ML21133A086

From kanterella
Jump to navigation Jump to search
0 to Updated Final Safety Analysis Report, Chapter 7, Section 7.3, Engineered Safety Feature Systems
ML21133A086
Person / Time
Site: Limerick  Constellation icon.png
Issue date: 04/29/2021
From:
Exelon Generation Co
To:
Office of Nuclear Reactor Regulation
Shared Package
ML21138A803 List: ... further results
References
Download: ML21133A086 (251)
v  d  e


Text

LGS UFSAR 7.3 ENGINEERED SAFETY FEATURE SYSTEMS Safety-related instrumentation and controls for ESF systems are described in this section.

Instrumentation and controls for systems that support ESF systems are also described.

7.

3.1 DESCRIPTION

The following systems are part of the ESF:

a. Emergency core cooling systems
b. Primary containment and reactor vessel isolation control system
c. Deleted
d. RHR containment spray mode
e. RHR suppression pool cooling mode
f. Containment atmospheric control system
g. Standby gas treatment system
h. Reactor enclosure recirculation system
i. Reactor enclosure isolation system
j. Habitability and control room isolation
k. Emergency service water system
l. RHR service water system
m. Control enclosure chilled water system
n. Class 1E power system
o. Safety-related equipment area cooling ventilation systems:
1. SGTS filter room and access area unit coolers
2. Diesel generator enclosure ventilation system
3. Spray pond pump structure ventilation system
4. ESF switchgear and battery rooms cooling system
5. ECCS pump compartment unit coolers
6. Auxiliary equipment room ventilation system CHAPTER 07 7.3-1 REV. 19, SEPTEMBER 2018

LGS UFSAR

p. Drywell Unit Coolers 7.3.1.1 System Description 7.3.1.1.1 Emergency Core Cooling Systems - Instrumentation and Controls The ECCS is a network of the following systems:
a. HPCI system
b. ADS
c. Core spray system
d. LPCI mode of the RHR system The purpose of ECCS instrumentation and controls is to initiate appropriate responses from the system to ensure that the fuel is adequately cooled if there is a DBA. The cooling provided by the system restricts the release of radioactive materials from the fuel by preventing or limiting the extent of fuel damage following situations in which coolant is lost from the RCPB.

The ECCS instrumentation detects a need for core cooling systems operation, and the trip systems initiate the appropriate response. The ECCS instrumentation and controls are classified as Safety Class 2, seismic Category I, Quality Group B, and electric Class 1E.

Not included in this section is a discussion of measures that are taken to protect the low pressure ECCS from the high pressure RCS. The high pressure/low pressure interlocks are examined in Section 7.6.

The instrumentation and controls of the ECCS network system are powered by the 125 V dc and 120 V ac systems. The redundancy and separation of these systems are consistent with the redundancy and separation of the ECCS functional requirements. The power sources for the ECCS network systems are described in detail in Chapter 8.

7.3.1.1.1.1 High Pressure Coolant Injection System - Instrumentation and Controls 7.3.1.1.1.1.1 HPCI System Identification When actuated, the HPCI system pumps water from either the CST or the suppression pool to the reactor vessel via a core spray line and a feedwater line. The HPCI system includes a turbine-driven pump, a dc motor-driven auxiliary oil pump, a gland seal condenser condensate pump, a gland seal condenser vacuum pump, automatic valves, control devices, sensors, and logic circuitry. The arrangement of equipment and control devices is shown in drawings M-55 and M-

56. These drawings identify both nonsafety-related and safety-related parts of this system.

7.3.1.1.1.1.2 HPCI Equipment Design Pressure and level transmitters used in the HPCI system are located on racks in the reactor enclosure. The only active component for the HPCI system located inside the primary containment is the inboard HPCI system turbine steam supply line isolation valve. The rest of the HPCI system control and instrumentation is located outside the primary containment. A full flow functional test of the system can be conducted during normal reactor power operation; however, the controls are CHAPTER 07 7.3-2 REV. 19, SEPTEMBER 2018

LGS UFSAR configured such that the system can be realigned automatically to fulfill its safety function regardless of the test being conducted.

There are three exceptions:

a. The HPCI flow controller auto/manual feature in the manual mode sets the HPCI system at selected flow rate; the operator can select auto if required. This feature is for operator flexibility during system operation.
b. Steam inboard/outboard isolation valves. Closure of either or both of these valves requires operator action to properly sequence their opening. An alarm sounds when either of these valves leaves the fully open position.
c. HPCI test switch in F006 and F007 position and test plug J1 or J10 inserted results in the HPCI system being inoperable. Depending on whether the test switch is in F006 or F007 position, one of the two series discharge valves are interlocked closed, preventing high pressure core injection. If the test switch is in F006, it disables both the F006 (discharge to core spray) and F105 (discharge to feedwater). HPCI OUT-OF-SERVICE annunciator sounds in the control room in indicate HPCI in test.

7.3.1.1.1.1.3 HPCI Initiating Circuits Reactor vessel low water level is monitored by four level sensors that sense the difference between the pressure due to a constant reference leg of water and the pressure due to the actual height of water in the vessel as shown in drawing M-42. Each level sensor provides an input to a trip unit. Refer to Figure 7.3-26 for a diagram of level sensor connections. The four trip units are connected in a one-out-of-two-twice logic to provide an automatic HPCI initiation signal. Two lines, attached to taps above and below the water level on the reactor vessel, are required for the differential pressure measurement for each pair of level sensors. The lines terminate outside the primary containment and inside the reactor enclosure. The sensors are physically separated from the ADS sensors and tap off the reactor vessel at points widely separated from the ADS sensors.

These same lines are also used for pressure and water level instruments for other systems. A similar arrangement of the ADS instrumentation initiates the ADS system. The arrangement ensures that no single event can prevent reactor vessel low water level from initiating both the HPCI system and the ADS.

Primary containment pressure is monitored by four pressure sensors that are mounted on an instrument rack outside the drywell, but inside the reactor enclosure. Pipes from the drywell interior to the sensors provide the sensing lines. Each drywell high pressure sensor provides an input into a trip unit. The four trip units are connected in a one-out-of-two-twice logic to provide an automatic HPCI initiation signal. The relay contacts from the trip units are arranged so no single event can prevent containment high pressure from initiating the HPCI system and ADS. The sensors are physically separated from the ADS pressure sensors and tap off the containment at points widely separated from the ADS pressure sensors.

The HPCI system controls automatically start the HPCI system from the receipt of a reactor vessel low water level signal (level 2) or primary containment drywell high pressure signal and bring the system to its design flow rate within 60 seconds. The system can also be initiated by use of a system-level remote manual switch or an individual remote manual switch for each valve and the auxiliary oil pump which provides the initial hydraulic fluid for the turbine stop and governor valves.

In all initiation modes, the system is prevented from operating above high water level (level 8) using one-out-of-two-twice logic. The controls then function to provide design makeup water flow to the CHAPTER 07 7.3-3 REV. 19, SEPTEMBER 2018

LGS UFSAR reactor vessel until the amount of water delivered to the reactor vessel is adequate (level 8), at which time the HPCI system automatically shuts down. The system is designed to automatically cycle between these two levels. The controls are arranged to allow remote manual startup, operation, and shutdown.

The HPCI turbine is functionally controlled as shown in drawings E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009. A speed governor limits the turbine speed to its maximum operating level. A control governor receives a HPCI system flow signal and adjusts the turbine steam control valve so that the design HPCI system pump discharge flow rate is obtained. drawings E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009 shows the various modes of turbine control. The flow signal used for automatic control of the turbine is derived from a differential pressure measurement across a flow element in the HPCI system pump discharge line. The governor controls the pressure applied to the hydraulic operator of the turbine control valve, which in turn controls the steam flow to the turbine. Hydraulic pressure is supplied for both the turbine control valve and the turbine stop valve by the dc-powered auxiliary oil pump during startup and then by the shaft-driven hydraulic oil pump when the turbine reaches operating speed.

Upon receipt of an initiation signal, the auxiliary oil pump starts, providing hydraulic pressure for the turbine stop valve and turbine control valve hydraulic operator. Because there is no flow in the HPCI system, the flow signal runs the control governor to the high speed stop. As hydraulic oil pressure is developed, the turbine stop valve and the turbine control valve open, and the turbine accelerates toward the speed setting of the control governor. As HPCI system flow increases, the flow signal adjusts the control governor setting so that design flow is maintained. The turbine is automatically shut down by tripping the turbine stop valve closed if any of the following conditions are detected:

a. High turbine exhaust pressure (one-out-of-two)
b. Low HPCI pump suction pressure (one-out-of-one)
c. High reactor water level (one-out-of-two-twice)
d. Turbine overspeed signal (one-out-of-one mechanical)
e. Low steam supply pressure (two-out-of-two)
f. HPCI autoisolation signals (one-out-of-two logic for turbine trip, for isolation one channel closes the inboard valve and one channel closes the outboard valve).
g. Remote manual trip In each division, an auto isolation signal is initiated by any of the following:
a. Steam supply line - high flow (one-out-of-one logic trip)
b. High turbine exhaust diaphragm pressure (two-out-of-two logic trip)
c. High equipment or piping area temperature or high equipment area delta temperature (one-out-of-six logic trip)
d. Low steam supply pressure (two-out-of-two logic trip)

CHAPTER 07 7.3-4 REV. 19, SEPTEMBER 2018

LGS UFSAR Precautions taken to preclude spurious HPCI system turbine isolation are:

a. Using coincident logic isolation trip circuits for low steam supply and high turbine exhaust diaphragm pressure.
b. Using trip time delay circuits (Reference NUREG-0737, Item II.K.3.15).
c. Using safety-grade instrumentation and control equipment.
d. Selecting trip settings far enough from normal operating values to avoid spurious trips, yet close enough to protect equipment.

The HPCI test return to condensate storage line valve HV-55-*F011 is normally kept closed except during HPCI or RCIC system flow testing. If during testing either a low reactor water level (level 2) or high drywell pressure condition initiates HPCI system operation, valve HV-55-*F011 and in series test return valve HV-55-*F008 are automatically closed. In addition, HPCI valve HV *F011 is automatically closed if one of the HPCI or RCIC pump suppression pool suction valves HV-55-*F041, HV-49-*F029 or F031 fully opens. The *F011 is not automatically closed if the suppression pool to pump suction PCIV, HV-055 *F042 is open.

The preferred source of water for the HPCI is the CST. The HPCI system will realign to suppression pool suction upon receipt of a CST low level or suppression pool high level signal.

Either of these signals open the HPCI suppression pool suction valves HV-55-*F041 and F042, if closed, which in turn sends a signal to close the CST suction valve HV-55-*F004 when both are fully open.

Turbine overspeed indicates a malfunction of the turbine control mechanism. High turbine exhaust pressure indicates a condition that threatens the physical integrity of the turbine casing. Low pump suction pressure warns that cavitation and lack of cooling can cause damage to the pump, which could place it out-of-service. A turbine trip is initiated for abnormal conditions so that, if the causes of the abnormal condition can be found and corrected, the system can be restored to service. The trip settings are selected far enough from normal values so that a spurious turbine trip is unlikely, but not so close that damage occurs before the turbine is shut down. Turbine overspeed is detected by a standard turbine overspeed electronic device for indication and a mechanical-hydraulic device for tripping the turbine. Two pressure sensors are used to detect high turbine exhaust pressure; either sensor can initiate turbine shutdown. One pressure sensor is used to detect low HPCI system pump suction pressure.

High water level in the reactor vessel indicates that the HPCI system has performed satisfactorily in providing makeup water to the reactor vessel. Further increase in level could result in HPCI system turbine damage caused by gross carryover of moisture. The reactor vessel high water level setting that trips the turbine (level 8) is near the top of the steam separators and is sufficient to prevent gross moisture carryover to the turbine. Four level 8 trip units, connected to appropriate sensors, arranged in a one-out-of-two-twice configuration, are required to initiate a turbine shutdown. Refer to Figure 7.3-26 for a diagram of level sensor connections.

Low steam supply pressure is detected by two pressure sensors, both of which must trip to initiate a turbine shutdown. This low pressure indicates that there is insufficient energy in the steam for the turbine to function.

The control scheme for the turbine auxiliary oil pump is shown in drawings E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009. System controls are arranged for automatic or manual control. Upon receipt of an HPCI system initiation CHAPTER 07 7.3-5 REV. 19, SEPTEMBER 2018

LGS UFSAR signal, the auxiliary oil pump starts and provides hydraulic pressure to open the turbine stop valve and the turbine control valve. As the turbine gains speed, the shaft-driven oil pump begins to supply hydraulic pressure. When the pressure supply by the shaft-driven oil pump is sufficient, the auxiliary oil pump automatically stops. Should the shaft-driven oil pump malfunction, causing oil pressure to drop, the auxiliary oil pump restarts automatically.

The operation of the gland seal condenser components (gland seal condenser condensate pump (dc), gland seal condenser vacuum pump (dc), and gland seal condenser water level instrumentation) prevents outleakage from the turbine shaft seals. Startup of this equipment is automatic, as shown in drawings E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009. Failure of this equipment does not prevent the HPCI system from providing water to the reactor vessel.

7.3.1.1.1.1.4 HPCI Logic and Sequencing Either reactor vessel low water level (level 2) or primary containment (drywell) high pressure can automatically start the HPCI system as indicated in drawings E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009. Reactor vessel low water level is an indication that reactor coolant is being lost and that the fuel is in danger of being overheated. Primary containment high pressure is an indication that a breach of the nuclear system process barrier has occurred inside the drywell.

The scheme used for initiating the HPCI system is shown in drawings E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009. The components required for HPCI system initiation are powered by dc buses.

Instrument settings for the HPCI system controls and instrumentation are listed in Table 7.3-1. The reactor vessel low water level setting for HPCI system initiation is selected high enough above the active fuel to start the HPCI system in time both to prevent excessive fuel cladding temperatures and to prevent more than a small fraction of the core from reaching the temperature at which gross fuel failure occurs. The water level setting is sufficiently below normal levels so that spurious HPCI system startups are avoided. The primary containment high pressure setting is selected to be as low as possible without inducing a spurious HPCI system startup. The logic diagram for BOP portions of the HPCI system is shown in drawing M-55FD.

7.3.1.1.1.1.5 HPCI Bypasses and Interlocks To prevent the turbine-pump from being damaged by overheating at reduced HPCI pump discharge flow, a pump discharge minimum flow line is provided to route the water being discharged from the pump to the suppression pool. The minimum flow is controlled by an automatic, dc MOV whose control scheme is shown in drawings E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009. On high HPCI flow, stop valve closure, or steam supply valve closure, the valve is closed, and on low flow, provided pump discharge pressure is above a pressure permissive setpoint (indicates pump is running) the valve is opened. The flow transmitter and trip units that measure the pressure difference across a flow element in the HPCI pump discharge pipeline provide the control signal for this valve.

To prevent the HPCI steam supply pipeline from filling up with water and cooling, a condensate drain pot, steam line drain, and appropriate valves are provided in a drain pipeline arrangement just upstream of the turbine supply valve. The control scheme is shown in drawings E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009.

The controls position valves so that during normal operation steam line drainage is routed to the CHAPTER 07 7.3-6 REV. 19, SEPTEMBER 2018

LGS UFSAR main condenser. Upon receipt of a HPCI initiation signal and subsequent steam supply valve opening, the drainage path is isolated. The water level in the steam line condensate drain pot is controlled by a level switch, a flow orifice, and an air-operated steam trap bypass drain valve that allows condensate to flow out of the pot.

During test operation, the HPCI pump discharge is routed to the CST. Two dc MOVs are installed in the pump discharge to the CST pipeline. The piping arrangement is shown in drawing M-55.

The control scheme for the two valves is shown in drawings E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009. Upon receipt of an HPCI system initiation signal, the two valves close and remain closed. Valve F011 is interlocked closed if the HPCI F041 or RCIC F029 or F031 valves are fully open. Numerous indications pertinent to the operation and condition of the HPCI system are available to the control room operator. Drawings M-55, M-56, E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009 show the various indications provided.

Suction is normally taken from the CST. If the level in the CST falls to a low level or the nonseismic pipeline from the CST breaks, a level sensor in the vertical run of pipe from the grade down to the HPCI pump compartment initiates an automatic realignment of pump suction piping to the suppression pool. The logic for automatic operation of the suction valves is shown by drawings E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009. Also, high suppression pool level will cause an automatic realignment of the suction source from the CST to the suppression pool.

7.3.1.1.1.1.6 HPCI Redundancy and Diversity The HPCI system is actuated either by reactor vessel low water level (level 2) or by primary containment (drywell) high pressure. Both of these conditions could result from a LOCA. The redundancy of the HPCI system initiating circuits is consistent with the design of the HPCI system.

7.3.1.1.1.1.7 HPCI Actuated Devices The HPCI actuated devices are automatically controlled by logic circuitry or manually controlled by switches in the control room. MOVs are provided with appropriate limit and/or torque switches to turn off the motors when the fully open or fully closed positions are reached. Valves that are automatically closed on isolation signals are equipped with remote manual reset devices so that they cannot be reopened without operator action. All essential components of the HPCI system controls operate on dc power or ac power supplied by an inverter that is part of the ECCS.

To ensure that the HPCI system can be brought to design flow rate within 60 seconds from receipt of the initiation signal, the following maximum operating times for essential HPCI system valves are provided by the valve operation mechanisms:

a. HPCI system turbine steam supply valve 20 sec
b. HPCI system pump discharge valves 20 sec (except F105 valve 40 sec)
c. HPCI system pump minimum flow bypass valve 15 sec The operating time is the time required for the valve to travel from the fully closed to the fully open position or vice-versa. Because the two HPCI system steam supply line isolation valves are normally open and because they are intended to isolate the HPCI system steam line if there is a break in that line, their operating time requirements are based on isolation requirements. These are described in Section 7.3.1.1.2.4.1.2. A normally closed dc MOV is located in the turbine steam supply line just upstream of the turbine stop valve. The control scheme for this valve is shown in CHAPTER 07 7.3-7 REV. 19, SEPTEMBER 2018

LGS UFSAR drawings E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009. Upon receipt of an HPCI system initiation signal, this valve opens and remains open until closed by operator action from the control room.

Two normally open isolation valves are provided in the steam supply line to the turbine. The control diagram is shown in drawings E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009. The valves automatically close upon receipt of an HPCI system turbine steam line high flow signal, an HPCI system turbine steam supply low pressure signal, high turbine exhaust diaphragm pressure, high steam line space temperature, HPCI equipment room ventilation inlet/outlet high differential temperature, or high area temperature.

Three pump suction valves are provided in the HPCI system. One valve provides pump suction from the CST; the other two provide suction from the suppression chamber. The CST is the preferred source. All valves are operated by dc motors. The control arrangement is shown in drawings E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009. Although the CST suction valve is normally open, an HPCI system initiation signal opens it if it is closed. If the water level in the CST falls below a preselected level, the suppression chamber suction valves automatically open. When both suppression chamber valves are fully open, the CST suction valve automatically closes. Two level sensors are used to detect the CST low water level condition. Either sensor can cause the suppression chamber suction valve to open. The suppression chamber suction valve also automatically opens, and the CST suction valve closes if a high water level is detected in the suppression chamber.

Two level sensors monitor the suppression pool water level. Either sensor can initiate the opening of the suppression chamber suction valves. If open, the suppression chamber suction valves automatically close upon receipt of the signals that initiate HPCI system steam line isolation.

Two dc motor-operated HPCI system pump discharge injection valves (F006, F105) are downstream of a single pump discharge shutoff valve (F007). The control scheme for these valves is shown in drawings E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009and is arranged to open upon receipt of HPCI system initiation signals. The injection valves close following a turbine trip signal.

To prevent damage by overheating at reduced HPCI system pump flow, a pump discharge minimum flow bypass is provided by an automatic, dc MOV whose control scheme is shown in drawings E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009. On HPCI system high flow, stop valve closure or steam supply valve closure, the valve is closed; on low flow, provided pump discharge pressure is above a pressure permissive setpoint (indicates pump is running), the valve is opened. Flow sensors that measure the pressure difference across a flow element in the HPCI system pump discharge line provide the signals to control this valve. There is also an interlock provided to shut the minimum flow bypass whenever the turbine is tripped due to the subsequent stop valve closure. This is necessary to prevent drainage of the CST into the suppression pool.

To prevent the HPCI system steam supply line from filling up with water and cooling, a condensate drain pot, steam line drain, and appropriate valves are provided in a drain line arrangement just upstream of the turbine supply valve. The control scheme is shown in drawings E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009. The controls position valves so that, during normal operation, steam line drainage is routed to the main condenser. Upon receipt of an HPCI system initiation signal, the drainage path is isolated. The water level in the steam line condensate drain pot is controlled by a steam trap and secondarily by a level switch and an AOV that opens to allow condensate to flow out of the pot.

CHAPTER 07 7.3-8 REV. 19, SEPTEMBER 2018

LGS UFSAR During test operation, the HPCI system pump discharge can be routed to the CST. The dc MOVs are installed in the pump discharge test line. The piping arrangement is shown in drawing M-55.

The control scheme for the valves is shown in drawings E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009. Upon receipt of an HPCI system initiation signal, the valves close and remain closed. The F011 is interlocked closed if the HPCI F041 or RCIC F029 or F031 valves are fully open. Indications pertinent to the operation and condition of the HPCI system are available to the plant operator. Drawings M-55, M-56, E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009 show the indications provided.

7.3.1.1.1.1.8 HPCI Separation Separation within the ECCS is designed so that no single occurrence can prevent core cooling when required. Control and instrumentation equipment wiring is segregated into separate divisions designated 1, 2, 3, and 4. Similar separation requirements are also maintained for the control and motive power required. Separation is as follows:

Division 1 Division 2 Division 3 Division 4 Core spray A Core spray B Core spray C Core spray D RHR "A" RHR "B" RHR "C" RHR "D" HPCI HPCI (including (including inboard isolation outboard valves) isolation valve)

ADS "A" ADS "C" The ADS, combined with the low pressure ECCS (CS and RHR), is considered a backup for HPCI.

A complete description of the physical independence between divisions is given in Section 7.1.2.2.

7.3.1.1.1.1.9 HPCI Testability The HPCI system has components that are not activated or tested during normal operation with an integrated testing procedure. These components are tested using manual test methods which allow for independent checking of individual system components. This testing includes verification of flow using the installed return piping such that the turbine and pump are operated. A system functional test, including simulated automatic actuation of the system, with verification that automatic valves in the injection flow path move to the correct position, is also performed.

Associated sensors and circuits are monitored to verify proper operation. The frequency of these tests and the parameters to be verified are identified in the Technical Specifications.

The HPCI instrumentation and control system is capable of being tested during normal unit operation to verify the operability of each system component. Testing of the initiation sensors that are located outside the drywell is accomplished by valving out each sensor, one at a time, and applying a test pressure source. This verifies the operability of the sensor. Trip units located in the auxiliary equipment room are calibrated individually by a calibration source with verification of setpoint by a digital readout located on the calibration module.

CHAPTER 07 7.3-9 REV. 19, SEPTEMBER 2018

LGS UFSAR

a. Calibration and test controls for the sensors are located in the reactor enclosure.

Calibration and test controls for the trip units are located in the auxiliary equipment room. To gain access to the calibration points of each sensor, a cover plate must be removed. The control room operator is responsible for granting access to the calibration points. Only properly qualified plant personnel are granted access for testing or calibration adjustments.

In addition to the above tests, operability of the sensors can be verified by cross-checking instrument readouts in the auxiliary equipment room at any time during operation.

b. Test jacks are provided to test the logic. Annunciation is provided in the control room whenever a test plug is inserted in a jack to indicate to the control room operator that the HPCI system is in the test status. Operation of the test plug switches can initiate or isolate the HPCI system. Injection into the reactor on an initiation signal is prevented by an interlock, actuated only when the test plug is inserted, which prevents the opening of one of the HPCI discharge valves. The test can be repeated with the other discharge valve interlocked closed. The manual initiation switch can also be tested at this time. This sequence of tests ensures that all components are tested. A logic test of the HPCI does not interfere with the operation of other ECCS equipment if required by an initiation signal.
c. The functional performance of the HPCI system can be verified by pumping water from the CST, through the full flow test lines, and back to the CST. If a LOCA were to occur during this mode of operation, the valve line-up would automatically be changed so that water can be pumped to the reactor.

During the above testing, the operation of the HPCI system can be observed in the control room by panel lamps, indicators, recorders, annunciators, and computer printout.

7.3.1.1.1.1.10 HPCI Environmental Considerations The only HPCI system control component located inside the primary containment that must remain functional in the environment resulting from a LOCA is the control mechanism for the inboard isolation valve on the HPCI system turbine steam line. The environmental capabilities of this valve are discussed in Section 7.3.1.1.2.12. The HPCI system control and instrumentation equipment located outside the primary containment is selected in consideration of the normal and accident environments in which it must operate. These conditions are discussed in Section 3.11.

7.3.1.1.1.1.11 HPCI Operational Considerations 7.3.1.1.1.1.11.1 HPCI General Information The HPCI system is not required for normal operations. Under abnormal or accident conditions, initiation and control are automatically provided for at least 10 minutes if required. After that time, operator action can assist the automatic controls to sustain core cooling.

7.3.1.1.1.1.11.2 HPCI Reactor Operator Information A detection system continuously confirms the integrity of the HPCI injection piping to the reactor vessel. The HPCI discharge to the reactor vessel is through a CS system line and sparger and feedwater line. A differential pressure sensor measures the pressure difference between the two CS system injection lines. If the CS piping is sound, the pressure difference is very small between these lines. If integrity is lost, increasing differential pressure initiates an alarm in the main control room. Pressure in the HPCI pump suction line is monitored by pressure transmitters, which initiate CHAPTER 07 7.3-10 REV. 19, SEPTEMBER 2018

LGS UFSAR alarms in the control room on high or low suction pressure and also provide signals to indicators in the control room. Sufficient level, flow, pressure, and valve position information is available in the control room for the operator to assess the HPCI system operation as shown in drawings M-55, M-56, E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009.

7.3.1.1.1.1.11.3 HPCI Setpoints See Chapter 16 for safety setpoints.

7.3.1.1.1.2 Automatic Depressurization System - Instrumentation and Controls 7.3.1.1.1.2.1 ADS Identification The ADS automatically controls five of the SRVs that are installed on the main steam lines inside the primary containment. Table 1 in drawing M-41 identifies which SRVs are controlled by the ADS. The valves are dual-purpose in that they relieve pressure by normal mechanical action or by automatic action of an electric-pneumatic control system. The relief by normal mechanical action is intended to prevent overpressurization of the RCPB. The depressurization by automatic action of the control system is intended to reduce the pressure during a LOCA in which the HPCI system is not available so that the CS system and/or LPCI system can inject water into the reactor vessel.

7.3.1.1.1.2.2 ADS Equipment Design The control system consists of pressure and water level sensors arranged in trip systems that control dual solenoid valves. The dual solenoid valves control the pneumatic pressure applied to an actuator that controls the SRV directly. An accumulator is included with the control equipment to store pneumatic energy for SRV operation. Cables from the sensors lead to the control structure, where the logic arrangements are formed in cabinets. The electrical control circuitry is powered by dc from the plant safeguard batteries. The power supplies for the redundant control circuits are selected and arranged to maintain tripping ability if there is an electrical power circuit failure. Electrical elements in the control system energize to cause the opening of the SRV. The instrument gas supply to the accumulators is furnished from a seismic Category I gas supply if the normal supply is lost. Seismic Category I backup gas supply is required to be connected at all times during normal operation.

7.3.1.1.1.2.3 ADS Initiating Circuits The pressure and level sensors used to initiate ADS are separated from those used to initiate the HPCI system. Drawing M-42 lists sensors with common transmitters. The ADS function is initiated automatically by low reactor water level and high drywell pressure signals or low reactor water level with the high drywell pressure bypass timer timed out. The ADS function can also be initiated by system-level remote manual switches. In either mode, the ADS valves are prevented from opening unless both pumps in either of the two CS loops, or any of the four RHR pumps, are running. In addition, each individual ADS valve can be opened manually without restriction from permissive sensors.

Reactor vessel low water level (level 1) is monitored by four level sensors that sense the difference between the pressure due to a constant reference leg of water and the pressure due to the actual height of water in the vessel as shown in drawing M-42. Each level sensor provides an input to a trip unit. Two pairs of lines, attached to taps above and below the water level on the reactor vessel, are required for the differential pressure measurement for the level sensors. The lines terminate outside the primary containment and inside the reactor enclosure. They are physically CHAPTER 07 7.3-11 REV. 19, SEPTEMBER 2018

LGS UFSAR separated from the HPCI sensors and tap off the reactor vessel at points widely separated from the HPCI sensors. These same lines are also used for pressure and water level instruments for other systems. Two additional level sensors are piped individually to confirm reactor vessel low water level (level 3) so that an instrument line break inside containment does not inadvertently initiate autoblowdown. The relay contacts from the trip units are arranged so that a set of sensors sensing low water level initiates the ADS system and a separate pair of sensors initiates the HPCI. This arrangement ensures that no single event due to reactor vessel low water level can prevent the initiation of both the HPCI system and the ADS.

Primary containment pressure is monitored by four pressure sensors that are mounted on instrument racks outside the drywell, but inside the reactor enclosure as shown in drawing M-42.

Pipes from the drywell interior to the sensors provide the sensing lines. Each drywell high pressure sensor provides an input into a trip unit. The sensors are grouped in a manner similar to the level sensors and are electrically arranged so that no single event due to primary containment high pressure can prevent the initiation of both the HPCI and the ADS systems.

