10B                                          OFIS 3HVR*RE10B (NMR)                                                                                                                                                                  SPDS SUPPLEMENTARY LEAK 10-6 TO                          5X10-7 TO                  VITAL &
C14      COLLECTION AND                                    2                          N/A              3HVR*RIY19A        3HVR*RR19A    CVHVR19A1      2        NO      YES      YES  DED_REC 103 Ci/cc                        104Ci/cc                    VITAL UPS RELEASE SYSTEM (ER) 3HVR*RE19A (HR)                                                                                3HVR*RIY19B    3HVR*RR19B    CVHVR19B                                          OFIS 3HVR*RE19B (NMR)                                                                                                                                                                  SPDS CONTAINMENT RECIRCULATION                                          10-6 TO 10-                  VITAL &
C15                                NS                      NS  1 N/A              3SWP*RIY60A        3SWP*RR60A    CVSWP60A        2        NO      YES      YES  DED_REC COOLER SERVICE WATER                                      Ci/cc                    VITAL UPS OUTLET 3SWP*RE60A                                                                                      3SWP*RIY60B    3SWP*RR60B    CVSWP60B                                          OFIS 3SWP*RE60B                                                                                                                                                                        SPDS FULLY OPENED, FULLY                                                                                              YES
* SEE Deviation Number 10, IN C16                              CLOSED-NOT CLOSED          1                          NO
* CIA          2                  YES      YES  OFIS CLOSED, &                                                                                          ****                                Appendix 7.5A.
INTERMEDIA CONTAINMENT **
TE ISOLATION VALVE
                                                                                                                                                                                                          ** VALVE LIMIT SWITCHES ARE STATUS INCLUDES ALL                                                                  VITAL &      ONE PAIR OF                      CIB USED AS SENSORS.
VALVES FROM FSAR                                                                    VITAL UPS    RED/GREEN
                                                                                                                                                                                                          *** 3CVS*MOV25 IS NOT SUPPLIED Table 6.2-65EXCEPT                                                                  NON-VITAL    LIGHTS PER                      *****
WITH HIGHLY RELIABLE POWER.
CHECK VALVES, RELIEF                                                                UPS ***      VALVE
                                                                                                                                                                                                          ****REFER TO EQML.
VALVES, & MANUALLY
                                                                                                                                                                                                          *****THESE OFIS POINTS PROVIDE OPERATED VALVES.
STATUS OF CONTAINMENT ISOLATION SIGNALS. THEY DO NOT PROVIDE STATUS OF INDIVIDUAL CONTAINMENT ISOLATION VALVES.
CONTAINMENT C17                              0 TO DESIGN PRESSURE      1        SEE A7                                                                            SEE A7 PRESSURE (NR)
TYPE D VARIABLES RHR HEAT EXCHANGER NON-VITAL
* SEE Deviation Number 11, IN D1      DISCHARGE              32 TO 350F                2    50 TO 400F
* N/A                                  3RHS-TR612      RHS-T604      2        YES      YES      NO    DED_REC UPS                                                                                                        Appendix 7.5A.
TEMPERATURE 3RHS-TE604                                                                                                      3RHS-TR613      RHS-T605                                          OFIS 3RHS-TE605
0 TO 110% OF DESIGN            0 TO 6000                    NON-VITAL
* REFER TO SSER 4, APPENDIX L, D2      FLOW (LHSI)
* 2                          N/A              3RHS-FI618                          RHS-F618      2        YES      YES      NO    OFIS FLOW                            GPM                          UPS                                                                                                        3.3.11.
3RHS-FT618                                                                                  3RHS-FI619                          RHS-F619                                          SPDS
 
3RHS-FT619 FULLY OPENED, ONE PAIR OF VALVE STATUS SEE                                          FULLY                    SEE                                                              SEE Attachment 1 FOR
* VALVE LIMITS SWITCHES ARE D3                                    NS                  NS                    N/A                    LIGHTS PER                                2 Attachment 1                                              CLOSED, &                Attachment 1                                                      QUALIFICATIONS                      USED AS SENSORS.
VALVE INTERMEDIA TE D4      RCS PRESSURE (WR)          0-3000 PSIG            1        SEE A1                                                                      SEE A1 SAFETY INJECTION SYSTEMS D5      RWST LEVEL                TOP TO BOTTOM          1        SEE A9                                                                      SEE A9 CHARGING PUMP FLOW        0 TO 110DESIGN                  0 TO 1000              NON-VITAL
* SEE ITEM NUMBER D7 FOR SI 2                      N/A                3SIH-FI917                    CHSP3A        2        YES    YES      NO    OFIS **
(HHSI)
* FLOW                          GPM                      UPS                                                                                                  PUMP FLOW.
D6          3SIH-FT917                                                                                                                CHSP3B
                                                                                                                                                                                                  ** CHARGING PUMP BREAKER CHS3C/C POSITION IS MONITORED VIA OFIS CHS3C/D 0 TO 100 OF DESIGN            27 TO 800                NON-VITAL
* SEE ITEM NUMBER D6 FOR D7      SI PUMP FLOW (HHSI)
* 2                      N/A                3SIH-FI918                    SIHP1A        2        NO      YES      NO    OFIS **
FLOW                          GPM (FI918)              UPS                                                                                                  CHARGING PUMP FLOW.
32 TO 800                                                                                                                      ** CHARGING PUMP BREAKER 3SIH-FT918                                                            N/A                  3SIH-FI922                    SIHP1B GPM (FI922)                                                                                                                    POSITION IS MONITORED VIA OFIS 3SIH-FT922 BOTTOM OF CONTAINMENT WATER          CONTAINMENT TO D8                                                          1          SEE A10                                                                    SEE A10 LEVEL (WR)                600,000 GAL EQUIVALENT D9      CCI PUMP STATUS
* NS                  NS    BREAKER        N/A      VITAL                                                  2        NO      YES      YES
* ALTERNATE TYPE D VARIABLE ONE PAIR OF 32-4T(F2F), 3CCI*P1A                                  POSITION                                                                                                                        TO CCW FLOW TO ESF LIGHTS PER OPEN/                                                                                                                          COMPONENT (ITEM D54) REFER TO 32-3U(F2D), 3CCI*P1B                                                                      PUMP CLOSED                                                                                                                          SSER 4, APPENDIX L, 3.3.20 ACCUMULATOR TANK                                          0 TO 700 PSIA            NON-VITAL
* SEE Deviation Number 12, IN D10                                0 TO 750 PSIG          2                      N/A                3SIL-PI961                                    2        NO      YES      NO PRESSURE 3SIL-PT961
* UPS                                                                                                  Appendix 7.5A.
MPS-3 FSAR 3SIL-PT963                                                                                3SIL-PI963 3SIL-PT965                                                                                3SIL-PI965 3SIL-PT967                                                                                3SIL-PI967 FULLY OPENED, ACCUMULATOR                                                                                    ONE PAIR OF FULLY
* VALVE LIMIT SWITCHES ARE D11      ISOLATION VALVE            CLOSED/OPEN            2                      N/A      VITAL      LIGHTS PER                                  2        YES    YES      YES CLOSED, &                                                                                                                      USED AS SENSORS.
STATUS
* VALVE INTERMEDIA TE 3SIL*MV8808A, B, C, D
FULLY ACCUMULATOR                                              OPENED, ONE PAIR OF NITROGEN VENT                                            FULLY
* VALVE LIMIT SWITCHES ARE D12                                    NS                  NS                    N/A      VITAL UPS LIGHTS PER                                    2        YES    YES      YES ISOLATION VALVE                                          CLOSED, &                                                                                                                      USED AS SENSORS.
VALVE STATUS
* INTERMEDIA TE 3SIL*SV8875A THRU H,                                                                      3SIL*ZI943A 3SIL*HCV943A, B                                                                            3SIL*ZI943B
 
TABLE 7.5-1 ACCIDENT MONITORING INSTRUMENTATION LIST (CONTINUED)
6560 TO 7340          NON-VITAL
* SEE Deviation Number 13, IN D13      ACCUMULATOR LEVEL                              2                    N/A              3SIL-LI950                                    3*        N/A      N/A      N/A GAL*                  UPS                                                                                                    Appendix 7.5A.
3SIL-LT950                                                                            3SIL-LI951 3SIL-LT951                                                                            3SIL-LI952 3SIL-LT952            10 TO 90OF                                                    3SIL-LI953 3SIL-LT953            VOLUME                                                          3SIL-LI954 3SIL-LT954                                                                            3SIL-LI955 3SIL-LT955                                                                            3SIL-LI956 3SIL-LT956                                                                            3SIL-LI957 3SIL-LT957 REACTOR COOLANT SYSTEM CLOSED/NOT D14      PORV STATUS            CLOSED/NOT CLOSED        2                    N/A      VITAL UPS ONE PAIR OF                  RCS-Z455A#      2        YES      YES      YES  OFIS CLOSED LIGHTS PER 3RCS*PCV455A                                                                                                      RCS-Z456#
VALVE 3RCS*PCV456 ONE PAIR OF PRESSURIZER SAFETY                                    CLOSED/NOT              NON-VITAL D15                                                      2                    N/A              LIGHTS PER                                    2        YES      YES      NO VALVE STATUS          CLOSED/NOT CLOSED              CLOSED (VIA            UPS VALVE (VIA FLOW ELEMENT/            FLOW 3RCS-FE48A SWITCH)                        ELEMENT/
3RCS-FE48B SWITCH) 3RCS-FE48C BREAKERS
* ONLY HEATER GROUP A & B PRESSURIZER HEATER                                    **
D16                            ELECTRIC CURRENT        2                    N/A      VITAL                                  RCS-H1A        2        NO      YES      YES  OFIS        ARE CONSIDERED POST-ACCIDENT BREAKER POSITION
* OPEN/                              ONE PAIR OF VARIABLE (420.6-1, NOTE 43)
CLOSED                            LIGHTS PER BREAKER                                                                                      ** SEE Deviation Number 14, IN 32S5-2 (3RCS*H1A)                                                                                                  RCS-H1B Appendix 7.5A.
32V4-2 (3RCS*H1B)
D17    PRESSURIZER LEVEL        BOTTOM TO TOP            1        SEE A6                                                                    SEE A6 D18    RCS PRESSURE (WR)        0-3000 PSIG              1        SEE A1                                                                    SEE A1 REACTOR COOLANT                                        0 TO 800
* REFER TO SSER 4, APPENDIX L.
D19                            MOTOR CURRENT            3                    N/A      N/A      MB5A0403                                      3        N/A      N/A      N/A PUMP STATUS
* AMPS                                                                                                                            3.3.12.
MB5A0403                                                                              MC5B0203 MC5B0203                                                                              MB5C0503 MB5C0503                                                                              MC5D0103 MC5D0103 SECONDARY SYSTEM S/G ATMOSPHERIC
* NON-VITAL POWER SIGNAL TO D20                            CLOSED/NOT CLOSED        2                    N/A                                                              2        YES **  YES      YES VALVE STATUS                                                                                                                                                                            POSITIONER 3MSS*PV20S
                                                                                                                                                                                              ** SEE Deviation Number 32 IN 3MSS*MOV74A                                        FULLY                                                                                                                          Appendix 7.5A 3MSS*MOV74B                                        OPENED, VITAL &  ONE PAIR OF FULLY 3MSS*MOV74C                                                                NON-VITAL LIGHTS PER CLOSED, &
3MSS*MOV74D                                                                UPS
* VALVE INTERMEDIA 3MSS*PV20A TE 3MSS*PV20B 3MSS*PV20C 3MSS*PV20D MAIN STEAMLINE D21      ISOLATION AND BYPASS      NS                    NS        SEE B21                                                                  SEE B21 VALVE STATUS
 
S/G SAFETY VALVE                                      CLOSED/NOT            NON-VITAL ONE PAIR OF                                                                              SEE Deviation Number 34 IN Appendix D22                            CLOSED/NOT CLOSED        2                    N/A                                            SVV-F28A      2        YES
* YES      NO    OFIS STATUS                                                CLOSED                UPS      LIGHTS PER                                                                                7.5A 3SVV-FE28A                                                                        VALVE                        SVV-F28B                                        SPDS 3SVV-FE28B                                                                                                      SVV-F28C 3SVV-FE28C                                                                                                      SVV-F28D 3SVV-FE28D                                                                                                      SVV-F29A 3SVV-FE29A                                                                                                      SVV-F29B 3SVV-FE29B                                                                                                      SVV-F29C 3SVV-FE29C                                                                                                      SVV-F29D 3SVV-FE29D                                      VALVE                                                          SVV-F30A STATUS 3SVV-FE30A                                                                                                      SVV-F30A INDICATING 3SVV-FE30B                                                                                                      SVV-F30B LIGHT 3SVV-FE30C                                                                                                      SVV-F30C BASED ON 3SVV-FE30D                                                                                                      SVV-F30D FLOW/NO 3SVV-FE31A                                      FLOW                                                          SVV-F31A 3SVV-FE31B                                                                                                      SVV-F31B
3SVV-FE31C                                                                                                      SVV-F31C 3SVV-FE31D                                                                                                      SVV-F31D 3SVV-FE32A                                                                                                      SVV-F32A 3SVV-FE32B                                                                                                      SVV-F32B 3SVV-FE32C                                                                                                      SVV-F32C 3SVV-FE32D                                                                                                      SVV-F32D FORM ATMOS.
PRESSURE TO 20%
D23      STEAMLINE PRESSURE    ABOVE THE LOWEST        1        SEE A8                                                                  SEE A8 SAFETY VALVE SETTING.
FULLY OPENED, VITAL &  ONE PAIR OF MFW CONTROL AND                                      FULLY
* VALVE LIMIT SWITCHES USED D24                              NS                  NS                    N/A    NON-VITAL LIGHTS PER                                  2        YES *** YES      YES BYPASS VALVE STATUS                                  CLOSED, &                                                                                                                  AS SENSOR.
UPS**    VALVE INTERMEDIA TE
                                                                                                                                                                                          ** NON-VITAL POWER SIGNAL TO 3FWS*FCV510 VALVE POSITIONER.
                                                                                                                                                                                          *** SEE Deviation Number 32 IN 3FWS*FCV520 Appendix 7.5A 3FWS*FCV530 3FWS*FCV540 3FWS*LV550 3FWS*LV560 3FWS*LV570 3FWS*LV580 VITAL &
MFW ISOLATION VALVE
* VALVE LIMIT SWITCHES USED D25                              NS                  NS                    N/A    NON-VITAL                                            2        YES *** YES      YES STATUS                                              FULLY                                                                                                                      AS SENSOR.
UPS**
OPENED, ONE PAIR OF                                                                            ** NON-VITAL POWER SIGNAL TO 3FWS*CTV41A                                      FULLY LIGHTS PER                                                                              VALVE POSITIONER.
CLOSED, &
VALVE                                                                                  *** SEE Deviation Number 32 IN 3FWS*CTV41B                                      INTERMEDIA Appendix 7.5A TE 3FWS*CTV41C 3FWS*CTV41D
 
NON-VITAL D26      MFW FLOW                                      3      0 TO 5 MPPH    N/A                  3FWS-FI510A                    FWS-F510        2        NO      NO        NO    OFIS UPS 3FWS-FT510                                                                            3FWS-FI511A                    FWS-F511                                          SPDS 3FWS-FT511                                                                            3FWS-FI520A                    FWS-F520 3FWS-FT520        0 TO 100DESIGN                                                  3FWS-FI521A                    FWS-F521 3FWS-FT521        FLOW                                                              3FWS-FI530A                    FWS-F530 3FWS-FT530                                                                            3FWS-FI531A                    FWS-F531 3FWS-FT531                                                                            3FWS-FI540A                    FWS-F540 3FWS-FT540                                                                            3FWS-FI541A                    FWS-F541 3FWS-FT541 FROM TUBE SHEETS TO D27      S/G LEVEL (WR)                                1        SEE A4                                                                      SEE A4 SEPARATORS D28      S/G LEVEL (NR)          NS                  NS        SEE A5                                                                      SEE A5 FULLY OPENED,
* VALVE LIMIT SWITCHES ARE S/G BLOWDOWN                                                                            ONE PAIR OF FULLY                                                                                                                            USED AS SENSORS. THESE VALVES D29      ISOLATION VALVE          NS                  NS                    N/A        VITAL UPS LIGHTS PER                                    2        YES **  YES      YES CLOSED, &                                                                                                                        ARE ALSO PART OF CONTAINMENT STATUS
* VALVE INTERMEDIA                                                                                                                        ISOLATION VALVES, C16.
TE
** SEE Deviation Number 32 IN 3BDG*CTV22A                                                                                                                                                                        Appendix 7.5A 3BDG*CTV22B 3BDG*CTV22C 3BDG*CTV22D EMERGENCY FEEDWATER SYSTEM AUXILIARY FEEDWATER 0 TO 110 OF DESIGN D30                                                    1        SEE A11                                                                      SEE A11 FLOW                FLOW FULLY OPENED, AUXILIARY FEEDWATER                                                                        ONE PAIR OF FULLY                    SEE                                                                SEE Attachment 1 FOR
* VALVE LIMIT SWITCHES ARE D31      VALVE STATUS
* SEE      NS                  NS                    N/A                    LIGHTS PER                                  2 CLOSED, &                Attachment 1                                                      QUALIFICATIONS                      USED AS SENSORS.
Attachment 1                                                                                VALVE INTERMEDIA TE
* BASED ON CALCULATION NSP-D32      DWST LEVEL            PLANT SPECIFIC          1      18,520 TO      YES                  3FWA*LI20A1      3FWA*LR20    FWA-L20B1      1        YES      YES      YES  DED_REC VITAL &                                                                                                098-FWA REV. 2 352,435 3FWA*LT20A                                                                    VITAL UPS 3FWA*LI20B1                    FWA-L20B2                                          OFIS GALLONS
* 3FWA*LT20B                                                                                                            FWA-L20B3 CONTAINMENT COOLING SYSTEM CONTAINMENT                                                                      VITAL &
D33                        40 TO 400F                2      0 TO 400F    N/A                  3LMS*TI21A      3LMS*TR21                    2        YES      YES      YES  DED_REC TEMPERATURE                                                                      VITAL UPS 3LMS*TE21A, B                                                                          3LMS*TI21B BOTTOM OF CONTAINMENT WATER  CONTAINMENT TO D34                                                    1        SEE A10                                                                      SEE A10 LEVEL (WR)          600,000 GAL EQUIVALENT
 
SPRAY SYSTEM VALVE
* VALVE LIMIT SWITCHES ARE D35                                  NS                  NS                    N/A        VITAL                                                    2        YES    YES      YES STATUS                                                                                                                                                                                  USED AS SENSORS.
FULLY 3QSS*MOV34A, B                                                                                                                                                            SPDS OPENED, 3RSS*MOV20A, B, C,                                                                        ONE PAIR OF FULLY D                                                                                            LIGHTS PER CLOSED, &
3RSS*MOV23A, B, C,                                                                        VALVE INTERMEDIA D
TE 3RSS*MV8837A, B 3RSS*MV8838A, B CONTAINMENT D36                              0 TO DESIGN PRESSURE    1          SEE A7                                                                      SEE A7 PRESSURE (NR)
* SEE Deviation Number 15, IN CONTAINMENT SUMP D37                              50 TO 250 F            2      0 TO 300 F    N/A        N/A        3RSS-TI21A                                    3*        N/A    N/A      N/A                Appendix 7.5A. REFER TO SSER 4, WATER TEMPERATURE APPENDIX L, 3.3.17.
3RSS-TE21A, B                                                                            3RSS-TI21B
* SUPPLEMENTS CONTAINMENT CONTAINMENT SUMP                                                                                                                                                                        WR LEVEL (ITEM A10) TO D38                                  SUMP                2      0 TO 3 FEET    N/A        N/A        3RSS-LI49                                    3**        N/A    N/A      N/A LEVEL (NR)                                                                                                                                                                              MONITOR THE LOWER END OF THE SUMP LEVEL.
                                                                                                                                                                                                  ** SEE Deviation Number 16, IN 3RSS-LE49
* Appendix 7.5A.
RSS HEAT EXCHANGER                                                                NON-VITAL D39                                  NS                  NS    40 TO 350F    N/A                  3RSS-TI28A                                    2        YES    YES      NO OUTLET TEMPERATURE                                                                UPS 3RSS-TE28A, B, C, D                                                                      3RSS-TI28B 3RSS-TI28C 3RSS-TI28D CONTAINMENT RECIRC      0 TO 110OF DESIGN            0 TO 3300                                                                                                    YES/
* FT40C, D AND FIS ARE D40                                                      2                    N/A                  3RSS-FI38A                    RSSP1A        2**        YES    YES              OFIS SPRAY FLOW (RSS)        FLOW                          GPM                                                                                                          NO*                NONSAFETY RELATED.
                                                                                                                                                                                                  ** REFER TO SSER4, APPENDIX L, 3RSS*FT38A                                                                              3RSS-FI38B                      RSSP1B                                          SPDS VITAL &                                                                                                3.3.15.
VITAL UPS                                                                                              *** PUMP BREAKER STATUS IS 3RSS*FT38B                                                                    NON-VITAL 3RRS-FI40C                      RSSP1C                                                      PROVIDED BY OFIS FOR ALL UPS                                                                                                    PUMPS SPDS PROVIDES BREAKER STATUS 3RSS-FT40C                                                                                3RRS-FI40D                    RSSP1D FOR ALL THE A, B, C, & D PUMPS.
3RSS-FT40D                                                                                                                ***
CONTAINMENT QUENCH                                      0 TO 5000                NON-VITAL
* REFER TO DOCKETED D41                                  NS                  NS                    N/A                  3QSS-FI32A                                    3*        N/A    N/A      N/A SPRAY FLOW (QSS)                                        GPM                      UPS                                                                                                    CORRESPONDENCE DOCKET NO.
50-423 A04668. REFER TO SSER4, 3QSS-FT32A, B                                                                            3QSS-FI32B APPENDIX L, 3.3.15.
CVCS 0 TO 110DESIGN                                        NON-VITAL
* REFER TO SSER4, APPENDIX L, D42      CHARGING FLOW                                    2      0 TO 200 GPM  N/A                  3CHS-FI121A                    CHS-F121      2        YES    YES      NO    OFIS FLOW                                                    UPS                                                                                                    3.3.11 & 3.3.18.
3CHS-FT121
* SPDS D43      LETDOWN FLOW            0 TO 110DESIGN        2      0 TO 200 GPM  N/A        NON-VITAL 3CHS-FI132                      CHS-F132      2        YES    YES      NO    OFIS 3CHS-FT132            FLOW                                                    UPS 0 TO 100%                NON-VITAL                                                          YES/  YES/
D44      VCT LEVEL                TOP TO BOTTOM          2                    N/A                  3CHS-LI112 (CRT)                CHS-L112      2                          NO    OFIS
* LT112 IS EEQ, LT185 IS NOT.
(LI185) **                UPS                                                                NO*    NO*
** SEE Deviation Number 17, IN 3CHS-LT112                                                                                3CHS-LI185                                                                                                                    Appendix 7.5A.
3CHS-LT185
 
* REFER TO SSER 4, APPENDIX L, D45      SEAL INJECTION FLOW
* 2      0 TO 15 GPM    N/A                  3CHS-FI142A                                  2*        YES    YES        NO 3.3.11 & 3.3.18.
3CHS-FT142          0 TO 110DESIGN                                        NON-VITAL 3CHS-FI143A 3CHS-FT143          FLOW                                                    UPS      3CHS-FI144A 3CHS-FT144                                                                              3CHS-FI145A 3CHS-FT145 FULLY OPENED, ONE PAIR OF VALVE STATUS
* FULLY                    SEE                                                              SEE Attachment 1 FOR
* VALVE LIMIT SWITCHES ARE D46                                NS                  NS                    N/A                    LIGHTS PER                                2 SEE Attachment 1                                      CLOSED, &                Attachment 1                                                      QUALIFICATIONS                      USED AS SENSORS.
VALVE INTERMEDIA TE D47      CCE PUMP STATUS            NS                  NS    BREAKER        N/A        VITAL                                                  2        NO      YES        YES ONE PAIR OF 32-1R(R2K) (3CCE*P1A)                              POSITION LIGHTS PER OPEN /
32-1W(R2K) (3CCE*P1B)                                                                    VALVE CLOSED ONE PAIR OF FULLY
* VALVE LIMIT SWITCHES ARE D48      CCE VALVE STATUS
* NS                  NS                    N/A        VITAL UPS LIGHTS PER                                    2        YES    YES        YES OPENED,                                                                                                                        USED AS SENSORS.
VALVE FULLY 3CCE*AOV26A CLOSED, &
3CCE*AOV26B INTERMEDIA 3CCE*AOV30A TE 3CCE*AOV30B CCW
* REFER TO SSER 4, APPENDIX L, D49      HEADER TEMPERATURE        32 TO 200F          2      0 TO 200F    N/A                  3CCP-TI34A                                  2        YES    YES        NO 3.3.20 NON-VITAL 3CCP-TE34A                                                                              3CCP-TI34B UPS 3CCP-TE34B                                                                              3CCP-TI34C 3CCP-TE34C                                                                                                                                                                                                          FULLY
* SOME VALVES ARE NOT OPENED,                                                                                                                        EXPOSED TO HARSH ONE PAIR OF FULLY                    VITAL &                                                          YES/                                ENVIRONMENTS DURING D50      VALVE STATUS
* NS                  NS                    N/A                  LIGHTS PER                                    2                YES        YES CLOSED, &                VITAL UPS                                                        NO*                                ACCIDENT CONDITIONS AND VALVE INTERMEDIA                                                                                                                      THEREFORE ARE NOT TE                                                                                                                              ENVIRONMENTALLY QUALIFIED.
                                                                                                                                                                                                ** VALVE LIMIT SWITCHES ARE 3CCP*AOV10A USED AS SENSORS 3CCP*AOV10B 3CCP*AOV19A 3CCP*AOV19B 3CCP*AOV179A 3CCP*AOV179B 3CCP*AOV180A 3CCP*AOV180B 3CCP*AOV194A 3CCP*AOV194B 3CCP*AOV197A 3CCP*AOV197B 3CCP*MOV45A                                                                                                                                                                                                          7.5-49 3CCP*MOV45B 3CCP*MOV48B 3CCP*MOV48B
 
TABLE 7.5-1 ACCIDENT MONITORING INSTRUMENTATION LIST (CONTINUED)
Columns: Item Number; Variable/Sensor; R.G. 1.97 Recommended Range/Status; R.G. 1.97 Design Category; Actual Range/Status; Redundancy; Power Supply; Display (Main Board Variable Indication; Main Board Trend Indication; TSC, EOF Computer); Millstone 3 Design Category; EEQ; Seismic; QA; Trending; Remarks/Notes
3CCP*MOV49A 3CCP*MOV49B 3CCP*FV66A 3CCP*FV66B
* FT67A,B IS SAFETY RELATED, FLOW TO ESF          0 TO 110 OF DESIGN            0-8000 GPM                                                                                  YES/    YES/      YES/
D51                                                    2                    N/A                  3CCP-FI11A                    CCP-F11A*      2                                  OFIS        EEQ, AND COMPONENTS COMPONENTS            FLOW                          (FI11)                                                                                      NO*    NO*        NO*
SEISMICALLY QUALIFIED.
0-2000 GPM                                                                                                                        ** REFER TO SSER 4, APPENDIX L, 3CCP-FT11A                                                                  VITAL &  3CCP-FI11B                    CCP-F11B*
(FI15)                                                                                                                            3.3.20.
VITAL UPS 0-8000 GPM 3CCP-FT11B                                                                  & NON-    3CCP-FI15A                    CCP-F15A*
(FI67)
VITAL UPS 3CCP-FT15A                                                                            3CCP-FI15B                    CCP-F15B*
3CCP-FT15B                                                                            3CCP*FI67A1 3CCP*FT67A                                                                            3CCP*FI67B1 3CCP*FT67B HVAC FULLY
* SOME DAMPERS ARE NOT OPENED,                                                                                                                            EXPOSED TO HARSH ONE PAIR OF DAMPER POSITIONS SEE                                FULLY                    SEE                                                                SEE Attachment 1 FOR                  ENVIRONMENTS DURING D52                          OPEN/CLOSED              2                    N/A                    LIGHTS PER                                  2 Attachment 1                                        CLOSED, &                Attachment 1                                                      QUALIFICATIONS
* ACCIDENT CONDITIONS AND DAMPER INTERMEDIA                                                                                                                        THEREFORE ARE NOT TE                                                                                                                                ENVIRONMENTALLY QUALIFIED.
SERVICE WATER
* SOME VALVES ARE NOT EXPOSED TO HARSH ONE PAIR OF VITAL &                                                            YES/                                  ENVIRONMENTS DURING D53      VALVE STATUS **          NS                  NS                    N/A                  LIGHTS PER                                    2                YES        YES VITAL UPS                                                          NO*                                  ACCIDENT CONDITIONS AND VALVE THEREFORE ARE NOT ENVIRONMENTALLY QUALIFIED.
FULLY
                                                                                                                                                                                                ** VALVE LIMIT SWITCHES ARE 3SWP*MOV54A, B, C, D                              OPENED,                                                                                                                            USED AS SENSORS.
3SWP*MOV57A, B, C, D                              FULLY 3SWP*MOV102A, B, C, D                              CLOSED, &
INTERMEDIA 3SWP*MOV71A, B TE 3SWP*MOV50A, B 3SWP*MOV115A, B 3SWP*AOV39A, B 3SWP*TV35A, B 3WTC*AOV25A, B 3SWP*MOV24A, B, C, D FLOW TO RSS HEAT-                                    0 TO 8000                NON-VITAL D54                                NS                  NS                    N/A                  3SWP-FI59A                    SWP-F59A        2        YES    YES        NO    SPDS EXCHANGER                                            GPM                      UPS 3SWP-FT59A                                                                            3SWP-FI59B                    SWP-F59B 3SWP-FT59B                                                                            3SWP-FI59C                    SWP-F59C 3SWP-FT59C                                                                            3SWP-FI59D                    SWP-F59D 3SWP-FT59D ELECTRIC POWER 7.5-50
 
TABLE 7.5-1 ACCIDENT MONITORING INSTRUMENTATION LIST (CONTINUED)
Columns: Item Number; Variable/Sensor; R.G. 1.97 Recommended Range/Status; R.G. 1.97 Design Category; Actual Range/Status; Redundancy; Power Supply; Display (Main Board Variable Indication; Main Board Trend Indication; TSC, EOF Computer); Millstone 3 Design Category; EEQ; Seismic; QA; Trending; Remarks/Notes
EMERGENCY BUS(S)    4160V    DC BUS D55    VOLTAGES, CURRENT    2    N/A    4160 BUS:    2    NO    YES    YES  OFIS VOLTAGE    BUS:    VOLTS:
0 TO 5250 4160 V    MB4CM816    301A1BUS-V VAC 480 V    480V BUS    MC4DM817    301A2BUS-V 120 VAC    0 TO 600 VAC    480V BUS:    301A2BUS-V 125 VDC    120V BUS    MB2R0103    301B2BUS-V EMERGENCY DIESEL 0 TO 150 VAC    MB2S0104    301C1BUS-V GENERATORS 125V VOLTS    MB2T0104    301D1BUS-V BUS:
HERTZ                                              0 TO 150 VDC                        MB2Y0104                    DG A VOLTS DIESEL AMPS                                                                                    MC2U0104                    15G-14U-V VOLTS:
VOLT-AMPS                                          0 TO 5250 V                          MC2V0104                    DG B VOLTS DIESEL MC2W0104                    15G-15U-V HERTZ:
55 TO 65 HZ                          MC2X0104 DIESEL 120V BUS:
AMPS:                    VITAL &
0 TO 1200                VITAL UPS MBVA0106 AMPS                      & NON-DIESEL                    VITAL UPS MBVA0306 VOLT-AMPS:
0 TO 4.36 MCVA0206 MVAR MCVA0406 125V BUS:
MBBY0109 MBBY0309 MCBY0209 MCBY0409 A AND B DIESELS:
AM-3EGS*EG-A, B VM-3EGS*EG-A, B FM-3EGS*EG-A, B VAR-3EGS*EG-A, B VERIFICATION OF AUTOMATIC ACTUATION OF SAFETY SYSTEMS ONE PAIR OF REACTOR TRIP BREAKER                                  OPEN /
D56                                NS                  NS                    N/A        VITAL UPS LIGHTS PER        TMB-RX                      2        NO    YES      YES  OFIS POSITION                                              CLOSED BREAKER 3RPS*ACB-RTA, B                                                                                                                                                        SPDS 3RPS*ACB-BYA, B                                                                                                                                                                                    7.5-51
 
TABLE 7.5-1 ACCIDENT MONITORING INSTRUMENTATION LIST (CONTINUED)
Columns: Item Number; Variable/Sensor; R.G. 1.97 Recommended Range/Status; R.G. 1.97 Design Category; Actual Range/Status; Redundancy; Power Supply; Display (Main Board Variable Indication; Main Board Trend Indication; TSC, EOF Computer); Millstone 3 Design Category; EEQ; Seismic; QA; Trending; Remarks/Notes
ONE PAIR OF BREAKER D57      AFW PUMP STATUS    NS    NS    N/A    VITAL UPS LIGHTS PER    2    NO    YES    YES POSITION PUMP OPEN /
34C16-2 (3FWA*P1A)                                                                      3FWA-SI40B CLOSED 34D15-2 (3FWA*P1B) 0-6000 (SI40B) 3FWA*SE40 (3FWA*P2)
D58      SI PUMP STATUS              NS                  NS    BREAKER          N/A      VITAL UPS                                              2        NO      YES        YES ONE PAIR OF 34C8-2 (3SIH*P1A)                                    POSITION LIGHTS PER OPEN /
34D7-2 (3SIH*P1B)                                                                            PUMP CLOSED SERVICE WATER PUMP D59                                  NS                  NS                      N/A      VITAL UPS                                              2        NO      YES        YES STATUS                                                  BREAKER ONE PAIR OF 34C17-2 (3SWP*P1A)                                    POSITION LIGHTS PER 34D16-2 (3SWP*P1B)                                    OPEN /
PUMP 34C18-2 (3SWP*P1C)                                    CLOSED 34D17-2 (3SWP*P1D)
D60      CCW PUMP STATUS              NS                  NS    BREAKER          N/A      VITAL UPS                                              2        NO      YES        YES ONE PAIR OF 34C9-2 (3CCP*P1A)                                    POSITION LIGHTS PER 34D8-2 (3CCP*P1B)                                    OPEN /
PUMP 34D9-2 (3CCP*P1C)                                    CLOSED FULLY OPENED, ONE PAIR OF SI VALVE ALIGNMENT
* FULLY                    SEE                                                              SEE Attachment 1 FOR
* VALVE LIMIT SWITCHES ARE D61                                  NS                  NS                      N/A                  LIGHTS PER                                2 SEE Attachment 1                                        CLOSED, &                Attachment 1                                                      QUALIFICATIONS.                    USED AS SENSORS.
VALVE INTERMEDIA TE MPS-3 FSAR CONTAINMENT SPRAY D62                                  NS                  NS                      N/A      VITAL UPS                                              2        NO      YES        YES SYSTEM PUMP STATUS 34C6-2  (3QSS*P3A)                                    BREAKER ONE PAIR OF 34D5-2  (3QSS*P3B)                                    POSITION LIGHTS PER 34C19-2 (3RSS*P1A)                                    OPEN /
PUMP 34D18-2 (3RSS*P1B)                                    CLOSED 34C20-2 (3RSS*P1C) 34D19-2 (3RSS*P1D)
HIGH / LOW
* ONLY A COMMON TROUBLE HIGH LEVEL LIQUID                                                                              HIGH / LOW D63                          TOP TO BOTTOM                3      LEVEL            N/A      N/A                                                    2        N/A    N/A        N/A              ALARM IS AVAILABLE IN THE RADWASTE TANK LEVEL                                                                            LEVEL ALARMS ALARMS
* MAIN CONTROL ROOM. HIGH/LOW 3LWS-LT21A                                                                                  3LWS-LI21A                                                                              ALARMS AND LEVEL INDICATORS 3LWS-LI21B                                                                                  3LWS-LI21B
* ARE PROVIDED LOCALLY.
TYPE E VARIABLES CONTAINMENT RADIATION CONTAINMENT STRUCT. 1R/hr TO E1                                                        1          SEE A12                                                                    SEE A12 RAD. LEVEL (HR)    104R/hr AIRBORNE RADIOACTIVE MATERIALS RELEASED FROM                                                                                                                                                                                                        7.5-52 PLANT
 
TABLE 7.5-1 ACCIDENT MONITORING INSTRUMENTATION LIST (CONTINUED)
Columns: Item Number; Variable/Sensor; R.G. 1.97 Recommended Range/Status; R.G. 1.97 Design Category; Actual Range/Status; Redundancy; Power Supply; Display (Main Board Variable Indication; Main Board Trend Indication; TSC, EOF Computer); Millstone 3 Design Category; EEQ; Seismic; QA; Trending; Remarks/Notes
* SEE Deviation Number 30 IN Appendix 7.5A
                                                                                                                                                                                                ** INSTRUMENTS ARE DESIGNATED AS NON-SAFETY FLOW OUT VENTILATION 0 - 110VENT DESIGN              30,000 -                VITAL &                                                                                                RELATED/QUALITY (NSQ) TO E2                                                          2                  N/A                3HVR*RIY10A                  CVFE10        2        NO **  NO **    NO **  OFIS VENT                FLOW                              280,000 SCFM            VITAL UPS                                                                                              ENSURE THAT INSTRUMENTATION IS PROCURED AND MAINTAINED WITH THE NECESSARY EEQ CAPABILITIES FOR THE INSTALLED ENVIRONMENT.
3HVR-FE10 3HVR-FT10 FLOW RATE TO 0 - 110 VENT DESIGN            150-15,142              VITAL &
* SEE Deviation Number 29 IN E3      MILLSTONE STACK                                                        N/A                3HVR*RIY19A                  CVFE19        2        NO      YES      YES    OFIS FLOW                            SCFM                    VITAL UPS                                                                                              Appendix 7.5A.
(SLCRS) 3HVR*FE19                                      2 3HVR*FT19                                      2 10-6 TO
* REFER TO SSER 4, APPENDIX L, E4      VENTILATION VENT (ER)                              2        SEE C13                                                                  SEE C13 103 Ci/cc                                                                                                                                                      3.3.23 SUPPLEMENTARY LEAK 10-6 TO E5      COLLECTION AND                                    2        SEE C14                                                                  SEE C14 RELEASE SYSTEM (ER)  103 Ci/cc CONTAINMENT RECIRCULATION E6                                NS                      NS      SEE C15                                                                  SEE C15 COOLER SERVICE WATER OUTLET TUR. DRIVEN AUX. F/W                                    10-3 TO                NON-VITAL
* REFER TO SSER 4, APPENDIX L, E7                                NS                      NS                  N/A                3MSS-RIY79                    CVMSS79        2        NO      YES      NO      OFIS PUMP DISCHARGE                                          103 Ci/cc              UPS                                                                                                    3.3.24 3RMS-CNSL1 MPS-3 FSAR 3MSS-RE79                                                                                  Workstation Monitor MAIN STEAM RELIEF      10-1 TO                        10-3 TO                NON-VITAL
* REFER TO SSER 4, APPENDIX L, E8                                                          2                  N/A                3MSS-RIY75                    CVMSS75        2        NO      YES      NO      OFIS LINE                    103 Ci/cc                      103Ci/cc              UPS                                                                                                    3.3.6 & 3.3.24 3MSS-RE75                                                                                3MSS-RIY76                  CVMSS76 3MSS-RE76                                                                                3MSS-RIY77                  CVMSS77 3MSS-RE77                                                                                3MSS-RE78                    CVMSS78 3RMS-CNSL1 3MSS-RE78 (CRT)
CONDENSER AIR            10-6 TO E9                                                          2        SEE C9                                                                  SEE C9 EJECTOR                  105Ci/cc HYDROGEN 10-6 TO E10    RECOMBINER CUBICLE                              2            SEE C10                                                                  SEE C10 VENTILATION              10-2 Ci/cc ENVIRONS RADIATION AND RADIOACTIVITY 7.5-53
 
TABLE 7.5-1 ACCIDENT MONITORING INSTRUMENTATION LIST (CONTINUED)
Columns: Item Number; Variable/Sensor; R.G. 1.97 Recommended Range/Status; R.G. 1.97 Design Category; Actual Range/Status; Redundancy; Power Supply; Display (Main Board Variable Indication; Main Board Trend Indication; TSC, EOF Computer); Millstone 3 Design Category; EEQ; Seismic; QA; Trending; Remarks/Notes
E11  SITE ENVIRONMENTAL RADIATION LEVEL *
R.G. 1.97 Recommended Range/Status: REFER TO RG1.97 REV 2 FOR COMPLETE LIST OF RECOMMENDED PORTABLE SAMPLING WITH ON SITE ANALYSIS CAPABILITIES AND PORTABLE RADIATION MONITORING INSTRUMENTATION.
R.G. 1.97 Design Category: 3; Actual Range/Status: *; Redundancy: N/A; Power Supply: N/A; Variable Indication: *; Trend Indication: *; TSC, EOF Computer: *; Millstone 3 Design Category: 3; EEQ: N/A; Seismic: N/A; QA: N/A
Remarks/Notes: * SAMPLING LOCATIONS FOR SITE ENVIRONMENTAL RADIATION MONITORING ARE LISTED ON ODCM TABLE E-1 AND SHOWN IN ODCM APPENDIX G OF RADIATION EFFLUENT MONITORING AND OFF SITE DOSE CALCULATION MANUAL (REMODCM). PORTABLE SAMPLING AND MONITORING EQUIPMENT AND ON SITE LABORATORY ANALYSIS EQUIPMENT ARE DISCUSSED IN FSAR Section 12.5.2.
METEOROLOGY
* COMPONENT TAGS DO NOT METEOROLOGICAL                                      WIND                                                              WIND                                                        EXIST. THIS INSTRUMENTATION IS E12                            WIND DIRECTION          3                    N/A        N/A        OFIS            OFIS                        3        N/A    N/A      N/A  OFIS INSTRUMENTATION
* DIRECTION                                                      DIRECTION                                                    COMMON TO THE MILLSTONE SITE.
0 TO 360                      0 TO 360                                                        CVWD033 WIND SPEED                    WIND SPEED                                                      CVWD142 0 TO 67 MPH                    0 TO 100 MPH                                                    CVWD374 DELTA DELTA TEMP                                                                                    WIND SPEED TEMP
                                                              -10 F TO 18
                              -9 F TO 18 F                                                                                CVWS033MPH F
CVWS142MPH SEE RG1.97 FOR    CVWS374MPH ACCURACY REQUIRE-    DELTA TEMP MENTS    CVDT142F CVDT374F
 
Abbreviations:
EEQ    Electrical Environmental Qualification
EOF    Emergency Offsite Facility
EQML   Environmental Qualification Master List (Specification SP-EE-353)
ER     Extended Range
HR     High Range
ICC    Inadequate Core Cooling
MCR    Main Control Room
NMR    Normal Range
NR     Narrow Range
NS     Not Specified
OFIS   Off site Facilities Information System
SPDS   Safety Parameter Display System
TSC    Technical Support Center
UPS    Uninterruptible Power Supply
WR     Wide Range

Explanatory Notes:
A Under the Actual Range/Status column:
The calibrated range of the instrument is listed unless otherwise noted. Valve and Circuit Breaker position status information is provided for valves and pumps respectively.
B Under the Redundancy column:
Yes means redundant qualified (Class 1E) channels are available in the MCR. For design Category 2 and 3 instrumentation this column is marked N/A since there are no specific provisions for redundancy of Reg. Guide 1.97 Rev. 2 Category 2 or 3 instrumentation.
C Under the Power Supply column:
The type of power supply for the subject instrumentation channel(s) is listed. An instrumentation channel pertains to the signal from the sensor (listed under the Variable/Sensor column) to, at a minimum, the Main Board Instrument (listed under the Variable Indication column). Since there are no specific provisions for the power supply of design Category 3 instrumentation, N/A is marked in this column. The power supplies listed in this table are defined as follows:
VITAL: Consists of an Emergency Electrical Bus or Distribution Panel which is, at a minimum, backed by the Emergency Diesel Generators.
VITAL UPS: Consists of an Emergency Electrical Bus or Distribution Panel which is backed by the Emergency Diesel Generators and Class 1E Batteries.
NON-VITAL: Consists of a Normal Electrical Bus or Distribution Panel which is neither backed by the Emergency Diesel Generators nor Class 1E Batteries.
NON-VITAL UPS: Consists of a Normal Electrical Bus or Distribution Panel which is, at a minimum, backed by Non-Class 1E Batteries.
Note: VITAL, VITAL UPS, and NON-VITAL UPS power supplies as defined above, are considered highly reliable power sources.
D Under the Display column:
 
The tag number(s) of available MCR display instrumentation is listed. Under the TSC/EOF Computer column, display will be via CRTs driven by either OFIS or SPDS.
E Under the Millstone 3 Design Category column:
The plant-specific Regulatory Guide 1.97 Rev. 2 design category (1, 2, or 3) for this instrumentation as determined by Specification SP-M3-IC-022.
F Under the EEQ column:
Yes means the subject instrumentation loop sensor(s) is listed in the EEQ Program Specification SP-EE-353 Millstone Unit 3 Environmental Qualification Master List. The listed sensor and instrument loop up to and including an isolation device is considered environmentally qualified in accordance with Regulatory Guide 1.89. The appropriate environmental qualification requirements for each instrument are determined as part of the EEQ program. For design Category 3 instrumentation, N/A is entered since there are no specific provisions for environmental qualification.
G Under the Seismic column:
Yes means that the instrumentation has been seismically qualified in accordance with the criteria stated in section 3.0 of Specification SP-M3-IC-022 for Category 1 and 2 instrumentation. For design Category 3 instrumentation, N/A is entered since there are no specific provisions for seismic qualification.
H Under the QA column:
Yes means that the instrumentation meets the QA requirements detailed in section 3.0 of Specification SP-M3-IC-022 for Category 1 and 2 instrumentation. For design Category 3 instrumentation, N/A is entered since there are no specific provisions for design qualification.
I Under the Trending column:
DED_REC means continuously available dedicated recorders are provided. A dedicated recorder is defined as a recorder that has at least one channel dedicated for a specific instrument loop. The term dedicated does not imply or impose QA qualification. These recorders may be qualified either QA or NON-QA depending upon their use.
REDN_REC means continuously available, qualified (Class 1E), redundant dedicated recorders are provided.
OFIS means data measurement/trending is available via the Off site Facilities Information System. This data is continuously available, updated, stored in computer memory, and displayed on demand.
SPDS means data measurement/trending is available via the Safety Parameter Display System. This data is continuously available, updated, stored in computer memory, and displayed on demand.
J Under the Remarks/Notes column:
For each item number, any column entry with an asterisk is explained in the Remarks/Notes column.
 
Table 7.5-1 Accident Monitoring Instrumentation List
Variable No./Name         Sensor ID       EEQ   Seismic   QA    Power Supply
D3/RHR Valve Status       3RHS*FCV610     Yes   Yes       Yes   Vital
                          3RHS*FCV611     Yes   Yes       Yes   Vital
                          3RHS*HCV606     No    No        No    Non-Vital UPS
                          3RHS*HCV607     No    No        No    Non-Vital UPS
                          3RHS*MV8701A    Yes   Yes       Yes   Vital
                          3RHS*MV8701B    Yes   Yes       Yes   Vital
                          3RHS*MV8701C    Yes   Yes       Yes   Vital
                          3RHS*MV8702A    Yes   Yes       Yes   Vital
                          3RHS*MV8702B    Yes   Yes       Yes   Vital
                          3RHS*MV8702C    Yes   Yes       Yes   Vital
                          3RHS*MV8716A    Yes   Yes       Yes   Vital
                          3RHS*MV8716B    Yes   Yes       Yes   Vital
D31/AFW Valve Status      3FWA*HV31A      Yes   Yes       Yes   Vital UPS
                          3FWA*HV31B      Yes   Yes       Yes   Vital UPS
                          3FWA*HV31C      Yes   Yes       Yes   Vital UPS
                          3FWA*HV31D      Yes   Yes       Yes   Vital UPS
                          3FWA*HV32A      No    Yes       Yes   Vital UPS
                          3FWA*HV32B      No    Yes       Yes   Vital UPS
                          3FWA*HV32C      No    Yes       Yes   Vital UPS
                          3FWA*HV32D      No    Yes       Yes   Vital UPS
                          3FWA*HV36A      Yes   Yes       Yes   Vital UPS
                          3FWA*HV36B      Yes   Yes       Yes   Vital UPS
 
Table 7.5-1 Accident Monitoring Instrumentation List (Continued)
Variable No./Name         Sensor ID       EEQ   Seismic   QA    Power Supply
                          3FWA*HV36C      Yes   Yes       Yes   Vital UPS
                          3FWA*HV36D      Yes   Yes       Yes   Vital UPS
                          3FWA*AOV23A     Yes   Yes       Yes   Vital UPS
                          3FWA*AOV23B     Yes   Yes       Yes   Vital UPS
                          3FWA*AOV61A     Yes   Yes       Yes   Vital UPS
                          3FWA*AOV61B     Yes   Yes       Yes   Vital UPS
                          3FWA*AOV62A     No    Yes       Yes   Vital UPS
                          3FWA*AOV62B     No    Yes       Yes   Vital UPS
                          3FWA*MOV35A     Yes   Yes       Yes   Vital
                          3FWA*MOV35B     Yes   Yes       Yes   Vital
                          3FWA*MOV35C     Yes   Yes       Yes   Vital
                          3FWA*MOV35D     Yes   Yes       Yes   Vital
                          3MSS*MOV17A     No    Yes       Yes   Vital
                          3MSS*MOV17B     No    Yes       Yes   Vital
                          3MSS*MOV17D     No    Yes       Yes   Vital
                          3MSS*MOV74A     Yes   Yes       Yes   Vital
                          3MSS*MOV74B     Yes   Yes       Yes   Vital
                          3MSS*MOV74C     Yes   Yes       Yes   Vital
                          3MSS*MOV74D     Yes   Yes       Yes   Vital
D46/CVCS Valve Status     3CHS*AOV64      No    No        No    Non-Vital UPS
                          3CHS*AOV68      No    No        No    Non-Vital UPS
                          3CHS*AOV71      No    No        No    Non-Vital UPS
 
                            3CHS*AV002A    No    No        No    Non-Vital UPS
                            3CHS*AV002B    No    No        No    Non-Vital UPS
                            3CHS*AV7010A   No    No        No    Non-Vital UPS
                            3CHS*AV7010B   No    No        No    Non-Vital UPS
                            3CHS*AV7010C   No    No        No    Non-Vital UPS
                            3CHS*AV7010D   No    No        No    Non-Vital UPS
                            3CHS*AV7010E   No    No        No    Non-Vital UPS
                            3CHS*AV7022    No    No        No    Non-Vital UPS
                            3CHS*AV7040    No    No        No    Non-Vital UPS
                            3CHS*AV7041    No    No        No    Non-Vital UPS
                            3CHS*AV7045    No    No        No    Non-Vital UPS
                            3CHS*AV7046    No    No        No    Non-Vital UPS
                            3CHS*AV7054    No    No        No    Non-Vital UPS
                            3CHS*AV7057    No    No        No    Non-Vital UPS
                            3CHS*AV8101    No    No        No    Non-Vital UPS
                            3CHS*AV8141A   No    No        No    Non-Vital UPS
                            3CHS*AV8141B   No    No        No    Non-Vital UPS
                            3CHS*AV8141C   No    No        No    Non-Vital UPS
                            3CHS*AV8141D   No    No        No    Non-Vital UPS
                            3CHS*AV8143    Yes   Yes       Yes   Vital UPS
                            3CHS*AV8146    No    Yes       Yes   Vital UPS
                            3CHS*AV8147    No    Yes       Yes   Vital UPS
 
                            3CHS*AV8149A   No    Yes       Yes   Vital UPS
                            3CHS*AV8149B   No    Yes       Yes   Vital UPS
                            3CHS*AV8149C   No    Yes       Yes   Vital UPS
                            3CHS*CV8152    Yes   Yes       Yes   Vital UPS
                            3CHS*CV8160    Yes   Yes       Yes   Vital UPS
                            3CHS*FCV110A   Yes   Yes       Yes   Vital UPS
                            3CHS*FCV110B   Yes   Yes       Yes   Vital UPS
                            3CHS*FCV111A   Yes   Yes       Yes   Vital UPS
                            3CHS*FCV111B   Yes   Yes       Yes   Vital UPS
                            3CHS*FCV110A   Yes   Yes       Yes   Vital UPS
                            3CHS*FCV110B   Yes   Yes       Yes   Vital UPS
                            3CHS*FCV111A   Yes   Yes       Yes   Vital UPS
                            3CHS*FCV111B   Yes   Yes       Yes   Vital UPS
                            3CHS*FCV121    No    No        No    Non-Vital UPS
                            3CHS*HCV128    No    No        No    Non-Vital UPS
                            3CHS*HCV182    No    No        No    Non-Vital UPS
                            3CHS*HCV190A   Yes   Yes       Yes   Vital UPS
                            3CHS*HCV190B   Yes   Yes       Yes   Vital UPS
                            3CHS*HCV387    No    No        No    Non-Vital UPS
                            3CHS*LCV112A   Yes   Yes       Yes   Vital UPS
                            3CHS*LCV112B   Yes   Yes       Yes   Vital
                            3CHS*LCV112C   Yes   Yes       Yes   Vital
 
                            3CHS*LCV112D   Yes   Yes       Yes   Vital
                            3CHS*LCV112E   Yes   Yes       Yes   Vital
                            3CHS*MV8100    Yes   Yes       Yes   Vital
                            3CHS*MV8104    Yes   Yes       Yes   Vital
                            3CHS*MV8105    Yes   Yes       Yes   Vital
                            3CHS*MV8106    Yes   Yes       Yes   Vital
                            3CHS*MV8109A   Yes   Yes       Yes   Vital
                            3CHS*MV8109B   Yes   Yes       Yes   Vital
                            3CHS*MV8109C   Yes   Yes       Yes   Vital
                            3CHS*MV8109D   Yes   Yes       Yes   Vital
                            3CHS*MV8110    Yes   Yes       Yes   Vital
                            3CHS*MV8111A   Yes   Yes       Yes   Vital
                            3CHS*MV8111B   Yes   Yes       Yes   Vital
                            3CHS*MV8111C   Yes   Yes       Yes   Vital
                            3CHS*MV8112    Yes   Yes       Yes   Vital
                            3CHS*MV8116    Yes   Yes       Yes   Vital
                            3CHS*MV8438A   Yes   Yes       Yes   Vital
                            3CHS*MV8438B   Yes   Yes       Yes   Vital
                            3CHS*MV8438C   Yes   Yes       Yes   Vital
                            3CHS*MV8468A   Yes   Yes       Yes   Vital
                            3CHS*MV8468B   Yes   Yes       Yes   Vital
                            3CHS*MV8507A   Yes   Yes       Yes   Vital
 
                            3CHS*MV8507B   Yes   Yes       Yes   Vital
                            3CHS*MV8511A   Yes   Yes       Yes   Vital
                            3CHS*MV8511B   Yes   Yes       Yes   Vital
                            3CHS*MV8512A   Yes   Yes       Yes   Vital
                            3CHS*MV8512B   Yes   Yes       Yes   Vital
                            3CHS*PCV131    No    No        No    Non-Vital UPS
                            3CHS*SOV390A   No    Yes       Yes   Non-Vital UPS
                            3CHS*SOV390B   No    Yes       Yes   Non-Vital UPS
                            3CHS*TCV129    Yes   Yes       Yes   Vital UPS
                            3CHS*TCV381A   No    No        No    Non-Vital UPS
                            3CHS*TCV381B   No    No        No    Non-Vital UPS
                            3CHS*TCV386    No    No        No    Non-Vital UPS
                            3RCS*AV8036A   No    No        No    Non-Vital UPS
                            3RCS*AV8036B   No    No        No    Non-Vital UPS
                            3RCS*AV8036C   No    No        No    Non-Vital UPS
                            3RCS*AV8036D   No    No        No    Non-Vital UPS
                            3RCS*AV8037A   No    No        No    Non-Vital UPS
                            3RCS*AV8037B   No    No        No    Non-Vital UPS
                            3RCS*AV8037C   No    No        No    Non-Vital UPS
                            3RCS*AV8037D   No    No        No    Non-Vital UPS
                            3RCS*AV8153    Yes   Yes       Yes   Vital UPS
                            3RCS*LCV459    No    Yes       Yes   Vital UPS
 
                            3RCS*LCV460    Yes   Yes       Yes   Vital UPS
                            3RCS*MV8098    No    Yes       Yes   Vital
D52/HVAC Damper Positions   3HVC*AOV20     No    Yes       Yes   Vital UPS
                            3HVC*AOV21     No    Yes       Yes   Vital UPS
                            3HVC*AOV22     No    Yes       Yes   Vital UPS
                            3HVC*AOV23     No    Yes       Yes   Vital UPS
                            3HVC*AOV25     No    Yes       Yes   Vital UPS
                            3HVC*AOV26     No    Yes       Yes   Vital UPS
                            3HVC*AOD27A    No    Yes       Yes   Vital UPS
                            3HVC*AOD27B    No    Yes       Yes   Vital UPS
                            3HVC*MOD33A    No    Yes       Yes   Vital
                            3HVC*MOD33B    No    Yes       Yes   Vital
                            3HVC*AOD119B   No    Yes       Yes   Vital UPS
                            3HVC*AOD119A   No    Yes       Yes   Vital UPS
                            3HVP*MOD20A    No    Yes       Yes   Vital
                            3HVP*MOD20B    No    Yes       Yes   Vital
                            3HVP*MOD20C    No    Yes       Yes   Vital
                            3HVP*MOD20D    No    Yes       Yes   Vital
                            3HVP*MOD23A    No    Yes       Yes   Vital
                            3HVP*MOD23B    No    Yes       Yes   Vital
                            3HVP*MOD26A    No    Yes       Yes   Vital
                            3HVP*MOD26B    No    Yes       Yes   Vital
 
                            3HVQ*AOD40A    Yes   Yes       Yes   Vital UPS
                            3HVQ*AOD40B    Yes   Yes       Yes   Vital UPS
                            3HVQ*AOD40C    No    Yes       Yes   Vital UPS
                            3HVQ*AOD40D    No    Yes       Yes   Vital UPS
                            3HVQ*AOD41A    No    Yes       Yes   Vital UPS
                            3HVQ*AOD41B    Yes   Yes       Yes   Vital UPS
                            3HVQ*AOD41C    No    Yes       Yes   Vital UPS
                            3HVQ*AOD41D    No    Yes       Yes   Vital UPS
                            3HVQ*AOD42A    No    Yes       Yes   Vital UPS
                            3HVQ*AOD42B    Yes   Yes       Yes   Vital UPS
                            3HVQ*AOD42C    No    Yes       Yes   Vital UPS
                            3HVQ*AOD42D    No    Yes       Yes   Vital UPS
                            3HVQ*AOD43A    No    Yes       Yes   Vital UPS
                            3HVQ*AOD43B    Yes   Yes       Yes   Vital UPS
                            3HVQ*AOD43C    Yes   Yes       Yes   Vital UPS
                            3HVQ*AOD43D    No    Yes       Yes   Vital UPS
                            3HVQ*MOD26A1   No    Yes       Yes   Vital
                            3HVQ*MOD26B1   No    Yes       Yes   Vital
                            3HVQ*MOD26C1   No    Yes       Yes   Vital
                            3HVQ*MOD26A2   No    Yes       Yes   Vital
                            3HVQ*MOD26B2   No    Yes       Yes   Vital
                            3HVQ*MOD26C2   No    Yes       Yes   Vital
 
                            3HVR*AOD20A    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD20B    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD29A    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD29B    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD32A    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD32B    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD33A    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD33B    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD35A    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD35B    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD39A    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD39B    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD40A    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD40B    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD42A    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD42B    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD43A    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD43B    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD44A    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD44B    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD55A    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD55B    Yes   Yes       Yes   Vital UPS
 
                            3HVR*AOD65A    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD65B    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD66A    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD66B    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD80A    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD80B    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD81A    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD81B    Yes   Yes       Yes   Vital UPS
                            3HVR*AOD85     Yes   Yes       Yes   Vital UPS
                            3HVR*AOD86     Yes   Yes       Yes   Vital UPS
                            3HVR*AOD95A    Yes   Yes       Yes   Vital
                            3HVR*AOD95B    Yes   Yes       Yes   Vital
                            3HVR*AOD174A   Yes   Yes       Yes   Vital UPS
                            3HVR*AOD174B   Yes   Yes       Yes   Vital UPS
                            3HVR*AOD184    Yes   Yes       Yes   Vital UPS
                            3HVR*MOD28A    Yes   Yes       Yes   Vital
                            3HVR*MOD28B    Yes   Yes       Yes   Vital
                            3HVR*MOD49A    Yes   Yes       Yes   Vital
                            3HVR*MOD49B    Yes   Yes       Yes   Vital
                            3HVR*MOD49C1   Yes   Yes       Yes   Vital
                            3HVR*MOD49C2   Yes   Yes       Yes   Vital
                            3HVR*MOD50A    Yes   Yes       Yes   Vital
 
                            3HVR*MOD50B    Yes   Yes       Yes   Vital
                            3HVR*MOD50C1   Yes   Yes       Yes   Vital
                            3HVR*MOD50C2   Yes   Yes       Yes   Vital
                            3HVR*MOD72A    Yes   Yes       Yes   Vital
                            3HVR*MOD72B    Yes   Yes       Yes   Vital
                            3HVV*MOD50C    No    Yes       Yes   Vital
                            3HVV*MOD50D    No    Yes       Yes   Vital
                            3HVV*AOD50A1   No    Yes       Yes   Vital UPS
                            3HVV*AOD50B1   No    Yes       Yes   Vital UPS
                            3HVV*AOD50A2   No    Yes       Yes   Vital UPS
                            3HVV*AOD50B2   No    Yes       Yes   Vital UPS
                            3HVV*MOD51A    Yes   Yes       Yes   Vital
                            3HVV*MOD51B    Yes   Yes       Yes   Vital
                            3HVV*MOD51C    Yes   Yes       Yes   Vital
                            3HVV*MOD51D    Yes   Yes       Yes   Vital
                            3HVY*AOD23A    No    Yes       Yes   Vital
                            3HVY*AOD23B    No    Yes       Yes   Vital
                            3HVZ*MOD20A    No    Yes       Yes   Vital
                            3HVZ*MOD20B    Yes   Yes       Yes   Vital
                            3HVZ*MOD21A    No    Yes       Yes   Vital
                            3HVZ*MOD21B    No    Yes       Yes   Vital
D61/SI Valve Alignment      3SIH*MV8801A   Yes   Yes       Yes   Vital
 
                            3SIH*MV8801B   Yes   Yes       Yes   Vital
                            3SIH*MV8802A   Yes   Yes       Yes   Vital
                            3SIH*MV8802B   Yes   Yes       Yes   Vital
                            3SIH*MV8806    Yes   Yes       Yes   Vital
                            3SIH*MV8807A   Yes   Yes       Yes   Vital
                            3SIH*MV8807B   Yes   Yes       Yes   Vital
                            3SIH*MV8813    Yes   Yes       Yes   Vital
                            3SIH*MV8814    Yes   Yes       Yes   Vital
                            3SIH*MV8821A   Yes   Yes       Yes   Vital
                            3SIH*MV8821B   Yes   Yes       Yes   Vital
                            3SIH*MV8835    Yes   Yes       Yes   Vital
                            3SIL*MV8840    Yes   Yes       Yes   Vital
                            3SIH*MV8920    Yes   Yes       Yes   Vital
                            3SIH*MV8923A   Yes   Yes       Yes   Vital
                            3SIH*MV8923B   Yes   Yes       Yes   Vital
                            3SIH*MV8924    Yes   Yes       Yes   Vital
                            3SIH*CV8823    Yes   Yes       Yes   Vital
                            3SIH*CV8824    Yes   Yes       Yes   Vital
                            3SIH*CV8843    Yes   Yes       Yes   Vital
                            3SIH*CV8871    Yes   Yes       Yes   Vital
                            3SIH*CV8964    Yes   Yes       Yes   Vital
                            3SIH*CV8881    Yes   Yes       Yes   Vital
 
                            3SIH*CV8888    Yes   Yes       Yes   Vital
                            3SIL*MV8804A   Yes   Yes       Yes   Vital
                            3SIL*MV8804B   Yes   Yes       Yes   Vital
                            3SIL*MV8809A   Yes   Yes       Yes   Vital
                            3SIL*MV8809B   Yes   Yes       Yes   Vital
                            3SIL*MV8812A   Yes   Yes       Yes   Vital
                            3SIL*MV8812B   Yes   Yes       Yes   Vital
                            3SIL*CV8825    Yes   Yes       Yes   Vital UPS
                            3SIL*CV8890A   Yes   Yes       Yes   Vital UPS
                            3SIL*CV8890B   Yes   Yes       Yes   Vital UPS
                            3SIL*SV8875A   Yes   Yes       Yes   Vital UPS
                            3SIL*SV8875B   Yes   Yes       Yes   Vital UPS
                            3SIL*SV8875C   Yes   Yes       Yes   Vital UPS
                            3SIL*SV8875D   Yes   Yes       Yes   Vital UPS
                            3SIL*SV8875E   Yes   Yes       Yes   Vital UPS
                            3SIL*SV8875F   Yes   Yes       Yes   Vital UPS
                            3SIL*SV8875G   Yes   Yes       Yes   Vital UPS
                            3SIL*SV8875H   Yes   Yes       Yes   Vital UPS
                            3SIL*CV8880    Yes   Yes       Yes   Vital UPS
                            3SIL*CV8968    Yes   Yes       Yes   Vital UPS
                            3SIL*HCV943A   Yes   Yes       Yes   Vital UPS
                            3SIL*HCV943B   Yes   Yes       Yes   Vital UPS
 
                            3SIL*MV8808A   Yes   Yes       Yes   Vital
                            3SIL*MV8808B   Yes   Yes       Yes   Vital
                            3SIL*MV8808C   Yes   Yes       Yes   Vital
                            3SIL*MV8808D   Yes   Yes       Yes   Vital
 
1    INSTRUMENTATION AND CONTROL POWER SUPPLY SYSTEM
The instrumentation and control power supply system is described in Section 8.3.
2    RESIDUAL HEAT REMOVAL ISOLATION VALVES
2.1    Description
The residual heat removal system (RHS) isolation valves are normally closed and are only opened for residual heat removal after system pressure is reduced to approximately 375 psig.
The RHS valves are provided with red (OPEN) and green (CLOSED) position indicating lights located at the keylock control switch for each valve. These lights are powered by valve control power and actuated by valve motor operator limit switches.
There are three motor-operated valves in series in each of the two RHS pump suction lines from the reactor coolant system (RCS) hot legs. Two valves in series located close to the containment walls, one inside containment and one outside containment, are provided with interlocks. The interlock features provided for the isolation valves are similar for both trains and are shown on Figure 7.6-1.
Each of the two valves is interlocked so that it cannot be opened unless the RCS pressure is below approximately 412.5 psia. This interlock prevents the valve from being opened when the RCS pressure plus the RHS pump pressure would be above the RHS system design pressure. The interlocks for each train are independent. If the valve remains open and RCS pressure increases to psig, an alarm will sound requiring operator action.
If the plant is in Mode 1, 2, or 3, the operator is required to close all three suction valves. If the plant is in Mode 4, 5, or 6, and the RCS pressure increases to 750 psig, the operator is required to close the motor-operated valve closest to the pump.
It should be noted that these valves can also be controlled from the Auxiliary Shutdown Panel (ASP). Valve 8701A is not interlocked with RCS pressure low to open to provide one train of RHR cooling when the control room is inaccessible. Valve 8701B is interlocked with RCS low pressure to open from the ASP but can be manually opened if necessary, because it is located ide of containment.
The first valve in each train is located in the ESF building closest to the RHS pump and is closed and deenergized at the MCC during power operation. The alarm will function with the valve deenergized.
The third valve in each train is located inside the containment and is closed and deenergized at the MCC during power operation. No interlocks are provided.
 
Based on the scope definitions presented in IEEE Standard 279-1971 and 338-1971, these criteria do not apply to the RHS isolation valve interlocks; however, in order to meet NRC requirements and because of the possible severity of the consequences of loss of function, the requirements of IEEE Standard 279-1971 will be applied with the following comments:
: 1. For the purpose of applying IEEE Standard 279-1971 to this circuit, the protection system shall consist of the two valves in series in each line and all components of their interlocking and closure circuits.
: 2. IEEE Standard 279-1971, Paragraph 4.10: The above-mentioned pressure interlock signals and logic will be tested on line to the maximum extent possible without adversely affecting safety. This test will include the analog signal through to the train signal which activates the slave relay (the slave relay provides the final output signal to the valve control circuit). This is done in the best interests of safety since an actual actuation to permit opening the valve could potentially leave only one remaining valve to isolate the low-pressure RHS from the RCS.
: 3. IEEE Standard 279-1971, Paragraph 4.15: This requirement does not apply, as the setpoints are independent of mode of operation and are not changed.
Environmental qualification of the valves and wiring are discussed in Section 3.11.
3    REFUELING INTERLOCKS
Electrical interlocks (i.e., proximity/limit switches), as discussed in Section 9.1.4, are provided for minimizing the possibility of damage to the fuel during fuel handling operations.
4    ACCUMULATOR MOTOR-OPERATED VALVES
The design of the interconnecting of these signals to the accumulator isolation valve meets the following criteria established in previous NRC positions on this matter:
: 1. Automatic opening of the accumulator valves when (a) the primary coolant system pressure exceeds a preselected value specified in the Technical Specifications or (b) a safety injection signal has been initiated. Both signals shall be provided to the valves.
: 2. Utilization of a safety injection signal (SIS) to automatically remove (override) and bypass features that are provided to allow an isolation valve to be closed for short periods of time when the reactor coolant system is at pressure in accordance with the provisions of the Technical Specifications. As a result of the confirmatory SIS, isolation of an accumulator with the reactor at pressure is acceptable.
 
The safety injection system accumulator discharge isolation valves are motor operated, normally open valves which are controlled from the main control board.
These valves are interlocked such that:
: 1.      Signals from the ESFAS are provided to the valve(s) upon initiation of SIS. These signals would open the valves if they were closed and energized, but since the valves are locked open during normal operation with their power removed, the signals perform no actual function. (See Section 6.3.2.2.6).
: 2.      Signals from the ESFAS are provided to the valve(s) upon receipt of high pressurizer pressure (pressure above the P-11 setpoint). These signals would open the valves if they were closed and energized, but since the valves are locked open during normal operation with their power removed, the signals perform no actual function. (See Section 6.3.2.2.6).
: 3.      They cannot be closed as long as a SIS is present.
The four main control board position switches for these valves provide a spring return to auto from the OPEN position and a maintained closed position.
These normally open motor-operated valves have alarms, indicating a malpositioning (with regard to their ECCS function during the injection phase). The alarms sound in the main control room.
An alarm sounds for any accumulator isolation valve under the following conditions when the RCS pressure is above the SI unblocking pressure:
: 1.      Valve motor-operator limit switch indicates valve not open
: 2.      Valve stem limit switch indicates valve not open. The alarm on this switch repeats itself at given intervals.
Bypass and inoperable alarms are in accordance with Regulatory Guide 1.47.
5    REACTOR COOLANT SYSTEM LOOP ISOLATION VALVE INTERLOCKS.
Startup of an isolated reactor coolant loop is prevented by strict administrative controls until the plant is in Mode 5 or 6 with all conditions of Technical Specification 3/4.4.1.6 satisfied.
The interlocks allow opening of the cold leg loop stop valves (refer to Valve 2 on Figure 7.6-4) whenever:
: 2.      The reactor coolant system temperature is less than a preset amount (170°F), and
: 3.      The cold leg temperature is within 20°F of the highest cold leg temperature in other loops, and the hot leg temperature is within 20°F of the highest hot leg temperature in other loops.
For the logic functions of these interlocks, refer to Figure 7.2-1, Sheets 17, 18, and 19.
6    FUEL POOL COOLING AND PURIFICATION SYSTEM
6.1    Description
The fuel pool cooling and purification system design is described in Section 9.1.3, and the flow diagram is shown on Figure 9.1-6.
Fuel pool cooling pump motor controls are located on the main control board and at the switchgear. REMOTE/LOCAL control selector switches are provided at the switchgear. An annunciator is alarmed on the main control board when local control is selected.
The following parameters are indicated on the fuel pool cooling panel:
: 1.      Fuel pool water level
: 2.      Fuel pool demineralizer total flow
: 3.      Fuel pool water temperature
: 4.      Fuel pool coolers outlet temperature
: 5.      Fuel pool cooling return flow
: 6.      Fuel pool cooling pumps discharge pressure
: 7.      Fuel pool purification return flow
: 8.      Fuel pool demineralizer flow
The following parameters are provided with first out annunciators on the fuel pool panel:
: 1.      Fuel pool water level low
: 2.      Fuel pool water level high
: 3.      Fuel pool water temperature high
: 5.      Fuel pool cooling return flow low
: 6.      Fuel pool purification flow low
: 7.      Fuel pool prefilter 3A differential pressure high
: 8.      Fuel pool prefilter 3B differential pressure high
: 9.      Fuel pool demineralizer differential pressure high
: 10. Fuel pool post filter differential pressure high
: 11. Fuel pool coarse filter differential pressure high
: 12. Fuel pool cooler cooling water outlet flow low
: 13. Fuel pool purification pump 2A auto trip
: 14. Fuel pool purification pump 2B auto trip
A fuel pool cooling system trouble annunciator located on the main control board is alarmed whenever an alarm is received on the fuel pool panel.
Redundant pressure switches are utilized to energize low level indicator lights on the main control board. Temperature is indicated on the main control board by redundant temperature indicators.
Fuel pool level low, fuel pool level high, fuel pool cooling pumps auto trip, and fuel pool temperature high are alarmed on the main control board.
Continuous wide range level indication is provided from the top of the fuel racks to the normal operating level of the spent fuel pool by the Spent Fuel Pool Wide Range Level Displays within the Auxiliary Building.
To protect personnel from high radiation doses which could occur due to fuel pool water level lower than normal, or during the refueling process, continuous radiation monitoring above the pool is provided. For a detailed description of the radiation monitor provided above the fuel pool, see Chapter 11, Section 11.5.2.
6.2      Analysis of Fuel Pool Cooling and Purification System
: 1.      IEEE Standard 279-1971, Paragraph 4.2: For a discussion of system instrumentation redundancy and single failure criteria, refer to FSAR Sections 3.1 and 9.1.3.
: 3.      Design Bases For the fuel pool cooling and purification system design bases, refer to Section 9.1.3.1.
: 4.      IEEE Standard 279-1971, Paragraph 4.6: Instrumentation for the fuel pool cooling and purification system has no multiple instrument channels. The instrument trains (A and B) for this system meet the requirements of General Design Criteria 44 (Section 3.1.2.44).
: 5.      IEEE Standard 279-1971, Paragraphs 4.9 and 4.10: Calibration of the level switches, alarms, and indicators is verified periodically by removing the device in service and testing with test apparatus compatible with the specific equipment being tested and injecting simulated signals. Inspections and testing requirements are discussed in Section 9.1.3.4.
: 6.      IEEE Standard 279-1971, Paragraph 4.13: Bypass and inoperable alarms are in accordance with Regulatory Guide 1.47.
7    CONTAINMENT LEAKAGE MONITORING SYSTEM (CONTAINMENT ATMOSPHERE PRESSURE AND TEMPERATURE MONITORING INSTRUMENTATION)
7.1      Description
The containment leakage monitoring system design is shown on Figure 6.2-53.
With the exceptions described below, components mounted between the containment structure and the outer containment isolation valves, including the valves themselves and the two containment air temperature detectors located inside the containment structure, are safety related.
The remainder of the containment leakage monitoring system components inside and outside the containment structure are not safety related.
Four safety related containment pressure transmitters (two extended range and two narrow range) are installed in two of the four containment penetration lines (PT935 and PT936). The extended range containment pressure transmitters transmit the containment pressure signal to the plant computer, and to dual channel indicators in the control room and one channel is recorded. The narrow range containment pressure transmitters transmit the containment pressure signal to dual channel indicators in the control room. The dual channel indicators and recorder in the control room are safety related.
Additional safety related containment atmosphere pressure transmitters are installed in each of the containment penetration lines (PT-934 through 937). The transmitter output signals are used
 
channels of containment pressure indication in the control room and two channels on the auxiliary shutdown panels. Two channels are recorded in the control room. Each transmitter may be verified and calibrated by valving the transmitter out of service and applying a simulated signal.
A motor-operated valve is installed in each containment open pressure tap line between the containment and the transmitter connections. This valve is normally open and fails in the AS IS position on loss of power. An inadvertent closed position of these valves is alarmed and a bypass annunciator is alarmed in the control room. The motor-operated valves are remote manually controlled from the control room. Two safety related temperature measuring channels are provided to monitor the containment atmosphere temperature. This temperature is indicated in the control room and one channel is recorded.
7.2    Analysis
: 1.      IEEE Standard 279-1971, Paragraph 4.2: Redundant channels and trains for pressure and redundant trains of temperature indication supplied from separate power sources preclude a single random failure from preventing a protective action or indication at the system level.
: 2.      IEEE Standard 279-1971, Paragraphs 4.9 and 4.10: Each pressure transmitter associated with Hi-1, Hi-2, and Hi-3 containment pressure may be tested and calibrated by valving the transmitter out of service and applying a simulated signal.
Temperature transmitters and indicators may be tested and calibrated periodically with a compatible test apparatus.
: 3.      IEEE Standard 279-1971, Paragraph 4.13: Bypass and inoperable alarms are in accordance with Regulatory Guide 1.47.
: 4.      Design Bases For design bases information and a further discussion of compliance with IEEE-279-1971 for engineered safety features, refer to Section 7.3.1.2 and 7.3.2.
: 5.      IEEE Standard 279-1971, Paragraph 4.4: For a discussion of the type tests made to verify the performance requirements, refer to Section 3.11.
: 6.      IEEE Standard 279-1971, Paragraph 4.5: For a discussion of channel independence applicable to Hi-1, Hi-2, and Hi-3 containment pressure, refer to Section 7.3.2.2.3.
 
8.1    Description
The basic function of the RCS pressure control during low-temperature operation is discussed in Section 5.2.2. As noted in Section 5.2.2, this pressure control includes automatic actuation logic for two pressurizer power operated relief valves (PORV). The function of this actuation logic is to continuously monitor RCS temperature and pressure conditions with actuation logic armed by operator action by means of an ARM/BLOCK main control board (MCB) switch which is placed in the BLOCK position when the plant is at operating pressure. The monitored system temperature signals are processed to generate the reference pressure limit which is compared to the actual monitored RCS pressure. This comparison provides an actuation signal to an actuation device which, if manually armed, causes the PORV to automatically open if necessary to prevent pressure conditions from exceeding allowable limits. See Figure 7.2-1, Sheets 18 and 19, for the logic diagram showing the basic elements used to process the generating station variables for this low-temperature RCS overpressurization preventive interlock. These two sheets present the logic diagram for the pressurizer pressure relief system for Trains A and B that is part of the safety grade cold shutdown system.
Wide range temperature signals are used as input to generate the reference pressure limit program considering the plant's allowable pressure and temperature limits. This reference pressure is then compared to the actual RCS pressure monitored by the wide range pressure channel. The error signals derived from the difference between the reference pressure and the measured pressure first annunciates a main board alarm whenever the measured pressure approaches, within a predetermined amount, the reference pressure. On a further increase in measured pressure, the error signal generates an annunciated actuation signal channel, the train independence between protection sets and between Trains A and B is maintained from sensors to PORVs.
Upon receipt of the actuation signal, the actuation device automatically causes the PORV to open.
Upon sufficient RCS inventory letdown, the operating RCS pressure decreases, clearing the actuation signal. Removal of this signal from the actuation device causes the PORV to close.
8.2    Analysis of Interlock
The logic functions and actuation signals shown on Figure 7.2-1, Sheets 18 and 19, are implemented in NSSS protection equipment. For the criteria for which the protection system was designed, and which apply equally well to the interlocks, which are part of this protection system, see Sections 7.2 and 7.3. The primary purpose of these interlocks is automatic transient mitigation. These interlocks do not perform a primary protective function, but rather provide automatic overpressure protection at low temperature as backup to operator action. However, to ensure a well engineered design and improved operability, the instrumentation and control portions of the interlocks for RCS pressure control during low temperature operation will satisfy applicable sections of US NRC Branch Technical Position RSB 5-2 that addresses
: 1.      For the purpose of applying IEEE Standard 279-1971 to this circuit, the following definitions will be used:
: a.      Safety Grade System The block valve and the power operated relief valve (PORV) in series in each of the redundant lines and all components of the interlocks for RCS pressure control during low temperature operation. The I&C equipment for one redundant line is defined as the Train A system; the I&C equipment for the other redundant line is defined as the Train B system.
: b.      Protective Action The automatic control of RCS pressure during low-temperature operation to prevent the actual pressure from exceeding the calculated reference pressure limit. This protective action can be satisfied by either train of the redundant system, the Train A system or the Train B system.
: 2.      IEEE Standard 279-1971, Paragraph 4.2 Any single random failure within the Train A system or the Train B system will not prevent protective action at the system level when required.
: 3.      (Deleted)
: 4.      IEEE Standard 279-1971, Paragraph 4.12 The protection action is manually blocked by operator action of the MCB ARM/BLOCK switch which places it in the BLOCK position when the plant is at temperatures greater than the range of concern for RCS low temperature operation.
The annunciator initiated by the low temperature auctioneered circuit will alarm to warn the operator that the ARM/BLOCK switch should be placed in the ARM position. Whether or not the system should be armed and actually is not armed will be indicated to the operator when this annunciator is initiated and the switch is positioned to the maintained BLOCK position. In addition, if the system is armed and the PORV block valve is not fully open, this condition is also annunciated.
8.3    Pressurizer Pressure Relief System
The pressurizer low pressure interlocks shown on Figure 7.2-1, Sheet 6, together with pressurizer pressure control shown on Figure 7.2-1, Sheet 11, and the interlocks for the pressurizer block valves, 8000 A and B, shown on Figure 7.2-1, Sheets 18 and 19, are referred to as the pressurizer pressure relief system.
: 1.      Capability for RCS overpressure mitigation during cold shutdown, heatup, and cooldown operations to minimize the potential for impairing reactor vessel integrity when operating at or near the vessel ductility limits
: 2.      Capability for RCS depressurization following Condition II, III, and IV events and for safety grade cold shutdown
: 3.      An interlock that, with the RCS cold overpressure protection system armed and the PORV block valves in auto control, opens the PORV block valves
: 4.      A safety related pressure relief function which opens the pressurizer PORVs when two out of four protection channels sense high pressurizer pressure. To avoid spurious PORV opening, the actuation bistables are energized to open the PORVs.
Coincidence logic and PORV actuation is performed by the Solid State Protection System (SSPS). One PORV is controlled by the A train of SSPS while the other PORV is controlled by the B train. The PORVs close after pressurizer pressure has been reduced by a predetermined value. Refer to FSAR Figure 7.2-1 sheets 6, 18 and 19 for additional details.
Interlocks from the PPR system control the opening and closing of the pressurizer PORVs and the PORV block valves. These interlocks provide the following functions:
: 1.      Pressurizer pressure control
: 2.      RCS pressure control during low-temperature operation
: 3.      RCS pressure control to achieve and maintain safety grade cold shutdown and to heat up using equipment that is required for safety
The interlock functions that provide pressurizer pressure control are derived from process parameters as shown on Figure 7.2-1, Sheets 6, 11, 18, and 19. The functions shown on Figure 7.2-1, Sheets 18 and 19, include those needed for the PORV block valves as well as the pressurizer PORVs to meet both interlock logic and manual operation requirements where manual operation can be either at the main control board or on the local shutdown panel.
9    HEAT TRACING OF SAFETY-RELATED SYSTEMS
Safety-related systems requiring heat tracing are heated by circuits powered from two independent control panels, 3HTS-PNLF1 and 3HTS-PNLF2. The transformers for each panel are powered by the purple and orange safety trains, respectively. The power from the panels is safety grade. The safety grade power is protected from the nonsafety service by the transformers which are safety grade isolation transformers or isolated by two Class 1E breakers in series.
 
erated low ambient temperature signals. A temperature sensor on the piping provides an alarm at the primary panel, 3HTS-PNLF1, if it senses a temperature below its setpoint. This also causes an alarm to sound on the main control board identifying trouble at the primary panel. Should the temperature of the piping continue to drop, a second temperature sensor on the piping provides an alarm at the secondary panel, 3HTS-PNLF2, which in turn, provides an additional alarm on the main control board.
10 SHUTDOWN MARGIN MONITOR
10.1 Description
The safety related shutdown margin monitor is an instrument that measures the count rate from neutron monitoring instruments and identifies any statistically significant increase that would indicate a loss of reactor shutdown margin.
The monitor's input signal is obtained as a pulse output from the existing neutron-flux monitoring system. This design minimizes unwanted background counts from electromagnetic pickup or from alpha, beta, or gamma flux at the detector.
The shutdown monitors have been designed with bipolar discrete components and complementary metal oxide semiconductor (CMOS) microprocessors and integrated circuitry for high reliability and long life.
The shutdown margin monitors are designed with 20 memory registers that are updated every 30 counts (detected neutrons) or once a second, whichever is longer. These registers are used to provide an average count rate over a period of time in an effort to reduce noise spikes and unnecessary alarms. This averaging process causes a time delay in the instrument's response while monitoring the reactor core at very low count rates, such as following long shutdowns or refueling operations. The time delay of the monitor increases as the instrument's count rate decreases. Minimum count rates for operability have been established and proceduralized to account for this time delay.
The shutdown margin monitor will alarm when the monitored count rate increases above the baseline count rate by a pre-set factor (Alarm Ratio). The Alarm Ratio can range from 1.25 to times the baseline count rate. The monitor continually lowers its baseline count rate as the count decays with time. This renormalization is required to properly monitor the core for statistically significant neutron flux increases.
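The register averaging, alarm ratio and downward renormalization described above can be modelled to show why the response delay grows at low count rates. This is an added example, not the plant's or the instrument vendor's implementation; it assumes the average is the plain mean of the 20 registers, the baseline is the lowest average seen so far, pulses arrive evenly spaced, and an Alarm Ratio of 1.5 with a 2.5x step in count rate (all constructed values).

```python
from collections import deque


class ShutdownMarginMonitor:
    """Toy model of the count-rate monitor described in Section 10.1.

    From the text: 20 registers, each refreshed every 30 counts or once a
    second, whichever is longer; alarm when the averaged rate exceeds the
    baseline by the Alarm Ratio; the baseline is lowered as the rate decays.
    Assumptions of this sketch: the average is the plain mean of the
    registers and the baseline is the lowest average seen so far.
    """

    def __init__(self, alarm_ratio=1.5, n_registers=20,
                 min_counts=30, min_seconds=1.0):
        self.alarm_ratio = alarm_ratio
        self.min_counts = min_counts
        self.min_seconds = min_seconds
        self.registers = deque(maxlen=n_registers)
        self.baseline = None
        self.alarm = False
        self._counts = 0
        self._window_start = 0.0

    def pulse(self, t):
        """Record one detected neutron at time t (seconds)."""
        self._counts += 1
        elapsed = t - self._window_start
        # A register closes only when BOTH limits are met, i.e. after
        # 30 counts or one second, whichever takes longer.
        if self._counts >= self.min_counts and elapsed >= self.min_seconds:
            self.registers.append(self._counts / elapsed)
            self._counts = 0
            self._window_start = t
            self._evaluate()
        return self.alarm

    def _evaluate(self):
        if len(self.registers) < self.registers.maxlen:
            return  # not enough history to average yet
        average = sum(self.registers) / len(self.registers)
        # Renormalization: the baseline follows a decaying rate downward
        # but is never raised by an increasing one.
        if self.baseline is None or average < self.baseline:
            self.baseline = average
        if average >= self.alarm_ratio * self.baseline:
            self.alarm = True


def feed(monitor, t, cps, n_pulses):
    """Feed n evenly spaced pulses at `cps` counts/s; return the end time."""
    for _ in range(n_pulses):
        t += 1.0 / cps
        monitor.pulse(t)
    return t


def detection_delay(base_cps, step_factor, alarm_ratio=1.5,
                    max_seconds=36000.0):
    """Seconds from a step increase in count rate until the alarm latches."""
    monitor = ShutdownMarginMonitor(alarm_ratio)
    t = 0.0
    # Fill all registers at the steady shutdown count rate first.
    while len(monitor.registers) < monitor.registers.maxlen:
        t = feed(monitor, t, base_cps, 1)
    t_step = t
    while not monitor.alarm and t - t_step < max_seconds:
        t = feed(monitor, t, base_cps * step_factor, 1)
    return t - t_step if monitor.alarm else None


if __name__ == "__main__":
    for cps in (0.5, 5.0, 100.0):
        print(f"{cps:6.1f} cps baseline -> alarm after "
              f"{detection_delay(cps, 2.5):6.1f} s")
```

With these constructed inputs the same relative increase takes minutes to alarm at 0.5 counts per second and only seconds at 100 counts per second, which is the reason the text ties operability to a minimum count rate.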
10.2 Function
The shutdown margin monitors provide the reactor operator adequate warning if an unintentional loss of shutdown margin occurs. The monitors monitor the count rate from the existing neutron at the reactor core for a statistically significant increase. The monitor will alarm once the monitored count rate has increased by a factor of 1.25 to 4, depending on the instrument's
 
Requirements Manual (TRM). The setpoint ensures that the operator will be provided with at least minutes response time to mitigate the boron dilution event.
Section 15.4.6 of the FSAR describes the event of a possible unplanned moderation dilution that could result in an unwanted increase in reactivity and a decrease in shutdown margin. Such an event could be detected by measuring the boron concentration in the moderator. However, the shutdown margin is monitored directly by measuring the neutron flux at the reactor core. The operator will be alerted to any reduction in shutdown margin whether from an unplanned boron dilution or from another cause.
An increase in reactivity or decrease in shutdown margin due to boron dilution event results in an increase in neutron flux in the reactor core due to an increase in subcritical multiplication. By monitoring the neutron flux at the reactor core during a shutdown, a loss of shutdown will be identified. The shutdown margin monitors are required to be operable in MODES 3, 4 and 5. With both monitors inoperable, mode changes are allowed up to MODE 3 as long as the action statement in the technical specification is completed.
11 REFERENCES FOR SECTION 7.6
1 IEEE Standard 279-1971. IEEE Standard: Criteria for Protection System for Nuclear Power Generating Stations. The Institute of Electrical and Electronic Engineers, Inc.
2 IEEE Standard 338-1971. IEEE Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection System. The Institute of Electrical and Electronic Engineers, Inc.
 
FIGURE 7.6-1 LOGIC DIAGRAM FOR RHS ISOLATION VALVES
There are two normally closed motor-operated series isolation valves in each of the two RHS pump suction lines from the RCS hot legs. The electrical interlock features provided for isolation valves (8701B and 8702B) are similar to those provided for isolation valves (8701A and 8702A).
Each valve is interlocked against opening unless the following conditions are met:
: 1. The RCS pressure, as measured by appropriate wide range pressure channels, is less than 412.5 psia. This assures the RHS system cannot be overpressurized by aligning it to the RCS when RCS pressure plus RHS pump head would exceed the RHS system design pressure.
It should be noted that when controlling valve 8701A from the ASP, the RCS low pressure interlock is not available. This design feature allows one train of RHR cooling when the control room is inaccessible.
: 2. The corresponding RHS pump/RWST suction isolation valve is closed. This assures positive isolation of the RWST and RHS/RWST suction piping before initiating a normal cooldown.
: 3. The corresponding recirculation line to the CHG/HHSI pumps isolation valve is closed.
This assures the suction of the HHSI and/or CHG pumps cannot be overpressurized by normal cooldown flow via an open recirculation line isolation valve.
: 4. "Closed" indication is present from both of the recirculation pump discharge isolation valves. (Note: Redundancy is provided by the check valves at the recirculation pump discharge.)
Each valve is also alarmed when open and RCS pressure is greater than 440 psig. When the plant is in Mode 1, 2, or 3, the operator is required to close all three suction valves. This assures that each of the interlocked valves in the pump suction line will be closed during a plant startup prior to reaching operating conditions, should one valve have been inadvertently left open by operator omission. These valves may be shut at any time that plant conditions warrant closure of the valves. When the plant is in Mode 4, 5, or 6, and the RCS pressure increases to 750 psig, the operator is required to close the motor-operated valve closest to the RHS pump.
The wide range RCS pressure interlock on the first set of isolation valves is independent and diverse from that provided to the second set of isolation valves. This is specifically required to meet NRC criteria which are applicable to the RHS system design.
 
FIGURE 7.6-2 FUNCTIONAL BLOCK DIAGRAM OF ACCUMULATOR ISOLATION VALVES
FIGURE 7.6-3 AUTOMATIC RHS AND QSS PUMP SHUTOFF (SHEET 1)
FIGURE 7.6-3 AUTOMATIC RHS AND QSS PUMP SHUTOFF (SHEET 2)
FIGURE 7.6-4 REACTOR COOLANT SYSTEM LOOP WITH LOOP STOP VALVES
CONTROL SYSTEMS NOT REQUIRED FOR SAFETY
The general design objectives of the plant control systems are:
: 1.      To establish and maintain power equilibrium between primary and secondary system during steady state operation
: 2.      To constrain operational transients so as to preclude unit trip and re-establish steady state unit operation
: 3.      To provide the reactor operator with monitoring instrumentation that indicates all required input and output control parameters of the systems and provides the operator the capability of assuming manual control of the system
1  DESCRIPTION
The plant control systems described in this section perform the following functions:
: 1.      Reactor Control System
: a.      Enables the nuclear plant to accept a step load decrease of 10 percent and a ramp decrease of 5 percent per minute within the load range of 15 percent to 100 percent without reactor trip, steam dump, or pressurizer relief actuation, subject to possible xenon limitations. The reactor control system will not withdraw control rods for step and ramp load increases. The operators will take the appropriate actions in response to alarms and maintain control of the plant.
: b.      Maintains reactor coolant average temperature Tavg within prescribed limits by creating the bank demand signals for moving groups of full length rod cluster control assemblies during normal operation and operational transients. The Tavg control also supplies a signal to pressurizer water level control and steam dump control.
: 2.      Rod Control System Provides for reactor power modulation by manual and automatic control of full length control rod banks in a preselected sequence and for manual operation of individual banks.
: 3.      Systems for Monitoring and Indicating
: a.      Provide alarms to alert the operator if the required core reactivity shutdown margin is not available, due to excessive control rod insertion.
: c.      Provide alarms to alert the operator in the event of control rod deviation exceeding a preset limit.
: 4. Plant Control System Interlocks
: a.      Prevent further withdrawal of the control banks when signal limits are approached that predict the approach of a DNBR limit or kW/ft limit.
: b.      Inhibit automatic turbine load change as required by the nuclear steam supply system.
: 5. Pressurizer Pressure Control Maintains or restores the pressurizer pressure to a value which is well within reactor trip and relief and safety valve actuation setpoint limits following normal operational transients that induce pressure changes by control (manual or automatic) of the pressurizer heaters and spray valves.
: 6. Pressurizer Water Level Control Establishes, maintains, and restores pressurizer water level within specified limits as a function of the average coolant temperature. Changes in level are caused by coolant density changes induced by loading, operational, and unloading transients.
Level changes are produced by means of charging flow control (manual or automatic) as well as by manual selection of letdown orifices. Maintaining coolant level in the pressurizer within prescribed limits by actuating the charging and letdown system thus provides control of the reactor coolant water inventory.
: 7. Steam Generator Water Level Control
: a.      Establishes and maintains the steam generator water level to within predetermined physical limits during normal operating transients.
: b.      The steam generator water level control system also restores the steam generator water level to within predetermined limits at unit trip conditions.
It regulates the feedwater flow rate such that under operational transients the heat sink for the reactor coolant system does not decrease below a minimum. Steam generator water inventory control is manual or automatic through the use of feedwater control valves.
: 8. Steam Dump Control
: a.      Permits the nuclear plant to accept a sudden loss of load without incurring reactor trip. Steam is dumped to the condenser and/or the atmosphere as
: b.      Ensures that stored energy and residual heat are removed following a reactor trip to bring the plant to equilibrium no load conditions without actuation of the steam generator safety valves.
: c.      Maintains the plant at no load conditions and permits a manually controlled cooldown of the plant.
: 9.      Incore Instrumentation Provides information on the neutron flux distribution and on the core outlet temperatures at selected core locations.
1.1    Reactor Control System
The reactor control system enables the nuclear plant to follow load decreases automatically including the acceptance of step load decreases of 10 percent and ramp decreases of 5 percent per minute within the load range of 15 percent to 100 percent without reactor trip, steam dump, or pressure relief (subject to possible xenon limitations). The system is also capable of restoring coolant average temperature to within the programmed temperature deadband following a change in load. Manual control rod operation is required for response to load increases and may be performed at any time.
The reactor control system controls the reactor coolant average temperature by regulation of control rod bank position. The reactor coolant loop average temperatures are determined from hot and cold leg measurements in each reactor coolant loop. There is an average coolant temperature (Tavg) computed for each loop, where:
Tavg = (Thot + Tcold)/2                                                  (7.7-1)
The error between the programmed reference temperature (based on turbine impulse chamber pressure) and the highest of the Tavg measured temperatures (which is processed through a lead-lag compensation unit) from each of the reactor coolant loops constitutes the primary control signal as shown in general on Figure 7.7-1 and in more detail on the functional diagrams shown on Figure 7.2-1, Sheet 9. The system is capable of restoring coolant average temperature to the programmed value following a decrease in load. The programmed coolant temperature increases linearly with turbine load from zero power to the full power condition. The Tavg also supplies a signal to pressurizer level control and steam dump control and rod insertion limit monitoring.
The temperature channels needed to derive the temperature input signals for the reactor control system are fed from protection channels via isolation amplifiers.
 
reducing transient peaks.
The core axial power distribution is controlled during load follow maneuvers by changing (a manual operator action) the boron concentration in the reactor coolant system. The control board displays (Section 7.7.1.3.1) indicate the need for an adjustment in the axial power distribution.
Adding boron to the reactor coolant will reduce Tavg and require the rods to be moved toward the top of the core. This action will reduce power peaks in the bottom of the core. Likewise, removing boron from the reactor coolant will move the rods further into the core to control power peaks in the top of the core.
1.2    Rod Control System
1.2.1    Full Length Rod Control System
The full length rod control system, when operating in automatic, receives rod speed and direction signals to move into the core from the Tavg control system. The rod speed demand signal varies over the corresponding range of 5 to 45 inches per minute (8 to 72 steps/minute) depending on the magnitude of the input signal. Manual control is provided to move a control bank in or out at a prescribed fixed speed.
When the operator selects the AUTOMATIC mode, rod motion is then controlled by the reactor control systems. In the AUTOMATIC mode, the rods are inserted in a predetermined programmed sequence with the control interlocks listed in Table 7.7-1. Rod withdrawal is manually controlled by the operator.
The shutdown banks are always in the fully withdrawn position during normal operation and are moved to this position at a constant speed by manual control prior to criticality. A reactor trip signal causes them to fall by gravity into the core. There are 5 shutdown banks.
The control banks are the only rods that can be manipulated under automatic control. Each control bank is divided into two groups to obtain smaller incremental reactivity changes per step.
The rod cluster control assemblies in a group are electrically paralleled to move simultaneously.
There is individual position indication for each rod cluster control assembly.
Power to rod drive mechanisms is supplied by two motor generator sets operating from two separate 480V, three-phase buses. Each generator is the synchronous type and is driven by a 200 induction motor. The AC power is distributed to the rod control power cabinets through the series connected reactor trip breakers.
The Rod Control System can insert small amounts of reactivity to accomplish fine control of reactor coolant average temperature about a small temperature deadband. A summary of the rod cluster control assembly sequencing characteristics is given below:
: 2.      The control banks are programmed such that withdrawal of the banks is sequenced in the following order; control bank A, control bank B, control bank C, and control bank D. The programmed insertion sequence is the opposite of the withdrawal sequence, i.e., the last control bank withdrawn (bank D) is the first control bank inserted.
: 3.      The control bank withdrawals are programmed such that when the first bank reaches a preset position, the second bank begins to move out simultaneously with the first bank which continues to move toward its fully withdrawn position. When the second bank reaches a preset position, the third bank begins to move out, and so on. This withdrawal sequence continues until the unit reaches the desired power level. The control bank insertion sequence is the opposite.
: 4.      Overlap between successive control banks is adjustable between 0 to 50 percent (0 and 115 steps), with an accuracy of 1 step.
: 5.      Rod speeds for either the shutdown banks or manual operation of the control banks are capable of being controlled between a minimum of 6 steps per minute and a maximum of 68 steps per minute.
1.3    Plant Control Signals for Monitoring and Indicating
1.3.1    Monitoring Functions Provided by the Nuclear Instrumentation System
The power range channels are important because of their use in monitoring power distribution in the core within specified safe limits. They are used to measure power level, axial flux imbalance, and radial flux imbalance. These channels are capable of recording overpower excursions up to percent of full power. Suitable alarms are derived from these signals as described below.
Basic power range signals are:
: 1.      Total current from a power range detector (four such signals from separate detectors); these detectors are vertical and have a total active length of 10 feet
: 2.      Current from the upper half of each power range detector (four signals)
: 3.      Current from the lower half of each power range detector (four signals)
Derived from these basic signals are the following (including standard signal processing for calibration):
: 1.      Indicated nuclear power (four signals)
 
Alarm functions derived are as follows:
: 1.      Deviation (maximum minus minimum of four power range input signals) in indicated nuclear power
: 2.      Upper radial tilt (maximum to average of four power range input signals) on upper-half detector currents
: 3.      Lower radial tilt (maximum to average of four power range input signals) on lower-half detector currents
Provision is made to continuously record on strip charts on the control board the 8 ion chamber signals, i.e. upper and lower currents for each detector. Nuclear power and axial unbalance is selectable for recording as well. Indicators are provided on the control board for nuclear power and for axial flux imbalance.
The plant computer monitors the excore detectors and actuates an alarm when the calculated Axial Flux Difference (AFD) exceeds the specified limits. The indicated AFD will be monitored and logged in accordance with the Technical Specifications when the AFD alarm is inoperable.
Additional background information on the Nuclear Instrumentation System can be found in AP-8255.
1.3.2    Rod Position Monitoring of Full Length Rods
Two separate systems are provided to sense and display control rod position as described below:
: 1.      Digital Rod Position Indication System The digital rod position indication system measures the actual position of each full length rod using a detector which consists of discrete coils mounted concentrically with the rod drive pressure housing. The coils are located axially along the pressure housing and magnetically sense the entry and presence of the rod drive shaft through its centerline. For each detector, the coils are interlaced into two data channels, and are connected to the containment electronics (Data A and B) by separate multi-conductor cables. By employing two separate channels of information, the digital rod position indication system can continue to function when one channel fails. Multiplexing is then used to transmit the digital position signals from the containment electronics to the control board display unit.
The control board display unit contains a column of light emitting diodes (LEDs) for each rod. At any given time, the one LED illuminated in each column shows the position for that particular rod. Since shutdown rods are always fully
 
228 steps. Note for 3C20 and 3C21: Rod H12 indication is displayed every 6 steps from 210-222 steps. All intermediate positions of the rod are represented by a single transition LED. Each rod of the control banks has its position displayed every 6 steps with 4 step accuracy throughout its range of travel.
Included in the system is a rod at bottom signal for each rod that operates a rod bottom light. Also a control room annunciator is actuated when any shutdown rod or control bank rod is at bottom.
: 2.      Demand Position System - The demand position system counts pulses generated in the rod drive control system to provide a digital readout of the demanded group position.
The demand position and digital rod position indication systems are separate systems, but safety criteria were not involved in the separation, which was a result only of operational requirements.
Operating procedures require the reactor operator to compare the demand and indicated (actual) readings from the rod position indication system so as to verify operation of the rod control system.
1.3.3    Control Bank Rod Insertion Monitoring
When the reactor is critical, the normal indication of reactivity status in the core is the position of the control bank in relation to reactor power (as indicated by the reactor coolant system loop ΔT) and coolant average temperature. These parameters are used to calculate insertion limits for the control banks. Two alarms are provided for each control bank.
: 1.      The low alarm alerts the operator of an approach to the rod insertion limits requiring boron addition by following normal procedures with the chemical and volume control system.
: 2.      The low-low alarm alerts the operator to take immediate action to add boron to the reactor coolant system by any one of several alternate methods.
The purpose of the control bank rod insertion monitor is to give warning to the operator of excessive rod insertion. The insertion limit maintains sufficient core reactivity shutdown margin following reactor trip and provides a limit on the maximum inserted rod worth in the unlikely event of a hypothetical rod ejection, and limits rod insertion such that acceptable nuclear peaking factors are maintained. Since the amount of shutdown reactivity required for the design shutdown margin following a reactor trip increases with increasing power, the allowable rod insertion limits must be decreased (the rods must be withdrawn further) with increasing power. Two parameters which are proportional to power are used as inputs to the insertion monitor. These are the ΔT between the hot leg and the cold leg, which is a direct function of reactor power, and Tavg, which is programmed as a function of power. The rod insertion monitor uses parameters for each control bank as follows:
 
re:
ZLL = Maximum permissible insertion limit for a control bank (T)auct = Highest T of all loops (Tavg)auct = Highest Tavg of all loops A, B, C = Constants chosen to maintain ZLL  actual limit based on physics calculations control rod bank demand position (Z) is compared to Z as follows:
If Z - ZLL  D a low alarm is actuated If Z - ZLL  E a low-low alarm is actuated ce the highest values of Tavg and T are chosen by auctioneering, a conservatively high esentation of power is used in the insertion limit calculation.
ZLL has an adjustable upper limit on insertion which is set to a value low enough to prevent nuisance alarms. When ZLL for a given control rod bank is limited, the low and low-low alarms will also be limited, possibly to a value below the insertion limit. However, ZLL is set high enough that the lead control bank and alarm will never be limited.
Actuation of the low alarm alerts the operator of an approach to a reduced shutdown reactivity situation. Administrative procedures require the operator to add boron through the chemical and volume control system. Actuation of the low-low alarm requires the operator to initiate boration procedures as required by Technical Specifications. The value for E is chosen such that the low-low alarm would normally (if not limited) be actuated before the insertion limit is reached.
The value for D is chosen to allow the operator to start boration procedures early, prior to reaching the E limit. Figure 7.7-2 shows a block diagram representation of the control rod bank insertion monitor. The monitor is shown in more detail on the functional diagrams shown on Figure 7.2-1, Sheet 9. In addition to the rod insertion monitor for the control banks, the plant computer, which monitors individual rod positions, provides an alarm that is associated with the rod deviation alarm discussed in Section 7.7.1.3.4. This warns the operator if any shutdown rod cluster control assembly leaves the fully withdrawn position.
Rod insertion limits are established by:
: 1.      Establishing the allowed rod reactivity insertion at full power consistent with the purposes given above
: 2.      Establishing the differential reactivity worth of the control rods when moved in normal sequence
: 4.      Linearizing the resultant limit curve; all key nuclear parameters in this procedure are measured as part of the initial and periodic physics testing program
Any unexpected change in the position of the control bank under automatic control, or a change in coolant temperature under manual control, provides a direct and immediate indication of a change in the reactivity status of the reactor. In addition, samples are taken periodically of coolant boron concentration. Variations in concentration during core life provide an additional check on the reactivity status of the reactor, including core depletion.
1.3.4      Rod Deviation Alarm
A rod deviation function is performed as part of the digital rod position indication system where an alarm is generated if a preset limit is exceeded as a result of a comparison of any control rod against the other rods in a bank. The deviation alarm of a shutdown rod is based on a preset insertion limit being exceeded.
The demanded and measured rod position signals are also monitored by the plant computer which provides a visual printout and an audible alarm whenever an individual rod position signal deviates from the other rods in the bank or from the demand position by a preset limit. The alarm can be set with appropriate allowance for instrument error and within sufficiently narrow limits to preclude exceeding core design hot channel factors.
Figure 7.7-3 is a block diagram of the rod deviation comparator and alarm system implemented in the plant computer. Additionally, the DRPI system contains rod deviation circuitry that detects and alarms the following conditions:
: 1.      When any 2 rods within the same control bank are misaligned by a preset distance (12 steps) or
: 2.      When any shutdown rod is below the full-out position by a preset distance (18 steps)
1.3.5      Rod Bottom Alarm
A rod bottom signal for the full length rods in the digital rod position system is used to operate control relays, which generate the rod bottom alarms.
1.4      Plant Control System Interlocks
The listing of the plant control system interlocks, along with the description of their derivations and functions, is presented in Table 7.7-1. It is noted that the designation numbers for these interlocks are preceded by C. The development of these logic functions is shown in the functional diagrams (Figure 7.2-1, Sheets 4, 5, 7, 9, 10 and 16).
 
Rod stops are provided to prevent abnormal power conditions which could result from excessive control rod withdrawal initiated by operator violation of administrative procedures.
Rod stops are the C1, C2, C3, and C4 control interlocks identified in Table 7.7-1. The C3 rod stop, derived from overtemperature ΔT, and the C4 rod stop, derived from overpower ΔT, are also used for turbine runback, which is discussed below.
1.4.2    Automatic Turbine Load Runback
Automatic turbine load runback is initiated by an approach to an overpower or overtemperature condition. This will prevent high power operation that might lead to an undesirable condition, which, if reached, will be protected by reactor trip.
Turbine load reference reduction is initiated by either an overtemperature or overpower ΔT signal. Two out of four coincidence logic is used.
Rod stop and turbine runback are initiated when
ΔT  ΔT rod stop                                                        (7.7-3)
for both the overtemperature and the overpower condition. For either condition in general
ΔT rod stop = ΔT setpoint - BP                                            (7.7-4)
where:
BP = a setpoint bias
where ΔT setpoint refers to the overtemperature ΔT reactor trip value and the overpower ΔT reactor trip value for the two conditions. The turbine runback is continued until ΔT is equal to or less than ΔT rod stop. This function maintains an essentially constant margin to trip.
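The rod stop and runback logic described above, as an added example that is not part of the report or of any plant software: it applies equation (7.7-4) per channel, votes two out of four, and holds the runback until ΔT is equal to or less than ΔT rod stop. The trip values, the bias, the units (percent of full-power ΔT), the strict ">" used for initiation and all names are assumptions of this sketch.

```python
"""Added example: C3/C4 rod stop and turbine runback voting (constructed values)."""
from dataclasses import dataclass

CHANNELS = 4      # the report states two-out-of-four coincidence logic
COINCIDENCE = 2


@dataclass(frozen=True)
class Channel:
    """One ΔT channel. Units (percent of full-power ΔT) are an assumption."""
    delta_t: float   # measured ΔT
    ot_trip: float   # overtemperature ΔT reactor trip value
    op_trip: float   # overpower ΔT reactor trip value


def rod_stop(trip_setpoint: float, bias: float) -> float:
    """Equation (7.7-4): ΔT rod stop = ΔT setpoint - BP."""
    if bias < 0:
        raise ValueError("BP must not be negative: rod stop would sit above the trip value")
    return trip_setpoint - bias


def two_of_four(votes: list) -> bool:
    """Coincidence vote; refuses to decide on a wrong channel count."""
    if len(votes) != CHANNELS:
        raise ValueError("expected exactly four channel votes")
    return sum(bool(v) for v in votes) >= COINCIDENCE


def evaluate(channels: list, bias: float) -> dict:
    """C3 (overtemperature) and C4 (overpower) status for one snapshot.

    A channel votes while its ΔT is above its rod stop value, so the vote
    drops out once ΔT is equal to or less than ΔT rod stop, as the report
    describes for the end of the runback.
    """
    c3 = two_of_four([ch.delta_t > rod_stop(ch.ot_trip, bias) for ch in channels])
    c4 = two_of_four([ch.delta_t > rod_stop(ch.op_trip, bias) for ch in channels])
    return {"C3": c3, "C4": c4, "runback": c3 or c4}


def run_transient(snapshots: list, bias: float) -> list:
    """Evaluate each snapshot and record the smallest margin to either trip value."""
    history = []
    for channels in snapshots:
        state = evaluate(channels, bias)
        state["margin"] = min(
            min(ch.ot_trip - ch.delta_t, ch.op_trip - ch.delta_t) for ch in channels
        )
        history.append(state)
    return history


# Constructed sample data: trip values 120 (overtemperature) and 108 (overpower),
# bias 3, giving rod stop values of 117 and 105.
BIAS = 3.0


def snapshot(delta_ts: list) -> list:
    return [Channel(dt, ot_trip=120.0, op_trip=108.0) for dt in delta_ts]


SAMPLES = [
    snapshot([100.0, 100.0, 100.0, 100.0]),  # normal operation
    snapshot([106.0, 104.0, 104.0, 104.0]),  # one channel above C4 rod stop: no action
    snapshot([106.0, 106.0, 104.0, 104.0]),  # two channels above: rod stop and runback
    snapshot([105.0, 105.0, 104.0, 104.0]),  # ΔT equal to rod stop: runback ends
]

if __name__ == "__main__":
    for step, state in enumerate(run_transient(SAMPLES, BIAS)):
        print(step, state)
```

When the runback clears in the last snapshot, the remaining margin to the overpower trip value equals the bias, which is the constant margin to trip the text refers to.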
1.4.3    Turbine Loading Stop
An interlock (C-16) is provided to limit turbine loading during a rapid return to power transient when a reduction in reactor coolant temperature is used to increase reactor power (through the negative moderator coefficient). This interlock limits the drop in coolant temperature within cooldown accident limits and preserves satisfactory steam generator operating conditions.
Subsequent manual turbine loading can begin after the interlock has been cleared by an increase in coolant temperature which is accomplished by reducing the boron concentration in the coolant.
 
The reactor coolant system pressure is controlled by using either the heaters (in the water region) or the spray (in the steam region) of the pressurizer. The electrical immersion heaters are located near the bottom of the pressurizer. A portion of the heater group is proportionally controlled to correct small pressure variations. These variations are due to heat losses, including those due to a small continuous spray. The remaining (backup) heaters are turned on when the pressurizer pressure controlled signal demands approximately 100 percent proportional heater power.
The spray nozzles are located on the top of the pressurizer. Spray is initiated when the pressure controller spray demand signal is above a given setpoint. The spray rate increases proportionally with increasing spray demand signal until it reaches a maximum value.
Steam condensed by the spray reduces the pressurizer pressure. A small continuous spray is normally maintained to reduce thermal stresses and thermal shock and to help maintain uniform water chemistry and temperature in the pressurizer.
Spray flow may be increased by energizing one or more backup heaters. This may be done to improve chemical mixing between the RCS loop and the pressurizer or it may be done to force additional outflow from the pressurizer through the surge line to reduce the risk of thermal shock to the surge line nozzle during unexpected transients. Energizing the backup heaters can shift pressure control from the proportionally controlled heaters to the spray.
Note that power-operated relief valves limit system pressure for large positive pressure transients.
In the event of a large load reduction, not exceeding the design plant load rejection capability, the pressurizer power operated relief valves might be actuated for the most adverse conditions, e.g., the most negative Doppler coefficient, and the maximum incremental rod worth. The relief capacity of the power operated relief valves is sized large enough to limit the system pressure to prevent actuation of high pressure reactor trip for the above condition. Power-operated relief valves are actuated by safety related circuitry and are, therefore, not part of the nonsafety related pressurizer pressure control system.
A block diagram of the pressurizer pressure control system is shown on Figure 7.7-4.
1.6    Pressurizer Water Level Control
The pressurizer operates by maintaining a steam cushion over the reactor coolant. As the density of the reactor coolant adjusts to the various temperatures, the steam water interface moves to absorb the variations with relatively small pressure disturbances.
The water inventory in the reactor coolant system is maintained by the chemical and volume control system. During normal plant operation, the charging flow varies to produce the flow demanded by the pressurizer water level controller. The pressurizer water level is programmed as a function of coolant average temperature, with the highest average temperature (auctioneered) being used. The pressurizer water level decreases as the load is reduced from full load. This is a result of coolant contraction following programmed coolant temperature reduction from full
 
To control pressurizer water level during startup and shutdown operations, the charging flow is manually regulated from the main control room. The letdown line isolation valves are closed on low pressurizer level.
A block diagram of the pressurizer water level control system is shown on Figure 7.7-5.
1.7    Steam Generator Water Level Control
Each steam generator is equipped with a three-element feedwater flow controller which maintains a programmed water level which is a function of turbine load. The three-element feedwater controller regulates the feedwater valve by continuously comparing the feedwater flow signal, the water level signal, the programmed level and the pressure compensated steam flow signal. The feedwater pump speed is varied to maintain a programmed pressure differential between the steam header and the feed pump discharge header. The speed controller continuously compares the actual ΔP with a programmed ΔP ref which is a linear function of steam flow. Continued delivery of feedwater to the steam generators is required as a sink for the heat stored and generated in the reactor following a reactor trip and turbine trip. A feedwater isolation signal closes all feedwater valves when the average coolant temperature is below a given temperature and the reactor has tripped. Manual override of the feedwater control system is available at all times.
When the nuclear plant is operating at very low power levels (as during startup), the steam and feedwater flow signals will not be usable for control. Therefore, a secondary automatic control system is provided for operation at low power. This system uses the steam generator water level and nuclear power signals in a feed forward control scheme to position a bypass valve which is in parallel with the main feedwater regulating valve. Switchover from the bypass feedwater control system (low power) to the main feedwater control system is initiated by the operator at approximately 25 percent power.
Block diagrams of the steam generator water level control system and the main feedwater pump speed control system are shown on Figures 7.7-6 and 7.7-7.
1.8    Steam Dump Control
The steam dump system, in conjunction with the rod control system, is designed to accept a 50 percent loss of net load without tripping the reactor (Section 10.4.4).
The automatic steam dump system is able to accommodate this abnormal load rejection and to reduce the effects of the transient imposed upon the reactor coolant system. By bypassing main steam directly to the condenser and/or the atmosphere, an artificial load is thereby maintained on the primary system. The rod control system can then reduce the reactor temperature to a new equilibrium value without causing overtemperature and/or overpressure conditions. The steam
 
If the difference between the reference Tavg (Tref) based on turbine impulse chamber pressure and the lead/lag compensated auctioneered Tavg exceeds a predetermined amount, and the interlock mentioned below is satisfied, a demand signal will actuate the steam dump to maintain the reactor coolant system temperature within control range until a new equilibrium condition is reached.
To prevent actuation of steam dump on small load perturbations, an independent load rejection sensing circuit is provided. This circuit senses the rate of decrease in the turbine load as detected by the turbine impulse chamber pressure. It is provided to unblock the dump valves when the rate of load rejection exceeds a preset value corresponding to a 10 percent step load decrease or a sustained ramp load decrease of 5 percent/minute.
A block diagram of the steam dump control system is shown on Figure 7.7-8.
1.8.1    Load Rejection Steam Dump Controller
This circuit prevents a large increase in reactor coolant temperature following a large, sudden load decrease. The error signal is the difference between the lead/lag compensated auctioneered Tavg and the reference Tavg, which is based on turbine impulse chamber pressure.
The Tavg signal is the same as that used in the reactor coolant system. The lead/lag compensation for the Tavg signal is to compensate for lags in the plant thermal response and in valve positioning.
Following a sudden load decrease, Tref is immediately decreased and Tavg tends to increase, thus generating an immediate demand signal for steam dump. Since control rods are available, in this situation steam dump terminates as the error comes within the maneuvering capability of the control rods.
1.8.2    Plant Trip Steam Dump Controller
Following a reactor trip, the load rejection steam dump controller is defeated and the plant trip steam dump controller becomes active. Since control rods are not available in this situation, the demand signal is the error signal between the lead/lag compensated auctioneered Tavg and the reference Tavg. When the error signal exceeds a predetermined setpoint, the dump valves are tripped open in a prescribed sequence. As the error signal reduces in magnitude, indicating that the reactor coolant system Tavg is being reduced toward the reference no-load value, the dump valves are modulated by the plant trip controller to regulate the rate of removal of decay heat and gradually establish the equilibrium hot shutdown condition.
1.8.3    Steam Header Pressure Controller
Residual heat removal is maintained by the steam generator pressure controller (manually selected) which controls the amount of steam flow to the condensers. This controller operates a
 
1.9    Incore Instrumentation
The incore instrumentation system consists of chromel-alumel thermocouples at fixed core outlet positions and movable miniature neutron detectors which can be positioned to scan selected fuel assemblies, anywhere along the length of the fuel assembly vertical axis. The basic system for insertion of these detectors is shown on Figure 7.7-9.
1.9.1    Thermocouples
Chromel-alumel Type K thermocouples are inserted into guide tubes that penetrate the reactor vessel head through seal assemblies, and terminate at the exit flow end of the fuel assemblies. The thermocouples are provided with two primary seals, a grayloc coupling and swage type seal from conduit to head. Thermocouple readings are monitored by the process computer and the inadequate core cooling monitoring system, which is described in Section 4.4.6.5.
1.9.2    Movable Neutron Flux Detector Drive System
Miniature fission chamber detectors can be remotely positioned in retractable guide thimbles to provide flux mapping of the core. The stainless steel detector shell is welded to the leading end of helical wrap drive cable and to stainless steel sheathed coaxial cable. The retractable thimbles, into which the miniature detectors are driven, are pushed into the reactor core through conduits which extend from the bottom of the reactor vessel down through the concrete shield area and up to a thimble seal table. Their distribution over the core is nearly uniform with about the same number of thimbles located in each quadrant.
The thimbles are closed at the leading ends, are dry inside, and serve as the pressure barrier between the reactor water pressure and the atmosphere. Mechanical seals between the retractable thimbles and the conduits are provided at the seal table. During reactor operation, the retractable thimbles are stationary. They are extracted downward from the core during refueling to avoid interference within the core. A space above the seal table is provided for the retraction operation.
The drive system for the insertion of the miniature detectors consists basically of drive assemblies, six path transfer assemblies, and fifteen path transfer assemblies, as shown on Figure 7.7-9. The drive system pushes hollow helical wrap drive cables into the core with the miniature detectors attached to the leading ends of the cables and small diameter sheathed coaxial cables threaded through the hollow centers back to the ends of the drive cables. Each drive assembly consists of a motor which pushes a helical wrap drive cable and a detector through a selected thimble path by means of a special drive box, and includes a storage reel for the total drive cable length.
Each flux thimble is equipped with a passive magnetic ball check valve. These valves are installed in the non-QA position of the detector drive system between the fifteen path transfer assembly and the high pressure seal. These valves are free to open to allow passage of the incore fission
 
containment entry. Flux thimble plugs are also provided for isolating a thimble in the event that nondestructive examination of the thimbles during a refueling reveals excessive wear. The detector/drive cable will have to be retracted above the seal table prior to installing any plugs.
1.9.3    Control and Readout Description
The control and readout system provides means for inserting the miniature neutron detectors into the reactor core and withdrawing the detectors while providing information on neutron flux versus detector position. The control system consists of two sections; one is physically mounted with the drive units and the other is mounted in the control room. Limit switches in each transfer device provide feedback of path selection operation. Each gear box drives an encoder for position feedback. One six path operation selector is provided for each drive unit to insert the detector in one of six functional modes of operation. A fifteen path transfer assembly is the transfer device that will be used to route a detector into any one of up to fifteen selectable paths. Access to a common path is provided to permit cross calibration of the detectors.
The control room contains the necessary equipment for control, position indication, and flux recording for each detector. Additionally, drive motor controls, core path selection, and system status displays are provided.
A flux-mapping consists briefly of selecting flux thimbles in given fuel assemblies at various quadrant locations. The detectors are driven to the top of the core and stopped automatically. Flux level, as a function of detector position, is to be obtained during the slow withdrawal of the detectors through the core from top to a point below the bottom. In a similar manner other core locations can be selected and plotted. Each detector provides axial flux distribution data along the center of a fuel assembly. Data from detectors in various radial positions are then combined to obtain a flux map of the core.
The thimbles are distributed nearly uniformly over the core with approximately the same number of thimbles in each quadrant. The number and location of these thimbles have been chosen to permit measurement of local to average peaking factors to an accuracy of 5 percent (95 percent confidence). Measured nuclear peaking factors will be increased by 5 percent to allow for this accuracy. If the measured power peaking is larger than acceptable, reduced power capability will be indicated.
Operating plant experience has demonstrated the adequacy of the In-Core Instrumentation in meeting the design bases stated.
2    ANALYSIS
The plant control systems are designed to assure high reliability in any anticipated operational occurrences. Equipment used in these systems is designed and constructed with a high level of reliability.
 
operator of a deviation of one rod cluster control assembly from the other rods in that bank or from the bank demand position. There are also insertion limit monitors with visual and audible annunciation. A rod bottom alarm signal is provided to the control room for each full length rod cluster control assembly. Four excore long ion chambers also detect asymmetrical flux distribution indicative of rod misalignment.
Overall reactivity control is achieved by the combination of soluble boron and rod cluster control assemblies. Long term regulation of core reactivity is accomplished by adjusting the concentration of boric acid in the reactor coolant. Short term reactivity control for power changes is accomplished by the plant control system which automatically moves rod cluster control assemblies for load reductions, and manual operator action for load increases. This system uses input signals including neutron flux, coolant temperature, and turbine load.
The axial core power distribution is controlled by moving the control rods through changes in reactor coolant system boron concentration. Adding boron requires the rods to be moved out, thereby reducing the amount of power in the bottom of the core, allowing power to redistribute toward the top of the core. Reducing the boron concentration causes the rods to move into the core, thereby reducing the power in the top of the core; the result redistributes power towards the bottom of the core.
The transient analysis performed for the plant control systems shows that they will prevent an undesirable condition in the operation of the plant that, if reached, will be protected by reactor trip (see Section 7.7.2.7). The description and analysis of the reactor trip protection is covered in Section 7.7.2.7. Worst case failure modes of the plant control systems are postulated in the analysis of off-design operational transients and accidents covered in Chapter 15, such as the following:
: 1.      Uncontrolled rod cluster control assembly bank withdrawal from a subcritical or low power startup condition
: 2.      Uncontrolled rod cluster control assembly bank withdrawal at power
: 3.      Rod cluster control assembly misalignment
: 4.      Loss of external electrical load and/or turbine trip
: 5.      Loss of non-emergency AC power to the station auxiliaries
: 6.      Excessive heat removal due to feedwater system malfunctions
: 7.      Excessive load increase incident
: 8.      Accidental depressurization of the reactor coolant system
 
produce a DNBR which is not less than the safety analysis limits (see Section 4.4). Thus, there will be no cladding damage and no release of fission products to the reactor coolant system under the assumption of these postulated worst case failure modes of the plant control system.
2.1    Separation of Protection and Control System
In some cases, it is advantageous to employ control signals derived from individual protection channels through isolation amplifiers contained in the protection channel. As such, a failure in the control circuitry does not adversely affect the protection channel. Test results have shown that a short circuit or the application (credible fault voltage from within the cabinets) of 118 VAC or 140 VDC on the isolated output portion of the circuit (non-protection side of the circuit) will not affect the input (protection) side of the circuit.
Where a single random failure can cause a control system action that results in a generating station condition requiring protective action and can also prevent proper action of a protection system channel designed to protect against the condition, the remaining redundant protection channels are capable of providing the protective action even when degraded by a second random failure. This meets the applicable requirements of Section 4.7 of IEEE Standard 279-1971.
The pressurizer pressure channels needed to derive the control signals are electrically isolated from control.
2.2    Response Considerations of Reactivity
Reactor shutdown with control rods is completely independent of the control functions since the trip breakers interrupt power to the full length rod drive mechanisms regardless of existing control signals. The design is such that the system can withstand accidental withdrawal of control groups or unplanned dilution of soluble boron without exceeding acceptable fuel design limits. The design meets the requirements of the 1971 General Design Criteria 25.
No single electrical or mechanical failure in the rod control system can cause the accidental withdrawal of a single rod cluster control assembly from the partially inserted bank at full power operation. The operator can deliberately withdraw a single rod cluster control assembly in the control bank; this feature is necessary in order to retrieve a rod should one be accidentally dropped. In the event of withdrawal of a single rod cluster control assembly by operator action, whether deliberate or by a combination of errors, rod deviation will be displayed on the plant annunciator, and the individual rod position readouts will indicate the relative positions of the rods in the bank.
Each bank of control and shutdown rods in the system is divided into two groups (groups 1 and 2) of up to 5 mechanisms each. The rods comprising a group operate in parallel through multiplexing thyristors. The two groups in a bank move sequentially such that the first group is always within one step of the second group in the bank. The group 1 and group 2 power circuits are installed in different cabinets as shown on Figure 7.7-14, which also shows that one group is always within
 
cluster control assembly attached to the mechanism as shown in Figure 7.7-15. Since the four stationary gripper, moveable gripper, and lift coils associated with the rod cluster control assemblies of these rod groups are driven in parallel, any single failure which could cause rod withdrawal would affect a minimum of one group of rod cluster control assemblies. Mechanical failures are in the direction of insertion, or immobility.
Figure 7.7-15 is provided for a discussion of design features that assure that no single electrical failure could cause the accidental withdrawal of a single rod cluster control assembly from the partially inserted bank at full power operation.
Figure 7.7-15 shows the typical parallel connections on the lift, movable and stationary coils for a group of rods. Since single failures in the stationary or movable circuits will result in dropping or preventing rod (or rods) motion, the discussion of single failure will be addressed to the lift coil circuits. (1) Due to the method of wiring, the gate firing transformers which fire the lift coil multiplex thyristors, three of the four thyristors in a rod group could remain turned off when required to fire if, for example, the 120 VAC supply failed open at point X1. Upon up demand, one rod in group 1 and 4 rods in group 2 would withdraw. A second failure at point X2 in the group 2 circuit is required to withdraw one rod cluster control assembly; (2) Timing circuit failures will affect the four mechanisms of a group or the eight mechanisms of the bank and will not cause a single rod withdrawal; (3) More than two simultaneous component failures are required (other than the open wire failures) to allow withdrawal of a single rod.
The identified multiple failure involving the least number of components consists of open circuit failure of the proper two out of sixteen wires connected to the gate of the lift coil thyristors. The probability of open wire (or terminal) failure is 0.016 x 10^-6 per hour by MIL-HDB-217A. These wire failures would have to be accompanied by failure, or disregard, of the indications mentioned above. The probability of this occurrence is, therefore, too low to have any significance.
Concerning the human element, to erroneously withdraw a single rod cluster control assembly, the operator would have to improperly set the bank selector switch, the lift coil disconnect switches, and the in hold out switch. In addition, the three indications would have to be disregarded or ineffective. Such series of errors would require a complete lack of understanding and administrative control. A probability number cannot be assigned to a series of errors such as these.
The rod position indication system provides direct visual displays of each control rod assembly position. The plant computer alarms for deviation of rods from their banks. In addition, a rod insertion limit monitor provides an audible and visual alarm to warn the operator of an approach to an abnormal condition due to dilution. The low-low insertion limit alarm alerts the operator to follow borating procedures as required by Technical Specifications. The facility reactivity control systems are such that acceptable fuel damage limits will not be exceeded even in the event of a single malfunction of either system.
 
In all analyses involving reactor trip, the single, highest worth rod cluster control assembly is postulated to remain untripped in its full out position.
One means of detecting a stuck control rod assembly is available from the actual rod position information displayed on the control board. The control board position readouts, one for each full length rod, give the plant operator the actual position of the rod in steps. The indications are grouped by banks (e.g., Control Bank A, Control Bank B, etc.) to indicate to the operator the deviation of one rod with respect to other rods in a bank. This serves as a means to identify rod deviation.
The plant computer monitors the actual position of all rods with an accuracy of 4 steps. Should a rod be misaligned from the other rods in that bank by more than 12 steps, the rod deviation alarm is actuated. Due to rod position measurement uncertainties, the actual rod misalignment may be as large as 20 steps (12.5 inches) at the alarm setpoint.
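The rod deviation checks described above (12 steps between rods in a control bank, 18 steps below full-out for a shutdown rod, 4-step measurement accuracy), as an added example that is not code from the report or the plant computer. The full-out position of 228 steps, the bank names, the sample positions and the handling of the exact 18-step boundary are constructed assumptions, and reading the 20-step figure as 12 + 2 × 4 is this example's interpretation of how the stated numbers combine.

```python
"""Added example: rod deviation alarm checks with measurement uncertainty."""

DEVIATION_SETPOINT = 12          # steps, control bank rod-to-rod (from the text)
SHUTDOWN_SETPOINT = 18           # steps below full-out (from the text)
ACCURACY = 4                     # steps, position measurement accuracy (from the text)
INCHES_PER_STEP = 12.5 / 20      # from "20 steps (12.5 inches)"
FULL_OUT = 228                   # constructed value, NOT taken from the report


def _check_positions(positions, full_out):
    for p in positions:
        if not 0 <= p <= full_out:
            raise ValueError(f"position {p} outside 0..{full_out} steps")


def control_bank_deviation(indicated, setpoint=DEVIATION_SETPOINT, full_out=FULL_OUT):
    """True when any two rods in the bank read more than `setpoint` steps apart."""
    if len(indicated) < 2:
        return False                      # nothing to compare against
    _check_positions(indicated, full_out)
    return max(indicated) - min(indicated) > setpoint


def shutdown_rod_deviation(indicated, setpoint=SHUTDOWN_SETPOINT, full_out=FULL_OUT):
    """True when a shutdown rod reads `setpoint` or more steps below full-out.

    Treating exactly 18 steps as alarming is an assumption of this sketch.
    """
    _check_positions([indicated], full_out)
    return full_out - indicated >= setpoint


def worst_case_actual_misalignment(setpoint=DEVIATION_SETPOINT, accuracy=ACCURACY):
    """Largest true separation that can still read as exactly `setpoint`.

    One rod can read `accuracy` steps too far in while the other reads
    `accuracy` steps too far out, so the two errors add.
    """
    return setpoint + 2 * accuracy


def steps_to_inches(steps):
    return steps * INCHES_PER_STEP


def scan(control_banks, shutdown_rods, full_out=FULL_OUT):
    """Return a list of (name, alarm_kind) tuples for every active alarm."""
    alarms = []
    for bank, readings in sorted(control_banks.items()):
        if control_bank_deviation(readings, full_out=full_out):
            alarms.append((bank, "control bank rod deviation"))
    for rod, reading in sorted(shutdown_rods.items()):
        if shutdown_rod_deviation(reading, full_out=full_out):
            alarms.append((rod, "shutdown rod below full-out"))
    return alarms


# Constructed sample: bank D has one rod truly 20 steps below the others.
TRUE_BANK_D = [200, 200, 200, 180]
ERRORS = [-4, -4, -4, +4]        # every reading off by the full 4-step accuracy
INDICATED_BANK_D = [t + e for t, e in zip(TRUE_BANK_D, ERRORS)]   # 196,196,196,184

SAMPLE_CONTROL_BANKS = {
    "Control Bank C": [228, 228, 228, 214],   # reads 14 apart: alarm
    "Control Bank D": INDICATED_BANK_D,       # reads 12 apart: no alarm
}
SAMPLE_SHUTDOWN_RODS = {"SA-1": 228, "SA-2": 210}   # SA-2 is 18 steps below full-out

if __name__ == "__main__":
    print(scan(SAMPLE_CONTROL_BANKS, SAMPLE_SHUTDOWN_RODS))
    worst = worst_case_actual_misalignment()
    print(worst, "steps =", steps_to_inches(worst), "inches")
```

Bank D in the sample stays silent although its true misalignment is 20 steps, which is the case the 20 steps (12.5 inches) allowance covers.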
Misaligned rod cluster control assemblies are also detected and alarmed in the control room by the power range deviation circuits which are independent of the plant computer.
Isolated signals derived from the nuclear instrumentation system are compared with one another to determine if a preset amount of deviation of average power level has occurred. Should such a deviation occur, the comparator output will operate a bistable unit to actuate a control board annunciator. This alarm will alert the operator to a power imbalance caused by a misaligned rod.
By use of individual rod position readouts, the operator can determine the deviating control rod and take corrective action. The design of the plant control systems meets the requirements of the 1971 General Design Criteria 23. Refer to Section 4.3 for additional information on response considerations due to reactivity.
2.3    Step Load Changes without Steam Dump
The plant control system restores equilibrium conditions, without a trip, following a minus 10 percent step change in load demand, over the 15 to 100 percent power range for automatic control. Steam dump is blocked for load decrease less than or equal to 10 percent. A load demand greater than full power is prohibited by the turbine control load limit devices.
The plant control system minimizes the reactor coolant average temperature deviation during the decrease transient within a given value and restores average temperature to the programmed setpoint. Excessive pressurizer pressure variations are prevented by using spray and heaters.
Automatic rod withdrawal has been disabled, therefore manual operator action is required to respond to any increases in load.
 
Ramp unloading of 5 percent per minute can be accepted over the 15 to 100 percent power range under automatic control without tripping the plant. Ramp loading is performed manually. Coolant average temperature is maintained as a function of turbine generator load.
The coolant average temperature increases during loading and causes a continuous insurge to the pressurizer as a result of coolant expansion. The sprays limit the resulting pressure increase.
Conversely, as the coolant average temperature is decreasing during unloading, there is a continuous outsurge from the pressurizer resulting from coolant contraction. The pressurizer heaters limit the resulting system pressure decrease. The pressurizer water level is programmed such that the water level is above the setpoint for heater cut out during the loading and unloading transients. The primary concern during loading is to limit the overshoot in nuclear power and to provide sufficient margin in the overtemperature ΔT setpoint.
During rapid loading transients, a drop in reactor coolant temperature could be used to increase power. This mode of operation could be applied when the control rods are not inserted deep enough into the core to supply all the reactivity requirements of the rapid load increase (the boron control system is relatively ineffective for rapid power changes). The reduction in temperature would be initiated by continued turbine loading past the point where the control rods are completely withdrawn from the core. The temperature drop would be recovered and nominal conditions restored by a boron dilution operation.
Excessive drops in coolant temperature are prevented by interlock C-16. This interlock circuit monitors the auctioneered low coolant Tavg and the programmed reference temperature which is a function of turbine impulse pressure and causes a turbine loading stop when Tavg reaches the low Tavg or Tavg below Tref setpoints.
The core axial power distribution would be controlled during the reduced temperature return to power because the control rods will be in the manual mode. Normally, power distribution control is not required during a rapid power increase and the rods may proceed to the top of the core. The position is reestablished at the end of the transient by decreasing the coolant boron concentration.
2.5    Load Rejection Furnished by Steam Dump System
When a load rejection occurs, if the difference between the required temperature setpoint of the reactor coolant system and the actual average temperature exceeds a predetermined amount, a signal will actuate the steam dump to maintain the reactor coolant system temperature within control range until a new equilibrium condition is reached.
The reactor power is reduced at a rate consistent with the capability of the rod control system.
Reduction of the reactor power is automatic. The steam dump flow reduction is as fast as rod cluster control assemblies are capable of inserting negative reactivity.
 
capacity is 28.2 to 35.1 percent of full load steam flow at full load steam pressure.
The steam dump flow reduces proportionally as the control rods act to reduce the average coolant temperature. The artificial load is, therefore, removed as the coolant average temperature is restored to its programmed equilibrium value.
The dump valves are modulated by the reactor coolant average temperature signal. The required number of steam dump valves can be tripped quickly to stroke full open or modulate, depending upon the magnitude of the temperature error signal resulting from loss of load.
2.6    Turbine-Generator Trip With Reactor Trip
Whenever the turbine generator unit trips at an operating power-level above 51 percent power, the reactor also trips. The unit is operated with a programmed average temperature as a function of
, with the full load average temperature significantly greater than the equivalent saturation pressure of the steam generator safety valve setpoint. The thermal capacity of the reactor coolant system is greater than that of the secondary system, and because the full load average temperature is greater than the no load temperature, a heat sink is required to remove heat stored in the reactor coolant to prevent actuation of steam generator safety valves for a trip from full power. This heat sink is provided by the combination of controlled release of steam to the condenser and by makeup of feedwater to the steam generators.
The steam dump system is controlled from the reactor coolant average temperature signal whose setpoint values are programmed as a function of turbine load. Actuation of the steam dump is d to prevent actuation of the steam generator safety valves. With the dump valves open, the average coolant temperature starts to reduce quickly to the no load setpoint. A direct feedback of temperature acts to proportionally close the valves to minimize the total amount of steam which is bypassed.
Feedwater flow is cut off following a reactor trip when the average coolant temperature decreases below a given temperature or when the steam generator water level reaches a given high level.
Additional feedwater makeup is then controlled manually to restore and maintain steam generator water level while assuring that the reactor coolant temperature is at the desired value. Residual heat removal is maintained by the steam header pressure controller (manually selected) which controls the amount of steam flow to the condensers. This controller operates a portion of the same steam dump valves to the condensers which are used during the initial transient following turbine and reactor trip.
The pressurizer pressure and level fall rapidly during the transient because of coolant contraction.
The pressurizer water level is programmed so that the level following the turbine and reactor trip is above the heaters. However, if the level at which the heaters become uncovered is approached following the trip, the heaters are cutout, letdown is isolated and the chemical and volume control
 
The steam dump and feedwater control systems are designed to prevent the average coolant temperature from falling below the programmed no load temperature following the trip to ensure adequate reactivity shutdown margin.
2.7  Operational Transient Analysis
The operational transients were analyzed using the NSSS control system settings and setpoints to demonstrate adequate margin exists to relevant reactor trip and ESF actuation setpoints over the Tavg normal operating range of 581.5°F to 589.5°F.
The analyses were performed using the multi-loop version of the Westinghouse LOFTRAN computer code. This computer model simulates the overall thermal-hydraulic and nuclear response of the NSSS as well as various control and protection systems. This methodology has been reviewed and approved by the NRC (Reference 7.7-2).
The following inputs are applicable for the transients analyzed:
All applicable NSSS control systems were assumed to be functioning as-designed and operating in the automatic mode of control. The automatic withdrawal feature is disabled.
To address the Tavg coastdown maneuver, the limiting transients were analyzed with the rods in manual control.
The pressurizer pressure and steam dump control systems were credited in the analyses.
The steam generator and pressurizer level control systems were not explicitly modeled and not specifically addressed in the analysis.
In accordance with Westinghouse methodology, two percent conservatism was applied to the initial power level in the analysis. The other plant parameters (RCS Tavg, pressurizer pressure, pressurizer level and steam generator mass at the nominal water level) were assumed to be at the nominal full power values.
Best estimate reactor kinetics parameters were modeled (rod worth, moderator temperature coefficient (MTC), doppler power defect, etc.) for the normal operating transient conditions. Since beginning-of-cycle (BOC) core physics parameters have lower differential rod worth and a less negative MTC, modeling BOC core characteristics yields more conservative results that bound the full cycle of operation. To address the Tavg coastdown maneuver, the limiting transients were analyzed at EOC fuel reactivity conditions.
The initial conditions for each of the transients were chosen to maximize the transient responses.
 
The load rejection transient was modeled as a ramp load change at a maximum rate of 200 percent per minute.
The following operational transients were addressed:
5 percent per minute unit loading and unloading
10 percent step load increase
10 percent step load decrease
50 percent load rejection (i.e., 50 percent loss of net load at 200 percent per minute)
Turbine trip without reactor trip from the P-9 Setpoint.
The results show the following:
The plant control system restores equilibrium conditions, without a trip, following a 10 percent step change in load demand over the 15-100 percent power range for automatic control.
Ramp loading and unloading of 5 percent per minute can be accepted over the 15 to 100 percent power range under automatic control without tripping the plant.
The results of the 50 percent load rejection transient analysis with the revised steam dump setpoints demonstrated that no reactor trip or engineered safety features were challenged.
The analysis was performed with two steam dump valves out of service. The control systems response was smooth during the transient with no excessive oscillatory responses.
The turbine trip without reactor trip transient from the P-9 setpoint satisfies the criteria of the NUREG-0737, Item II.K.3.10 and is acceptable for the SPU conditions.
3  REFERENCE FOR SECTION 7.7
1 WCAP-8255, 1974 (for background information only), Lipchak, J.B. and Stokes, R.A., Nuclear Instrumentation System.
2 WCAP-7907-A, April 1984, LOFTRAN Code Description.
3 NUREG-0737, Clarification of TMI Action Plan Requirements, Item II.K.3.10, Proposed Anticipatory Trip Modification, October 1980.
 
Designation  Derivation                                Function
1            1-out-of-2 Neutron flux (intermediate     Blocks manual control rod withdrawal.
             range) above setpoint
2            1-out-of-4 Neutron flux (power range)     Blocks manual control rod withdrawal.
             above setpoint
3            2-out-of-4 Overtemperature ΔT above       Blocks manual control rod withdrawal.
             setpoint                                  Blocks turbine load reference increase and
                                                       initiates a turbine runback.
4            2-out-of-4 Overpower ΔT above setpoint    Blocks manual control rod withdrawal.
                                                       Blocks turbine load reference increase and
                                                       initiates a turbine runback.
7            1-out-of-1 Time derivative (absolute      Makes steam dump valves available for
             value) of turbine impulse chamber         either tripping or modulation.
             pressure (decrease only) above setpoint
             Reactor trip and bypass breakers open     Blocks steam dump control via the load
                                                       rejection controller and makes the plant
                                                       trip controller available for steam dump
                                                       control. Makes steam dump valves available
                                                       for either tripping or modulation.
9            Any condenser pressure above setpoint     Block steam dump to condenser.
             or both circulating water pumps in a
             condenser section not running
11           1-out-of-1 Control Bank D position        Alarms Control Bank D above limit.
             above setpoint
16           1-out-of-1 Auctioneered low Tavg below    Stops automatic turbine loading until
             setpoint or below Tref                    condition clears.
20           2-out-of-2 turbine impulse chamber        Arms AMSAC; below setpoint, blocks AMSAC
             pressure above setpoint                   (generated in AMSAC; see Section 7.8).
* Not part of control system (control grade)
 
FIGURE 7.7-1 SIMPLIFIED BLOCK DIAGRAM OF REACTOR CONTROL SYSTEM
FIGURE 7.7-2 CONTROL BANK ROD INSERTION MONITOR
FIGURE 7.7-3 ROD DEVIATION COMPARATOR
FIGURE 7.7-4 BLOCK DIAGRAM OF PRESSURIZER PRESSURE CONTROL SYSTEM
FIGURE 7.7-5 BLOCK DIAGRAM OF PRESSURIZER LEVEL CONTROL SYSTEM
FIGURE 7.7-6 BLOCK DIAGRAM OF STEAM GENERATOR WATER LEVEL CONTROL SYSTEM
FIGURE 7.7-7 BLOCK DIAGRAM OF MAIN FEEDWATER PUMP SPEED CONTROL SYSTEM
FIGURE 7.7-8 BLOCK DIAGRAM OF STEAM DUMP CONTROL SYSTEM
FIGURE 7.7-9 BASIC FLUX-MAPPING SYSTEM
FIGURE 7.7-10 NOT USED
FIGURE 7.7-11 NOT USED
FIGURE 7.7-12 NOT USED
FIGURE 7.7-13 NOT USED
FIGURE 7.7-14 SIMPLIFIED BLOCK DIAGRAM OF ROD CONTROL SYSTEM
FIGURE 7.7-15 CONTROL BANK B PARTIAL SIMPLIFIED SCHEMATIC DIAGRAM OF POWER CABINETS 1 BD AND 2 BD
 
1    DESCRIPTION
1.1    System Description
The Anticipated Transient Without Scram (ATWS) Mitigation System Actuation Circuitry (AMSAC) provides a backup to the Reactor Trip System (RTS) and Engineered Safety Features Actuation System (ESFAS) for initiating turbine trip and auxiliary feedwater flow in the event of an anticipated transient; e.g., in the complete loss of main feedwater. The AMSAC is independent of and diverse from the RTS and the ESFAS with the exception of the final actuation devices and is classified as control grade equipment. It is a highly reliable, microprocessor based, single-train system powered by a non-Class 1E source.
The AMSAC continuously monitors level in the steam generators (SG), which is an anticipatory indication of a loss of heat sink, and initiates certain functions when the level drops below a predetermined set point for at least a preselected time and for three of the four SG levels. These initiated functions are the tripping of the turbine, the initiation of auxiliary feedwater, and isolation of the SG blowdown and sample lines.
The AMSAC is designed to be highly reliable, resistant to inadvertent actuation, and easily maintained. Reliability is assured through the use of internal redundancy and continual self-testing by the system. Inadvertent actuations are minimized through the use of internal redundancy and majority voting at the output stage of the system. The time delay on low steam generator level and the coincidence logic used also minimize inadvertent actuations.
The AMSAC automatically performs its actuations when above a preselected power level, determined using turbine impulse chamber pressure, and remains armed sufficiently long after pressure drops below the set point to ensure that its function will be performed in the event of a turbine trip.
1.2    Equipment Description
The AMSAC consists of a single train of equipment located in a seismically qualified cabinet.
The design of the AMSAC is based on the industry standard Intel multibus format, which permits the use of various readily available, widely used microprocessor cards on a common data bus for various functions.
: 1. Steam Generator Level Sensing
AMSAC utilizes the SG level signals as measured with four differential pressure type level transmitters, measuring the level of each of the main steam generators as shown in Figure 7.2-1, Sheet 7.
: 2. Turbine Impulse Pressure
AMSAC also utilizes the turbine impulse pressure signal for measuring Turbine Power, as shown in Figure 7.2-1, Sheet 16. Turbine impulse pressure is measured at the high pressure turbine.
: 3. System Hardware
The system hardware consists of two primary systems: the Actuation Logic System (ALS) and the Test/Maintenance System (T/MS).
Actuation Logic System
The ALS monitors the analog and digital inputs, performs the functional logic required, provides actuation outputs to trip the turbine and initiate auxiliary feedwater flow, and provides status information to the T/MS.
The ALS consists of three groups of input/output (I/O) modules, three actuation logic processors (ALPs), two majority voting modules, and two output relay panels. The I/O modules provide signal conditioning, isolation, and test features for interfacing the ALS and T/MS. Conditioned signals are sent to three identical ALPs for analog-to-digital conversion, set point comparison, and coincidence logic performance. Each of the ALPs performs identical logic calculations using the same inputs and derives component actuation demands which are then sent to the majority voting modules. The majority voting modules perform a two-out-of-three vote on the ALP demand signals. These modules drive the relays providing outputs to the existing turbine trip and auxiliary feedwater initiation circuits. A simplified block diagram of the AMSAC ALS architecture is presented in Figure 7.8-1.
Test/Maintenance System
The T/MS provides the AMSAC with automated and manual testing as well as a maintenance mode. Automated testing is the continuously performed self-checking done by the system during normal operation. ALS status is monitored by the T/MS and sent to the plant computer and the main control board.
Manual testing of the system by the Instrumentation and Controls (I&C) staff can be performed on line to provide assurance that the ALS system is fully operational.
The maintenance mode permits the I&C staff, under administrative control, to
 
The T/MS consists of a test/maintenance processor, a digital-to-analog conversion board, a memory board, expansion boards, a self-health board, digital output modules, a test/maintenance panel, and a portable terminal/printer.
: 4. Equipment Actuation
The output relay panels provide component actuation signals through isolation relays which then drive the final actuation circuitry as shown in Figure 7.2-1, Sheets 15 and 16, for initiation of auxiliary feedwater and for turbine trip.
1.3      Functional Performance Requirements
Analyses have shown that the two most limiting ATWS events are a loss of external electrical load and a loss of feedwater event both without a reactor trip. AMSAC performs the mitigative actuations of automatically initiating auxiliary feedwater, tripping the turbine, and isolating SG blowdown and sampling lines. These are initiated in order to ensure a secondary heat sink following an anticipated transient (ANS Condition II) without a reactor trip, in order to limit core damage following an anticipated transient without a reactor trip, and to ensure that the energy generated in the core is compatible with the design limits to protect the reactor coolant pressure boundary by maintaining the reactor coolant pressure to within ASME Stress Level C.
1.4      AMSAC Interlocks
A single interlock, designated as C-20, is provided to allow for the automatic arming and blocking of the AMSAC (see Figure 7.2-1, Sheet 16). The system is blocked at sufficiently low reactor power levels when the actions taken by the AMSAC following an ATWS need not be automatically initiated. Turbine impulse chamber pressure in a two-out-of-two logic scheme is used for this permissive. Turbine impulse chamber pressure above the set point will automatically defeat any block; i.e., will arm the AMSAC. Dropping below this set point will automatically block the AMSAC. Removal of the C-20 permissive is automatically delayed for a predetermined time. The operating status of the AMSAC is displayed on the main control board.
1.5      Trip System
The SG level and turbine impulse chamber pressure inputs are used by AMSAC to determine trip demand. Signal conditioning is performed on the transmitter output and used by each of the ALPs to derive a component actuation demand. If three of the four steam generators have a low level at a power level greater than the C-20 permissive, then a trip demand signal is generated. This signal drives output relays for performing the necessary mitigative actions.
 
AMSAC is independent of the RTS and ESFAS. The AMSAC inputs for measuring turbine impulse chamber pressure and narrow-range SG water level are derived from transmitters and channels within the process protection system. Connections to these channels are made downstream of Class 1E isolation devices which are located within the process protection cabinets. These isolation devices ensure that the existing protection system continues to meet all applicable safety criteria by providing isolation. Buffering of the AMSAC outputs from the safety related final actuation device circuits is achieved through qualified relays. A credible fault occurring in the non safety related AMSAC will not propagate through and degrade the RTS and ESFAS.
1.7      AMSAC Diversity From the Reactor Protection Systems
Equipment diverse from the RTS and ESFAS (excluding sensors and isolation devices) is used in the AMSAC to prevent common mode failures that might affect the AMSAC and the RTS or ESFAS. The AMSAC is a digital, microprocessor based system with the exception of the analog level and turbine impulse pressure transmitter inputs. The RTS and ESFAS utilize analog and diverse digital-based protection system components. Where similar components are utilized for the same function in both AMSAC and the RTS and ESFAS, the components used in AMSAC are provided from a different manufacturer.
Common mode failure of identical components in the analog portion of the RTS that results in the inability to generate a reactor trip signal will not impact the ability of the digital AMSAC to generate the necessary mitigative actuations. Similarly, a postulated common mode failure affecting analog components in ESFAS, affecting its ability to initiate auxiliary feedwater, will not impact the ability of the digital based AMSAC to automatically initiate auxiliary feedwater.
1.8      Power Supply
The AMSAC power supply is a dedicated uninterruptible power supply (UPS) which is independent from the RTS power supplies and is backed by batteries which are independent from the existing batteries which supply the RTS.
1.9      Environmental Variations
AMSAC equipment is not designed as safety-related equipment; therefore, it is not required to be qualified as safety related equipment. The AMSAC equipment is located in a controlled environment such that variations in the ambient conditions are minimized. No AMSAC equipment is located inside containment. The SG level transmitters (located inside containment) and the turbine impulse chamber pressure transmitters (located inside the turbine building) supply input into AMSAC and are qualified for the environment in which they are located.
 
The AMSAC makes use of two set points in the coincidence logic in order to determine if mitigative functions are required. Water level in each SG is sensed to determine if a loss of secondary heat sink is imminent. The low level set point is selected in such a manner that a true lowering of the level will be detected by the system. The normal small variations in SG level will not result in a spurious AMSAC signal.
The C-20 permissive set point is selected in order to be consistent with ATWS investigations showing that the mitigative actions performed by the AMSAC need not be automatically actuated below a certain power level. The maximum allowable value of the C-20 permissive set point is defined by these investigations.
To avoid inadvertent AMSAC actuation on the loss of one main feedwater pump, AMSAC actuation is delayed by a defined amount of time. This will ensure the reactor protection system (RPS) will provide the first trip signal.
To ensure that the AMSAC remains armed sufficiently long to permit its function in the event of a turbine trip, the C-20 permissive is maintained for a preset time delay after the turbine impulse chamber pressure drops below the set point.
The set points and the capability for their modification in the AMSAC are under administrative control.
2    ANALYSIS
2.1      Safety Classification/Safety Related Interface
The AMSAC is not safety related and therefore need not meet the requirements of IEEE 279-1971. The AMSAC has been implemented such that the RTS and the ESFAS continue to meet all applicable safety-related criteria. The AMSAC is independent of the RTS and ESFAS.
The isolation provided between the RTS and the AMSAC and between the ESFAS and the AMSAC by the isolator modules and the isolation relays ensures that the applicable safety-related criteria are met for the RTS and the ESFAS.
2.2      Redundancy
System redundancy has not been provided. Since AMSAC is a backup nonsafety-related system to the redundant RTS, redundancy is not required. To ensure high system reliability, portions of the AMSAC have been implemented as internally redundant, such that a single failure of an input channel or ALP will neither actuate nor prevent actuation of the AMSAC.
2.3      Diversity From the Existing Trip System
Diverse equipment has been selected in order that common cause failures affecting both the RTS and the AMSAC or both the ESFAS and the AMSAC will not render these systems inoperable
 
2.4    Electrical Independence
The AMSAC is electrically independent of the RTS and ESFAS from the process protection cabinet signal output (into AMSAC) up to the final actuation devices. Isolation devices are provided to isolate the nonsafety AMSAC circuitry from the safety related actuation circuits of the auxiliary feedwater system as discussed in Section 7.8.1.6.
2.5    Physical Separation From the RTS and ESFAS
AMSAC needs to be and is physically separated from the existing protection system hardware.
The AMSAC outputs are provided from separate relay panels within the cabinets. The two trains are separated within the AMSAC cabinet by a combination of metal barriers, conduit, and distance.
2.6    Environmental Qualification
Equipment related to the AMSAC is qualified to operate under conditions resulting from anticipated operational occurrences for the respective equipment location. The AMSAC equipment, with the exception of the isolation devices, is not designated as safety related equipment and therefore is not required to be qualified as safety related per the requirements of IEEE Standard 279-1971, IEEE Standard for Criteria for Protection Systems for Nuclear Power Generating Stations.
2.7    Seismic Qualification
It is required that only the isolation devices comply with seismic qualification. The AMSAC output isolation device is qualified in accordance with a program that was developed to implement the requirements of IEEE Standard 344-1975, IEEE Standard for Seismic Qualification of Class 1E Electrical Equipment for Nuclear Power Generating Stations.
2.8    Test, Maintenance, and Surveillance Quality Assurance
NRC Generic Letter 85-06, Quality Assurance Guidance for ATWS Equipment that is not Safety Related, requires quality assurance procedures commensurate with the non-safety related classification of the AMSAC. The quality controls for the AMSAC are, at a minimum, consistent with existing plant procedures or practices for non-safety related equipment.
Design of the AMSAC followed procedures relating to equipment procurement, document control, and specification of system components, materials, and services. In addition, specifications also define quality assurance practices for inspections, examinations, storage, shipping, and tests as appropriate to a specific item or service.
 
the system design requirements implemented with the use of software have been properly implemented and to ensure compliance with the system functional, performance, and interface requirements.
System testing is completed prior to the installation and operation of the AMSAC as part of the normal factory acceptance testing and the validation program. Periodic testing is performed both automatically through use of the system automatic self-checking capability and manually under administrative control via the AMSAC test/maintenance panel.
2.9    Power Supply
Power to the AMSAC is from a battery backed, dedicated UPS independent of the power supplies for the RTS and ESFAS. The station battery supplying power to the AMSAC is independent of those used for the RTS and ESFAS. The AMSAC is an energize-to-actuate system capable of performing its mitigative functions with a loss of off-site power.
2.10 Testability at Power
The AMSAC is testable at power. This testing is done via the system test/maintenance panel. The ability of the AMSAC to perform its mitigative actuations is bypassed at a system level while in the test mode. Total system testing is performed as a set of three sequential, partial, overlapping tests. The first of the tests checks the analog input portions of the AMSAC in order to verify accuracy. Each of the analog input modules is checked separately. The second test checks each of the ALPs to verify that the appropriate coincidence logic is sent to the majority voter. Each ALP is tested separately. The last test exercises the majority voter and the integrity of the associated output relays. The majority voter and associated output relays are tested by exercising all possible input combinations to the majority voter. The integrity of each of the output relays is checked by confirming continuity of the relay coils without operating the relays. The capability to individually operate the output relays, confirm integrity of the associated field wiring, and operate the corresponding isolation relays and final actuation devices at plant shutdown is provided.
2.11 Inadvertent Actuation
The AMSAC has been designed such that the frequency of inadvertent actuations is minimized.
This high reliability is ensured through use of three redundant ALPs and a majority voting module. A single failure in any of these modules will not result in a spurious AMSAC actuation.
In addition, a three-out-of-four low SG level coincidence logic and a time delay have been selected to further minimize the potential for inadvertent actuations.
 
2.12.1 Maintenance Bypasses
The AMSAC is blocked at the system level during maintenance, repair, calibration, or test. While the system is blocked, the bypass condition is continuously indicated in the main control room.
2.12.2 Operating Bypasses
The AMSAC has been designed to allow for operational bypasses with the inclusion of the C-20 permissive. Above the C-20 set point, the AMSAC is automatically unblocked (i.e., armed); below the set point, the system is automatically blocked. The operating status of the AMSAC is continuously indicated in the main control room via an annunciator window.
2.12.3 Indication of Bypasses
Whenever the mitigative capabilities of the AMSAC are bypassed or deliberately rendered inoperable, this condition is continuously indicated in the main control room. In addition to the operating bypass, any manual maintenance bypass is indicated via the AMSAC general warning to the main control room.
2.12.4 Means for Bypassing
A permanently installed system bypass selector switch is provided to bypass the system. This is a two-position selector switch with NORMAL and BYPASS positions. At no time is it necessary to use any temporary means, such as installing jumpers or pulling fuses, to bypass the system.
2.13 Completion of Mitigative Actions Once Initiated
The AMSAC mitigative actions go to completion as long as the coincidence logic is satisfied and the time delay requirements are met. If the flow in the feedwater lines is reinitiated before the timer expires and the SG water level increases to above the low-low set point, then the coincidence logic will no longer be satisfied and the actuation signal disappears. If the coincidence logic conditions are maintained for the duration of the time delay, then the mitigative actions go to completion. The auxiliary feedwater initiation signal is latched in at the component actuating devices and the turbine trip is latched in at the turbine electrohydraulic control system.
Deliberate operator action is then necessary to terminate auxiliary feedwater flow, clear the turbine trip signal using the main control board turbine trip reset switch, and proceed with the reopening of the turbine stop valves.
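The trip path described in the Trip System, Inadvertent Actuation, and Completion of Mitigative Actions subsections can be exercised as a small model. This is an added example, not AMSAC software or anything from the SAR: the set point values, delays, one-second scan interval, and all names are constructed assumptions, and the model assumes the delay timer runs only while the C-20 permissive and the three-out-of-four low level coincidence are both present.

```python
"""AMSAC trip logic sketch (added example, not plant software).

Set points and delays below are constructed placeholders; the page
states that such values exist but does not give them.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple

SG_LOW_LEVEL = 10.0       # assumed low SG level set point, percent span
C20_SETPOINT = 40.0       # assumed C-20 impulse pressure set point, percent
ACTUATION_DELAY = 25.0    # assumed seconds the coincidence must persist
C20_HOLD = 120.0          # assumed seconds C-20 is held after pressure drops


@dataclass
class Scan:
    t: float                      # scan time, seconds
    sg_levels: Tuple[float, ...]  # four narrow-range SG levels
    impulse: Tuple[float, ...]    # two turbine impulse pressure channels


class ActuationLogicProcessor:
    """One of the three identical ALPs. `stuck` injects a failed output."""

    def __init__(self, stuck: Optional[bool] = None):
        self.stuck = stuck
        self.last_above: Optional[float] = None  # last scan with C-20 satisfied
        self.low_since: Optional[float] = None   # start of current coincidence

    def step(self, scan: Scan) -> bool:
        # C-20: two-out-of-two impulse pressure above set point arms AMSAC;
        # removal of the permissive is delayed by C20_HOLD.
        if all(p > C20_SETPOINT for p in scan.impulse):
            self.last_above = scan.t
        armed = (self.last_above is not None
                 and scan.t - self.last_above <= C20_HOLD)
        # Three-out-of-four low SG level coincidence.
        low = sum(lv < SG_LOW_LEVEL for lv in scan.sg_levels) >= 3
        if armed and low:
            if self.low_since is None:
                self.low_since = scan.t
        else:
            self.low_since = None  # level recovered or blocked: timer resets
        demand = (self.low_since is not None
                  and scan.t - self.low_since >= ACTUATION_DELAY)
        return demand if self.stuck is None else self.stuck


def majority_vote(demands: Sequence[bool]) -> bool:
    """Two-out-of-three vote on the ALP demand signals."""
    return sum(bool(d) for d in demands) >= 2


def first_actuation(scans: List[Scan],
                    faults: Sequence[Optional[bool]] = (None, None, None)
                    ) -> Optional[float]:
    """Time of the first voted actuation, or None if AMSAC never actuates."""
    alps = [ActuationLogicProcessor(f) for f in faults]
    for scan in scans:
        if majority_vote([alp.step(scan) for alp in alps]):
            return scan.t
    return None


def make_scans(duration: int,
               levels: Callable[[int], Tuple[float, ...]],
               impulse: Callable[[int], Tuple[float, ...]]) -> List[Scan]:
    """Constructed one-second scans built from two time functions."""
    return [Scan(float(t), levels(t), impulse(t)) for t in range(duration + 1)]


NORMAL = (50.0, 50.0, 50.0, 50.0)
THREE_LOW = (5.0, 5.0, 5.0, 50.0)
TWO_LOW = (5.0, 5.0, 50.0, 50.0)
AT_POWER = (100.0, 100.0)


def loss_of_feedwater() -> List[Scan]:
    # Constructed transient: three SG levels fall below set point at t=10.
    return make_scans(60, lambda t: THREE_LOW if t >= 10 else NORMAL,
                      lambda t: AT_POWER)


if __name__ == "__main__":
    print("loss of feedwater      ->", first_actuation(loss_of_feedwater()))
    print("same, one ALP silent   ->",
          first_actuation(loss_of_feedwater(), (False, None, None)))
    steady = make_scans(60, lambda t: NORMAL, lambda t: AT_POWER)
    print("steady, one ALP stuck  ->",
          first_actuation(steady, (True, None, None)))
```

A second failed ALP is outside the single-failure claim: with two processors stuck in the demanding state the voter output follows them, which is the case the at-power test of each ALP and of the majority voter exists to detect.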
2.14 Manual Initiation
Manual initiation of the AMSAC is not provided. The capability to initiate the AMSAC mitigative functions manually (i.e., initiate auxiliary feedwater, trip the turbine, and isolate SG blowdown and sampling lines) exists at the main control board independent of AMSAC.
 
The AMSAC has been designed such that the operating and I&C staffs have accurate, complete, and timely information pertinent to the status of the AMSAC. A system level general warning alarm is indicated in the control room. Diagnostic capability exists from the test/maintenance panel to determine the cause of any unanticipated inoperability or deviation.
2.16 Compliance With Standards and Design Criteria
The AMSAC meets the applicable requirements of Part 50.62 of Title 10 of the Code of Federal Regulations and the quality assurance requirements of NRC Generic Letter 85-06. No other standards currently apply to the AMSAC.}}

Latest revision as of 18:57, 13 November 2024