Discharge pressure on the CS and RHR pumps is monitored by twelve pressure sensors; one sensor is at the discharge of each CS pump as shown in drawing M-52 and two sensors are at the discharge of each RHR pump as shown in drawing M-51. Each pressure sensor provides an input to a trip unit.

The primary containment high pressure signals are arranged to seal-in the control circuitry; they must be manually reset to clear. The level sensing logic and the pump discharge pressure signals do not seal-in.

A timer is used in each of the two ADS trip systems. The time delay setting before actuation of the ADS is long enough so that the HPCI system has time to operate, yet not so long that the LPCI and CS systems are unable to adequately cool the fuel if the HPCI system fails to start. An alarm in the control room is annunciated when either of the timers is timing. Resetting the ADS initiating signals recycles the timers. A manual reset switch is provided in each trip system to reset the timer to delay ADS initiation.

Within each trip system, if the reactor level is restored before the timer times out, the timer automatically resets, and autodepressurization is aborted. Should additional reactor level dips occur below the setpoints, the timer is again initiated.

7.3.1.1.1.2.4 ADS Logic and Sequencing Two initiation signals and one permissive signal are used for the ADS: reactor vessel low water level; drywell high pressure; and RHR and/or CS pumps running. If all signals are present, the ADS SRVs will open after the ADS timer runs out. If the high drywell pressure signal is not present, the ADS SRVs can open after the high drywell pressure bypass timer and ADS timer run out (Figure 7.3-4). There are two reactor vessel low water level signals associated with the ADS system; one (level 3) prevents undesired system operation, and the other (level 1) initiates the ADS. Primary containment high pressure indicates a breach in the RCPB inside the drywell. A permissive signal indicating RHR or CS pump discharge pressure is also required. Discharge pressure on any one of the RHR pumps or both pumps of either CS loop is sufficient to give the permissive signal, which permits automatic depressurization when the LPCI or CS systems are operating.

The ADS is composed of four logics, arranged with the A and E logics in ADS trip system A and the C and G logics in ADS trip system C. Each trip system controls one of the two solenoid valves CHAPTER 07 7.3-12 REV. 19, SEPTEMBER 2018

LGS UFSAR associated with each SRV. As shown in Figure 7.3-4, both logics in a trip system must be enabled to energize the solenoid valves associated with that trip system.

After receipt of the initiation signals and a delay provided by timers, one or both of the solenoid valves are energized. This allows pneumatic pressure from the accumulator to act on the cylinder operator. The pneumatic cylinder operator holds the relief valve open. Lights in the control room indicate when the solenoid valves are energized to open an SRV.

Manual reset circuits are provided in the ADS initiation logic. By manually resetting the initiation signal, the delay timers are recycled. The operator can use the reset push buttons to delay or prevent the automatic opening of the relief valves if such delay or prevention is prudent.

The operator's decision to use the manual reset circuits is based on the following criteria:

a. ADS logic shall not be reset prior to system initiation unless spurious initiation is verified.
b. ADS logic may be reset after system initiation if reactor vessel level is greater than Level 1 and sufficient water delivery capability exists to maintain this level.

The EOPs written in accordance with the BWROG EPGs further address operator intervention concerning the ADS function.

A manual inhibit switch is provided in each division of the ADS initiation logic. By placing this switch in the inhibit position, the automatic depressurization will be inhibited, and it will be indicated by a white status light and annunciator window in the control room. If the ADS has already begun and is sealed-in, the inhibit switch does not break the seal-in and does not terminate the ADS.

A manual initiation switch is provided in the control room for each ADS logic. The design minimizes the components that are common to both the manual and automatic logics. The manual initiation signal is sealed-in until reset by the operator.

Once opened by an ADS initiation, the ADS SRVs will return to their normal (closed) position if both ADS reset buttons dedicated to valve closure are depressed. If, however, the ADS initiating signal has not reset or the signal recurs, a subsequent time-delayed ADS trip and valve opening logic sequence will commence.

Activating both ADS divisional reset circuits is an acceptable operating method to prevent or limit inadvertent ADS valve actuation. This is considered to be a deliberate operator action and the only expedient means to close the ADS valves.

Control switches are available in the control room for manual operation of each SRV.

Two ADS trip systems are provided as shown in Figure 7.3-4. Division 1 sensors for low reactor water level and high drywell pressure initiate ADS A, and Division 3 sensors initiate ADS C.

The dual solenoids 'A' and 'B', on the pilot valve for each ADS SRV are individually controlled by ADS trip systems A and C, respectively.

The reactor vessel low water level initiation setting for the ADS is selected to depressurize the reactor vessel in time to allow adequate cooling of the fuel by the LPCI system or CS system following a LOCA in which the HPCI system fails to perform its function adequately. The primary containment high pressure setting selected is as low as possible without inducing a spurious CHAPTER 07 7.3-13 REV. 19, SEPTEMBER 2018

LGS UFSAR initiation of the ADS. This provides timely depressurization of the reactor vessel if the HPCI system fails to start or fails after it successfully starts following a LOCA.

The pump discharge pressure setting used as a permissive for depressurization is selected to ensure that at least one of the RHR pumps, or both pumps of either CS loop, have received electrical power, have started, and are capable of delivering water into the vessel. The setting is high enough to ensure that the pump or pump pair delivers at near-rated flow, yet not so low as to provide an erroneous signal that the pump or pump pair is running when it actually is not.

7.3.1.1.1.2.5 ADS Bypasses and Interlocks It is possible for the operator to manually delay the depressurizing action by the trip system reset switches. This would reset the timers to zero seconds and prevent depressurization until the timers have timed out. The operator would make this decision based on an assessment of other plant conditions. ADS is interlocked with the CS and RHR systems by pressure sensors located on the discharge of these pumps. This interlock ensures that at least one of the RHR pumps or both pumps of either CS loop are capable of delivering water into the vessel. Although the ac interlock is common to both the automatic and manual ADS initiation circuits, ADS initiation is not compromised because each of the trip systems is duplicated (ADS A and ADS C). For a failure of the ADS to occur, this interlock would have to fail in each of the ADS trip systems.

The high drywell pressure bypass timer is actuated on low water level (level 1). When this timer runs out, the high drywell pressure trip is bypassed, and the ADS timer is initiated on low water level alone. If the low water level signal clears before the high drywell pressure bypass timer runs out, the bypass timer will automatically reset.

7.3.1.1.1.2.6 ADS Redundancy and Diversity The ADS has two independent and redundant trip systems. Each trip system controls one of the two independent and redundant solenoid valves associated with each ADS valve. The initiating circuits for each trip system are redundant, as verified by the circuit description of this section.

7.3.1.1.1.2.7 ADS Actuated Devices The five SRVs associated with the ADS are equipped with remote manual switches so that the entire system can be operated manually as well as automatically. The valves also prevent RCPB overpressurization by their built-in mechanical action.

7.3.1.1.1.2.8 ADS Separation ADS is a Division 1 (ADS A) and Division 3 (ADS C) system except that only one set of relief valves is supplied. Each relief valve can be actuated by either of two solenoid valves supplying gas to the relief valve operator. One of the solenoid valves is actuated by trip system A and the other by trip system C. Logic relays, manual controls, and instrumentation are mounted so that Division 1 and Division 3 separation is maintained. A complete description of the physical independence between divisions is given in Section 7.1.2.2.

7.3.1.1.1.2.9 ADS Testability The ADS has two divisional trip systems, and either one can initiate automatic depressurization.

Each trip system has two trip logics, both of which must trip to initiate ADS. Four test jacks are provided, one in each trip logic. During testing, only one trip logic is actuated at a time to prevent spurious ADS operation. The test plug switch disables one trip logic of a trip system while the other CHAPTER 07 7.3-14 REV. 19, SEPTEMBER 2018

LGS UFSAR is undergoing test. Actuation of appropriate trip units in the trip logic being tested closes one of the two series relay contacts in the valve solenoid circuit. This causes a panel light to come on, indicating proper trip logic operation and also continuity of the solenoid electrical circuit. Testing of the other trip logic and trip system is similar. Annunciation is provided in the control room whenever a test plug is inserted in a jack to indicate to the reactor operator that the ADS is in a test status. Testing in one division of the ADS does not interfere with automatic operation of the other division if required by an initiation signal.

Integrated testing of the ADS solenoid valves and circuitry is not performed with the plant operating at power, which is consistent for safety systems where the final actuating device(s) would cause temporary modification of plant processes such as fluid injection or discharge. The Technical Specifications provide for a functional partially integrated test without valve actuation. The transmitter/ trip units that provide sensory inputs to the ADS are checked by station personnel. The logic chain up to the solenoid is tested by manually inserting a trip signal and observing the trip logic lights which indicate both continuity of the solenoid circuit and proper trip logic operation 7.3.1.1.1.2.10 ADS Environmental Considerations The signal cables, solenoid valves, and SRV operators are the only essential control and instrumentation equipment for the ADS located inside the primary containment. These items operate in the most severe environment resulting from a design basis LOCA (Section 3.11).

Gamma and neutron radiation have been considered in the selection of these items. Equipment located outside the primary containment operates in an appropriate environment. The environmental conditions for these areas are discussed in Section 3.11.

7.3.1.1.1.2.11 ADS Operational Considerations 7.3.1.1.1.2.11.1 ADS General Information The instrumentation and controls of the ADS are not required for normal plant operations. When automatic depressurization is required, it is initiated automatically or manually by the circuits described in this section.

7.3.1.1.1.2.11.2 ADS Reactor Operator Information Recorders and indicators in the control room provide information regarding reactor water level and drywell pressure.

Each manual and automatic ADS input is provided to the annunciator system. Annunciation is also provided on initiation of the ADS timers, tripping of each logic, and system out-of-service indication.

All interface with the annunciator system is through isolated contacts.

7.3.1.1.1.2.11.3 ADS Setpoints See Chapter 16 for safety setpoints.

7.3.1.1.1.3 Core Spray System - Instrumentation and Controls 7.3.1.1.1.3.1 CS System Identification The CS system consists of two independent and redundant spray loops as illustrated in drawing M-52.

CHAPTER 07 7.3-15 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.1.3.2 CS Equipment Design The two spray loops are physically and electrically separated so that no single physical or electrical event makes both loops inoperable. Each loop includes two ac motor-driven pumps, each with a separate suction path from the suppression pool, necessary control and instrumentation devices and valves, and a discharge path connected directly to the reactor which is common to both pumps. Each pump supplies 50% of the required core spray flow so either loop can satisfy 100%

of the core spray design requirements. The controls and instrumentation for the CS system include the sensors, relays, wiring, and valve operating mechanisms used to start, operate, and test the system. Except for the testable check valve and the bypass valve in each spray loop that are inside the primary containment, the sensors and valve operating mechanisms for the CS system are located in the reactor enclosure. Testable check valves are described in Chapter 6. Cables from the sensors are routed to the control structure, where the logic circuitry is assembled in electrical panels. Each pump, associated suction valve, instrumentation, control and motive devices are assigned to separate electrical safety divisions. Each division is fully separated (including instrumentation, control, and power cables) from each of the other divisions as required by the LGS electrical separation criteria. Logic and motive power for each division is supplied from safeguard power sources within the division. The remaining devices and valves in each loop are assigned to the same safety divisions as the pumps in that loop to provide adequate separation between the redundant loops. Control power for each of the CS pumps comes from separate dc buses. The electrical equipment in the control room for one CS loop is separated from that used for the other loop.

7.3.1.1.1.3.3 CS Initiating Circuits Trip units associated with two reactor vessel low water level sensors and two drywell high pressure sensors in conjunction with two reactor low pressure sensors are electrically connected in a one-out-of-two-twice arrangement for each CS pump as shown in Figure 7.3-9, so that no single event can prevent initiation of CS.

The following discussion describes the initiation and operation of the 'A' core spray loop. The 'B' loop is initiated and operated similarly and independently of the 'A' loop. The 'A' loop is automatically initiated when a LOCA condition (low reactor vessel level or high drywell pressure coincident with low reactor vessel pressure) exists. The 'A' core spray loop can also be manually initiated by arming and depressing the 'A' and 'C' core spray initiation switches ('B' & 'D' switches for B loop).

Upon receipt of either of the above loop initiation signals in their respective divisions of initiation logic, the 'A' and 'C' core spray pumps start automatically, the core spray test return line to the suppression pool is automatically isolated, and a signal to open the inboard and outboard loop injection valves is initiated. However the normally-closed inboard injection valve (also refereed to as the injection valve) and the normally-open outboard injection valves are interlocked to prevent opening if reactor pressure is greater than the pressure permissive setpoint (determined by monitoring reactor pressure) or if power is not available at the 4 kV bus to which the 'A' core spray pump is connected.

When the 4 kV bus is energized and reactor pressure has decreased to below the pressure permissive setpoint the injection valves will automatically open. The pressure permissive setpoint prevents overpressurizing the low pressure portions of core spray.

Each of the components in the core spray flow path can also be manually operated from the control room by means of the component's individual control switch. The inboard injection valve is interlocked to prevent opening unless; either its respective loop initiation signal with 4kV power and CHAPTER 07 7.3-16 REV. 19, SEPTEMBER 2018

LGS UFSAR pressure permissive is present (as described above), or the associated outboard injection valve is closed.

Reactor vessel low water level is monitored by eight level sensors that sense the difference between the pressure that is due to a constant reference leg of water and the pressure that is due to the actual height of water in the vessel. Each level sensor provides an input to a trip unit located in the control structure. Refer to Figure 7.3-26 for a diagram of level sensor connections. The lines terminate outside the primary containment and inside the reactor enclosure.

Drywell pressure is monitored by eight sensors mounted on instrument racks in the reactor enclosure. Four sensing lines that terminate in the reactor enclosure allow the sensors to measure the drywell interior. Each drywell high pressure sensor provides an input to a trip unit located in the control structure.

Reactor pressure is monitored by twelve pressure sensors mounted on racks in the reactor enclosure. Four of the pressure sensors are used to develop system initiation signals, four are used in development of injection value open-permissive interlocks, four provide inputs to both system initiation and injection valve open-permissive interlock logic. Four sensing lines that terminate in the reactor enclosure allow the sensors to measure the reactor vessel. Each pressure sensor provides an input to a trip unit located in the control structure.

The CS initiation signal also initiates the corresponding diesel generator.

7.3.1.1.1.3.4 CS Logic and Sequencing The control scheme for the CS system is illustrated in Figure 7.3-9. The logic of BOP portions of the CS system is shown in drawing M-52FD. Trip settings are given in Chapter 16. The overall operation of the system following the receipt of an initiating signal is as follows:

a. Test bypass valves are closed and interlocked to prevent opening.
b. If offsite ac power is available, the CS pumps in one loop start after a 10 second delay, and the CS pumps in the other loop start after a 15 second delay.
c. If offsite ac power is not available, the CS pumps in both spray loops start 7 seconds after standby power becomes available for loading.
d. The pump minimum flow bypass valves open as soon as the core spray pumps start.
e. When reactor vessel pressure drops to a preselected value, valves open in the pump discharge lines, allowing water to be sprayed over the core.
f. When pump discharge flow is greater than a preselected value, the pump minimum flow bypass valves shut, directing full flow into the reactor vessel.

Three initiating variables are used for the CS system: reactor vessel low water level; drywell high pressure; and reactor vessel low pressure.

The CS initiation logic is a one-out-of-two-twice network using level and pressure sensors. The initiation signal is generated when:

a. Both level sensors are tripped.

CHAPTER 07 7.3-17 REV. 19, SEPTEMBER 2018

LGS UFSAR

b. Four pressure sensors are tripped (two high drywell pressure and two low reactor vessel).
c. Either of two combinations of one level sensor and two pressure sensors (one high drywell and one low reactor vessel) are tripped.

The CS system can also be manually initiated.

Once an initiation signal is received by the CS control circuitry, the signal is sealed-in until manually reset. The seal-in feature is shown in Figure 7.3-9.

The pressure permissive signal for opening the respective injection valve is provided by four division (1) or four division (2) pressure sensors that monitor reactor vessel pressure. Two of these sensors are the ones described in Section 7.3.1.1.1.3.3, to initiate the CS system in conjunction with high drywell pressure. The other two sensors are located on the same sensing lines and provide signals to trip units located in the control structure. These pressure signals are arranged in a one-out-of-two-twice logic.

7.3.1.1.1.3.5 CS Bypasses and Interlocks The CS pump motors and inboard injection valves are provided with manual override controls that allow the operator to control the system following automatic initiation.

A pressure transmitter is installed upstream of each pump discharge check valve. These pressure signals are used in the ADS to indicate that core spray pumps are running, allowing actuation of the ADS.

The CS initiation signal also initiates the corresponding diesel generator and is used to trip the drywell chillers.

7.3.1.1.1.3.6 CS Redundancy and Diversity As described in Section 7.3.1.1.1.3.4, sufficient redundancy and diversity of initiation signals is provided to prevent a single failure from preventing initiation of the CS system. Core spray is a four-pump, two-loop system that is backed up by the four-loop LPCI mode of the RHR system.

Each of the two CS loops is independent.

Each loop of either core spray or LPCI in itself is not designed to sustain a single failure and still perform its design functions. Single failures such as: loss of one division of safeguard power, logic failure in one division, or an instrument failure in one division can disable one loop of core spray and/or one loop of LPCI including both manual and automatic operation of those loops. For a DBA coincident with a worst case single failure, the most demanding and limiting scenarios on low pressure ECCS are:

a. A pipe break that is not part of the low pressure ECCS and a single diesel generator failure. Three LPCI loops and one core spray loop would remain.
b. A low pressure ECCS pipe break and a single diesel generator failure. If the pipe break is in core spray, three LPCI loops would remain. If the pipe break is in LPCI, one core spray loop and two LPCI would remain.

CHAPTER 07 7.3-18 REV. 19, SEPTEMBER 2018

LGS UFSAR For either scenario, the remaining low pressure ECCS loops are more than sufficient to satisfy the low pressure coolant flow requirements to the reactor.

The above scenarios are more demanding on the low pressure ECCS than the failure of any one core spray or LPCI instrument. Hence, the consequences of a single core spray or LPCI instrument failure are bounded by the consequences for the above scenarios. Because the low pressure ECCS is designed with sufficient redundancy and separation to perform their design functions in the worst case single failure scenarios, no design changes are required to reduce the consequence of a single failure of a core spray or LPCI instrument.

7.3.1.1.1.3.7 CS Actuated Devices The control arrangements for the CS pumps are shown in Figure 7.3-9. The circuitry provides for detection of normal power available, so that all pumps are automatically started in sequence. Each pump can be manually controlled by a control room remote switch or the automatic control system.

The CS pump motors are provided with overload and undervoltage protection. Overload relays are sized so as to maintain power as long as possible without immediate damage to the motors or emergency power system.

Flow-measuring instrumentation is provided in the discharge line of each set of core spray pumps.

This instrumentation provides flow indication in the control room.

Except where otherwise specified, the remainder of the description of the CS system refers to one spray loop. The second CS loop is identical. The control arrangements for the various automatic valves in the CS system are indicated in Figure 7.3-9. All MOVs can be controlled from the control room and are equipped with limit and torque switches to turn off the valve motor when the valve reaches the limits of movement and provide control room indication for valve position.

Each automatic valve can be operated from the control room. Overload protection is provided to valve motors in accordance with Section 8.1.6.1.19. The valves in the suction paths from the suppression pool are key-locked open and require no automatic action to line-up CS suction.

Upon receipt of an initiation signal, the test bypass valve is automatically closed and interlocked shut. The injection valves are automatically opened when reactor vessel pressure drops to a preselected value; the setting selected is low enough so that the low pressure portions of the CS system are not overpressurized, yet is high enough to open the valves in time to provide adequate cooling for the fuel. The full stroke operating times of the MOVs are selected to be rapid enough to ensure proper delivery of water to the reactor vessel following a DBA.

A flow sensor on the discharge of each set of pumps provides a signal to operate the minimum flow bypass line valve for each loop. When the flow reaches the value required to prevent pump overheating, the valves close and all flow is directed into the sparger.

7.3.1.1.1.3.8 CS Separation The CS system consists of four pumps, each with its own independent logic and control power source. The sensors used to initiate one core spray pump are separated from those used to initiate the other core spray pumps. The locations of the instrumentation and controls components are provided in Table 1.7-3.

Logics for the A and B loop valves are powered by the 125 V dc buses A and B, respectively.

A complete description of the physical independence between divisions is given in Section 7.1.2.2.

CHAPTER 07 7.3-19 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.1.3.9 CS Testability The CS System has components that are not activated or tested during normal operation with an integrated testing procedure. The components are tested using manual test methods which allow for independent checking of individual components. This testing includes verification of flow using the installed test piping such that the motors and pumps are operated. A system function test, including automatic actuation of the system, with verification that automatic valves in the injection flow path move to the correct position, is also performed. Associated sensors and circuits are monitored to verify proper operation. The frequency of these tests and the parameters to be verified are identified in the Technical Specifications.

The CS system is capable of being tested during normal operation by an overlapping series of tests. All sensors are individually valved out of service and subjected to a test pressure. This verifies the operability of the sensors as well as the calibration range. The trip units mounted in the auxiliary equipment room are calibrated individually by a calibration source with verification of setpoint by a digital readout located on the calibration module.

a. Calibration and test controls for the sensors are located in the reactor enclosure.

Calibration and test controls for the trip units are located in the auxiliary equipment room. To gain access to the calibration points of each sensor, a cover plate must be removed. The control room operator is responsible for granting access to the calibration points. Only properly qualified plant personnel are granted access for testing or calibration adjustments.

In addition to the above tests, the operability of the sensors can be verified by cross-checking instrument readouts in the auxiliary equipment room at any time during operation.

b. Test jacks are provided to test the logic. Annunciation is provided in the control room whenever a test plug is inserted in a jack to indicate to the control room operator that the CS system is in the test status. Operation of the test plug switches initiates the system. Injection into the reactor is prevented by an interlock actuated when the test plug is inserted. This will prevent the automatic opening of either the inboard or the outboard injection valve, depending on the position of the test switch that is used to select which valve to test. The manual initiation switches can also be tested. This sequence of tests ensures that all components are tested. A logic test of one CS loop does not interfere with the operation of the other CS loop if required by an initiation signal.
c. The functional performance of CS components can be verified by pumping water to the suppression pool through the full flow test line. If a LOCA were to occur during this mode of operation, the valve line-up would automatically be changed so that water can be pumped to the reactor.

During the above testing, CS operation can be observed in the control room by panel lamps, indicators, recorders, annunciators, and computer printout.

7.3.1.1.1.3.10 CS Environmental Considerations The testable check valves are the only control and instrumentation components for the CS system that are located inside the primary containment that must operate in the environment resulting from a LOCA. All other components of the CS system that are required for system operation are outside CHAPTER 07 7.3-20 REV. 19, SEPTEMBER 2018

LGS UFSAR the drywell and are selected in consideration of the normal and accident environments in which they must operate. The environmental conditions for the areas where the equipment is located are provided in Section 3.11.

7.3.1.1.1.3.11 CS Operational Considerations 7.3.1.1.1.3.11.1 CS General Information The CS system is not required for normal plant operation. When it is required for accident conditions it is automatically initiated by the circuitry described in this section. No operator action is required for at least 10 minutes following initiation. After this time, operator action can assist the automatic controls to sustain core cooling.

7.3.1.1.1.3.11.2 CS Reactor Operator Information Sufficient temperature, flow, pressure, and valve position indications are available in the control room for the operator to accurately assess CS system operation. Valves have indications of fully open, intermediate, and fully closed position. The pump has indications for pump running and pump stopped. Alarm and indication devices are shown in drawing M-52 and Figure 7.3-9. A detection system continuously confirms the integrity of the CS A and B injection line piping to the reactor vessel. A differential pressure sensor measures the pressure difference between the two injection lines. If the CS A and B piping is sound, the pressure difference will be very small between these lines. If integrity is lost, an increase in differential pressure initiates an alarm in the control room. Pressure in each CS pump suction line is monitored by a local pressure indicator to determine suction head and pump performance. Pressure in the discharge line of each CS loop is monitored by a pressure indicator in the control room to determine pump performance.

7.3.1.1.1.3.11.3 CS Setpoints See Chapter 16 for safety setpoints.

7.3.1.1.1.4 LPCI Mode of the RHR System - Instrumentation and Controls 7.3.1.1.1.4.1 LPCI System Identification LPCI is an operating mode of the RHR system. The RHR system and its operating modes are discussed in Sections 5.4 and 6.3. Because the LPCI mode of the RHR system is designed to provide water to the reactor vessel following the design basis LOCA, the controls and instrumentation for it are discussed herein.

7.3.1.1.1.4.2 LPCI Equipment Design Drawing M-51 shows the entire RHR system, including the equipment used for LPCI operation.

This drawing identifies nonsafety-related parts of this system. Control and instrumentation required for the operation of the LPCI mode are electric Class 1E and seismic Category I.

The instrumentation for LPCI operation controls other valves in the RHR. This ensures that the water pumped from the suppression pool by the main system pumps is routed directly to the reactor. These interlocking features are described in this section.

LPCI, an operating mode of the RHR system, consists of four independent and redundant loops.

Each loop contains a separate suction path from the suppression pool, a motor-driven pump, necessary control and instrumentation devices and valves, and a separate injection path that CHAPTER 07 7.3-21 REV. 19, SEPTEMBER 2018

LGS UFSAR discharges directly into the reactor. Drawing M-51 shows the locations of instruments, control equipment, and LPCI components. Except for the LPCI testable check valves, the components pertinent to LPCI operation are located outside the primary containment.

Each loop is assigned to a separate electrical safety division. Logic and motive power for each division is supplied from safeguard power sources within that division. Each safety division is fully separated (including instrumentation, control, and power cables) from each of the other safety divisions as required by the LGS electrical separation criteria. Each LPCI pump will supply 100%

of the loop design flow. Power for the main system pumps is supplied from ac buses that can receive standby ac power. Motive power for each of the injection valves, one in each loop, used during LPCI operation comes from a separate bus that can be automatically connected to standby power sources. Control power for all LPCI components, except valves, comes from the dc buses.

Redundant trip systems are powered from different dc buses.

LPCI is arranged for automatic operation and for remote manual operation from the control room.

The equipment provided for manual operation of the system allows the operator to take action independent of the automatic controls if there is a LOCA.

7.3.1.1.1.4.3 LPCI Initiating Circuits Two automatic initiation signals are provided for the LPCI mode of operation of the RHR systems:

reactor vessel low water level and drywell high pressure with a reactor vessel low pressure permissive. Either will initiate the LPCI mode of operation. The same sensors and trip units used for initiation of the CS system are used to initiate LPCI.

The low water level or high drywell pressure coincident with reactor low pressure initiation signal for LPCI is a one-out-of-two-twice arrangement as described in Section 7.3.1.1.1.3.3 for the CS system.

Drawing M-42 can be used to identify the instrument rack used for the sensors. Table 1.7-3 can be used to determine the location of the sensors, and drawings E11-1030-F-001, E11-1030-F-002, and E11-1030-F-003 can be used to determine the functional use of each sensor in the control circuitry for LPCI components. Instrument characteristics are given in Table 7.3-4.

The following discussion describes the initiation and operation of the 'A' LPCI loop only. The three remaining loops are initiated and operated similarly and each loop is initiated and operated independently of the other loops. The 'A' LPCI loop is automatically initiated when LOCA condition (reactor vessel low level or containment high pressure coincident with reactor low pressure) exists.

LPCI can be manually initiated from the control room by arming and depressing the loop initiation switch.

Upon receipt of the LOCA or manual initiation signal, the 'A' RHR pump is automatically started.

The necessary valves required to isolate non-LPCI portions of the RHR system from the LPCI flow path are automatically closed. A signal to open the 'A' LPCI injection valve is initiated, however the valve is interlocked to prevent opening if reactor pressure is greater than the RHR piping design maximum pressure (determined by monitoring the P across the injection valve) or if power is not available at the 4 kV bus to which the 'A' RHR pump motor is connected. When the 4 kV bus is energized and reactor pressure has decreased to below the RHR piping design maximum pressure, the injection valve will automatically open and allow low pressure coolant injection.

Each of the components in the LPCI flow path can also be manually operated from the control room by means of each component's individual control switch. Again the LPCI valve is interlocked to prevent opening if reactor pressure is greater than the RHR piping design maximum pressure.

CHAPTER 07 7.3-22 REV. 19, SEPTEMBER 2018

LGS UFSAR The interlocks and control devices used in this manner are the same as those used for automatic operation.

7.3.1.1.1.4.4 LPCI Logic and Sequencing The control scheme for LPCI operation is illustrated in drawings E11-1030-F-001, E11-1030-F-002, and E11-1030-F-003. The logic for BOP portions of the LPCI system is shown in drawing M-51FD.

Three variables are used for LPCI: reactor vessel low water level, drywell high pressure, and reactor vessel low pressure.

The LPCI initiation logic is a one-out-of-two-twice network using appropriately connected trip units from level and pressure sensors. The initiation signal is generated when:

a. Both level sensor trip units are tripped.
b. Four pressure sensor trip units are tripped (two high drywell pressure and two low reactor vessel pressure).
c. Either of two other combinations of one level sensor trip unit and two pressure sensor (one high drywell and one low reactor vessel) trip units are tripped.

LPCI operation can also be manually initiated.

Once an initiation signal is received by the RHR control circuitry, the signal is sealed-in until manually reset. The seal-in feature is shown in drawings E11-1030-F-001, E11-1030-F-002, and E11-1030-F-003.

The overall LPCI operating sequence following the receipt of an initiation signal is as follows:

a. If offsite ac power is available, the C and D RHR pumps start immediately, taking suction from the suppression pool. The other two pumps start after a 5 second delay to limit the loading of the power sources. If offsite ac power is lost, standby power sources become available, and all pumps start immediately.
b. Valves used in other RHR modes are automatically positioned so that the water pumped from the suppression pool is routed correctly.
c. The LPCI injection valves automatically open when the differential pressure across the valves decreases to less than a pre-established value.
d. When reactor vessel pressure has dropped to a value at which the RHR pumps are capable of injecting water into the reactor, water is delivered to the reactor vessel via four independent loops.
e. An open signal is applied to the RHR heat exchanger bypass valves for the first 3 minutes following LPCI initiation to ensure that full injection flow is available, then it is removed to permit the operator to manually throttle flow for other modes of operation.
f. The valves in the suction paths from the suppression pool are key-locked open and require no automatic action to line-up LPCI suction.

CHAPTER 07 7.3-23 REV. 19, SEPTEMBER 2018

LGS UFSAR

g. The valves at the primary containment penetration in the pump minimum flow recirculation return lines to the suppression pool and in the full flow test return line to the suppression pool are normally open. These valves can be repositioned only by a key-locked switch in the control room. The logic for these valves is shown in drawing M-51FD.

7.3.1.1.1.4.5 LPCI Bypasses and Interlocks Two pressure transmitters are installed in each pump discharge pipeline to verify that the pumps are operating following an initiation signal. The pressure signal is used in the ADS to verify availability of low pressure core cooling. The pressure instruments are located upstream of the pump discharge check valves. Limit switches from the system suction valves are used to trip the RHR pump motors if a suction flow path is not established. The system pump motors are provided with overload protection. The overload relays maintain power on the motors as long as possible without harming the motors or jeopardizing the emergency power system.

The RHR pump motors and injection valves are provided with manual override controls that allow the operator to control the system following automatic initiation.

The valves that allow the diversion of water for suppression pool spray are automatically closed upon receipt of an LPCI initiation signal. The manual controls for these valves are interlocked so that opening the valves by manual action is not possible unless the reactor vessel injection valve in its respective RHR loop is closed or the LPCI initiation signal is not present. The valves that allow diversion of water for containment spray are normally closed. The manual controls for these valves are interlocked so that opening both valves in one drywell spray loop by manual action is not possible unless an LPCI initiation signal is present, the reactor vessel injection valve in its respective RHR loop is closed, and drywell pressure is high. The sensors used to monitor drywell pressure for LPCI initiation are also used in the drywell spray logic. The trip setting is selected to be as low as possible yet provide indication of abnormally high drywell pressure. The drywell pressure switches are arranged in a one-out-of-two logic arrangement as shown in drawings E11-1030-F-001, E11-1030-F-002, and E11-1030-F-003.

7.3.1.1.1.4.6 LPCI Redundancy and Diversity The LPCI is redundant in that four separate loops are provided. Failure of any one loop still allows three pumps to supply water to the reactor.

The LPCI mode of operation is initiated by either reactor vessel low water level or primary containment high pressure coincident with low reactor vessel pressure. These two initiating signals are diverse indications of a LOCA. Diversity for LPCI is provided by the CS system.

7.3.1.1.1.4.7 LPCI Actuated Devices The functional control arrangement for the RHR pumps is shown in drawings E11-1030-F-001, E11-1030-F-002, and E11-1030-F-003. The circuitry provides for detection of normal power available so that all pumps are automatically started in sequence. The operator can manually control the pumps from the control room, thus permitting the operator to use the pumps for other purposes such as containment cooling. Controls for the pumps are discussed in Section 7.3.1.1.1.4.5.

All automatic valves used in the LPCI function are equipped with remote manual test capability.

The entire system can be operated from the control room. All MOVs are equipped with limit and CHAPTER 07 7.3-24 REV. 19, SEPTEMBER 2018

LGS UFSAR torque switches to turn off the motors when the valve reaches the limits of movement and to provide control room indication. Valves that have vessel and containment isolation requirements are described in Section 7.3.1.1.2. Overload protection is provided to valve motors in accordance with Section 8.1.6.1.19.

The RHR pump suction valves from the suppression pool are normally open. To reposition the valves, a key-lock switch must be turned in the control room. On receipt of an LPCI initiation signal, other RHR system valves are signaled to open or close, as required, even though they may normally be left in the proper position to ensure that the RHR pump discharge is correctly routed.

Included in this set of valves are the valves that, if not closed, would permit the RHR system pumps to take suction from the reactor recirculation loops and pump water to the reactor during normal shutdown cooling operation.

A timer similar to that used in the LPCI system pump control circuitry cancels the LPCI open signal to the heat exchanger bypass valves after a 3 minute delay, which is time enough to permit satisfactory start of the LPCI system. The signal cancellation allows the operator to control the flow through the heat exchangers for other postaccident purposes. Cancelling the open signal does not cause the bypass valves to close.

A flow sensor on the discharge of each pump provides a signal to operate the minimum flow bypass valve in that loop. When the flow has been established above the value required to prevent pump overheating, the valves close and all flow is directed into the reactor.

7.3.1.1.1.4.8 LPCI Separation Four separate logics located in separate panels and powered by four 125 V dc buses are used.

Control power for pumps A through D is from the corresponding 125 V dc buses A through D. AC power for A through D pump motors is supplied from the corresponding A through D 4160 V buses.

A complete description of the physical independence between divisions is given in Section 7.1.2.2.

7.3.1.1.1.4.9 LPCI Testability The LPCI mode of the RHR system has components that are not activated or tested during normal operation with an integrated testing procedure. These components are tested using manual test methods which allow for independent checking of individual system components. This testing includes verification of flow using the installed test piping such that the motors and pumps are operated. A system function test, including automatic actuation of the system, with verification that automatic valves in the injection flow path move to the correct position, is also performed.

Associated sensors and circuits are monitored to verify proper operation. The frequency of these tests and the parameters to be verified are identified in the Technical Specifications.

The RHR system is capable of being tested during normal plant operation by an overlapping series of tests:

a. All sensors can be individually valved out-of-service and subjected to a test pressure. This verifies the operability of the sensors as well as the calibration range. The trip units mounted in the auxiliary equipment room can be calibrated individually by a calibration source with verification of setpoint by a digital readout located on the calibration module.

Calibration and test controls for the sensors are located in the reactor enclosure.

Calibration and test controls for the trip units are located in the auxiliary equipment CHAPTER 07 7.3-25 REV. 19, SEPTEMBER 2018

LGS UFSAR room. To gain access to the calibration points of each sensor, a cover plate must be removed. The control room operator is responsible for granting access to the calibration points. Only properly qualified plant personnel are granted access for testing or calibration adjustment.

In addition to the above tests, the operability of the sensors can be verified by cross-checking instrument readouts in the auxiliary equipment room at any time during operation.

b. Test jacks are provided to test the logic. Annunciation is provided in the control room whenever a test plug is inserted in a jack to indicate to the control room operator that the RHR system is in the test status. Operation of the test plug switches initiates LPCI. Injection into the reactor is prevented by an interlock, actuated only when the test plug is inserted, which prevents the opening of the LPCI discharge valve. After the RHR pump is tripped, the LPCI discharge valve can be opened to ensure its operability. The manual initiation switches can also be tested. This sequence of tests ensures that all components are tested. A logic test of one LPCI loop does not interfere with the operation of the other LPCI loops if required by an initiation signal.
c. Functional performance of LPCI components can be verified by pumping water to the suppression pool through the full flow test line. If a LOCA were to occur during this mode of operation, the valve line-up would automatically be changed so that water can be pumped to the reactor.

During the above testing, LPCI operation can be observed in the control room by panel lamps, indicators, recorders, annunciators, and computer printout.

7.3.1.1.1.4.10 LPCI Environmental Considerations The only control components pertinent to LPCI operation that are located inside the drywell are those controlling the air-operated testable check valves on the injection lines. Other equipment, located outside the primary containment, is selected in consideration of the normal and accident environments in which it must operate. The environmental conditions for the areas where the equipment is located are provided in Section 3.11.

7.3.1.1.1.4.11 LPCI Operational Considerations 7.3.1.1.1.4.11.1 LPCI General Information LPCI is a mode of the RHR system. The pumps, valves, piping, etc., used for LPCI are also used for other modes of the RHR system. The LPCI mode is not required for normal operation. When it is required for accident conditions, it is initiated automatically by the circuitry described in this section. No operator action is required for at least 10 minutes following initiation. The operator may manually control the RHR system after a 3 minute delay (for the RHR heat exchanger bypass valve open command timers) to use its capabilities in the other modes of the RHR system, provided the core is being cooled by other portions of the ECCS.

7.3.1.1.1.4.11.2 LPCI Reactor Operator Information Sufficient temperature, flow, pressure, and valve position indications are available in the control room for the operator to accurately assess the LPCI system operation. A detection system continuously confirms the integrity of the injection line piping to the reactor vessel. Differential CHAPTER 07 7.3-26 REV. 19, SEPTEMBER 2018

LGS UFSAR pressure sensors sense the pressure differential between injection lines of RHR A and C loops and between the B and D loops. If the piping is sound, the pressure differential is very small between these lines. If integrity is lost, an increase in differential pressure initiates an alarm in the control room. Valves have indications of fully open, intermediate, and fully closed positions. Pumps have indications for pump running and pump stopped. Alarm and indication devices are shown in drawings M-51, E11-1030-F-001, E11-1030-F-002, and E11-1030-F-003.

7.3.1.1.1.4.11.3 LPCI Setpoints See Chapter 16 for safety setpoints.

7.3.1.1.1.5 Manual Shutdown of ECCS Pumps Design provisions in the ECCS allow the operator to manually shut down the ECCS pumps after they have been automatically started.

The HPCI pump-turbine driver can be stopped after starting automatically, and in the presence of an automatic signal, by: (1) closing the system supply isolation valves or (2) pressing the isolation push button, which closes the steam supply valves, the pump discharge valve, and the pump suction valve (from the suppression pool) and trips the HPCI turbine.

Provisions in the core spray and RHR systems allow the operator to stop any of the pumps after an automatic start signal. There are also provisions in both systems to allow the operator to close the injection valves after they have been signalled open. Operator action is required to reopen the injection valve or to restart the stopped pump as long as the original accident signal is still present and has not been reset.

7.3.1.1.2 Primary Containment and Reactor Vessel Isolation Control System - Instrumentation and Controls 7.3.1.1.2.1 PCRVICS Identification The PCRVICS includes the instrument channels, trip logics, and actuation circuits that activate valve closing mechanisms associated with the valves that, when closed, effect isolation of the primary containment or reactor vessel or both. The following description of the PCRVICS instrument channels and logic circuits are applicable to the Nuclear Steam Supply Shutoff System, and the Plant Leak Detection System unless noted otherwise.

PCRVICS provides initiation to the following systems:

a. SGTS (Section 7.3.1.1.7)
b. REIS and HVAC support system (Section 7.3.1.1.9)

The purpose of the system is to prevent the gross release of radioactive materials to the environment from the fuel or a break in the RCPB. The PCRVICS automatically isolates the appropriate pipelines that penetrate the primary containment whenever monitored variables exceed preselected setpoints. All other pipelines that penetrate primary containment are manually isolated. The power generation objective of this system is to prevent spurious closure of isolation valves as a result of single failure. A list of valves closed by PCRVICS is provided in Table 6.2-17.

7.3.1.1.2.2 PCRVICS Power Sources Power for the system instrument channels except for the Leak Detection System (Refer to Section 7.6.1.3.2) are supplied from the two nonessential electrical buses that supply the RPS trip systems.

CHAPTER 07 7.3-27 REV. 19, SEPTEMBER 2018

LGS UFSAR Power for the isolation logics of the isolation control system and MSIVs are supplied from the two nonessential electrical buses that supply the RPS trip systems. Each bus has its own inverter and can receive alternate power from an alternate power source. Each bus can be supplied from only one of its power sources at any given time. Additional details of these power sources are given in Section 7.2.1.1.3.

The MSIV electrical control power is supplied as follows:

Inboard (Div 1) Outboard (Div 2)

Solenoid 1 RPS Bus A RPS Bus B Solenoid 2 125 V dc Bus A 125 V dc Bus B A pressurized pneumatic supply is required for motive power to open the MSIVs. The power to close these valves is provided by pneumatic and spring force .

Motor-operated isolation valves and solenoid pilot valves for air-operated isolation valves receive power from essential emergency buses. Power for the operation of any two valves mounted in series is supplied from independent essential sources.

Direct solenoid-operated main steam, RHR and reactor water sample valves are energized open against spring pressure by essential 120 vac instrument power. Spring pressure provides closure force.

7.3.1.1.2.3 PCRVICS Equipment Design The isolation valve arrangement for pipelines that penetrate containment is discussed in Section 6.2.4. The general valve arrangements are as follows:

a. Pipelines that penetrate primary containment and communicate directly with the reactor vessel have two isolation valves: one inside primary containment and one outside primary containment.
b. Pipelines that connect directly to the containment atmosphere and penetrate the primary containment have two valves outside the containment.

The MSIV controls include pneumatic piping and an accumulator for the AOVs as the isolation motive power source in addition to the springs. Pressure, temperature, and water level sensors are mounted on instrument racks or locally in either the reactor enclosure or the turbine enclosure.

Valve position switches are mounted on MOVs and AOVs. Switches are encased to protect them from environmental conditions. All signals transmitted to the control room are electrical (no pipe from the nuclear system penetrates the control room). The sensor cables and logic power supply cables are routed to cabinets in the auxiliary equipment room, where the system logic is located.

All instrument line penetrations of the containment are equipped with automatic isolation valves.

These excess flow check valves automatically isolate due to high flow if there is a break in the instrument line downstream of the valve.

7.3.1.1.2.4 PCRVICS Initiating Isolation Signals The isolation trip settings of primary containment and reactor vessel isolation control system are listed in Chapter 16. The FCDs (drawings B21-1030-F-002, B21-1030-F-002, B21-1030-F-003, CHAPTER 07 7.3-28 REV. 19, SEPTEMBER 2018

LGS UFSAR B21-1030-F-004, B21-1030-F-005, E11-1030-F-001, E11-1030-F-002, E11-1030-F-003, E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, E41-1030-F-009, E51-1030-F-004, E51-1030-F-005, E51-1030-F-006, E51-1030-F-007, E51-1030-F-008, E51-1030-F-009, and G31-1020-F-001) and the P&IDs (drawings M-41, M-42, M-44, M-49, M-51, and M-55) illustrate how these signals initiate closure of isolation valves. Additional logic is shown in drawings M-51FD, M-52FD, M-55FD, M-57FD, M-59FD, and M-61FD.

7.3.1.1.2.4.1 PCRVICS - Reactor Vessel Low Water Level 7.3.1.1.2.4.1.1 Subsystem Identification A low water level in the reactor vessel could indicate that reactor coolant is being lost through a breach in the RCPB and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes.

Three reactor vessel low water level isolation trip settings are used to complete the isolation of the primary containment and the reactor vessel.

The first (and highest) low water level isolation setting (level 3) is the same water level setting as the RPS scram setting. This setting initiates selected isolations at the earliest indication of a possible breach in the RCPB, yet the setting is far enough below normal operational levels to prevent spurious isolation. RHR shutdown cooling piping is isolated when reactor vessel low water level falls to level 3.

The second (middle) reactor vessel low water level isolation setting (level 2) is the same water level setting at which the RCIC and HPCI systems are initiated. The setting selected is low enough to allow the removal of heat from the reactor for a predetermined time following the scram and high enough to complete isolation in time for the operation of ECCS if there is a large break in the RCPB. The pipelines that are isolated when the reactor vessel water level falls to this second setting are listed below.

a. RWCU
b. CAC including H2O2 sample lines
c. TIP
d. Main steam sample
e. HPCI pump flush (isolation signal generated by the HPCI system logic circuits)
f. Deleted
g. Drywell sump drains
h. Suppression pool cleanup
i. Drywell radiation sample
j. Recirculation loop sample The third (and lowest) of the reactor vessel low water level isolation settings (level 1) is the water level setting used to initiate RHR, core spray, and ADS, and to start the diesel generators. The CHAPTER 07 7.3-29 REV. 19, SEPTEMBER 2018

LGS UFSAR pipelines that are isolated when the reactor vessel water level falls to this third setting are the main steam, main steam line drain, containment instrument gas, RHR heat exchanger vent valves (Unit 2 only), suppression pool spray, drywell chilled water, and core spray pump test and flush.

Reactor vessel low water level signals used by NSSS and RPS are initiated from eight differential pressure sensors, four sensors for the level 1 and level 2 trip and four sensors for the level 3 trip, as shown in drawing M-42. They sense the difference between the pressure caused by a constant reference leg of water and the pressure caused by the actual water level in the vessel.

Four of the eight sensors are used in the measurement of level 1 and 2. Signals from these sensors are used by NSSS only. Each sensor is connected to different reference leg. Sensors A and B share a common variable leg. Sensors C and D share a common variable leg. The remaining four sensors are used in the measurement of level 3 and are used by both NSSS and RPS. Each of these sensors is connected to different reference and variable legs. The variable legs are different from those used by the level 1 and 2 sensors. Refer to Figure 7.3-26 for a diagram of level sensor connections. This arrangement ensures that no single physical event can prevent isolation, if required.

7.3.1.1.2.4.2 PCRVICS 7.3.1.1.2.4.3 PCRVICS - Main Steam Line Temperature in Outboard MSIV Room and Turbine Enclosure Main Steam Tunnel High Ambient Temperature High ambient temperature in the areas in which the main steam lines are located outside of the primary containment could indicate a leak in a main steam line. The automatic closure of various valves prevents the excessive loss of reactor coolant and the release of a significant amount of radioactive material from the RCPB.

See Section 7.6.1.3.3.2.2 for a detailed description of this system.

7.3.1.1.2.4.4 PCRVICS - Main Steam Line High Flow Main steam line high flow could indicate a breach in a main steam line. Automatic closure of isolation valves prevents excessive loss of reactor coolant and release of significant amounts of radioactive material from the RCPB.

The main steam line high flow trip setting selected is high enough to permit isolation of one main steam line for testing at rated power without causing an automatic isolation of the other steam lines, yet low enough to permit detection of a steam line break.

High flow in each main steam line is sensed by four differential pressure sensors that sense the pressure difference across the flow element in that line.

Refer to Section 7.6.1.3.3.2.3 for a detailed description of this system.

7.3.1.1.2.4.5 PCRVICS - Main Steam Line Low Pressure 7.3.1.1.2.4.5.1 Subsystem Identification Low steam pressure at the turbine inlet while the reactor is operating could indicate a malfunction of the steam pressure controller in which the turbine control valves or turbine bypass valves become fully open and cause rapid depressurization of the reactor vessel. From part-load operating conditions, the rate of decrease of saturation temperature could exceed the allowable CHAPTER 07 7.3-30 REV. 19, SEPTEMBER 2018

LGS UFSAR rate of change of vessel temperature. A rapid depressurization of the reactor vessel while the reactor is near full power could result in undesirable differential pressures across the channels around some fuel bundles of sufficient magnitude to cause mechanical deformation of channel walls. Such depressurizations, without adequate preventive action, could require thorough vessel analysis or core inspection before returning the reactor to power operation.

The steam pressure at the turbine inlet is monitored to forestall these effects and thus preclude the necessity of requiring analysis and/or inspection.

The low steam pressure isolation setting selected is far enough below normal turbine inlet pressures to prevent spurious isolation, yet high enough to provide timely detection of a pressure controller malfunction. Although this isolation function is not required to satisfy any of the safety design bases for this system, the discussion is included to complete the listing of isolation functions.

Main steam line low pressure is monitored by four pressure sensors that sense pressure downstream of the outboard MSIVs. The sensing point is located at the header that connects the four steam lines upstream to the turbine stop valves. Each sensor provides a signal to one isolation logic.

7.3.1.1.2.4.5.2 Subsystem Power Supplies See Figures 7.3-1 and 7.3-2.

Logic channels A and C and one pilot solenoid of the inboard (Division 1) MSIVs are supplied from RPS bus A 120 V ac. The second pilot solenoid of the inboard MSIV is supplied from a Division I, Class 1E 125 V dc station battery.

Logic channels B and D and one pilot solenoid of the outboard (Division 2) MSIVs are supplied from RPS bus B 120 V ac. The second pilot solenoid of the outboard MSIV is supplied from a Division II, Class 1E 125 V dc station battery.

7.3.1.1.2.4.5.3 Subsystem Initiating Circuits Four pressure channels, one for each main steam line, monitor main steam line pressure. Each channel is associated with one of four trip logics. The locations of the pressure sensors provide the earliest practicable detection of low main steam line pressure.

7.3.1.1.2.4.5.4 Subsystem Logic and Sequencing When a predetermined decrease in main steam line pressure is detected, trip signals are transmitted to the PCRVICS. The PCRVICS initiates closure of all main steam line isolation drain valves.

Four instrumentation channels are provided to ensure protective action when required and to prevent inadvertent isolation resulting from instrumentation malfunctions. The output trip signal of each instrumentation channel initiates a trip logic. The output trip signals of the trip logics are combined in one-out-of-two-twice configuration for the MSIVs and two-out-of-two configuration for the drain valves as shown in Figures 7.3-1 and 7.3-2. Trip logics A or C and B or D are required to initiate main steam line isolation. Trip logics A and B or C and D are required to initiate main steam line drain isolation. Failure of any one trip logic does not result in inadvertent action.

CHAPTER 07 7.3-31 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.2.4.5.5 Subsystem Redundancy and Diversity Redundancy of trip initiation signals for low pressure is provided by four pressure sensors, one for each main steam line. Each pressure sensor is associated with one of four trip logics. Two pressure trip channels are supplied from one 120 V ac bus A and the other two are supplied from 120 V ac bus B.

7.3.1.1.2.4.5.6 Subsystem Bypasses and Interlocks The main steam line low pressure trip is bypassed by the reactor mode switch in the shutdown, refuel, and startup modes of reactor operation. In the run mode, the low pressure trip function is operative.

There are no interlocks to other systems for main steam line low pressure trip signals.

7.3.1.1.2.4.5.7 Subsystem Testability Testability is discussed in Sections 7.3.2.2.2.3.1.9 and 7.3.2.2.2.3.1.10.

7.3.1.1.2.4.5.8 Environmental Considerations This subsystem is designed and has been qualified to meet the environmental conditions indicated in Section 3.11. The seismic qualification of this subsystem in discussed in Section 7.3.2.2.2.3.1.5.

7.3.1.1.2.4.6 PCRVICS - Drywell High Pressure 7.3.1.1.2.4.6.1 Subsystem Identification High pressure in the drywell could indicate a breach of the RCPB inside the drywell. The automatic closure of various valves prevents the release of significant amounts of radioactive material from the primary containment.

The drywell high pressure isolation setting selected is as low as possible without inducing spurious isolation trips. Based on a BWROG generic analysis, the containment isolation pressure setpoint is based on an analytic limit of approximately 2 psig (drywell pressure).

Fluctuations in the atmospheric barometric pressure as well as heat inputs (from such sources as pumps) during normal operation can result in containment pressure increases on the order of 1 psi.

Consequently, the analytic limit of 2 psig provides a 1 psi margin above the maximum expected operating pressure. The 1 psi margin to isolation has proved to be a suitable value to minimize the possibility of spurious containment isolation. At the same time, it is such a low value (particularly in view of the small drywell volume) that it provides a sensitive and positive means of detecting and protecting against breaks and leaks in the RCS.

7.3.1.1.2.4.6.2 Subsystem Power Supplies Logic channels A and C and one pilot solenoid of the inboard (Division 1) MSIVs are supplied from RPS bus A 120 V ac. The second pilot solenoid of the inboard MSIV is supplied from a Division I, Class 1E 125 V dc station battery.

CHAPTER 07 7.3-32 REV. 19, SEPTEMBER 2018

LGS UFSAR Logic channels B and D and one pilot solenoid of the outboard (Division 2) MSIVs are supplied from RPS bus B 120 V ac. The second pilot solenoid of the outboard MSIV is supplied from a Division II, Class 1E 125 V dc station battery.

See Figures 7.3-1 and 7.3-2.

7.3.1.1.2.4.6.3 Subsystem Initiating Circuits Drywell pressure is monitored by four pressure sensors that are mounted on instrument racks outside the primary containment. Instrument sensing lines that terminate in the reactor enclosure connect the sensors with the drywell interior. Redundant sensors are physically separated and electrically connected to the isolation control systems so that no single event prevents isolation because of primary containment high pressure.

7.3.1.1.2.4.6.4 Subsystem Logic and Sequencing When a predetermined increase in drywell pressure is detected, trip signals are transmitted to the PCRVICS for generation of isolation signals. The following lines are isolated for a high drywell pressure condition.

a. Drywell and drywell sump drain discharge toradwaste
b. Containment purge and vent
c. TIP system
d. Containment atmosphere sampling
e. Containment instrument gas
f. HPCI pump flush (isolation signal generated by the HPCI system logic circuits)
g. HPCI vacuum relief (isolation signal generated by the HPCI system logic circuits if low steam pressure condition exists)
h. RCIC vacuum relief (isolation signal generated by the RCIC system logic circuits if low steam pressure condition exists)
i. Suppression pool cleanup
j. Drywell radiation sample
k. Drywell chilled water
l. Reactor enclosure cooling water Four instrumentation channels are provided to ensure protective action when required and to prevent inadvertent isolation resulting from instrumentation malfunctions. The output trip signals of the instrumentation channels are combined in two-out-of-two logics. Instrumentation channels A and B or C and D are required to initiate isolation of either inboard or outboard valves, respectively.

Thus, failure of any one channel does not result in inadvertent action.

7.3.1.1.2.4.6.5 Subsystem Redundancy and Diversity Redundancy of trip initiation signals for drywell high pressure is provided by pressure switches installed at different locations around the drywell. Wiring from redundant instruments is separated.

CHAPTER 07 7.3-33 REV. 19, SEPTEMBER 2018

LGS UFSAR Each pressure switch is associated with one logic. Two pressure sensors are supplied from RPS bus A, and the other two are supplied from RPS bus B.

Diversity of trip initiation signals for line breaks inside the primary containment is provided by drywell high pressure and reactor low water level. An increase in drywell pressure or a decrease in reactor water level initiates isolation.

7.3.1.1.2.4.6.6 Subsystem Bypasses and Interlocks There are no bypasses or interlocks for drywell high pressure trip signals.

7.3.1.1.2.4.6.7 Subsystem Testability Testability is discussed in Section 7.3.1.1.2.11.

7.3.1.1.2.4.6.8 Environmental Considerations This subsystem is designed and has been qualified to meet the environmental conditions indicated in Section 3.11. In addition, this subsystem has been seismically qualified as described in Section 3.10.

7.3.1.1.2.4.7 PCRVICS - Reactor Enclosure Ventilation Exhaust Radiation Monitoring System -

Instrumentation and Controls The purpose of this system is to indicate when excessive amounts of radioactivity exist in the reactor enclosure ventilation exhaust and to provide signals for initiation of appropriate action so that the release of radioactive gases to the environment is limited to levels below the guidelines of published regulations. The radiation monitoring system is described in Section 11.5. The system consists of four independent channels monitoring the reactor zone.

See Section 7.6.1.1.2 for a detailed description of this system.

7.3.1.1.2.4.8 PCRVICS - Refueling Area Ventilation Exhaust Radiation Monitoring System -

Instrumentation and Controls The purpose of this system is to indicate when excessive amounts of radioactivity exist in the refueling area ventilation exhaust and to provide signals for initiation of appropriate action so that the release of radioactive gases to the environment is limited to levels below the guidelines of published regulations. The radiation monitoring system is described in Section 11.5. The system consists of independent channels, monitoring the refueling area.

See Section 7.6.1.1.3 for a detailed description of this system.

7.3.1.1.2.4.9 PCRVICS - RWCU System High Differential Flow High differential flow in the RWCU system could indicate a breach of the RCPB in the cleanup system. The flow at the inlet to the system (suction from "B" recirculation line and bottom head drain) is compared with the flow at the outlets of the system (discharge to feedwater, main condenser, radwaste and CST). High differential flow initiates isolation of the cleanup system.

See Section 7.6.1.3.3.4.2 for a detailed description of this system.

CHAPTER 07 7.3-34 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.2.4.10 PCRVICS - RWCU System Area High Temperature and Differential Temperature High temperature in the equipment room areas of the RWCU system could indicate a breach in the RCPB in the cleanup system. High ambient temperature and high differential temperature in the equipment area ventilation system initiates isolation of the RWCU system.

See Section 7.6.1.3.3.4.3 for a detailed description of this system.

7.3.1.1.2.4.11 PCRVICS - Main Condenser Low Vacuum Trip 7.3.1.1.2.4.11.1 Subsystem Identification A main steam line isolation valve trip from a low condenser vacuum instrumentation system is provided.

The main turbine condenser low vacuum signal could indicate a leak in the condenser. Initiation of automatic closure of selected valves will prevent excessive loss of reactor coolant and the release of significant amounts of radioactive material from the RCPB.

The turbine condenser low vacuum trip setting selected is far enough above the normal operating vacuum to prevent spurious isolation, yet low enough to provide an isolation signal before the rupture of the condenser and subsequent loss of reactor coolant and release of radioactive material. There are four main condenser sensors that provide an isolation trip signal to the main steam line isolation valve logic channels.

7.3.1.1.2.4.11.2 Subsystem Power Supplies See Figures 7.3-1 and 7.3-2.

7.3.1.1.2.4.11.3 Subsystem Initiating Circuits Four vacuum sensors monitor the main condenser vacuum. Each vacuum sensor is associated with one of four separate trip logics. Four vacuum sensors are installed to provide the earliest practicable detection of a main condenser leak.

7.3.1.1.2.4.11.4 Subsystem Logic and Sequencing When a predetermined decrease in main condenser vacuum is detected, trip signals are transmitted to the PCRVICS. The PCRVICS initiates closure of all main steam line isolation and drain valves.

Four vacuum sensors with associated trip units are provided to ensure protective action when required and to prevent inadvertent isolation resulting from instrumentation malfunctions. The output signals of the trip logics are combined in one-out-of-two-twice logic for the MSIVs and two-out-of-two logics for the main steam line drain valves. Trip logics A or C and B or D are required to initiate main steam line isolation. Trip logics A and B or C and D are required to initiate main steam line drain isolation. Failure of any one trip logic does not result in inadvertent isolation action.

7.3.1.1.2.4.11.5 Subsystem Redundancy and Diversity CHAPTER 07 7.3-35 REV. 19, SEPTEMBER 2018

LGS UFSAR Redundancy of trip initiation signals for low condenser vacuum is provided by four vacuum sensors. Each pressure signal is associated with one of four logics. Two vacuum sensors are supplied by one power source, and the other two are supplied from a different power source.

Diversity of trip initiation signals is not required or provided.

7.3.1.1.2.4.11.6 Subsystem Bypasses and Interlocks Main condenser low vacuum trip can be bypassed manually when the turbine stop valve is less than 90% open.

There are no interlocks to other systems from the main condenser low vacuum trip signals.

7.3.1.1.2.4.11.7 Subsystem Testability Testability is discussed in Section 7.3.2.2.2.3.1.10.

7.3.1.1.2.4.11.8 Environmental Considerations This subsystem is designed and has been qualified to meet the environmental conditions indicated in Section 3.11. The seismic qualification for this subsystem is discussed in Section 7.3.2.2.2.3.1.5.

7.3.1.1.2.4.12 PCRVICS - HPCI System Isolation Signals The HPCI system is constantly monitored for leaks by the following types of monitoring circuits:

a. Equipment area and pipe chase area ambient and differential temperature monitoring
b. HPCI steam flow rate monitoring
c. HPCI turbine exhaust diaphragm pressure monitoring When limiting conditions are attained an HPCI autoisolation signal is initiated and an annunciator activated in the control room.

Refer to Section 7.6.1.3.3.5 for a description of the leak detection functions of these subsystems.

HPCI area temperatures are monitored by instrumentation of the LDS. Monitored temperatures include the following.

a. HPCI pipe chase area ambient temperatures
b. HPCI emergency area cooler ambient temperature
c. HPCI area vent air differential temperature.

The common HPCI/RHR steam line connecting the reactor vessel main steam line and the HPCI turbine is monitored by differential pressure sensors which signal a high steam flow rate condition.

CHAPTER 07 7.3-36 REV. 19, SEPTEMBER 2018

LGS UFSAR The HPCI turbine exhaust diaphragm is monitored by pressure sensors which signal a high pressure condition.

For a detailed discussion see Section 7.6.1.3.3.5.5.

7.3.1.1.2.4.13 PCRVICS - RCIC System Isolation Signals The RCIC system is constantly monitored for leaks by the following types of monitoring circuits:

a. Equipment area and pipe chase area ambient and differential temperature monitoring
b. RCIC steam flow rate monitoring
c. RCIC steam line pressure monitoring
d. RCIC turbine exhaust diaphragm pressure monitoring When limiting conditions are attained an RCIC autoisolation signal is initiated and an annunciator activated in the control room.

Refer to Section 7.6.1.3.3.3 for a description of the leak detection functions of these subsystems.

RCIC area temperatures are monitored by instrumentation of the LDS. Monitored temperatures include the following:

a. RCIC pipe chase area temperatures
b. RCIC emergency area cooler ambient temperature
c. RCIC area vent air differential temperature The RCIC steam line connecting the reactor vessel main steam line and the RCIC turbine is monitored by differential pressure sensors which signal a high steam flow rate condition.

The RCIC steam line connecting the nuclear boiler and the RCIC turbine is monitored by two pressure sensors which signal a low steam supply pressure condition.

The RCIC turbine exhaust diaphragm is monitored by pressure sensors which signal a high pressure condition.

For a detailed discussion see Section 7.6.1.3.3.3.6.

7.3.1.1.2.5 PCRVICS Instrumentation Sensors providing inputs to the PCRVICS are not used for the automatic control of the process system, thereby achieving separation of the protection and process systems. Redundant channels are physically separated and electrically independent to reduce the probability that a single physical event would prevent isolation. Redundant channels for each monitored variable provide inputs to different isolation trip systems. The functions of the sensors in the isolation control system are shown in Figures 7.3-1 and 7.3-2. Table 7.3-5 lists instrument characteristics.

7.3.1.1.2.6 PCRVICS Initiating Circuits CHAPTER 07 7.3-37 REV. 19, SEPTEMBER 2018

LGS UFSAR Solenoid valves which are controlled by the PCRVICS for automatic isolation generally utilize actuator solenoids which are energized during normal service. The logic circuitry signalling automatic isolation is generally arranged such that when a monitored parameter reaches its trip setpoint, the associated trip logic contact opens. When the proper combination of logic trips occur, the actuator trip relay de-energizes, de-energizing the valve actuator solenoid. The system also has system level manual initiation switches that isolate all automatically controlled isolation valves.

This general arrangement is applicable to the following valve discussions.

The MSIV actuators each have two actuator solenoids. For automatic valve closure, both solenoids must be de-energized. Each solenoid receives inputs from two separate trip logics, either of which can de-energize the solenoid.

Four RPS instrument channels are provided for each monitored parameter used in the MSIV trip logic. The redundant instrument channels are independent and separate. A and C trip logic relays control one solenoid in each of the inboard and outboard MSIVs on each main steam line.

Channels B and D trip logic relays control the other solenoid in the inboard and outboard MSIVs.

Closure of the inboard and outboard main steam line drain isolation MOVs is initiated by the MSIV trip logic relays, utilizing two-out-of-two logic. Logic relays A and B initiate closure of the inboard isolation valve and relays C and D initiate closure of the outboard isolation valve.

Closure of the inboard and outboard RHR discharge to radwaste isolation valves and RHR process sampling isolation valves is initiated by low reactor vessel water level and high drywell pressure signals, utilizing two-out-of-two logic. Logic trip A closes the inboard valves, and logic trip B closes the outboard valves.

Closure of the inboard RHR shutdown cooling suction valves, as well as the RHR shutdown cooling injection-testable check valve and bypass valve is initiated by logic trip A. Closure of the outboard RHR shutdown cooling suction, and RHR shutdown cooling injection outboard throttling MOVs is initiated by logic trip B. Tripping requires two-out-of-two logic for low reactor vessel water level signal or the one-out-of-two logic for reactor high pressure (low pressure permissive to open) signals.

Closure of outboard drywell chiller water isolation valves HV-87-120A&B, 121A&B, 220A&B and 221A&B, and the inboard drywell chilled water isolation valves is initiated by any one of the following conditions in a two-out-of-two logic: reactor level below level 1 trip; high drywell pressure.

Outboard drywell chilled water isolation valves HV-87-124A&B, 125A&B, 224A&B, and 225A&B do not receive isolation signals. These valves are normally closed in accordance with the Technical Specifications and Technical Requirements Manual.

Closure of the inboard and outboard reactor water sample AOVs and reactor steam sample AOVs is initiated by low reactor vessel water level utilizing two-out-of-two logic. Logic trip A closes the inboard valves and logic trip B closes the outboard valves.

Retraction of the TIP drives is initiated by low reactor vessel water level 2 and high drywell pressure in a two-out-of-two logic. Logic trip A initiates retraction of the TIP system drives.

Closure of the primary containment purge valves is initiated by any one of the following conditions in a two-out-of-two logic: reactor level below level 2; high drywell pressure; high radiation in the reactor enclosure ventilation exhaust duct; high radiation in the refueling floor ventilation exhaust duct.

CHAPTER 07 7.3-38 REV. 19, SEPTEMBER 2018

LGS UFSAR Closure of the inboard and outboard RWCU isolation MOVs is initiated by low reactor vessel water level utilizing two-out-of-two logic or by high area temperature or high differential RWCU flow.

Logic trip A closes the inboard valve and logic trip B closes the outboard valves.

Closure of the inboard PCIG suction valve is initiated by any one of the following conditions in a two-out-of-two logic: Reactor level below level 1 trip; high drywell pressure; high radiation in the reactor enclosure ventilation exhaust duct.

Closure of the primary containment atmosphere sample isolation valves and the post-LOCA hydrogen recombiner isolation valves is initiated by any one of the following conditions: Reactor level below level 2 trip; high drywell pressure; high radiation in the reactor enclosure ventilation exhaust duct; high radiation in the refueling floor ventilation exhaust duct.

Closure of outboard PCIG isolation valves not on ADS gas supply lines is initiated by any one of the following conditions in a two-out-of-two logic: Reactor level below level 1 trip; high drywell pressure; high radiation in the reactor enclosure ventilation exhaust duct.

Closure of the RHR suppression pool spray line, the core spray pump test and flush line, and the RHR heat exchanger vent valve discharge lines (Unit 2 only) is initiated by high drywell pressure and low reactor vessel pressure or low reactor vessel water level in a two-out-of-two logic.

Closure of the suppression pool cleanup pump suction valves is initiated by high drywell pressure or low reactor vessel water level in a two-out-of-two logic. The HPCI system logic circuits also initiate closure of the HPCI Pump Flush valve for high drywell pressure or low reactor vessel water level in a one-out-of two-twice logic.

Closure of the drywell equipment drain sump and floor drain sump isolation valves is initiated by any one of the following conditions in a two-out-of-two logic: reactor level below level 2; high drywell pressure.

The circuitry controlling isolation of the HPCI and RCIC systems differs from the general arrangement of the systems previously discussed in that the logic trip relays must be energized to initiate valve isolation.

The sensors which monitor leakage in the HPCI system and the common HPCI/RHR steam line and associated logic circuitry are discussed in subsections 7.3.1.1.2.4.12 and 7.6.1.3.3.5. Closure of the outboard HPCI steam supply isolation MOV is controlled by logic trip B (division 2) and the inboard steam supply isolation MOV by logic trip D (division 4).

The sensors and logic circuits which monitor leakage in the RCIC system and signal the automatic isolation logic circuitry are discussed in Sections 7.3.1.1.2.4.13 and 7.6.1.3.3.3. Closure of the outboard RCIC steam supply line isolation and steam line warm-up isolation MOVs is controlled by logic trip A and the inboard steam supply line isolation MOV by logic trip C.

7.3.1.1.2.7 PCRVICS Bypasses and Interlocks An automatic bypass of the main steam line low pressure signal is effected in all modes of operation except run mode (Section 7.3.1.1.2.4.5.6). The low condenser vacuum trip can be manually bypassed when the turbine stop valves are less than 90% open to allow the condenser vacuum to be established.

CHAPTER 07 7.3-39 REV. 19, SEPTEMBER 2018

LGS UFSAR Key locked switches in the control room provide bypass of isolation signals to the CAC and PCIG containment isolation valves which may be bypassed. Any time a bypass switch is moved to a position that would cause an isolation signal bypass, this condition is annunciated.

Interlocks initiate the SGTS, isolate the reactor building ventilation system, and trip the drywell purge valves and purge fan units. There are no interlocks involved in manual operation of the PCRVICS.

7.3.1.1.2.8 PCRVICS Redundancy and Diversity 7.3.1.1.2.8.1 Main Steam Lines Redundancy is provided by instruments monitoring each essential variable as follows:

a. Four differential pressure transmitters and associated switches, one set in each of four trip logics, monitor low reactor vessel level.
b. Left blank intentionally.
c. Sixteen differential pressure transmitters and associated switches, one set of four in each of four trip logics, monitor high steam line flow.
d. Thirty-six temperature sensors and associated switches, nine sets in each of four trip logics, monitor high temperature along the main steam line in the steam tunnel and the turbine building.
e. Four pressure transmitters and associated switches, one set in each of four trip logics, monitor low pressure in the main steam lines.
f. Four pressure transmitters and associated switches, one set in each of four trip logics, monitor low condenser vacuum.

Diversity in main steam line monitoring is provided by main steam line high flow and low reactor vessel level, for the gross release of RCPB fluid.

7.3.1.1.2.8.2 RWCU Redundancy is provided by instruments monitoring each essential variable as follows:

a. Four differential pressure transmitters and associated switches, one set of two in each of two trip logics, monitor low reactor vessel level.
b. Two instrument channels, one in each of two trip logics, monitor differential flow in the RWCU system.
c. Two instrument channels, one in each of two trip logics, monitor high ambient and differential temperature in the area of the RWCU system.

Diversity in RWCU system monitoring is provided by differential flow, and high ambient or differential temperature. Low reactor vessel level monitoring provides additional diversity for gross release of RCPB fluid.

7.3.1.1.2.8.3 RHR CHAPTER 07 7.3-40 REV. 19, SEPTEMBER 2018

LGS UFSAR Redundancy is provided by instruments monitoring each essential variable as follows:

a. Four differential pressure transmitters and associated switches, one set of two in each of two trip logics, monitor low reactor vessel level.
b. Four pressure transmitters and associated switches, one set of two in each two trip logics, monitor high drywell pressure.

Diversity in RHR system monitoring is provided by low reactor vessel level and high drywell pressure.

7.3.1.1.2.8.4 HPCI Redundancy is provided by instruments monitoring each essential variable as follows:

a. Two instrument channels, one in each of two trip logics, monitor high temperature in HPCI equipment area and in the vicinity of the steam line.
b. Two differential pressure transmitters and associated switches, one set in each of two trip logics, monitor high steam line flow.
c. Four pressure transmitters and associated switches, two sets in each of two trip logics, monitor high turbine diaphragm exhaust pressure.
d. Four pressure transmitters and associated switches, two sets in each of two trip logics, monitor low steam supply pressure.
e. Four pressure transmitters and associated switches, two sets in each of two trip logics, monitor high drywell pressure.

Diversity in HPCI monitoring is provided as follows: the steam lines by area and steam line space temperature; the vacuum relief line by high drywell pressure, and low reactor pressure.

7.3.1.1.2.8.5 RCIC Redundancy is provided by instruments monitoring each essential variable as follows:

a. Two instrument channels, one in each of two trip logics, monitor high temperature in RCIC equipment area and in the vicinity of the steam line.
b. Two differential pressure transmitters and associated switches, one set in each of two trip logics, monitor high steam line flow.
c. Four differential pressure transmitters and associated switches, two sets in each of two trip logics, monitor high turbine exhaust diaphragm pressure.
d. Four pressure transmitters and associated switches, two sets in each of two trip logics, monitor low reactor pressure.
e. Four pressure transmitters and associated switches, two sets in each of two trip logics monitor high drywell pressure.

CHAPTER 07 7.3-41 REV. 19, SEPTEMBER 2018

LGS UFSAR Diversity in RCIC monitoring is provided as follows: the steam lines by area and steam line space temperature; the vacuum relief line by high drywell pressure, and low reactor pressure.

7.3.1.1.2.8.6 Core Spray There are no core spray isolation signals.

7.3.1.1.2.8.7 Containment Atmospheric Control System Redundancy is provided by instruments monitoring each essential variable as follows:

a. Four differential pressure transmitters and associated switches, one set of two in each of two trip logics, monitor low RPV water level.
b. Four pressure transmitters and associated switches, one set of two in each of two trip logics, monitor high drywell pressure.
c. Four radiation monitors, two in each of two trip logics, monitor high refueling floor exhaust duct radiation.
d. Four radiation monitors, two in each of two trip logics, monitor high reactor building exhaust duct radiation.

Diversity in CAC system is provided by RPV water level, and drywell pressure.

7.3.1.1.2.8.8 Containment Instrument Gas Redundancy is provided by instruments monitoring each essential variable as follows:

a. Four radiation monitors, two in each of two trip logics, monitor high reactor enclosure radiation.
b. Four differential pressure transmitters and associated switches, two sets in each of two trip logics, monitor low RPV water level.
c. Four pressure transmitters and associated switches, two sets in each of two trip logics, monitor high drywell pressure.

Diversity in monitoring these lines is provided by RPV water level, and drywell pressure.

7.3.1.1.2.8.9 Recirculation Loop Sample Redundancy is provided by instruments monitoring each essential variable as follows:

a. Four differential pressure transmitters and associated switches, two sets in each of two trip logics, monitor low RPV water level.

There is no diverse isolation signal for this line.

7.3.1.1.2.8.10 Other Lines That Penetrate Containment Redundancy is provided by instruments monitoring each essential variable as follows:

CHAPTER 07 7.3-42 REV. 19, SEPTEMBER 2018

LGS UFSAR

a. Four differential pressure transmitters and associated switches, one set of two in each of two trip logics, monitor RPV low water level.
b. Four pressure transmitters and associated switches, one set of two in each of two trip logics, monitor drywell pressure.

Diversity in monitoring these lines is provided by RPV water level, and drywell pressure.

7.3.1.1.2.9 PCRVICS Actuated Devices To limit the radiological consequences and reduce reactor vessel water inventory loss as a result of a pipeline break, the valve closing mechanisms are designed to meet the minimum closing rates specified in Table 6.2-17.

The MSIVs are spring and pneumatic closing, piston-operated valves. They close on loss of pneumatic pressure to the valve operator. This is a fail-safe design. The control arrangement is shown in Figure 7.3-3. Closure time for the valves is adjustable between 3 seconds and 10 seconds. Each valve is piloted by two three-way, solenoid-operated valves, one powered by 120 V ac and the other powered by 125 V dc. An accumulator located close to each isolation valve provides pneumatic pressure for valve closing if there is failure of the normal air supply system.

The spring is capable of closing the valve without the aid of the pneumatic pressure if accumulator integrity is lost. The logic channel and trip logic relays for the instrumentation used in the systems described are high reliability relays. The relays are selected so that the continuous load does not exceed 50% of the continuous-duty rating. For the minimum number of channels required for functional performance, see Chapter 16, Technical Specifications.

The MOVs used in the PCRVICS are operated by energizing the valve operator motor windings so as to cause motor rotation in the desired direction. Typically, manual valve operation is controlled using a three-position spring return-to-normal switch.

The valves close automatically on receipt of a safety signal. Valve closure is permitted when the valve is fully open or when the seating torque is below the setpoint. A seal-in feature is provided which ensures that autoclosure is completed once initiated. The closure signal also inhibits valve opening.

Valve opening is permitted when the open/inhibit signal is removed and if either the valve is fully closed or if the valve is not fully open and the seating torque is below the setpoint.

Overload protection is provided to valve motors in accordance with Section 8.1.6.1.19.

7.3.1.1.2.10 PCRVICS Separation Redundant sensor devices are separated physically so that no single failure (open, closure, or short) can prevent the safety action. By the use of separated raceways, the single failure criterion is met from the sensors to the logic cabinets in the auxiliary equipment room. The logic cabinets are so arranged that redundant equipment and wiring are not present in the same bay of a cabinet.

Redundant equipment and wiring can be present in control room panels where separation is achieved by surrounding redundant wire and equipment in metal encasements. A bay is a cabinet section separated from other cabinet sections by a fire barrier. Normally the barrier is of full cabinet height and depth. From the logic cabinets to the isolation valves, separated cable trays or a conduit) are employed to complete adherence to the single failure criterion. A complete description of the physical independence between divisions is given in Section 7.1.2.2.

CHAPTER 07 7.3-43 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.2.11 PCRVICS Testability Portions of PCRVICS are not activated or tested during normal operation with an integrated testing procedure. These portions of the system are tested using manual test methods which allow for independent checking of individual components. This testing includes monitoring of installed sensors and circuits to verify proper operation, to assure that isolation will occur when needed. The frequency of these tests and the parameters to be verified are identified in the Technical Specifications.

PCRVICS is capable of complete testing in overlapping portions during power operation.

Operation of the level, pressure, flow, differential flow, and vacuum sensors may be verified by cross-comparison of instrument channels. In addition, these transmitters may be valved out of service one at a time and functionally tested using a test pressure source. The channel trip units and trip relays can be calibrated and tested by injecting a calibration signal.

The operation of the isolation temperature sensors can be verified by cross-comparison of instrument channels. They can also be functionally tested by applying a heat source to the temperature sensing elements. Control room indications of logic trip include annunciation, panel lights, and computer printout. The condition of each sensor is indicated by at least one of these methods in addition to annunciators common to sensors of one variable.

The MSIV logic relays can be tested either by tripping a transmitter or trip unit or by actuating the manual isolation switch in a given logic division. The MSIV indicator lights and trip annunciators indicate a logic trip. Other isolation valve logic can be likewise tested in conjunction with logic test switches provided for this purpose. Indicator lights will indicate a logic trip.

The MSIVs mechanical components can be tested manually to any position at full power in a "slow test" mode. This "slow test" is used to exercise the valve mechanical components, one valve at a time. Full closure, simulating actual autoisolation conditions, can be performed on individual MSIVs when shutdown or at reduced power level by placing the MSIV selector switch in the closed position. This tests the isolation solenoids and valve mechanical components at full isolation speed. In either test, the valve closure can be verified by valve position indicator lights.

Other PCRVICS valve testing must be split into two sections. The motor controls and mechanical components for MOVs that are isolated under normal reactor conditions may be tested only at shutdown. Motor controls and valves that are not normally isolated can be tested by tripping the control logic and verifying valve closure by valve position indicator lights.

7.3.1.1.2.12 PCRVICS Environmental Considerations The physical and electrical arrangement of the PCRVICS was selected so that no single physical event can prevent achievement of isolation functions. Motor operators for valves inside the drywell are of the totally-enclosed type; those outside the containment have weatherproof-type enclosures.

Solenoid valves, whether used for direct valve isolation or as an air pilot, are provided with watertight enclosures. All cables and operators are capable of operation in the most unfavorable ambient conditions anticipated for normal operations. Temperature, pressure, humidity, and radiation are considered in the selection of equipment for the system. Cables used in high radiation areas have radiation-resistant insulation. Shielded cables are used where necessary to eliminate interference from magnetic fields.

Special consideration has been given to isolation requirements during a LOCA inside the drywell.

Components of the PCRVICS that are located inside the drywell and must operate during a LOCA are the cables, control mechanisms, and valve operators of isolation valves inside the drywell.

CHAPTER 07 7.3-44 REV. 19, SEPTEMBER 2018

LGS UFSAR These isolation components are required to be functional in a LOCA environment Section 3.11.

Electrical cables are selected with insulation designed for this service. Closing mechanisms and valve operators are considered satisfactory for use in the PCRVICS only after completion of environmental testing under LOCA conditions or submission of evidence from the manufacturer describing the results of suitable prior tests.

7.3.1.1.2.13 PCRVICS Operational Considerations 7.3.1.1.2.13.1 PCRVICS General Information The PCRVICS is not required for normal operation. This system automatically isolates the appropriate pipeline when one of the monitored variables exceeds preset limits. No operator action is required for at least 10 minutes following automatic initiation. The operator can manually close all other isolation valves.

All automatic isolation valves can be closed by manual operation of switches in the control room.

7.3.1.1.2.13.2 PCRVICS Reactor Operator Information In general, once isolation is initiated, the valve continues to close even if the condition that caused isolation is restored to normal. The reactor operator must manually reset the tripped logic and operate switches in the control room to reopen a valve that has been automatically closed. The HPCI and RCIC steam line isolation valves are exceptions as discussed in Section 7.1.2.11.

Unless a manual bypass under administrative control is provided, the operator cannot reopen the valve until the conditions that initiated isolation have cleared.

A trip of a PCRVICS channel is annunciated in the control room so that the reactor operator is immediately informed of the condition. All motor-operated and air-operated isolation valves have open/ closed indicating lights.

In addition, isolation of any excess flow check valve is annunciated in the control room.

Inputs to annunciators and the process computer are electrically and physically isolated from safety circuits so that no malfunction of the annunciating or computing equipment can functionally disable the system. Direct signals from the isolation system sensors are not used as inputs to annunciating or data logging equipment.

7.3.1.1.2.13.3 PCRVICS Setpoints See Chapter 16 for the safety setpoint information.

7.3.1.1.3 Main Steam Isolation Valve Leakage Control System - Instrumentation and Controls 7.3.1.1.3.1 Information in this section has been deleted.

7.3.1.1.4 RHR Containment Spray Mode - Instrumentation and Controls 7.3.1.1.4.1 RHR-CSM System Identification Containment spray is an operating mode of the RHR system. It is designed to condense steam in the suppression pool air volume and/or the drywell atmosphere. The system is manually initiated when necessary.

CHAPTER 07 7.3-45 REV. 19, SEPTEMBER 2018

LGS UFSAR The RHR system including containment spray is shown in drawing M-51.

7.3.1.1.4.2 RHR-CSM Classification The RHR containment spray mode is classified as safety Class 3, seismic Class I, and electrical Class 1E.

7.3.1.1.4.3 RHR-CSM Power Sources Power for the two RHR system pumps used for containment spray is supplied from two independent ac buses that can receive standby ac power. Motive and control power for the two loops of containment spray instrumentation and control equipment are the same as those used for LPCI A and LPCI B (Section 7.3.1.1.1.4.2).

7.3.1.1.4.4 RHR-CSM Equipment Design Control and instrumentation for the following equipment is required for this mode of operation:

a. Two RHR system pumps
b. Pump suction valves
c. Containment spray discharge valves
d. Valves used to shut off flow paths used for other modes of RHR system operation The controls and instrumentation for containment spray operation ensure that water is routed from the suppression pool to the containment spray system for use in the drywell and/or suppression pool air volumes.

Containment spray operation uses two pump loops, each loop with its own separate discharge valves. All components pertinent to containment spray operation are located outside of the drywell.

The system can be operated so that the spray can be directed to the drywell and/or suppression pool air volume.

7.3.1.1.4.5 RHR-CSM Initiating Circuits

a. Containment Spray A Drywell spray is initiated manually by means of two remote manual switches, one for each injection valve. Both injection valves may be opened if drywell pressure exceeds the setpoint, the LPCI injection valve is fully closed, and either a LOCA signal is present or the LPCI mode of operation has been manually started.

If any of these required permissives is missing, one of the two injection valves can be opened (for testing) only if the other injection valve is closed. Suppression pool spray is manually initiated from the control room if the LPCI injection valve is fully closed.

Drywell pressure (permissive for manual initiation) is monitored by two pressure sensors mounted in instrument racks outside the primary containment.

CHAPTER 07 7.3-46 REV. 19, SEPTEMBER 2018

LGS UFSAR Cables from these sensors are routed to trip units in the control structure.

The two drywell pressure sensors are electrically connected so that no single sensor failure can prevent initiation of containment spray A. The drywell pressure sensors and trip units used in the containment spray initiating circuits are the same ones used for LPCI initiation. Additional details concerning these instruments are in Section 7.3.1.1.1.4.3 and Table 7.3-4.

b. Containment Spray B Initiation of containment spray B is identical to that of "A".

7.3.1.1.4.6 RHR-CSM Logic and Sequencing Containment spray is manually initiated provided that certain permissive conditions are satisfied as shown in drawings E11-1030-F-001, E11-1030-F-002, and E11-1030-F-003.

The operating sequence of containment spray following receipt of the necessary initiating signals is as follows:

a. The containment spray discharge valves open.
b. The RHR system pumps continue to operate.
c. Valves in other RHR modes are manually positioned or remain as positioned during LPCI.

The containment spray system continues to operate until the operator closes the containment spray injection valves. The operator can then initiate another mode of RHR.

7.3.1.1.4.7 RHR-CSM Bypasses and Interlocks No bypasses are provided for the containment spray system.

The drywell spray injection valves are interlocked such that the system cannot be manually initiated unless drywell pressure exceeds the setpoint, the LPCI injection valve is fully closed, and either a LOCA signal is present or the LPCI mode of operation has been manually initiated. The open circuit of each drywell spray injection valve has an interlock that permits opening one valve for testing if the other valve in its respective loop is closed.

Since the outboard suppression pool spray injection valves may be open for several modes of RHR system operation, the injection valves are signaled to close on a LOCA signal. Once closed, the valves can be opened manually to initiate suppression pool spray as described in Section 7.3.1.1.4.5. The manual opening signal is interlocked with the LOCA signal to keep the valve open until the LPCI signal is manually reset.

7.3.1.1.4.8 RHR-CSM Redundancy and Diversity Redundancy is provided for the containment spray function by two separate logics, one for each loop. Redundancy of initiation permissive sensors is described in Section 7.3.1.1.4.5 under "Initiating Circuits."

No diversity is provided for the initiation sensors.

CHAPTER 07 7.3-47 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.4.9 RHR-CSM Actuated Devices Drawings E11-1030-F-001, E11-1030-F-002, and E11-1030-F-003 shows the functional control arrangement of the containment spray system.

The RHR A and RHR B loops are used for containment spray. Therefore, the pump and valves are the same for LPCI and containment spray function except that each has its own discharge valve.

See Section 7.3.1.1.1.4.7 for specific information.

7.3.1.1.4.10 RHR-CSM Separation Separation is as discussed for LPCI mode in Section 7.3.1.1.1.4.8.

Containment spray uses Division I (RHR A) and Division II (RHR B) equipment. Manual controls, logic circuits, cabling, and instrumentation for containment spray are mounted so that Division I and Division II separation is maintained.

7.3.1.1.4.11 RHR-CSM Testability The containment spray mode of the RHR system has components that are not activated or tested during normal operation with an integrated testing procedure. These components are tested using manual test methods which allow for independent checking of individual system components. This testing includes verification of suppression chamber spray flow such that the motors, pumps and valves are operated. Associated sensors and circuits are monitored to verify proper operation.

Drywell spray injection valves are checked independently and separately by manual initiation. The frequency of these tests and the parameters to be verified are identified in the Technical Specifications.

The containment spray mode is capable of being tested up to the last discharge valve during normal operation. During testing, only one of the drywell spray discharge valves is opened at a time to prevent discharging water into the drywell. Each valve can be individually opened to verify operability.

7.3.1.1.4.12 RHR-CSM Environmental Considerations See Section 3.11 for environmental qualifications of the system equipment.

7.3.1.1.4.13 RHR-CSM Operational Considerations 7.3.1.1.4.13.1 RHR-CSM General Information Containment spray is a mode of the RHR and is not required during normal operation.

7.3.1.1.4.13.2 RHR-CSM Reactor Operator Information Sufficient pressure, temperature, flow, and valve position indications are provided in the control room for the operator to accurately assess containment spray operation. Alarms and indications are shown in drawings M-51, E11-1030-F-001, E11-1030-F-002, and E11-1030-F-003.

All valves necessary for proper containment spray mode operation have indications of fully open, intermediate, and fully closed positions. Numerous RHR system performance parameters are CHAPTER 07 7.3-48 REV. 19, SEPTEMBER 2018

LGS UFSAR monitored, including pump discharge pressure, heat exchanger inlet and outlet temperatures, and system flow.

Annunciators are provided to indicate an out-of-service condition, pump running or pump stopped, and abnormal system performance.

7.3.1.1.4.13.3 RHR-CSM Setpoints The setpoint for the drywell pressure permissive is in the Technical Specifications.

7.3.1.1.5 RHR Suppression Pool Cooling Mode - Instrumentation and Controls 7.3.1.1.5.1 RHR-SPCM System Identification Suppression pool cooling is an operating mode of the RHR system. It is designed to provide the capability of removing heat from the suppression pool water volume. The system is manually initiated when necessary.

7.3.1.1.5.2 RHR-SPCM Power Sources Control, instrumentation, and logic power for the two loops of the suppression pool cooling mode of the RHR are the same as those used for LPCI A and LPCI B (Section 7.3.1.1.1.4.2).

7.3.1.1.5.3 RHR-SPCM Equipment Design Control and instrumentation for the following equipment is required for this mode of operation:

a. Two RHR pumps
b. Pump suction valves
c. Suppression pool discharge valves
d. Two RHR heat exchangers Suppression pool cooling uses two pump loops, each loop with its own separate discharge valve.

All components pertinent to suppression pool cooling operation are located outside of the drywell.

The suppression pool cooling mode is manually initiated from the control room. This mode is put into operation to maintain the water temperature in the suppression pool within specified limits.

7.3.1.1.5.4 RHR-SPCM Initiating Circuits Initiation of either suppression pool cooling loop is performed manually by the control room operator by activating the manual override to clear any LOCA signal.

7.3.1.1.5.5 RHR-SPCM Logic and Sequencing There is no engineering safety feature logic or sequencing associated with the suppression pool cooling mode. It is initiated manually. A discussion of suppression pool cooling mode is provided in Section 6.2.2.2.

CHAPTER 07 7.3-49 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.5.6 RHR-SPCM Bypasses and Interlocks No bypasses are provided for the suppression pool cooling mode. The MOVs isolating suppression pool cooling flow are interlocked to close when the reactor low water level setpoint is reached, or when the drywell high pressure and reactor low pressure setpoints are reached. This action automatically lines up the RHR system for coolant injection.

7.3.1.1.5.7 RHR-SPCM Redundancy and Diversity Redundancy is provided for the suppression pool cooling function by two separate logics, one for each loop. There is no diversity provided.

7.3.1.1.5.8 RHR-SPCM Actuated Devices Drawings E11-1030-F-001, E11-1030-F-002, and E11-1030-F-003 (RHR FCD) shows the functional control arrangement of the suppression pool cooling mode.

The RHR A and RHR B loops are utilized for suppression pool cooling. Therefore, the pump and valves are the same for LPCI and suppression pool cooling except that each has its own discharge valves.

7.3.1.1.5.9 RHR-SPCM Separation Suppression pool cooling is a Division I (RHR A) and a Division II (RHR B) system. Manual control, logic circuits, cabling, and instrumentation for suppression pool cooling are mounted so that Division I and Division II separation is maintained.

7.3.1.1.5.10 RHR-SPCM Testability Suppression pool cooling is capable of being tested during normal operation; however, the suppression pool cooling mode of the RHR system is a manually actuated mode whose components are operated during normal plant operation. In addition, the associated system components are tested using manual test methods which allow for independent checking of individual system components. This testing includes verification of flow such that the motors, pumps and valves are operated. Associated sensors and circuits are monitored to verify proper operation. The frequency of these tests and the parameters to be verified are identified in the Technical Specifications.

Testing for functional operability can be accomplished by manual testing of each loop. Adequate indication in the form of panel lamps and annunciators is provided in the control room. Testing of instrumentation and equipment shared by the core spray system and LPCI mode of RHR is discussed in Sections 7.3.1.1.1.3.9 and 7.3.1.1.1.4.9.

7.3.1.1.5.11 RHR-SPCM Environmental Conditions Refer to Sections 3.10 and 3.11 for identification and environmental qualification of the systems' components.

CHAPTER 07 7.3-50 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.5.12 RHR-SPCM Operational Considerations 7.3.1.1.5.12.1 RHR-SPCM General Information Suppression pool cooling is a mode of the RHR and may be operated during normal operation to maintain the suppression pool temperature within specified operating limits.

7.3.1.1.5.12.2 RHR-SPCM Reactor Operator Information Sufficient temperature, flow, pressure, and valve position indications are available in the control room for the operator to accurately assess suppression pool cooling operation. Alarms and indications are shown in drawings E11-1030-F-001, E11-1030-F-002, and E11-1030-F-003.

The temperature of the suppression pool is continuously monitored by the SPTMS as described in Appendix 3A.15.1.

7.3.1.1.5.12.3 RHR-SPCM Setpoints There are no operating setpoints for this manually initiated mode of RHR; however, there are setpoints associated with other modes of RHR which will take precedence over the operation of this mode.

7.3.1.1.6 Containment Atmospheric Control System - Instrumentation and Controls 7.3.1.1.6.1 CAC System Description The CAC system incorporates features for accomplishing a number of functions, including purging and venting of the primary containment, limitation of the differential pressure between drywell and wetwell, monitoring of hydrogen and oxygen concentrations in the primary containment, and control of hydrogen concentration in the primary containment after a LOCA.

The purging and venting function of the CAC system is accomplished by a high volume purge. The purging and venting function of the CAC system is not safety-related. This function is accomplished by the reactor enclosure HVAC system discussed in Section 7.7.

The monitoring of hydrogen and oxygen concentrations in the primary containment and control of hydrogen concentrations in the primary containment after a LOCA is accomplished by the CGCS, which is discussed in Section 7.3.1.1.6.1.2.

The limitation of the differential pressure between drywell and wetwell function is accomplished by the PCVR subsystem, which is discussed in Section 7.3.1.1.6.1.1.

7.3.1.1.6.1.1 Primary Containment Vacuum Relief System - Instrumentation and Controls 7.3.1.1.6.1.1.1 PCVR System Identification The PCVR system consists of four PCVR valve assemblies that are provided to limit the degree to which suppression chamber pressure can exceed drywell pressure. The assemblies are located in the suppression chamber, each assembly being mounted on the side of a downcomer. Each assembly consists of two 24 inch (nominal diameter) vacuum relief valves mounted in series.

When suppression chamber pressure exceeds drywell pressure by a specified amount, the vacuum relief valves open automatically and allow air from the suppression chamber to enter the CHAPTER 07 7.3-51 REV. 19, SEPTEMBER 2018

LGS UFSAR downcomer and flow upward into the drywell, thereby equalizing pressure above and below the diaphragm slab. The PCVR system is shown in Figure 9.4-6.

7.3.1.1.6.1.1.2 PCVR System Power Sources The PCVR valves are check valves and do not require electrical power to perform their safety function and therefore are not supplied with safeguard power. Since the solenoid valves are used for remote actuation of the primary containment vacuum relief valves for testing purposes only, the solenoid valves are powered from a non-Class 1E bus. The separation criteria for the test circuitry is given in Section 8.1.

7.3.1.1.6.1.1.3 PCVR Equipment Design Equipment design is described in Section 9.4.5.

7.3.1.1.6.1.1.4 PCVR Initiating Circuits There are no initiating circuits.

7.3.1.1.6.1.1.5 PCVR Logic and Sequencing No sequencing is provided for this system.

7.3.1.1.6.1.1.6 PCVR Bypasses and Interlocks No bypasses or interlocks are provided for this system.

7.3.1.1.6.1.1.7 PCVR Redundancy and Diversity Redundancy is given by the divisionalized system design. Four independent PCVR valve assemblies are provided. Each assembly consists of two vacuum relief valves mounted in series.

Diversity is not required for this system.

7.3.1.1.6.1.1.8 PCVR Actuated Devices The vacuum relief valves are the only actuated devices.

7.3.1.1.6.1.1.9 PCVR Separation The test circuitry for each valve is separated from the other valves.

7.3.1.1.6.1.1.10 PCVR Testability The system is designed to allow periodic testing of all four pairs of PCVR valves to ensure their functional capability. This is accomplished by opening each valve by remote actuation of the solenoid valve. One test selector switch per solenoid valve permits the independent testing of each relief valve. A momentary test push button causes a selective opening of the valve. The valve closes again when the selector switch is returned to the normal position.

Lights indicating the status of the relief valve position verify the operation.

The primary containment vacuum relief valves are tested from the vacuum breaker test panel located in the reactor enclosure.

CHAPTER 07 7.3-52 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.6.1.1.11 PCVR Environmental Considerations See Table 3.11 for environmental considerations.

7.3.1.1.6.1.1.12 PCVR Operational Considerations 7.3.1.1.6.1.1.12.1 PCVR General Information This system functions automatically during normal operation. The ability to test during normal operation is not a requirement.

7.3.1.1.6.1.1.12.2 PCVR Reactor Operator Information Initiation of the system is annunciated in the control room.

7.3.1.1.6.1.1.12.3 PCVR Setpoints Refer to Chapter 16 for the opening set pressure of the valves.

7.3.1.1.6.1.2 Combustible Gas Control Subsystem - Instrumentation and Controls 7.3.1.1.6.1.2.1 CGCS Identification The CGCS is described in Section 6.2.5. The safety-related function of this system is to control the concentration of combustible gases (hydrogen, oxygen) in the containment after a LOCA. Two redundant thermal hydrogen recombiners are provided for this purpose. In the following discussion, when CGCS is used, it refers to the hydrogen recombiner, H2/O2 analyzers, and the isolation valves in the piping to and from the recombiners.

7.3.1.1.6.1.2.2 CGCS Power Sources The CGCS power is provided from Class 1E ac buses.

7.3.1.1.6.1.2.3 CGCS Equipment Design Equipment design is described in Section 6.2.5.

7.3.1.1.6.1.2.4 CGCS Initiating Circuits The CGCS is manually initiated from the control room. There is no automatic system initiation.

The combustible gas analyzer is designed to operate either in standby or continuous mode during normal operation. However, the combustible gas analyzer is required to continuously monitor hydrogen and oxygen concentrations in the primary containment following a LOCA. The combustible gas analyzers will automatically trip on a LOCA. Following the LOCA, the analyzers are realigned to continuously sample the concentration of combustible (Hydrogen & Oxygen) gases.

7.3.1.1.6.1.2.5 CGCS Logic and Sequencing See the recombiner and isolation valve logic shown in drawing M-57FD and electrical schematics listed in Table 1.7-1.

CHAPTER 07 7.3-53 REV. 19, SEPTEMBER 2018

LGS UFSAR The recombiner is manually started and continues to run until manually shut down by the operator or until tripped by one of the following conditions:

a. System inlet pressure high
b. Blower inlet temperature high
c. Heater wall temperature very high
d. Reaction chamber shell temperature very high
e. Return gas temperature high The recombiner heaters are energized by interlock when the blower is started, and continues to run until the blower is shutdown by the operator or until tripped by one of the following conditions:
a. High gas temperature two-thirds through heater
b. High heater outlet gas temperature
c. Blower inlet gas flow low
d. Spray water inlet valve not full open The Post-LOCA Recombiners also receive a trip signal from the PCIS upon actuation of containment isolation.

There is no sequencing for this system since it is manually initiated.

7.3.1.1.6.1.2.6 CGCS Bypasses and Interlocks When in standby, an indicating light in the control room indicates that the recombiner is ready for operation. The light goes out and an alarm sounds if any condition arises that would prevent the recombiner from starting. In addition, a trickle heater keeps the blower and heater section warm during standby. If the trickle heater fails, the general recombiner trouble alarm annunciates.

A level switch is provided in the containment hydrogen recombiner outlet piping that alerts the operator in the control room if the level exceeds a preset value. This alarm is to protect the recombiner from flooding that is due to a leak in the associated cooling water piping.

The recombiners are not interlocked with any other system. However, the recombiners shutdown automatically, and the drywell isolation valves and recombiner isolation valves close on a containment isolation signal. This signal can be bypassed in the control room. The valves can be reopened to permit recombiner operation by key-lock switch (bypass is alarmed). The isolation signal is described in Section 7.3.1.1.2.

7.3.1.1.6.1.2.7 CGCS Redundancy and Diversity The two hydrogen recombiners are identical, physically and functionally. They feed from independent electrical sources and use different piping for connection to the containment.

7.3.1.1.6.1.2.8 CGCS Actuated Devices No devices are actuated by this system.

CHAPTER 07 7.3-54 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.6.1.2.9 CGCS Separation The controls and instrumentation circuits are physically and electrically separated for each recombiner and associated isolation valves. The A recombiner, isolation valves to the A recombiner, and the A water supply valve are in Division III. The B recombiner, isolation valves to the B recombiner, and B water supply valve are in Division IV.

7.3.1.1.6.1.2.10 CGCS Testability The CGCS tested in accordance with the test requirements of the maintenance program and the Technical Requirements Manual (TRM).

7.3.1.1.6.1.2.11 CGCS Environmental Considerations The sensors and transmitters of the CGCS are located in the reactor building. Remaining controls and instrumentation are located on the control panel in the control room. See Section 3.11 for environmental considerations.

7.3.1.1.6.1.2.12 CGCS Operational Considerations 7.3.1.1.6.1.2.12.1 CGCS General Information The combustible gas control function of the CAC system is not required for normal plant operation.

It is manually initiated after a LOCA to control the amount of combustible gases (hydrogen, oxygen) in the containment.

7.3.1.1.6.1.2.12.2 CGCS Reactor Operator Information The operator is provided with sufficient indication to assess accurately the condition of the CGCS.

Alarms for both the recombiners and the analyzers alert the operator of abnormal conditions.

CGCS instrumentation is discussed in Section 6.2.5.6 7.3.1.1.6.1.2.12.3 Deleted 7.3.1.1.7 Standby Gas Treatment System - Instrumentation and Controls 7.3.1.1.7.1 SGTS Identification The SGTS provides the means to control reactor enclosure and refueling floor pressure at a negative value with reference to the outside atmosphere. For description and operation of the SGTS, see Section 6.5.1.

7.3.1.1.7.2 SGTS Power Sources The power for the instruments and controls associated with the SGTS is supplied from the Class 1E 120 V ac system. See Chapter 8 for a description of the electrical system.

7.3.1.1.7.3 SGTS Equipment Design Equipment design is described in Section 6.5.1.

7.3.1.1.7.4 SGTS Initiating Circuits CHAPTER 07 7.3-55 REV. 19, SEPTEMBER 2018

LGS UFSAR The initiating circuits of the SGTS are the reactor enclosure isolation system and the refueling area isolation system. Section 7.3.1.1.9 and 7.3.1.1.17 gives a discussion of the isolation systems.

7.3.1.1.7.5 SGTS Logic and Sequencing The two SGTS subsystems are normally set up with both sets of filter valves open. When an isolation signal exists, both of the SGTS fans are started and the associated controls are activated to open or modulate appropriate dampers and valves. The flow control of the operating SGTS uses the lowest appropriate reactor enclosure zone pressure to atmospheric pressure differential as a setpoint to ensure that the reactor enclosure pressure is less than atmospheric. This prevents reactor enclosure exhaust to the outside other than through the SGTS. See drawing M-76FD for the logic diagram.

7.3.1.1.7.6 SGTS Bypasses and Interlocks The hand switch of each SGTS fan when in the off position and the hand switch of each filter train when in the close position provide input to a control room alarm. The SGTS fans are interlocked with the respective reactor enclosure and refueling floor isolation system.

7.3.1.1.7.7 SGTS Redundancy and Diversity Controls and instrumentation are provided on a one-to-one basis with the mechanical equipment they serve to maintain the redundancy of the equipment. Diversity is not applicable.

7.3.1.1.7.8 SGTS Actuated Devices No additional devices or systems are actuated by the SGTS.

7.3.1.1.7.9 SGTS Separation The controls, instrumentation, and power supplies of the SGTS are physically and electrically separated for each of the filter and fan systems. See Section 8.1.6.1 for a discussion of electrical system separation.

7.3.1.1.7.10 SGTS Testability The SGTS initiating circuits do not employ specific test features. SGTS initiating testing requirements are defined by Technical Specifications, and are implemented in conjunction with testing of the reactor enclosure and refueling floor isolation logics, and employ overlap with NSSSS testing to verify SGTS operability for all initiating conditions.

7.3.1.1.7.11 SGTS Environmental Consideration The controls for the SGTS equipment are located in the control enclosure. The environmental consideration for this area and a qualification summary is provided in Section 3.11.

7.3.1.1.7.12 SGTS Operational Considerations 7.3.1.1.7.12.1 SGTS General Information CHAPTER 07 7.3-56 REV. 19, SEPTEMBER 2018

LGS UFSAR The SGTS is required to maintain the reactor enclosure and the refueling area at negative pressure under isolation conditions and to filter reactor enclosure exhaust taken from the RERS and the refueling area exhaust. Section 6.5.1 gives system function.

7.3.1.1.7.12.2 SGTS Reactor Operator Information The operator is provided with fan motor status, a fan system trouble annunciator, filter heater inlet and outlet temperatures, carbon filter outlet air temperature, heater trouble alarm, two carbon filter preignition alarms and carbon filter fire alarm.

7.3.1.1.7.12.3 Deleted 7.3.1.1.8 Reactor Enclosure Recirculation System - Instrumentation and Controls 7.3.1.1.8.1 RERS Identification The recirculation system filters and mixes the air in the reactor enclosure during isolation conditions. For description and operation of the recirculation system, see Sections 6.5.1 and 9.4.2.

7.3.1.1.8.2 RERS Power Sources The power for the instruments and controls associated with the recirculation system is supplied from the Class 1E 120 V ac system. See Chapter 8 for a description of the electrical system.

7.3.1.1.8.3 RERS Equipment Design Equipment design is described in Section 6.5.1.

7.3.1.1.8.4 RERS Initiating Circuits The initiating circuit of the recirculation system is the REIS. Section 7.3.1.1.9 gives a discussion of the isolation systems. An operating train is stopped by low air flow, and the standby train is initiated.

7.3.1.1.8.5 RERS Logic and Sequencing Two redundant systems are set up in auto-standby fashion. When an initiation signal exists, the lead (auto-selected) system automatically starts and the other system remains on standby. An air flow switch in the discharge duct monitors the operation of the lead fan. If the lead fan fails and the system loses air flow, the lead fan is tripped, the standby fan starts, after a time delay, to eliminate transient response. See drawing M-76FD for the logic diagram.

7.3.1.1.8.6 RERS Bypasses and Interlocks The hand switch of each recirculation system, when in the off position, provides input to a control room alarm.

7.3.1.1.8.7 RERS Redundancy and Diversity CHAPTER 07 7.3-57 REV. 19, SEPTEMBER 2018

LGS UFSAR To maintain the redundancy of the mechanical equipment, controls and instrumentation are provided on a one-to-one basis with the mechanical equipment they serve. Diversity is not applicable.

7.3.1.1.8.8 RERS Actuated Devices Recirculation exhaust isolation valves HV-76-109 and HV-76-110 are actuated when their respective recirculation system starts. See Sections 6.5.1 and 9.4.2 for a description of operation.

7.3.1.1.8.9 RERS Separation The controls, instrumentation, and power supplies of the recirculation system are physically and electrically separated for each of the fan systems. See Section 8.1.6.1.14 for a discussion of electrical system separation.

7.3.1.1.8.10 RERS Testability The RERS initiating circuits do not employ specific test features. RERS initiation testing requirements are defined by Technical Specifications, and are implemented in conjunction with testing of the reactor enclosure isolation logic, and employ overlap with NSSSS testing to verify RERS operability for all initiating conditions.

7.3.1.1.8.11 RERS Environmental Considerations The controls for the recirculation system are located in the reactor enclosure and the control enclosure. The environmental considerations for these areas and a control qualification summary is provided in Section 3.11.

7.3.1.1.8.12 RERS Operational Considerations 7.3.1.1.8.12.1 RERS General Information The recirculation system is required to filter and mix the air in the reactor enclosure under isolation conditions. See Section 6.5.1.3 for system function.

7.3.1.1.8.12.2 RERS Reactor Operator Information The operator is provided with fan motor status, a charcoal temperature detection failure alarm, carbon filter inlet air temperature, filter system differential, two carbon filter preignition alarms, and carbon filter fire alarm.

7.3.1.1.8.12.3 Deleted CHAPTER 07 7.3-58 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.9 Reactor Enclosure Isolation System - Instrumentation and Controls 7.3.1.1.9.1 REIS Identification The REIS provides signals to isolate the reactor enclosure and start the recirculation and SGTS systems under emergency conditions. For description and operation of the isolation system, see Section 9.4.2.

7.3.1.1.9.2 REIS Power Sources The power for the instruments and controls associated with the isolation system is supplied from the Class 1E 120 V ac system. See Chapter 8 for a description of the electrical system.

7.3.1.1.9.3 REIS Equipment Design Equipment design is described in Section 9.4.2.

7.3.1.1.9.4 REIS Initiating Circuits Each trip logic of the reactor enclosure isolation system may be manually initiated or automatically initiated in a protective function mode as follows:

a. A trip logic may be initiated on low reactor water level (level 2) or high drywell pressure.
b. A trip logic may be initiated by high radiation sensed by both of the two gamma sensors located in the reactor enclosure exhaust duct. (Section 7.6.1.1.2)
c. A trip logic may be initiated by loss of reactor enclosure differential pressure with respect to pressure external to the building.

7.3.1.1.9.5 REIS Logic and Sequencing Each trip logic of the redundant isolation system is normally held in an energized (fail-safe) mode so that an initiating signal or loss of power de-energizes the trip logic and starts all the related systems. The isolation signal seals-in upon initiation, and removal of the initiating signal does not deactivate the channel. The trip logic may be reset to a normal condition only if the initiating condition, other than low building differential pressure, is no longer present. A key-lock reset is provided to bypass low building differential pressure to re-establish it with the normal ventilation system. See drawing M-76FD for the logic diagram.

7.3.1.1.9.6 REIS Bypasses and Interlocks The hand switch of each isolation system, when in the RESET position, provides input to a control room alarm. The isolation system is interlocked with the SGTS and the RERS.

7.3.1.1.9.7 REIS Redundancy and Diversity To maintain the redundancy of the mechanical equipment, controls and instrumentation are provided on a one-to-one basis with the mechanical equipment they serve.

The diversity of the NSSS-furnished LOCA signal is used.

CHAPTER 07 7.3-59 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.9.8 REIS Actuated Devices The SGTS, RERS, and the reactor enclosure isolation valves are actuated by this system. See Sections 7.3.1.1.7 and 7.3.1.1.8, respectively, for descriptions of the actuated systems.

7.3.1.1.9.9 REIS Separation The controls, instruments, and power supplies of the isolation system are physically separated and electrically independent for each of the redundant trip channels. See Section 8.1.6.1 for a discussion of electrical system separation.

7.3.1.1.9.10 REIS Testability Verification of the operability of the initiating circuits may be made as follows:

a. By tripping the individual radiation monitor circuits
b. By tripping the differential pressure input circuits
c. By manually initiating the channels with hand switches located in the control room
d. By tripping the LOCA signal circuits (REIS only)

The REIS system may be tested as discussed above during plant operation.

7.3.1.1.9.11 REIS Environmental Considerations The controls for the isolation systems are located in the reactor enclosure and the control enclosure. The environmental considerations for these areas are in Section 3.11.

7.3.1.1.9.12 REIS Operational Considerations 7.3.1.1.9.12.1 REIS General Information The isolation systems are required to provide for reactor enclosure isolation during emergency conditions. See Sections 6.5.1 and 9.4.2 for system function.

7.3.1.1.9.12.2 REIS Reactor Operator Information The operator is provided with an isolation initiation alarm and an isolation incomplete alarm in the control room for each of the two redundant isolation system logics. In addition, a common system (REIS and RAIS) "armed/bypassed" alarm is provided in the control room.

7.3.1.1.9.12.3 REIS Setpoints Refer to Technical Specifications for REIS radiation setpoints.

7.3.1.1.10 Habitability and Control Room Isolation System - Instrumentation and Controls 7.3.1.1.10.1 HCRIS Identification The control room isolation system provides means to isolate the control room from radiation or chlorine entering through the control room ventilation system. The emergency fresh air system CHAPTER 07 7.3-60 REV. 19, SEPTEMBER 2018

LGS UFSAR provides a means of pressurizing the control room during radiation isolation. The control room HVAC system provides the proper environment for the control room and adjacent areas. For description and operation, see Sections 9.4.1.1 and 6.4.

7.3.1.1.10.2 HCRIS Power Sources Power for the instruments and controls associated with the isolation system, the emergency fresh air system, and the control room HVAC system is supplied from the Class 1E 120 V ac system.

See Chapter 8 for a description of the electrical system.

7.3.1.1.10.3 HCRIS Equipment Design Equipment design is described in Section 9.4.

7.3.1.1.10.4 HCRIS Initiating Circuits The control room isolation system is initiated by outside air high-high radiation (Section 11.5) or a high concentration of chlorine gas. The control room supply and return fans initiate identically to the auxiliary equipment room ventilation system (Section 7.3.1.1.15.6). The CREFAS is initiated by the isolation signals.

7.3.1.1.10.5 HCRIS Logic and Sequencing Two modes of isolation are provided: complete intake and exhaust isolation of the control room upon chlorine detection, and intake air diverted through the emergency fresh air supply system upon radiation detection and control room isolation. See Sections 9.4 and 6.4 for details. The control room supply and return fans operate identically to the auxiliary equipment room ventilation system (Section 7.3.1.1.15.6), except the control room supply fans do not trip on high fan discharge temperature. See drawing M-78FD for the HCRIS control logic diagram.

7.3.1.1.10.6 HCRIS Bypasses and Interlocks The hand switch of each fan in the emergency fresh air system and the control room HVAC system, when in the OFF position, provides input to a control system alarm. One hand switch of each isolation channel, when in the TEST position, provides input to a control system alarm. The isolation system is interlocked with the emergency fresh air system to maintain ventilation within the control room during isolation. The control room HVAC supply fans are interlocked with the purge system, and the chilled water pumps in a way identical to the auxiliary equipment room ventilation system (Section 7.3.1.1.15.6).

7.3.1.1.10.7 HCRIS Redundancy and Diversity To maintain the redundancy of the mechanical equipment, controls and instrumentation are provided on a one-to-one basis with the mechanical equipment they serve.

7.3.1.1.10.8 HCRIS Actuated Devices The associated control enclosure chilled water system pumps are actuated by the control room HVAC supply fans (Section 7.3.1.1.13).

7.3.1.1.10.9 HCRIS Separation CHAPTER 07 7.3-61 REV. 19, SEPTEMBER 2018

LGS UFSAR The controls, instrumentation, and power supplies of the isolation system, emergency fresh air system, and control room HVAC are physically separated and electrically independent for each of the redundant trip channels. See Section 8.1.6.1.14 for a discussion of the electrical system separation.

7.3.1.1.10.10 HCRIS Testability Verification of the operability of the initiating circuits of the isolation system may be made as follows:

a. By tripping the individual radiation monitor circuits
b. By tripping the individual chlorine monitor circuits
c. By manually initiating the channels by hand switches located in the control room.

Verification of the operability of the initiating circuits of the emergency fresh air system may be made as follows:

1. By putting each fan in the AUTO mode and tripping the isolation channel
2. By putting each fan in the STANDBY mode and tripping the isolation channel when the other fan is shut down Verification of the operability of the initiating circuits of the control room HVAC fans may be made by putting each fan in the AUTO mode when the other fan of the pair is shut down. In addition, all fans may be manually tested by hand switches from the control room.

The HCRIS may be tested as discussed above during plant operation.

7.3.1.1.10.11 HCRIS Environmental Consideration The controls for these systems are located in the control enclosure. The environmental consideration for this area and the control qualification summary is provided in Section 3.11.

7.3.1.1.10.12 HCRIS Operational Considerations 7.3.1.1.10.12.1 HCRIS General Information The control room HVAC system is required for normal operation of the control room. The isolation system and the emergency fresh air system are required for emergency operation of the control room.

7.3.1.1.10.12.2 HCRIS Reactor Operator Information Alarms that are common to all four redundant trip channels are provided in the control room for Chlorine Isolation Initiated, Radiation Isolation Initiated, Isolation System Armed, Isolation Not Complete, and Isolation Circuit In Test. Individual alarms from each trip channel are provided in the control room for Chlorine Detector Hi (concentration)/System Malfunction.

The information provided for the control room HVAC system is identical to the auxiliary equipment room ventilation system (Section 7.3.1.1.15.6).

CHAPTER 07 7.3-62 REV. 19, SEPTEMBER 2018

LGS UFSAR The following safety-related information is provided for the emergency fresh air system:

a. Fan motor status and damper position status.
b. System flow rate indication
c. Carbon filter leaving air temperature 7.3.1.1.10.12.3 HCRIS Setpoints For setpoints, see Chapter 16.

7.3.1.1.11 Emergency Service Water System - Instrumentation and Controls 7.3.1.1.11.1 ESW Identification The ESW system is described in Section 9.2.2. This system provides cooling water to the diesel generator units, RHR pumps, and room coolers required during emergency conditions to safely shut down the plant. The ESW system is shown in drawing M-11.

7.3.1.1.11.2 ESW Power Sources The power for the ESW pump motors and its associated loop MOVs is supplied from Class 1E ac buses. Control power for the ESW pumps is supplied from Class 1E dc buses. Instrumentation power is supplied from Class 1E ac buses.

7.3.1.1.11.3 ESW Equipment Design Equipment design is described in Section 9.2.2.

7.3.1.1.11.4 ESW Initiating Circuits Start signals from both the Unit 1 and Unit 2 diesel generators in the same electrical division initiate the auto start of the associated ESW pump. The diesel generator that supplies power to the ESW pump in a loop provides two start signals. The first signal monitors bus voltage and diesel generator speed. The second signal monitors bus voltage and diesel generator output breaker position. The diesel generator in the same division that does not supply power to the associated ESW pump only provides the start signal associated with bus voltage and diesel generator speed.

The start signals have different time delays to ensure proper load sequencing. Diesel generators D11 and D21 start ESW pump A (Division I); D12 and D22 start ESW pump B (Division II); D13 and D23 start ESW pump C (Division III); and D14 and D24 start ESW pump D (Division IV).

A start signal from each ESW pump initiates the associated loop valve action.

Manual control for all four pumps and remote-operated loop configuration control valves is available in the control room. Manual control of ESW pump A and specific A ESW and A RHRSW return header valves is available on the remote shutdown panel. In addition, the "B" and "C" ESW pump can be operated using local controls located at the "B" and "C" ESW pump motor circuit breaker cubicles.

7.3.1.1.11.5 ESW Logic and Sequencing See drawing M-11FD for the logic diagram and Table 1.7-1 for reference to the electrical schematic diagrams.

CHAPTER 07 7.3-63 REV. 19, SEPTEMBER 2018

LGS UFSAR See Chapter 8 for the diesel generator control circuits.

Automatic start of each pump is initiated on the following conditions:

a. Forty-five seconds after the associated diesel generator bus breaker is in and closed and the bus voltage is available
b. Fifty-three seconds after the associated diesel generator is operating (i.e. speed detection) and the bus voltage is available The time delay is for bus loading considerations.

The starting of an ESW pump automatically opens or closes the associated cooling water loop configuration valves. Also, the start signal closes the cooling tower inlet to the associated pump wet pit and opens the sluice gate from the spray pond. The return valve from the ESW system to the cooling tower is closed, and the associated return valves to the spray pond are opened.

Once an ESW pump is started, it continues to operate until any of the following conditions occurs:

a. Manually stopped by the operator in the control room or, for pump A, from the remote shutdown room, or for pumps B and C, from the local circuit breaker cubicle.
b. Bus lockout
c. Phase overcurrent
d. Ground fault
e. Bus undervoltage During Unit 1 operation and Unit 2 construction, ESW supplies and returns to Unit 2 were valved off. During this period ESW pumps "C" and "D" were temporarily powered from safeguard buses D13 and D14, respectively.

7.3.1.1.11.6 ESW Bypasses and Interlocks An interlock is provided so that if an ESW pump is running and a LOCA signal is initiated the pump trips and restarts automatically after a time delay on the signals described in Section 7.3.1.1.11.5.

This interlock is for diesel generator loading considerations.

7.3.1.1.11.7 ESW Redundancy and Diversity To maintain the redundancy of the mechanical equipment described in Section 9.2.2, controls are provided on a one-to-one basis with the mechanical equipment.

MCR instrumentation of each process loop is redundant to the other process loop.

7.3.1.1.11.8 ESW Actuated Devices The devices actuated by the initiation of the ESW pumps are the loop valving and the water source and return valving and/or sluice gates.

CHAPTER 07 7.3-64 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.11.9 ESW Separation The controls and instrumentation are physically and electrically separated for each of the four ESW pumps. ESW pump A controls and instruments are in Division I; ESW pump B is in Division II; ESW pump C is in Division III; and ESW pump D is in Division IV.

The controls for the ESW valves are assigned to various divisions so that a single active failure cannot disable a complete ESW loop. In cases where two valves are in series to shut off a flow path, the valves are assigned to two different divisions. Likewise, in cases where two valves are used to provide redundant flow paths in a single loop, the valves are assigned to two different divisions.

Loop A valves are in Divisions I and III, and loop B valves are in Divisions II and IV. The manual control loop selection valves for each diesel generator are in the same division as the associated diesel generator.

Loop A pressure and differential flow indication are in Division I, and the Loop B instruments are in Division II.

7.3.1.1.11.10 ESW Testability Verification of operability of initiation circuits is made when the associated diesel generator is tested. Circuits that are actuated by ESW pump starts are tested by manipulating the associated components to the nonsafety-related positions, starting the ESW pump and verifying the proper safety-related position is obtained.

7.3.1.1.11.11 ESW Environmental Considerations The control equipment for the ESW system is located in the reactor enclosure, diesel generator enclosures, spray pond pump house, control enclosure, and the control room. See Section 3.11 for environmental considerations.

7.3.1.1.11.12 ESW Operational Considerations 7.3.1.1.11.12.1 ESW General Information The ESW system is not required for normal operation. The system is initiated automatically on a signal based on the status of the diesel generators.

7.3.1.1.11.12.2 ESW Reactor Operator Information The operator is provided with pump motor status and valve position indicators for the ESW system in the control room. An indicator is provided for each loop to show the differential between the loop inflow and the loop return flow. Also, pump A status and position indication for certain loop A valves is provided in the remote shutdown room.

In addition, the following nonsafety-related instrumentation and alarms are provided in the main control room:

a. ESW loop A discharge header pressure indication
b. ESW loop B discharge header pressure indication CHAPTER 07 7.3-65 REV. 19, SEPTEMBER 2018

LGS UFSAR

c. Control room annunciators:
1. ESW loop A(B) high differential flow
2. Pump discharge pressure low (one/pump)
3. Diesel generator compartment flooding (one/diesel generator)
4. Pump control transferred to remote shutdown panel (pump A only)
5. Pump motor overcurrent (one/pump)
6. Pump autostart (one/pump)
7. ESW system out of service (one/pump)
8. Division I (II, III, and IV) any ESW auto initiated valve not fully open/closed
9. Division I (II, III, and IV) ESW MOVs overload or loss of power
d. Plant computer alarms
1. ESW pump motor high bearing temperature
2. ESW pump motor high stator temperature See Section 7.4.1.4 for a description of the indications provided on the remote shutdown panel.

7.3.1.1.11.12.3 ESW Setpoints There are no safety setpoints for the ESW system.

7.3.1.1.12 RHR Service Water System - Instrumentation and Controls 7.3.1.1.12.1 RHRSW Identification The RHRSW system is described in Section 9.2.3. This system provides cooling water to the RHR heat exchangers of both units. The RHRSW system is shown in drawing M-12.

7.3.1.1.12.2 RHRSW Power Sources The power for the RHRSW pump motors and cooling water loop MOVs is supplied from Class 1E ac buses. Control power for the RHRSW pump motors is supplied from Class 1E dc buses.

Instrumentation power is supplied from Class 1E ac buses.

7.3.1.1.12.3 RHRSW Equipment Design Equipment design is described in Section 9.2.3.

CHAPTER 07 7.3-66 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.12.4 RHRSW Initiating Circuits The RHRSW system is a manually initiated system. However, as noted in Section 7.3.1.1.12.5, the common ESW and RHRSW supply and return valves and the spray pond sluice gates are automatically oriented to the spray pond on a start signal from the ESW system.

Manual controls for the RHRSW pumps, cooling water loop valves, and the spray pond sluice gate are available in the control room. Also, manual control of the "A" and "C" RHRSW pumps and the cooling water loop A valves and associated sluice gates is available in the remote shutdown room.

In addition, the "B and D" RHRSW pumps can be operated using local controls located at "B and D" RHRSW pumps motor circuit breaker cubicle.

7.3.1.1.12.5 RHRSW Logic and Sequencing See drawings M-12FD and M-51FD for the RHRSW and the RHR heat exchanger inlet and outlet valve logic diagrams and Table 1.7-1 for reference to electrical schematic diagrams.

The RHRSW pumps are started manually. Once a pump is started, it continues to operate until any of the following conditions occurs:

a. Manually stopped by the operator in the control room, or, for pumps A and C, from the remote shutdown room
b. Bus lockout
c. Phase overcurrent
d. Ground fault
e. Bus undervoltage
f. Associated cooling water loop heat exchanger return line high radiation signal
g. High pump discharge pressure Each RHR heat exchanger inlet and outlet valve is opened manually from the control room. The loop A RHR heat exchanger inlet and outlet valves can also be manually operated from the remote shutdown room.

The system is normally aligned to the spray pond for cooling water source and loop return.

However, the system can be manually aligned to the cooling towers, if available. The starting of the ESW system, the cooling water source, and return for the ESW and RHRSW system automatically aligns to the spray pond if the systems are not already in that mode. Manual alignment of the loop A valve to the cooling tower or the spray pond is also available in the remote shutdown room.

7.3.1.1.12.6 RHRSW Bypasses and Interlocks A key-locked manual switch bypass is provided to inhibit the ESW signal that automatically aligns the ESW and RHRSW system from the cooling tower mode to the spray pond mode. This bypass is provided to permit alignment to the cooling tower if available. A control room alarm indicates that the ESW system is out-of-service whenever this bypass is activated.

CHAPTER 07 7.3-67 REV. 19, SEPTEMBER 2018

LGS UFSAR A key-locked manual bypass switch is provided to inhibit the high radiation signal of the monitor in the associated cooling water loop return to provide the capability to restart the pumps. The bypass switch will also bypass the high discharge pressure trip of the pumps. A control room alarm indicates that the high radiation and high discharge pressure trips are bypassed.

7.3.1.1.12.7 RHRSW Redundancy and Diversity Controls are provided on a one-to-one basis with the mechanical equipment described in Section 9.2.3.

Instrumentation of each process loop is redundant to the other process loop.

7.3.1.1.12.8 RHRSW Actuated Devices Starting an RHRSW pump does not actuate any associated components. The actuation of loop valving, the water source and return valving, and/or sluice gates is limited by ESW pump start.

7.3.1.1.12.9 RHRSW Separation The controls and instrumentation are physically and electrically separated for each RHRSW loop.

The controls for the loop A RHR heat exchanger inlet valves and for RHRSW pumps A and C are in Division I, and controls for RHRSW pumps B and D, and the loop B RHR heat exchanger inlet valves are in Division II. Controls for the loop A RHR heat exchanger outlet valve are Division III and the controls for loop BRHR heat exchanger are in Division IV.

The controls of the RHRSW Loop A valves that are common with the ESW system are in either Division I or III, and the Loop B valves that are common with the ESW system are in either Division II or IV as described in Section 7.3.1.1.11.9.

Similarly the Loop A instrumentation for pressure, flow, and radiation is in either Division I or III, and the Loop B instrumentation is in either Division II or IV.

7.3.1.1.12.10 RHRSW Testability The RHRSW system is capable of being tested during normal plant operation by the manual testing of each RHRSW loop component. Manual control switches with status lights are provided in the control room for the system pumps and valves.

7.3.1.1.12.11 RHRSW Environmental Considerations The control equipment for the RHRSW system is located in the spray pond pump house, and control structure. See Section 3.11 for environmental considerations.

7.3.1.1.12.12 RHRSW Operational Considerations 7.3.1.1.12.12.1 RHRSW General Information The RHRSW system is not required for normal plant operations. The RHRSW system is required for normal plant shutdowns. The system is manually initiated to supply cooling water to the RHR heat exchangers.

CHAPTER 07 7.3-68 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.12.12.2 RHRSW Reactor Operator Information The operator is provided with pump motor status and valve position indication for the RHRSW system components in the control room. A recording of the radiation level of each of the RHRSW return loops is provided.

In addition, the following nonsafety-related instrumentation and alarms are provided in the control room:

a. RHRSW pumps A and C discharge header pressure indicator. This pressure indication is also provided in the remote shutdown room.
b. RHR heat exchanger service water outlet pressure indicator (one/heat exchanger).

This pressure indication is also provided in the remote shutdown room.

c. RHR heat exchanger service water outlet temperature recording (one/heat exchanger)
d. Control room annunciators:
1. RHRSW pump discharge low pressure (one/pump)
2. RHRSW pump discharge high pressure (one/pump)
3. RHRSW header low pressure (two/loop)
4. RHRSW pump motor high bearing or stator temperature alarms. Alarms are via the plant computer (three/pump motor).
5. RHRSW pump control transferred to the remote shutdown panel (pumps A and C only)
6. RHRSW pump motor overcurrent (one/motor)
7. RHRSW high radiation trip signal bypassed (one/loop)
8. RHR heat exchanger service water valves not open (one/loop)
9. RHR out-of-service (input from each RHRSW loop)
10. DELETED
11. RHRSW drain high/low level
12. Spray pond MOVs overload on loss of power (one/ division) 7.3.1.1.12.12.3 RHRSW Setpoints There are no safety setpoints for the RHRSW system.

CHAPTER 07 7.3-69 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.13 Control Enclosure Chilled Water System - Instrumentation and Controls 7.3.1.1.13.1 CECWS Identification The CECWS provides chilled water to the control room air supply fan cabinets, the auxiliary equipment room air supply fan cabinets, the emergency switchgear and battery room air supply fan cabinets, and the SGTS room and access area unit coolers. For description and operation, see Section 9.4.1.

7.3.1.1.13.2 CECWS Power Sources The power for the instruments and controls associated with the CECWS is supplied from the Class 1E 120 V ac system. See Chapter 8 for a description of the electrical system.

7.3.1.1.13.3 CECWS Equipment Design Equipment design is described in Section 9.4.1.

7.3.1.1.13.4 CECWS Initiating Circuits The CECWS chillers and pumps may be manually started from hand switches in the control room.

The circulating water pumps, when in the auto mode, can be started by any one of the five fan units served by the CECWS. The chiller can be automatically started, when in the auto mode, by the starting of its circulating water pump.

7.3.1.1.13.5 CECWS Logic and Sequencing One circulating water pump and its associated chiller are started manually to correspond with the cooling coils in use. The other pump and chiller remain in a standby mode. If a fan unit fails or is shut down, its standby unit starts and sends a signal to its corresponding circulating water pump and chiller to start. If a pump or chiller shuts down, the corresponding fan units shut down due to high temperature, except for the main control room fan unit(s). The operating main control fan unit can be manually shut down if required, which causes the standby fan unit to start and send a signal to the corresponding circulating water pump and chiller to start.

Upon receipt of a LOCA signal the operating chiller is automatically tripped, and the operating circulating pump continues to run. The standby circulating pump automatically starts approximately 116 seconds (126 sec if LOOP/LOCA) later. Both chillers automatically start approximately 167 seconds (117 if LOOP/LOCA) later. See drawing M-90FD for the control logic diagram.

7.3.1.1.13.6 CECWS Bypasses and Interlocks The hand switch of each pump, when in the "off" position, provides input to a computer alarm. The hand switch of each chiller, when in the off position, provides input to a control system alarm. Each safeguard channel pump and chiller is interlocked with each other and with the 5 fan/coil units that are serviced by it.

7.3.1.1.13.7 CECWS Redundancy and Diversity To maintain the redundancy of the mechanical equipment, the controls and instrumentation are provided on a one-to-one basis with the mechanical equipment they serve. Diversity is not applicable.

CHAPTER 07 7.3-70 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.13.8 CECWS Actuated Devices The pump and chiller can be actuated by each other under certain circumstances as described in Section 7.3.1.1.13.4.

7.3.1.1.13.9 CECWS Separation The controls, instrumentation, and power supplies of the CECWS are physically and electrically separated for each of the redundant systems. See Section 8.1.6.1 for the electrical system separation.

7.3.1.1.13.10 CECWS Testability Verification of the operability of the initiating circuits may be made as follows:

a. By manually testing the pumps and chillers by hand switches located in the control room.
b. By putting the chiller and pump pair in the automatic mode and starting one of the 5 fan units interlocked with that pair.

7.3.1.1.13.11 CECWS Environmental Consideration The controls for the CECWS are located in the control enclosure; the environmental consideration for this area and control qualification summary is provided Section 3.11.

7.3.1.1.13.12 CECWS Operational Considerations 7.3.1.1.13.12.1 CECWS General Information The CECWS is required for normal and emergency operation of its service areas.

7.3.1.1.13.12.2 CECWS Reactor Operator Information The operator is provided with pump motor status and flow indication for the pumps. Chiller motor status, and entering and leaving chilled water temperature indication is provided for the chillers. A chilled water return high temperature alarm is also provided to the computer.

7.3.1.1.13.12.3 Deleted 7.3.1.1.14 Class 1E Power System Descriptions of the standby power system and supporting system can be found in the following:

a. See Section 8.3.1 for a description of the onsite Class 1E ac power systems.
b. See Section 8.3.2 for a description of the onsite Class 1E dc power system.
c. See Section 9.5.5 for the diesel generator cooling water system.
d. See Section 9.5.6 for the diesel generator starting system.

CHAPTER 07 7.3-71 REV. 19, SEPTEMBER 2018

LGS UFSAR

e. See Section 9.5.7 for the diesel generator lubrication system.
f. See Section 9.5.8 for the diesel generator combustion air intake and exhaust system.

7.3.1.1.15 Safety-Related Equipment Area Cooling Ventilation Systems - Instrumentation and Controls 7.3.1.1.15.1 SGTS Filter Room and Access Area Unit Coolers - Instrumentation and Controls 7.3.1.1.15.1.1 SGTS-UC System Identification The SGTS unit coolers provide cooling to the SGTS filter room and access areas. For description and operation, see Section 9.4.1.

7.3.1.1.15.1.2 SGTS-UC Power Sources The power for the instruments and controls associated with the SGTS unit coolers is supplied from the Class 1E 120 V ac system. See Section 8 for a description of the electrical system.

7.3.1.1.15.1.3 SGTS-UC Equipment Design Equipment design is described in Section 9.4.1.

7.3.1.1.15.1.4 SGTS-UC Initiating Circuits Each of the unit coolers may be initiated as follows:

a. The tripping of the high temperature switch in auto mode
b. The tripping of the high-high temperature switch in the standby mode 7.3.1.1.15.1.5 SGTS-UC Logic and Sequencing When the temperature of the area exceeds the high temperature setting, the lead fan starts. If the temperature continues to rise, the standby fan starts. When a fan starts, air flow is sensed by differential pressure instrumentation which sends a signal to start the associated control structure chilled water pump and chiller and opens the chilled water coil inlet valve. Once started, a fan runs until the area temperature drops below the low temperature setting. See drawings M-78FD for the control logic diagram.

7.3.1.1.15.1.6 SGTS-UC Bypasses and Interlocks The hand switch of each unit, when in the off position, provides input to a computer alarm. The unit coolers are interlocked with the control enclosure chilled water pumps.

7.3.1.1.15.1.7 SGTS-UC Redundancy and Diversity To maintain the redundancy of the mechanical equipment, controls and instrumentation are provided on a one-to-one basis with the mechanical equipment they serve. Diversity is not applicable.

CHAPTER 07 7.3-72 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.15.1.8 SGTS-UC Actuated Devices The associated control enclosure chilled water system pumps are actuated by the unit coolers.

See Section 7.3.1.1.13 for a description of CECWS controls.

7.3.1.1.15.1.9 SGTS-UC Separation The controls, instrumentation, and power supplies of the SGTS unit coolers are physically and electrically separated for each of the units. See Section 8.1.6.1 for a discussion of electrical system separation.

7.3.1.1.15.1.10 SGTS-UC Testability Verification of the operability of the initiating circuits may be made as follows:

a. The fans can be manually tested by hand switches from the local control panel.
b. In the auto mode, the unit can be started by tripping the high temperature switch.
c. In the standby mode, the unit can be started by tripping the high-high temperature switch.

7.3.1.1.15.1.11 SGTS-UC Environmental Considerations The controls for the subject equipment are located in the control enclosure. The environmental considerations for this area and the control qualification summary is provided in Section 3.11.

7.3.1.1.15.1.12 SGTS-UC Operational Considerations 7.3.1.1.15.1.12.1 SGTS-UC General Information The SGTS unit coolers are required to maintain environmental conditions in their service areas when the SGTS fan is operating.

7.3.1.1.15.1.12.2 SGTS-UC Reactor Operator Information The following safety-related information is provided on a local control panel:

a. Fan motor status for each unit cooler
b. Area temperature for each unit cooler In addition, a fan trouble alarm is relayed to the computer alarm for each unit cooler.

7.3.1.1.15.1.12.3 Deleted 7.3.1.1.15.2 Diesel Generator Enclosure Ventilation System - Instrumentation and Controls 7.3.1.1.15.2.1 DGEVS System Identification The diesel generator enclosure ventilation system cools the diesel generator cells and equipment.

For description and operation, see Section 9.4.6.

CHAPTER 07 7.3-73 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.15.2.2 DGEVS Power Sources The power for the instruments and controls associated with the diesel generator enclosure ventilation system is supplied from the Class 1E 120 V ac system. See Chapter 8 for a description of the electrical system.

7.3.1.1.15.2.3 DGEVS Equipment Design Equipment design is described in Section 9.4.6.

7.3.1.1.15.2.4 DGEVS Initiating Circuits Each of the four diesel generators has its own corresponding ventilation system which may be initiated in a protective function mode as follows:

a. The starting of an associated diesel and the receipt of a temperature permissible (temperature >36°F)
b. The initiation of the high temperature switch will start the standby fan if the diesel is running.
c. With the diesel not running, the initiation of the high- high temperature switch will start both the lead and standby fans.

7.3.1.1.15.2.5 DGEVS Logic and Sequencing When the diesel start signal is initiated and the cell temperature exceeds the thermostat setting, the lead fan starts. If the temperature continues to rise, the standby fan starts.

Once started, a fan runs until the cell temperature drops below the low temperature switch setting.

The fan blades modulate to maintain the discharge air temperature setting. See drawings M-81FD for the control logic diagram.

7.3.1.1.15.2.6 DGEVS Bypasses and Interlocks The hand switch of each ventilation fan, when in the off position, provides input to a local panel alarm that is relayed to the control room.

The diesel generator enclosure fans are interlocked with their respective diesel start signal.

7.3.1.1.15.2.7 DGEVS Redundancy and Diversity To maintain the redundancy of the mechanical equipment, controls and instrumentation are provided on a one-to-one basis with the mechanical equipment they serve. Diversity is not applicable.

7.3.1.1.15.2.8 DGEVS Actuated Devices No additional devices or systems are actuated by the diesel generator enclosure ventilation system.

CHAPTER 07 7.3-74 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.15.2.9 DGEVS Separation The controls, instrumentation, and power supplies of the diesel generator enclosure ventilation fans are physically and electrically separated for each of the fan systems. See Section 8.1.6.1 for a discussion of electrical system separation.

7.3.1.1.15.2.10 DGEVS Testability Verification of the operability of the initiating circuits may be made as follows:

a. By manually testing the fans by hand switches from the local panel
b. In the auto mode, by tripping the diesel start signal or the cell high-high temperature switch
c. In the standby mode, by tripping the diesel start signal and cell high temperature switch or by tripping the cell high-high temperature switch 7.3.1.1.15.2.11 DGEVS Environmental Consideration The controls for the subject equipment are located in the diesel generator enclosure. The environmental consideration for these areas and a control qualification summary is provided in Section 3.11.

7.3.1.1.15.2.12 DGEVS Operational Considerations 7.3.1.1.15.2.12.1 DGEVS General Information The diesel generator enclosure ventilation system is required for normal operation and testing of the diesel generators when the plant is in operation.

7.3.1.1.15.2.12.2 DGEVS Reactor Operator Information The operator is provided with a fan system trouble alarm.

7.3.1.1.15.2.12.3 Deleted 7.3.1.1.15.3 Spray Pond Pump Structure Ventilation System - Instrumentation and Controls 7.3.1.1.15.3.1 SPPSVS System Identification The spray pond pump structure ventilation system provides ventilation and heating for the ESF pumps located in the spray pond pump structure. For description and operation, see Section 9.4.7.

7.3.1.1.15.3.2 SPPSVS Power Sources The power for the instruments and controls associated with the spray pond pump structure ventilation system is supplied from the Class 1E 120 V ac system.

7.3.1.1.15.3.3 SPPSVS Equipment Design Equipment design is described in Section 9.4.7.

CHAPTER 07 7.3-75 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.15.3.4 SPPSVS Initiating Circuits Each of the fans may be initiated or stopped in a protective function mode as follows:

a. The initiation of a high temperature switch (for cooling)
b. The initiation of a low temperature switch (for heating)
c. The tripping of a low temperature switch (for cooling)
d. The tripping of a high temperature switch (for heating) 7.3.1.1.15.3.5 SPPSVS Logic and Sequencing Each train of the SPPSVS may be operated in either the Run or Standby mode. See drawings M-81FD for control logic diagrams and Table 1.7-1 for reference to electrical schematic diagrams.

Fans in the run mode operate continuously and structure temperature is controlled automatically by a temperature controller that modulates dampers which mix outside and recirculated air. If temperature drops below setpoint, heaters will be energized automatically.

As the SPPSVS temperature rises;

a. Fans in Run mode run continuously. Dampers are energized and modulated when structure temperature exceeds a high temperature setpoint.
b. Fans in the Standby mode have a higher setpoint, and will start if the temperature rises above the automatic setpoint.

As the SPPSVS temperature decreases;

a. Fans in the Run mode will operate continuously. Dampers are deenergized when structure temperature exceeds a low temperature setpoint, and the associated heaters will be energized.
b. Fans in the Standby mode also have a lower setpoint; they will start if the temperature falls below the automatic setpoint, and the associated heaters will be energized.
c. In all modes of operation, if structure temperature continues to decrease, the SPPSVS will be automatically tripped before reaching the freezing point.

Fans that have started in the Run mode will operate continuously. Fans that have started in the standby mode will stop after the initiating temperature switch has reset.

7.3.1.1.15.3.6 SPPSVS Bypasses and Interlocks The hand switch of each fan, when in the off position, provides input to a control room alarm.

The electric heating coils are interlocked with the LOCA signals and trip off upon receipt of these signals.

7.3.1.1.15.3.7 SPPSVS Redundancy and Diversity To maintain the redundancy of the mechanical equipment, controls and instrumentation are provided on a one-to-one basis with the mechanical equipment they serve. Diversity is not applicable.

CHAPTER 07 7.3-76 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.15.3.8 SPPSVS Actuated Devices No additional devices or systems are actuated by the spray pond pump structure ventilation system.

7.3.1.1.15.3.9 SPPSVS Separation The controls, instrumentation, and power supplies for the spray pond pump structure ventilation fans are physically and electrically separated for each of the fan systems. See Section 8.1.6.1.14 for a discussion of the electrical system separation.

7.3.1.1.15.3.10 SPPSVS Testability Verification of operability of the cooling modes initiation circuits may be made when the applicable pumps are operationally tested. Verification of operability of the heating mode initiating circuits may be made by tripping the low temperature switch. The units may be manually tested by hand switches located in the control room.

7.3.1.1.15.3.11 SPPSVS Environmental Consideration The controls for the subject equipment are located in the control enclosure and the spray pond pump structure. The environmental consideration for these areas and the control qualification summary is provided in Section 3.11.

7.3.1.1.15.3.12 SPPSVS Operational Considerations 7.3.1.1.15.3.12.1 SPPSVS General Information The spray pond pump structure ventilation system is required for normal heating and cooling of the pump structure as well as for safeguard cooling of the pumps enclosed therein.

7.3.1.1.15.3.12.2 SPPSVS Reactor Operator Information The operator is provided with fan motor status, building high temperature annunciator, and a fan system trouble annunciator.

7.3.1.1.15.3.12.3 Deleted 7.3.1.1.15.4 Emergency Switchgear and Battery Rooms Cooling System - Instrumentation and Controls 7.3.1.1.15.4.1 ESBRCS System Identification The ESBRCS provides ventilation and cooling to the emergency switchgear rooms, inverter rooms, battery rooms, and the chiller equipment rooms in the control structure. For description and operation, see Section 9.4.1. See Chapter 8 for a description of the electrical system.

7.3.1.1.15.4.2 ESBRCS Power Sources The power for the instruments and controls associated with the ESBRCS is supplied from the Class 1E 120 V ac system.

CHAPTER 07 7.3-77 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.15.4.3 ESBRCS Equipment Design Equipment design is described in Section 9.4.1.

7.3.1.1.15.4.4 ESBRCS Initiating Circuits Each of the fans may be initiated in a protective function mode as follows: a standby fan may be automatically started by a low flow signal.

7.3.1.1.15.4.5 ESBRCS Logic and Sequencing See drawings M-78FD for the control logic diagram.

One fan is started manually, and the other is placed on standby. An operating fan may be shut down automatically due to the following:

a. Loss of flow
b. Discharge temperature exceeding setpoint
c. Discharge temperature below setpoint The standby fan starts upon detection of a loss of flow in the primary fan system and sends a signal to start the associated control structures chilled water pump and chiller. When a fan is operating, its temperature controls operate its cooling coil to maintain a constant environment in its service area.

7.3.1.1.15.4.6 ESBRCS Bypasses and Interlocks The hand switch of each fan, when in the off position, provides input to a local panel alarm that is relayed to the control room. The fans are interlocked with the control enclosure chilled water pumps. Operation of a fan initiates operation of the associated chilled water pump.

7.3.1.1.15.4.7 ESBRCS Redundancy and Diversity To maintain the redundancy of the mechanical equipment, controls and instrumentation are provided on a one-to-one basis with the mechanical equipment they serve. Diversity is not applicable.

7.3.1.1.15.4.8 ESBRCS Actuated Devices The associated control enclosure chilled water system pumps are activated by the emergency switchgear and battery rooms supply fan units. These pumps are described in Section 7.3.1.1.13.4.

7.3.1.1.15.4.9 ESBRCS Separation The controls, instrumentation, and power supplies of the emergency switchgear and battery rooms supply fans are physically and electrically separated for each of the fan systems. See Section 8.1.6.1 for a discussion of the electrical system separation.

CHAPTER 07 7.3-78 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.15.4.10 ESBRCS Testability Verification of the operability of the initiating circuits may be made as follows:

a. By putting each fan in the auto mode when the complementary fan of the pair is shut down
b. By manually testing the fans by hand switches located in the control room 7.3.1.1.15.4.11 ESBRCS Environmental Consideration The controls for the subject equipment are located in the control enclosure. The environmental consideration for these areas and the control qualification summary is provided in Section 3.11.

7.3.1.1.15.4.12 ESBRCS Operational Considerations 7.3.1.1.15.4.12.1 ESBRCS General Information The emergency switchgear and battery rooms HVAC system is required for normal operation of its service areas.

7.3.1.1.15.4.12.2 ESBRCS Reactor Operator Information The operator is provided with a relayed fan system trouble alarm.

7.3.1.1.15.4.12.3 Deleted 7.3.1.1.15.5 ECCS Pump Compartment Unit Coolers - Instrumentation and Controls 7.3.1.1.15.5.1 ECCS-UC System Identification The ECCS pump compartment unit coolers provide cooling to the core spray, HPCI, and RHR pump rooms. For description and operation, see Section 9.4.2.

7.3.1.1.15.5.2 ECCS-UC Power Sources The power for the instruments and controls associated with the ECCS pump compartment unit coolers is supplied from the Class 1E 120 V ac system. See Chapter 8 for a description of the electrical system.

7.3.1.1.15.5.3 ECCS-UC Equipment Design Equipment design is described in Section 9.4.2.

7.3.1.1.15.5.4 ECCS-UC Initiating Circuits Each of the fans may be initiated in a protective function mode as follows:

a. A unit cooler will start when the respective pump starts.
b. A unit cooler may be manually started from the local control panel.
c. A fan may be started by the initiation of a high temperature switch.

CHAPTER 07 7.3-79 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.15.5.5 ECCS-UC Logic and Sequencing See drawings M-76FD for the control logic diagram.

When each pair of unit coolers is set up in a lead lag mode, automatic start is initiated under the following conditions:

a. When the area temperature exceeds 100F, the lead fan starts.
b. When the area temperature exceeds 110°F, the standby fan starts.

The starting of a fan automatically opens a valve in the ESW system to supply cooling water to the unit.

The fan shuts down when the area temperature drops to 80°F.

7.3.1.1.15.5.6 ECCS-UC Bypasses and Interlocks The hand switch of each fan, when in the off position, provides input to a local panel alarm that is relayed to the control room.

7.3.1.1.15.5.7 ECCS-UC Redundancy and Diversity To maintain the redundancy of the mechanical equipment, controls and instrumentation are provided on a one-to-one basis with the mechanical equipment they serve. Diversity is not applicable.

7.3.1.1.15.5.8 ECCS-UC Actuated Devices No additional devices or systems are actuated by the ECCS pump compartment unit coolers.

7.3.1.1.15.5.9 ECCS-UC Separation The controls, instrumentation, and power supplies are physically and electrically separated for each of the ECCS unit coolers. See Section 8.1.6.1 for a discussion of the electrical system separation.

7.3.1.1.15.5.10 ECCS-UC Testability Verification of operability of initiation circuits may be made when the applicable pumps are operationally tested. The units may be manually tested by hand switches located on local control cabinets.

7.3.1.1.15.5.11 ECCS-UC Environmental Consideration The controls for the subject equipment are located in the reactor enclosure. The environmental consideration for this area and the control qualification summary is provided in Section 3.11.

CHAPTER 07 7.3-80 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.15.5.12 ECCS-UC Operational Considerations 7.3.1.1.15.5.12.1 ECCS-UC General Information The ECCS pump compartment unit coolers are not required for normal cooling of these areas when the ECCS pumps are not operating.

7.3.1.1.15.5.12.2 ECCS-UC Reactor Operation Information The operator is provided with a relayed unit cooler system trouble alarm.

7.3.1.1.15.5.12.3 ECCS-UC Setpoints For setpoints, see Section 7.3.1.1.15.5.5 (logic and sequencing).

7.3.1.1.15.6 Auxiliary Equipment Room Ventilation System - Instrumentation and Controls 7.3.1.1.15.6.1 AERVS System Identification The auxiliary equipment room ventilation system provides ventilation and cooling to the auxiliary equipment room, computer room, remote shutdown room, control enclosure fan room, SGTS access area, and SGTS room. For description and operation, see Section 9.4.1.

7.3.1.1.15.6.2 AERVS Power Sources The power for the instruments and controls associated with the auxiliary equipment room ventilation system is supplied from the Class 1E 120 V ac system.

7.3.1.1.15.6.3 AERVS Equipment Design Equipment design is described in Section 9.4.1.

7.3.1.1.15.6.4 AERVS Initiating Circuits Each of the supply fans can be initiated in a protective function mode as follows: a standby fan can be started by a low condition sensed in the other fans INTAKE.

Each of the return fans can be initiated in a protective function mode as follows: a standby fan can be started by a low condition sensed in the other fans INTAKE.

7.3.1.1.15.6.5 AERVS Logic and Sequencing See drawings M-78FD for the control logic diagram. One supply and one return fan are started manually. The other fan in each pair is put on standby. An operating supply fan can be shut down automatically, due to the following:

a. Loss of flow
b. Discharge temperature exceeding setpoint
c. Discharge temperature below setpoint CHAPTER 07 7.3-81 REV. 19, SEPTEMBER 2018

LGS UFSAR The standby supply fan starts upon detection of loss of flow in the primary fan system and sends a signal to start the associated control structure chilled water pump and chiller. A return fan shuts down upon detection of loss of flow in its own system. When a supply fan is operating, its temperature controls operate its cooling and Class II heating and humidifying equipment to maintain a constant environment in its service area.

7.3.1.1.15.6.6 AERVS Bypasses and Interlocks The hand switch of each fan, when in the off position, provides input to a control system alarm.

The supply fans are interlocked with the control enclosure chilled water pumps and the supply fan low temperature cut-out is interlocked with the control enclosure purge system. The purge system, described in Section 9.4.1, is not an ESF. It has been upgraded to safeguard power status for convenience in interfacing with the control enclosure HVAC systems.

7.3.1.1.15.6.7 AERVS Redundancy and Diversity To maintain the redundancy of the mechanical equipment, controls and instrumentation are provided on a one-to-one basis with the mechanical equipment they serve. Diversity is not applicable.

7.3.1.1.15.6.8 AERVS Actuated Devices The associated control enclosure chilled water pumps are actuated by the supply fans.

7.3.1.1.15.6.9 AERVS Separation The controls, instrumentation, and power supplies of the AERVS are physically and electrically separated for each of the fan systems. See Section 8.1.6.1 for a discussion of the electrical system separation.

7.3.1.1.15.6.10 AERVS Testability Verification of the operability of the initiating circuits can be made as follows:

a. By putting each fan in the auto mode when the complementary fan of the pair is shut down
b. By manually testing the fans by hand switches located on local control cabinets 7.3.1.1.15.6.11 AERVS Environmental Consideration The controls for the subject equipment are located in the control enclosure. The environmental consideration for this area and the control qualification summary is provided in Section 3.11.

7.3.1.1.15.6.12 AERVS Operational Considerations 7.3.1.1.15.6.12.1 AERVS General Information The auxiliary equipment room ventilation system is required for normal operation of its service areas.

CHAPTER 07 7.3-82 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.1.15.6.12.2 AERVS Reactor Operator Information The following safety-related information is provided on a local control panel that has a trouble alarm relayed to the control room:

a. Fan motor status and damper position status for the supply and return fans
b. Supply fan electric heater leaving air temperatures
c. Supply fan leaving air temperature The following nonsafety-related information is also provided on the local control panel:
a. Supply fan mixed air entering temperature
b. Auxiliary equipment room humidity level
c. Return fan leaving air temperature 7.3.1.1.15.6.12.3 Deleted 7.3.1.1.16 Drywell Unit Coolers - Instrumentation and Controls 7.3.1.1.16.1 DUC System Identification The drywell unit coolers provide cooling and atmosphere mixing in the primary containment. For description and operation, see Section 9.4.5. Atmosphere mixing is the only safety-related function of this system.

7.3.1.1.16.2 DUC Power Sources The power for the instruments and controls associated with the drywell unit coolers is supplied from the Class 1E 120 V ac system.

7.3.1.1.16.3 DUC Equipment Design Equipment design is described in Section 9.4.5.

7.3.1.1.16.4 DUC Initiating Circuits Each of the fans can be initiated or stopped in a protective function mode as follows:

a. A fan can be manually started from the control room.
b. A standby fan can be automatically started by a low flow signal.

7.3.1.1.16.5 DUC Logic and Sequencing See drawings M-77FD for the control logic diagram.

Each pair of fans is set up in a run/auto mode.

CHAPTER 07 7.3-83 REV. 19, SEPTEMBER 2018

LGS UFSAR The run fan is manually started and normally operates continuously. If loss of flow is detected by the flow switch, the unit is shut down and the autofan starts. Each fan may be manually stopped from the control room.

7.3.1.1.16.6 DUC Bypasses and Interlocks The hand switch of each fan, when in the off position, provides input to a computer alarm.

7.3.1.1.16.7 DUC Redundancy and Diversity To maintain the redundancy of the mechanical equipment, controls and instrumentation are provided on a one-to-one basis with the mechanical equipment they serve. Diversity is not applicable.

7.3.1.1.16.8 DUC Actuated Devices No additional devices or systems are actuated by the drywell unit coolers.

7.3.1.1.16.9 DUC Separation The controls, instrumentation, and power supplies of the drywell unit coolers are physically and electrically separated for each redundant pair of fans. See Section 8.1.6.1 for discussion of electrical system separation.

7.3.1.1.16.10 DUC Testability Verification of operability of the initiation circuits may be made by putting each fan in the auto mode when the complementary fan of the pair is shut down. The units may be manually tested by hand switches located in the control room.

7.3.1.1.16.11 DUC Environmental Considerations The controls for the subject equipment are located in the control enclosure, the reactor enclosure, and primary containment. The environmental considerations for these areas and the control qualification summary is provided in Section 3.11.

7.3.1.1.16.12 DUC Operational Considerations 7.3.1.1.16.12.1 DUC General Information The drywell unit coolers are required to maintain uniform mixing of combustible gases in the drywell.

7.3.1.1.16.12.2 DUC Reactor Operator Information The operator is provided with fan motor status and a fan system trouble alarm. In addition, the following nonsafety-related instrumentation and alarms are provided in the control room for each pair of fans:

a. Drywell area temperature (unit cooler inlet temperature) indicator
b. Unit cooler supply temperature indicator CHAPTER 07 7.3-84 REV. 19, SEPTEMBER 2018

LGS UFSAR

c. Unit cooler temperature trouble 7.3.1.1.16.12.3 Deleted 7.3.1.1.17 Refueling Area Isolation System - Instrumentation and Controls 7.3.1.1.17.1 RAIS Identification The RAIS provides signals to isolate the refueling area and start the SGTS under emergency conditions. A description and operation of the isolation system are given in Section 9.4.2.

7.3.1.1.17.2 RAIS Power Sources The power for the instruments and controls associated with the isolation system is supplied from the Class 1E 120 V ac system. Chapter 8 gives a description of the electrical system.

7.3.1.1.17.3 RAIS Equipment Design Equipment design is described in Section 9.4.2.

7.3.1.1.17.4 RAIS Initiating Circuits Each channel of the isolation system may be manually initiated or automatically initiated in a protective function mode as follows:

a. A channel may be initiated by high radiation sensed by both of the two gamma sensors located in the refueling area exhaust duct.
b. A channel may be initiated by loss of refueling area differential pressure with respect to outside pressure.

7.3.1.1.17.5 RAIS Logic and Sequencing Each channel of the redundant isolation system is normally held in an energized (fail-safe) mode so that an initiating signal or loss of power activates the channel and starts all the related systems.

The isolation signal seals-in upon initiation, and removal of the initiating signal does not deactivate the channel. The channel may be reset to a normal condition only if the initiating condition, other than low building differential pressure, is no longer present. A key-lock reset is provided to bypass low building differential pressure to re-establish it with the normal ventilation system. Drawings M-76FD shows the logic diagram.

7.3.1.1.17.6 RAIS Bypasses and Interlocks The hand switch of each isolation system, when in the RESET position, provides input to a control room alarm. The isolation system is interlocked with the SGTS exhaust fan start and SGTS filter valves auto change-over circuit.

7.3.1.1.17.7 RAIS Redundancy and Diversity To maintain the redundancy of the mechanical equipment, controls and instrumentation are provided on a one-to-one basis with the mechanical equipment they serve.

7.3.1.1.17.8 RAIS Actuated Devices CHAPTER 07 7.3-85 REV. 19, SEPTEMBER 2018

LGS UFSAR The SGTS and the refueling area isolation are actuated by this system. Section 7.3.1.1.7 gives a description of the actuated system.

7.3.1.1.17.9 RAIS Separation The controls, instruments, and power supplies of the isolation system are physically separated and electrically independent for each of the redundant trip channels. Section 8.1.6.1 gives a discussion of electrical system separation.

7.3.1.1.17.10 RAIS Testability Verification of the operability of the initiating circuits may be made as follows:

a. By tripping the individual radiation monitor circuits
b. By tripping the differential pressure input circuits
c. By manually initiating the channels with hand switches located in the control room The RAIS system may be tested as discussed above during plant operation.

7.3.1.1.17.11 RAIS Environmental Considerations The controls for the isolation system are located in the refueling area, reactor enclosure, and the control enclosure. The environmental considerations for these areas are in Section 3.11.

7.3.1.1.17.12 RAIS Operational Considerations 7.3.1.1.17.12.1 RAIS General Information The isolation systems are required to provide for refueling area isolation during emergency conditions. Sections 6.5.1 and 9.4.2 give system function.

7.3.1.1.17.12.2 RAIS Reactor Operator Information The operator is provided with an isolation initiation alarm and an isolation incomplete alarm in the control room for each of the two channels. In addition, a common system (REIS and RAIS)

"armed/bypassed" alarm is provided in the control room.

7.3.1.1.17.12.3 RAIS Setpoints Refer to Technical Specifications for RAIS radiation setpoints.

7.3.1.2 IEEE 279 (1971) Design Basis Information IEEE 279 (1971) defines the requirements for design bases. Using the IEEE 279 format, the following nine paragraphs fulfill the requirement for systems and equipment described in this section. Additional design basis information is given in Section 7.1.

CHAPTER 07 7.3-86 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.2.1 IEEE 279 Design Basis Information - Conditions The plant conditions that require protective action involving the systems of this section and other sections are examined and presented in Chapter 15.

7.3.1.2.2 IEEE 279 Design Basis Information - Variables The plant variables that require monitoring to provide protective action are:

a. HPCI (Section 7.3.1.1.1.1.)
1. Reactor vessel water level
2. Primary containment pressure
b. ADS (Section 7.3.1.1.1.2.)
1. Reactor vessel water level
2. Primary containment pressure
3. Core spray and RHR pump discharge pressure
c. Core Spray (Section 7.3.1.1.1.3)
1. Reactor vessel water level
2. Primary containment pressure
3. Reactor vessel pressure
d. LPCI (Section 7.3.1.1.1.4)
1. Reactor vessel water level
2. Primary containment pressure
3. Reactor vessel pressure
e. PCRVICS (Section 7.3.1.1.2)

See Table 7.3-5.

f. Deleted
g. Containment Spray (Section 7.3.1.1.4)
1. Reactor vessel water level
2. Primary containment pressure
3. Reactor vessel pressure
h. CAC System (Section 7.3.1.1.6)
1. Containment hydrogen concentration
2. Containment oxygen concentration CHAPTER 07 7.3-87 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.1.2.3 IEEE 279 Design Basis Information - Number and Location of Sensors with Spatial Dependence Only For the minimum number of channels required for functional performance, see the Technical Specifications. There are no sensors in the ECCS, PCRVICS, or RHR/containment spray systems that have a spatial dependence. Therefore, location information is not relevant.

7.3.1.2.4 IEEE 279 Design Basis Information - Operational Limits Prudent operational limits for each safety-related variable trip setting are selected to be far enough above or below normal operating levels so that a spurious ESF initiation is prevented. It is then verified by analysis that the release of radioactive materials, following postulated gross failures of the fuel, or the nuclear system process barrier, is kept within acceptable bounds. Design basis operational limits as referenced in Chapter 16 are based on operating experience and constrained by the safety design basis and the safety analyses.

7.3.1.2.5 IEEE 279 Design Basis Information - Margin Between Operational Limits The margin between operational limits and the limiting conditions for ESF systems operation are those parameters listed in Chapter 16. The margin includes the consideration of calibration error, sensor accuracy, response times, and sensor and setpoint drift. Annunciators are actuated at the setpoints to alert the reactor operator of the onset of unsafe conditions.

7.3.1.2.6 IEEE 279 Design Basis Information - Levels Requiring Protective Action Levels requiring protective action for the ESF systems are provided in Chapter 16.

7.3.1.2.7 IEEE 279 Design Basis Information - Range of Energy Supply and Environmental Conditions of Safety Systems See Section 3.11 for environmental conditions and Chapter 8 for the range of energy supply.

PCRVICS channel, logic, and MSIV 120 V ac power is provided by the RPS uninterruptible power source discussed in Section 7.2.1.1.3.

ECCS 125 V dc power is provided by the station safeguard batteries. ECCS 120 V ac power is provided by the instrument ac system.

ESF system MOV power is supplied from MCCs connected to the safeguard power system.

7.3.1.2.8 IEEE 279 Design Basis Information - Malfunctions, Accidents, and Other Unusual Events That Could Cause Damage to the Safety System

a. Floods The structures containing ESF systems components are designed to meet the PMF at the site location. This ensures that the structures remain watertight under PMF conditions, including wind-generated wave action and wave run-up (Section 3.4.1).
b. Storms and tornados The structures containing ESF components are designed to withstand the meteorological events described in Section 3.3.2. Superficial damage may occur to CHAPTER 07 7.3-88 REV. 19, SEPTEMBER 2018

LGS UFSAR miscellaneous station property during a postulated tornado, but this does not impair the ESF capabilities.

c. Earthquakes The structures containing ESF components are seismically qualified as described in Section 3.7 and 3.8 and are designed to remain functional during and following a SSE. Seismic qualification of instrumentation and electrical equipment is discussed in Section 3.10.
d. Fires If there is a fire, the redundant portions of the systems are separated by fire barriers to protect the ESF systems. If a fire were to occur within one of the sections or in the area of one of the panels, the ESF systems functions would not be affected by the fire. The use of separation and fire barriers ensures that, even though some portion of the systems may be affected, the ESF systems continue to provide the required protective action.

The ESFs are protected by different fire detection systems (heat and smoke detectors). The fire detection and the fire suppression systems are not ESF.

For further fire protection discussion, see Section 9.5.1.

e. LOCA The following ESF components are located inside the drywell and are affected by a design basis LOCA:
1. Reactor vessel pressure, reactor vessel water level instrument taps and sensing lines, and drywell pressure sensing lines
2. Most inboard isolation valves and the SRVs, actuators, actuated equipment, and cables
3. Drywell unit coolers and associated cables This equipment, which is located outside the containment, and the remainder of the ESF equipment is environmentally qualified to remain functional during and following a LOCA as discussed in Section 3.11
f. Pipe Break Outside Containment This condition does not prevent ESFs from performing their safety functions (Section 3.6).
g. Feedwater Break This condition does not prevent the ESFs from performing their safety functions (Section 3.6).
h. Missiles CHAPTER 07 7.3-89 REV. 19, SEPTEMBER 2018

LGS UFSAR See Section 3.5.

7.3.1.2.9 IEEE 279 Design Basis Information - Minimum Performance Requirements The minimum performance requirements are identified in Chapter 16 for each of the ESF systems.

These requirements include those for accuracy, which is accounted for in setpoint selection, in addition to the system response times. The instrument ranges of the initiating variables are contained in Tables 7.3-1, 7.3-2, 7.3-3, and 7.3-4 and are selected to accurately span normal, abnormal, and accident conditions. The ESF systems performance has been analyzed to bound the systems instrument capability.

See Table 7.3-5 for PCRVICS performance requirements.

Within ECCS, performance requirements refer only to a system as a whole and not specifically to individual components, except for ECCS instrument accuracy and range.

7.3.1.3 Final System Drawings The following final system drawings are included in the UFSAR:

a. Piping and instrumentation diagrams
b. Functional control diagrams
c. Instrument and electrical drawings
d. Instrument location drawings
e. Logic diagrams Electrical schematic diagrams are supplied under separate cover as the regulations allow. A list of the drawings is provided in Section 1.7.

There are no design basis differences for the subject systems between the PSAR and the FSAR.

Direct comparison between the PSAR and FSAR verifies this.

Changes in the following areas have been made in the system design between the PSAR and the FSAR:

a. Analog transmitters and trip units replace the switches used in the ESF initiating circuits.
b. Additional testability has been designed into the ESF logic to allow complete testing.
c. Physical separation is maintained by the use of four divisions as opposed to the two divisions described in the PSAR.
d. The LPCI mode of RHR injects directly into the reactor instead of the recirculation piping.
e. The HPCI injects into the core spray sparger instead of the feedwater sparger.

CHAPTER 07 7.3-90 REV. 19, SEPTEMBER 2018

LGS UFSAR

f. The SRVs have dual solenoids. This allows the ADS to meet the single failure criteria.
g. Four additional diesel generators have been added to eliminate the sharing of diesels between units.
h. Additional bypass and inoperable status indication has been provided.
i. MSIV closure on low condenser vacuum has been added.
j. The isolation logic for the reactor water sample lines and the main steam line sample lines have been changed from initiation by low water level.
k. HPCI and RCIC steam line isolation valves no longer receive an automatic opening signal on system initiation.
l. The MSIV-LCS was replaced with the MSIV Leakage Alternate Drain Pathway.
m. CAC - containment recombiners included.

7.3.2 ANALYSIS Presented below is an analysis to demonstrate how the various general functional requirements and specific regulatory requirements listed under the ESF design bases (Section 7.1.2) are satisfied.

7.3.2.1 Emergency Core Cooling Systems - Instrumentation and Controls 7.3.2.1.1 ECCS General Functional Requirements Conformance

a. Design basis 7.1.2.1.3.1.a Chapter 15 and Chapter 6 evaluate the individual and combined capabilities of the emergency core cooling systems. For the entire range of the RCPB break sizes, the cooling systems prevent fuel cladding temperatures from exceeding 2200°F.
b. Design basis 7.1.2.1.3.1.b Instrumentation for the ECCS must respond to the potential inadequacy of core cooling regardless of the location of a breach in the RCPB. Such a breach inside or outside the containment is sensed by reactor low water level. The reactor vessel low water level signal is the only ECCS initiating function that is completely independent of breach location. Consequently, it can actuate HPCI, CS, and LPCI.

The other major initiating function, drywell high pressure, is provided because pressurization of the drywell results from any significant RCPB breach anywhere inside the drywell. Consequently, it can actuate HPCI, CS, and LPCI.

Initiation of the ADS, which employs both reactor vessel low water level and drywell high pressure in coincidence, requires that the RCPB breach be inside the drywell.

This control arrangement is satisfactory in view of the automatic isolation of the reactor vessel for breaches outside the drywell.

CHAPTER 07 7.3-91 REV. 19, SEPTEMBER 2018

LGS UFSAR

c. Design basis 7.1.2.1.3.1.c An evaluation of ECCS controls shows that no operator action is required earlier than 10 minutes after a LOCA to initiate the correct responses of the ECCS.

However, the control room operator can manually initiate every essential operation of the ECCS. Alarms and indications in the control room allow the operator to assess situations that require the ECCS and verify the responses of each system.

This arrangement limits safety dependence on operator judgment, yet provides sufficient information for operator action when such action is determined to be necessary.

Capability for emergency core cooling following a postulated accident may be verified by observing the following indications:

a. Annunciators for HPCI, CS, LPCI, and ADS sensor and logic trips
b. Flow and pressure indications for each HPCI, CS, and LPCI
c. Valve position lights indicating open or closed valves
d. Relief valve position may also be inferred from reactor pressure indications
e. Process computer logging of trips in the emergency core cooling network
f. Relief valve discharge pipe temperature monitors and alarm A NSOA is provided for the ECCS in Chapter 15.

7.3.2.1.2 ECCS Specific Regulatory Requirements Conformance The conformance of the transmitter trip unit system is covered by Licensing Topical Report NEDO-21697A.

7.3.2.1.2.1 ECCS Conformance to Regulatory Guides 7.3.2.1.2.1.1 ECCS - Regulatory Guide 1.6 (1971) - Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems (Safety Guide 6)

See Section 8.1.6.1.1.

7.3.2.1.2.1.2 ECCS - Regulatory Guide 1.11 (1971) - Instrument Lines Penetrating Primary Reactor Containment (Safety Guide 11)

Instrument lines have automatic isolation.

7.3.2.1.2.1.3 ECCS - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)

Conformance to this regulatory guide is achieved by providing system and component testing capability, either during reactor power operation or shutdown.

Facilities for testing are provided so that the equipment can be operated in various test modes to confirm that it operates properly when called upon. Testing incorporates all elements of the system CHAPTER 07 7.3-92 REV. 19, SEPTEMBER 2018

LGS UFSAR under one test mode or another, including sensors, logic, actuators, and actuated equipment. The testing is planned to be performed at intervals so that there is an extremely low probability of failure in the periods between tests. During testing there are always enough channels and systems available for operation to provide proper protection.

7.3.2.1.2.1.4 ECCS - Regulatory Guide 1.29 (1978) - Seismic Design Classification Instrumentation is classified as seismic Category I and is covered under Section 3.10.

7.3.2.1.2.1.5 ECCS - Regulatory Guide 1.30 (1972) - Quality Assurance Requirements for the Installation, Inspection and Testing of Instrumentation and Electric Equipment (Safety Guide 30)

See Section 8.1.6.1.5.

7.3.2.1.2.1.6 ECCS - Regulatory Guide 1.32 (1977) - Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants Conformance is described in the conformance to GDC 17 and industry standard IEEE 308 (1971).

7.3.2.1.2.1.7 ECCS - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems Indication is provided in the control room to inform the operator that a system is inoperable.

Annunciation is provided to indicate that either a system or a part of a system is not operable.

Indicator lights indicate the reason why the system is not operable. Conditions expected to occur more than once per year are automatically alarmed. In addition, there is a switch in the control room that the operator can use to manually bring up the system out-of-service annunciator.

All the annunciators can be tested by depressing the annunciator test switches on the control room bench boards.

The importance of providing accurate information for the reactor operator and reducing the possibility for the indicating equipment to adversely affect its monitored safety system is discussed in the following paragraphs:

a. Individual indicators are arranged together on the control room panel to indicate what function of the system is out-of-service, bypassed, or otherwise inoperable.

All bypass and inoperability indicators, both at a system level and component level, are grouped only with those items that prevent a system from operating if needed.

b. As a result of design, preoperational testing, and startup testing, no erroneous bypass indication is anticipated.
c. These indication provisions serve to supplement administrative controls and aid the operator in assessing the availability of component and system level protective actions. This indication does not directly provide safety functions.
d. The annunciator initiation signals are provided by contacts and cannot prevent required protective actions.

CHAPTER 07 7.3-93 REV. 19, SEPTEMBER 2018

LGS UFSAR

e. Each indicator can be individually tested and is provided with dual lamps. Testing of these indicators is accomplished when the associated equipment is periodically tested.

7.3.2.1.2.1.8 ECCS - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems Compliance with Regulatory Guide 1.53 (1973) is achieved by specifying, designing, and constructing the ECCS so that it meets the single failure criterion described in section 4.2 of IEEE 279 (1971), "Criteria for Protection Systems for Nuclear Power Generating Stations," and IEEE 379 (1972), "IEEE Trial Use Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems." Redundant sensors, instrument tubing, wiring, logic, actuators, and power supplies are used to ensure that a single failure in any portion of the ESF system does not prevent protective action. Separated divisions are employed, so that a fault affecting one division does not prevent the other division from operating properly.

7.3.2.1.2.1.9 ECCS - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions Means are provided for manual initiation of emergency core cooling at the system level through the following armed push button switches:

a. HPCI: one switch in Division 2
b. ADS A: two switches in Division 1
c. ADS C: two switches in Division 3
d. CS A: one switch in Division 1
e. CS C: one switch in Division 3
f. CS B: one switch in Division 2
g. CS D: one switch in Division 4
h. RHR A: one switch in Division 1
i. RHR B: one switch in Division 2
j. RHR C: one switch in Division 3
k. RHR D: one switch in Division 4 Operation of these switches accomplishes the initiation of all actions performed by the automatic initiation circuitry.

These switches are located in the control room on the designated ECCS division portions of the reactor core cooling vertical board and are easily accessible to the operator so that action can be taken expeditiously.

The ADS system initiation is interlocked to prohibit the ADS valves from opening unless both pumps in either of the two CS loops, or any of the four RHR pumps are running. However, each individual ADS valve can be remote-manually operated from the control room independent of interlocks. A failure in the automatic, manual, or common portions of the ADS protective function CHAPTER 07 7.3-94 REV. 19, SEPTEMBER 2018

LGS UFSAR logic will not prevent the performance of a protective action by redundant system or component level controls located in the control room.

ECCS systems are not required to meet single failure criterion. A failure in the automatic, manual, or common portions of an individual ECCS loop protective function will not prevent the performance of the protective action because ECCS function will be met by a redundant loop.

The HPCI system is not required to meet single failure criteria. ADS and low pressure injection systems, CS and LPCI, provide the HPCI backup safety functions in the event of a HPCI system failure. A failure in the automatic, manual, or common portions of the HPCI protective function logic will not prevent the performance of a protective action by redundant systems or component level controls located in the control room.

7.3.2.1.2.1.10 ECCS - Regulatory Guide 1.63 (1978) - Electric Penetration Assemblies in Containment Structures for Light-Water-Cooled Nuclear Power Plants See Section 8.1.6.1 for a discussion of the degree of conformance.

7.3.2.1.2.1.11 ECCS - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems See Section 7.1.2.2.3 for separation criteria.

7.3.2.1.2.1.12 ECCS - Regulatory Guide 1.89 (1974) - Qualification of Class 1E Equipment for Nuclear Power Plants See Section 3.11.

7.3.2.1.2.1.13 ECCS - Regulatory Guide 1.97 (1980) - Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident See Section 7.5.2.5.1.1.2 for a discussion of the degree of conformance.

7.3.2.1.2.1.14 ECCS - Regulatory Guide 1.100 (1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants Conformance with this regulatory guide is discussed in Section 3.10.

7.3.2.1.2.1.15 ECCS - Regulatory Guide 1.105 (1976) - Instrument Setpoints See Section 7.1.2.5.25 for a discussion of the degree of conformance.

7.3.2.1.2.1.16 ECCS - Regulatory Guide 1.118 (1978) - Periodic Testing of Electric Power and Protection Systems See Section 7.1.2.5.26 for a discussion of the degree of conformance.

7.3.2.1.2.2 ECCS - Conformance to 10CFR50, Appendix A, General Design Criteria 7.3.2.1.2.2.1 ECCS - GDC 1 - Quality Standards and Records The quality assurance program for the system ensures sound engineering in all phases of design and construction through conformity to regulatory requirements and design bases described in the license application. The quality assurance program during construction is discussed in the CHAPTER 07 7.3-95 REV. 19, SEPTEMBER 2018

LGS UFSAR document "Limerick Generating Station Units 1 and 2; Summary Description of the Quality Assurance Program for Design and Construction," referenced in FSAR Section 17.1.

Documents are maintained that demonstrate that all the requirements of the quality assurance program are being satisfied. These records will be maintained during the life of the operating licenses.

7.3.2.1.2.2.2 ECCS - GDC 2 - Design Bases for Protection Against Natural Phenomena Wind and tornado loadings are discussed in Section 3.3, flood design is described in Section 3.4, and seismic qualification of instrumentation and electrical equipment is discussed in Section 3.10.

7.3.2.1.2.2.3 ECCS - GDC 3 - Fire Protection The fire protection system and its design basis are discussed in Section 9.5.1, and fire protection in the cable systems is described in Section 8.3.3.

7.3.2.1.2.2.4 ECCS - GDC 4 - Environmental and Dynamic Effects Design Bases The system is designed to accommodate the effects of and be compatible with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including LOCAs.

The system is appropriately protected against dynamic effects including the effects of missiles, pipe whipping, and discharging fluids that may result from equipment failures. Missile protection is discussed in Section 3.5, pipe whip in Section 3.6, and environmental qualification of equipment in Section 3.11.

7.3.2.1.2.2.5 ECCS - GDC 10 - Reactor Design The ECCS has been designed with appropriate margin to ensure that acceptable fuel design limits are not exceeded during any condition of normal operation, including the effects of anticipated operational occurrence.

7.3.2.1.2.2.6 ECCS - GDC 13 - Instrumentation and Control Conformance to this requirement is achieved by monitoring appropriate variables over the range expected and providing emergency core cooling as required to maintain the variables within the prescribed ranges.

7.3.2.1.2.2.7 ECCS - GDC 17 - Electric Power Systems See Chapters 8.3.1.2.1 and 8.3.2.2.1.

7.3.2.1.2.2.8 ECCS - GDC 18 - Inspection and Testing of Electric Power Systems See Chapters 8.3.1.2.1 and 8.3.2.2.1 7.3.2.1.2.2.9 ECCS - GDC 19 - Control Room Controls and instrumentation are provided in the control room.

CHAPTER 07 7.3-96 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.1.2.2.10 ECCS - GDC 20 - Protection Systems Functions The system is automatically initiated after a LOCA as evidenced by high drywell pressure or reactor vessel low water level displayed in the control room.

7.3.2.1.2.2.11 ECCS - GDC 21 - Protection System Reliability and Testability The components used are selected to meet specific requirements to ensure high functional reliability. The system can be tested and failures determined during normal plant operations.

7.3.2.1.2.2.12 ECCS - GDC 22 - Protection System Independence The four divisions are independent and physically separated with separate instruments and controls to provide assurance that the protective function is not lost.

7.3.2.1.2.2.13 ECCS - GDC 23 - Protection System Failure Modes The system is designed to tolerate malfunctions. See the NSOA provided for the ECCS in Chapter 15.

7.3.2.1.2.2.14 ECCS - GDC 29 - Protection Against Anticipated Operational Occurrences The ECCS network is designed to remain functional during anticipated operating occurrences and initiate protective action if accident conditions develop (Section 7.3.2.1.2.3.1.1).

7.3.2.1.2.2.15 ECCS - GDC 33 - Reactor Coolant Makeup Reactor coolant makeup for small breaks is provided to ensure that specified acceptable fuel design limits are not exceeded.

7.3.2.1.2.2.16 ECCS - GDC 35 - Emergency Core Cooling The system initiates emergency core cooling (Section 6.3).

7.3.2.1.2.2.17 ECCS - GDC 37 - Testing of Emergency Core Cooling System Testing the ECCS conforms to the criteria as demonstrated in Sections 6.3.4, 7.3.2.1.2.3.1.9, and 7.3.2.1.2.3.1.10.

7.3.2.1.2.3 ECCS Conformance to Industry Codes and Standards The conformance of the transmitter trip unit system is covered by Licensing Topical Report NEDO-21617-A.

7.3.2.1.2.3.1 ECCS - IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Stations Compliance of the ECCS with IEEE 279 (1971) is detailed below.

7.3.2.1.2.3.1.1 ECCS - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement The ECCS is automatically initiated by instruments that sense the requirement for the initiation of protective action. The following systems are individually initiated by automatic means:

CHAPTER 07 7.3-97 REV. 19, SEPTEMBER 2018

LGS UFSAR

a. HPCI
b. ADS
c. CS
d. LPCI mode of the RHR system This automatic initiation is accomplished with precision and reliability commensurate with the overall ECCS objective and is effective over the full range of environmental conditions cited below:
a. Power supply voltages -

ECCS:

Equipment is designed to operate over the voltage ranges specified in Section 8.3.1 for ac power, and Section 8.3.2 for dc power.

HPCI:

Tolerance is provided to complete loss of station ac power, but not loss of the dc source of power for the HPCI system.

ADS:

Tolerance is provided to complete loss of station ac power.

CS:

Tolerance is provided to complete loss of ac or dc power within one division.

LPCI:

Tolerance is provided to ac power supply failure so that failures cannot negate successful low pressure cooling. Dc power supply failure affects only one LPCI division.

b. Power supply frequency -

HPCI:

System control does not depend on ac power sources.

ADS:

No ac controls are used.

CS:

CHAPTER 07 7.3-98 REV. 19, SEPTEMBER 2018

LGS UFSAR Excessive frequency reduction is indicative of an onsite power supply failure, and equipment shutdown in that division is required. Core spray equipment is designed to operate over the frequency range specified in Section 8.3.1.

LPCI:

Excessive frequency reduction is indicative of an onsite power supply failure, and equipment shutdown in that division is required. LPCI equipment is designed to operate over the frequency range specified in Section 8.3.1.

c. Temperature -

HPCI, ADS, CS, and LPCI:

These are operable at all temperatures that can result from any design basis LOCA.

Also see Section 3.11.

d. Humidity -

HPCI, ADS, CS, and LPCI:

These are operable at all humidities, including steam, that can result from a LOCA.

Also see Section 3.11.

e. Pressure -

HPCI, ADS, CS, and LPCI:

These are operable at all pressures resulting from a LOCA as required. Also see Section 3.11.

f. Radiation -

HPCI, ADS, CS, and LPCI:

These are designed to operate at all radiation levels expected for any design basis LOCA. Also see Section 3.11.

g. Vibration -

HPCI, ADS, CS, and LPCI:

Tolerance to conditions is stated in Section 3.10.

h. Malfunctions -

Overall ECCS:

Network tolerance to any single component failure to operate on command

i. Accidents -

HPCI, ADS, CS, and LPCI:

CHAPTER 07 7.3-99 REV. 19, SEPTEMBER 2018

LGS UFSAR Network tolerance to all DBAs without malfunction

j. Fire -

Overall ECCS:

Network tolerance to raceway fires in a single division

k. Explosion -

HPCI, ADS, CS, and LPCI:

Explosions are not defined in design bases.

l. Missiles -

ADS:

Separate routing of the ADS conduits within the drywell reduces to a very low probability the potential for missile damage to more than one conduit to ADS or damage to the pilot solenoid assemblies of ADS valves.

Overall ECCS:

Network tolerance to any single missile destroying pipe, raceway, cabinet, or equipment in one division

m. Lightning -

HPCI, ADS, CS, and LPCI:

Ungrounded dc system not subject to lightning strikes CS and LPCI:

Tolerance to lightning damage of ac power system is limited to one auxiliary bus system. See comments under (a) and (b).

n. Flood -

HPCI, ADS, CS, and LPCI:

All control equipment is located above level by design or below level in watertight compartments.

o. Earthquake -

HPCI, ADS, and LPCI:

Tolerance to conditions stated in Section 3.10

p. Wind and tornado -

CHAPTER 07 7.3-100 REV. 19, SEPTEMBER 2018

LGS UFSAR HPCI, ADS, CS, and LPCI:

Seismic Category I structure houses all control equipment. See Section 3.3 for wind loadings.

q. System response time -

HPCI, ADS, CS, and LPCI:

Response times are within the requirements of need to start ECCS.

r. System accuracies -

HPCI, ADS, CS, and LPCI:

Accuracies are within those needed for correct timely action.

s. Abnormal ranges of sensed variables -

HPCI, ADS, CS, and LPCI:

Sensors are designed for the expected ranges and rates of change of variables.

7.3.2.1.2.3.1.2 ECCS - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion

a. HPCI:

The HPCI system, by itself, is not required to meet the single failure criterion. The single failure criterion is met by providing separation between ADS and HPCI systems. The control logic circuits for the HPCI system initiation and control are housed in a single relay cabinet, and the power supply for the control logic and other HPCI system equipment is from a single dc power source. The control logic for the ADS is housed in cabinets and is powered by sources that are separate from both the HPCI initiation logic and the HPCI isolation logic.

Physical separation of instrument lines is provided so that no single instrument rack destruction or single instrument line or pipe failure can prevent both HPCI and ADS initiation. Wiring separation between divisions also provides tolerance to wireway destruction, including shorts, opens, and grounds of the wireways in a single division.

b. ADS:

The ADS system, comprised of two independent sets of controls consisting of two channels each for the two pilot solenoids, meets the single failure criterion.

Tolerance to the following single failures or events has been incorporated into the control system design and installation:

1. Single open circuit
2. Single short circuit CHAPTER 07 7.3-101 REV. 19, SEPTEMBER 2018

LGS UFSAR

3. Single relay failure to pickup
4. Single relay failure to drop out
5. Single module failure (including multiple shorts, opens, and grounds)
6. Single control relay cabinet destruction (including multiple shorts, opens, and grounds)
7. Single instrument rack destruction (including multiple shorts, opens, and grounds)
8. Single raceway destruction (including multiple shorts, opens, and grounds)
9. Single control power supply failure (any mode)
10. Single control circuit failure
11. Single sensing line (pipe) failure
12. Single electrical component failure
c. CS:

The CS system, comprising two independent sets of controls for the two physically separated pumping systems, meets the single failure criterion. Tolerance to the following single failures or events has been incorporated into the control system design and installation:

1. Single open circuit
2. Single short circuit
3. Single relay failure to pickup
4. Single relay failure to drop out
5. Single module failure (including multiple shorts, opens, and grounds)
6. Single control relay cabinet destruction (including multiple shorts, opens, and grounds)
7. Single instrument rack destruction (including multiple shorts, opens, and grounds)
8. Single raceway destruction (including multiple shorts, opens, and grounds)
9. Single control power supply failure (any mode)
10. Single motive power supply failure (any mode)
11. Single control circuit failure CHAPTER 07 7.3-102 REV. 19, SEPTEMBER 2018

LGS UFSAR

12. Single sensing line (pipe) failure
13. Single electrical component failure
d. LPCI:

Redundancy in equipment and control logic circuitry is provided so that it is highly unlikely that the complete LPCI subsystem can be rendered inoperative.

Four control logic circuits are provided. Control logic "A" initiates loop A pumps and valves. Control logic "B" initiates loop B pumps and valves. Control logics "C" and "D" initiate pumps C and D, respectively. Tolerance to the following single failures or events is provided in the control system design and installation.

1. Single open circuit
2. Single short circuit
3. Single relay failure to pickup
4. Single relay failure to drop out
5. Single module failure (including multiple shorts, opens, and grounds)
6. Single control relay cabinet destruction (including multiple shorts, opens, and grounds)
7. Single local instrument rack destruction (including multiple shorts, opens, and grounds)
8. Single raceway destruction (including multiple shorts, opens, and grounds)
9. Single control power supply failure
10. Single motive power supply failure
11. Single control circuit failure
12. Single sensing line (pipe) failure
13. Single electrical component failure 7.3.2.1.2.3.1.3 ECCS - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules
a. HPCI:

The discussion in this section regarding CS system equipment applies equally to the HPCI system.

b. ADS:

CHAPTER 07 7.3-103 REV. 19, SEPTEMBER 2018

LGS UFSAR Components used in the ADS control system have been carefully selected for the specific application. Ratings have sufficient conservatism to ensure that there is no significant deterioration over the lifetime of the plant.

These components are subjected to the manufacturer's normal quality control and undergo functional testing on the panel assembly floor as part of the integrated module test before shipment of each panel. Only components that have demonstrated a high degree of reliability and serviceability in other functionally similar applications are selected for use in the ADS.

Furthermore, a quality control and assurance program is required to be implemented and documented by equipment vendors, which complies with the requirements set forth in 10CFR50, Appendix B.

c. CS:

Components used in the CS control system have been carefully selected on the basis of suitability for the specific application. All of the sensors and logic relays are of the same types used in the RPS discussed in Section 7.2.1.1. Ratings have sufficient conservatism to ensure that there is no significant deterioration during anticipated duty over the lifetime of the plant.

These components are subjected to the manufacturer's normal quality control and undergo functional testing on the panel assembly floor as part of the integrated module test before shipment of each panel. Only components that have demonstrated a high degree of reliability and serviceability in other functionally similar applications are selected for use in the CS control system.

Furthermore, a quality control and assurance program is required to be implemented and documented by equipment vendors, which complies with the requirements set forth in 10CFR50, Appendix B.

d. LPCI:

The discussion in this section regarding CS system equipment applies equally to the LPCI subsystem.

7.3.2.1.2.3.1.4 ECCS - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification The ECCS safety-related controls and instrumentation have been qualified according to the requirements outlined in IEEE 323-1971 as highlighted in Section 7.1.2.7.4. The conditions for which the equipment has been qualified are those identified in Sections 3.10 and 3.11. The conditions identified cover normal, abnormal, and accident environments both inside and outside the drywell.

7.3.2.1.2.3.1.5 ECCS - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity The ECCS control system is designed to tolerate the spectrum of failures listed under the general requirements, meets the single failure criterion, and has been qualified for the accident environment and thus satisfies the channel integrity objective of this paragraph.

7.3.2.1.2.3.1.6 ECCS - IEEE 279 (1971), Paragraph 4.6 - Channel Independence CHAPTER 07 7.3-104 REV. 19, SEPTEMBER 2018

LGS UFSAR

a. HPCI, ADS:

Channel independence for the initiation sensor is provided by electrical and mechanical separation of the ADS and HPCI. The ADS sensors A and E for reactor vessel water level, for instance, are located on one local instrument rack identified as Division 1 equipment, and the ADS sensors C and G are located on another instrument rack widely separated from the first and identified as Division 3 equipment. The HPCI sensors B and F are located on an instrument rack widely separated from the ADS instruments and identified as Division 2 equipment. The sensors of each division have a common pair of process taps that are widely separated from the corresponding taps of equipment in other divisions.

The disabling of one or both sensors in one location does not disable the control for both HPCI and ADS initiation. Likewise, HPCI sensors used for the inboard isolation valve logic are identified as Division 4 equipment and are separated from the ADS instruments. This ensures that failures cannot cause a false HPCI isolation at the same time that the ADS is disabled. Channel independence does not strictly apply to the HPCI system when considered alone, since the ADS is redundant to the HPCI.

Logic relays for the ADS are separated into Division 1 and Division 3 located in separate cabinets. ADS controls are separated on the control panels.

b. CS:

Channel independence of the sensors for each variable is provided by electrical isolation and mechanical separation. The sensors used to initiate each core spray pump are located on instrument panels widely separated from each other and are identified as belonging in one of four divisions. Sensor taps for each division are widely separated from each other. The disabling of one or all sensors in one location does not disable the control for both of the two CS loops.

Relay cabinets for each CS division are in separate physical divisions. Each division is complete in itself, with its own station battery, control and instrument power bus, power distribution buses, and MCCs. The divisional split is carried all the way from the process taps to the final control element, and includes both control and motive power supplies. Although there are only two sensors for each variable in each division, the drywell pressure and reactor water level sensors backup each other so that the logic for each division is one-out-of-two-twice, energized to operate.

c. LPCI:

Channel independence of the sensors for each variable is provided by electrical isolation and mechanical separation. The A and E, B and F, C and G, and D and H sensors for reactor vessel low water level, for instance, are located on racks that are identified as division 1, 2, 3, and 4 equipment and are widely separated from each other. The sensors of each division have a common process tap, which is widely separated from the corresponding tap for sensors of other divisions.

Disabling of one or all sensors in one location does not disable the control for the other division.

CHAPTER 07 7.3-105 REV. 19, SEPTEMBER 2018

LGS UFSAR Relay cabinets for each division are in a separate location from that of other divisions, and each division is complete in itself, with its own station battery, control and instrument power bus, power distribution buses, and MCCs. The divisional split is carried all the way from the process taps to the final control element and includes both control and motive power supplies.

Although there are only two sensors for each variable in each division, these sensors back each other up as described in the preceding paragraph describing core spray independence.

7.3.2.1.2.3.1.7 ECCS - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction The HPCI, ADS, CS, and LPCI systems are designated as safety systems and are designed to be independent of plant control systems.

7.3.2.1.2.3.1.8 ECCS - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs

a. HPCI:

Inputs that start the HPCI system are direct measures of the variables that indicate the need for high pressure core cooling, i.e., reactor vessel low water level or high drywell pressure. Reactor vessel water level and drywell pressure sensors are described in this section for the CS system and apply equally to the HPCI system.

b. ADS:

Inputs that start the ADS are direct measures of the variables that indicate both the need and acceptable conditions for rapid depressurization of the reactor vessel, i.e.,

the reactor vessel low water level is verified by high drywell pressure and at least one low pressure core cooling subsystem developing adequate discharge pressure plus adequate time delay to allow HPCI to operate if available. Reactor vessel water level and drywell pressure sensors are described in this section for the CS system and apply equally to the ADS system.

c. CS:

Inputs that start the CS system are direct measures of the variables that indicate the need for low pressure core cooling, i.e., reactor vessel low water level or high drywell pressure, coincident with reactor low pressure. The reactor vessel water level is sensed by level indicating sensors that are operated by the differential pressure between a reference leg and the pressure due to the actual height of water in the vessel.

Drywell high pressure is sensed by transducers on separate sensing lines connected to the four separate penetrations. Each sensing line has its own root valve, and each pressure sensor has its own instrument valve. Eight reactor vessel pressure sensors are used for the low pressure injection valve opening permissive.

Four of the sensors used for the open permissive, plus four other reactor pressure sensors, in conjunction with drywell pressure are used in system initiation. These sensors are on four separate instrument lines going through the drywell at four different locations (Refer to Figure 7.3-26 for a diagram of level sensor CHAPTER 07 7.3-106 REV. 19, SEPTEMBER 2018

LGS UFSAR connections). Trip units connected to these sensors provide a signal to the logic for the CS system valve opening permissives.

d. LPCI:

Inputs that initiate the LPCI mode are the same as those described above for CS.

The permissive for opening the injection valves is derived from P sensors across the injection valves.

7.3.2.1.2.3.1.9 ECCS - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks All HPCI, ADS, CS, and LPCI sensors are of the pressure-sensing type and are installed with calibration taps and instrument valves to permit testing during normal plant operation or during shutdown.

The reactor low pressure sensors can be checked for operability during plant operation by closing the instrument valve and bleeding off pressure to the low pressure actuation point to observe channel trip.

The reactor vessel level sensors and the drywell high pressure sensors can be checked by application of gas pressure from a low pressure source (instrument air or inert gas bottle) after closing the instrument valve and opening the calibration valve.

7.3.2.1.2.3.1.10 ECCS - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration

a. HPCI:

The discussion in this section regarding CS system testing and calibration applies equally to the HPCI system, except that the turbine (rather than the pump) is started by opening the steam inlet valve. One of the injection valves is kept closed during the test. The operability of the closed injection valve can be verified by repeating the test with the other valve interlocked closed or by opening it when the HPCI turbine is not operating.

b. ADS:

The ADS is not tested in its entirety during actual plant operation, but provisions are incorporated so that operability of all elements of the system can be verified at periodic intervals. The system is designed such that there is no isolation between the RPV and the ADS valves which prevents testing without depressurizing the RPV. The operability of each individual MSRV may be verified by the individual control switches on the control room panels, preferably during plant shutdown.

Sensor open circuit or short circuit failures are immediately detected and annunciated by action from the trip units. In addition, the analog transmitter outputs can be monitored in the auxiliary equipment room and can be cross-checked by comparison with the other redundant channels that monitor the same parameter.

Therefore, transmitters need only be surveillance tested once per operating cycle.

The ADS uses safety-grade instrumentation and control equipment. All parts of the system except the valves can be checked during operation. The entire system can be tested during shutdown. Testing the circuitry is accomplished at the control relay cabinets by test jacks, switches, and indicator lights while exercising one logic at a time. The test method is described in detail in Section 7.3.1.1.1.2.9.

CHAPTER 07 7.3-107 REV. 19, SEPTEMBER 2018

LGS UFSAR

c. CS:

The CS control system is capable of being completely tested during normal plant operation to verify that each element of the system, active or passive, is capable of performing its intended function. Sensors can be exercised by applying test pressures. Logic relays can be exercised by means of plug-in test switches used alone or in conjunction with single sensor tests. Pumps can be started by the appropriate breakers to pump water against system check valves or return it to the suppression pool through test valves, while the reactor is at pressure. MOVs can be exercised by the appropriate control relays and starters, and all indications and annunciations can be observed as the system is tested. Check valves are testable by a remotely operable pneumatic piston. CS water is not actually introduced into the vessel, except initially before fuel loading.

d. LPCI:

The discussion in this section regarding CS system testing and calibration applies equally to the LPCI subsystem.

7.3.2.1.2.3.1.11 ECCS - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal from Operation

a. HPCI:

Calibration of a sensor that introduces a single instrument channel trip does not cause a protective action without the coincident trip of a second channel. Removal of a sensor or trip unit from operation during calibration does not prevent the redundant instrument channel from functioning if accident conditions occur.

b. ADS:

Calibration of each sensor introduces a single instrument channel trip. This does not cause a protective action without the coincident trip of the other channel.

Removal of an instrument channel from service during calibration is brief and does not significantly increase the probability of failure to operate. Removal of a sensor or instrument channel from operation during calibration does not prevent the redundant division from functioning if accident conditions occur. The manual reset buttons can interrupt the autodepressurization for a limited time. However, releasing either one of the two reset buttons allows automatic timing and action to restart if the permissives so dictate.

c. CS:

The discussion in this section regarding HPCI channel bypass is equally applicable to the CS system.

d. LPCI:

The discussion in this section regarding HPCI channel bypass is equally applicable to the LPCI mode.

CHAPTER 07 7.3-108 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.1.2.3.1.12 ECCS - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses

a. HPCI:

There are no operating bypasses in the HPCI system.

b. ADS:

When the high drywell pressure bypass timer runs out, the high drywell pressure trip is bypassed and ADS is initiated on low water level alone.

c. CS:

There are no operating bypasses in the CS system.

d. LPCI:

There are no operating bypasses in the LPCI mode.

7.3.2.1.2.3.1.13 ECCS - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses HPCI, ADS, CS, LPCI:

Automatic indication, accompanied by an audible alarm, is provided in the control room to inform the operator that the ECCS and the systems actuated or controlled by the ECCS are inoperable.

Manual capability also exists in the control room to activate each system level indicator provided.

7.3.2.1.2.3.1.14 ECCS - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing LPCI, HPCI, ADS, CS:

Access to switchgear, MCCs, and valves is procedurally controlled by the following means:

a. Seals (or locks) on valves, administrative procedure on instrument valves.
b. Lockable breaker control switch handles in the MCCs.

The logic test plugs are under the administrative control of plant supervisory personnel.

7.3.2.1.2.3.1.15 ECCS - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints This section is not applicable to the HPCI, ADS, CS, or LPCI systems because all trip setpoints are fixed.

7.3.2.1.2.3.1.16 ECCS - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once It is Initiated

a. HPCI:

The final control elements for the HPCI system are essentially bistable, i.e., MOVs stay open or closed once they have reached their desired position even though their starter may drop out, which occurs when the limit of valve travel is reached. In the case of the turbine, the autoinitiation signal is electrically sealed-in. Thus protective action, once initiated (i.e, once flow is established), must go to completion CHAPTER 07 7.3-109 REV. 19, SEPTEMBER 2018

LGS UFSAR or continue until terminated by deliberate operator action or automatically stopped on vessel high water level or system malfunction trip signals.

b. ADS:

Each of the redundant autodepressurization control subsystems seals-in electrically and remains energized until manually reset by one of the two reset push buttons.

c. CS:

The final control elements for the CS system are essentially bistable, i.e., pump breakers stay closed without control power, and MOVs stay open once they have reached their open position even though the motor starter may drop out, which occurs when the valve open limit is reached. If there is an interruption in ac power, the load sequencing timers recycle, resulting in a time delay for pump restart and completion of the MOVs' motion. Thus, protective action, once initiated, goes to completion or continues until terminated by deliberate operator action.

d. LPCI:

The discussion provided in this section for the CS system is equally applicable to the LPCI mode.

7.3.2.1.2.3.1.17 ECCS - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation The emergency core cooling system (HPCI, ADS, CS and LPCI) as a whole meets IEEE 279, paragraph 4.17 because each individual subsystem has a provision for its own manual initiation. In addition, no single failure in the initiation portion of the network of systems will prevent manual or automatic initiation of redundant portions of the network.

a. HPCI:

The HPCI has a manual initiation armed push button in parallel with the automatic initiation logic. In addition, each piece of HPCI system actuation equipment required to operate the pumps and valves is capable of manual initiation from the control panel in the control room, although failures of active components or a control circuit failure that produces a turbine trip may disable the manual actuation of the HPCI system. In no event can failure of the automatic, manual, or common control circuit for the HPCI system disable the ADS, which provides backup to the HPCI system.

b. ADS:

The ADS has four manual initiation switches. One switch is in each of the four logics. Both switches for one trip system have to be closed to manually initiate the ADS. To further preclude inadvertent actuation, each switch is equipped with a collar that must be turned before the electrical contacts of the push button are effective. Thus, to initiate the ADS manually, the operator must turn two collars and depress two push buttons. Whenever a collar is turned, an annunciator is actuated.

The switches have the low pressure ECCS pumps running as a permissive interlock.

The ADS automatic initiation delay timer is provided to give HPCI ample time to automatically restore vessel level so that ADS actuation is not needed. This delay timer is not provided for manual initiation since the operator does not initiate ADS CHAPTER 07 7.3-110 REV. 19, SEPTEMBER 2018

LGS UFSAR until he/she determines it necessary. No single failure in the automatic, manual, or common portion of the ADS can prevent ADS initiation.

c. CS:

The CS system can be manually initiated at the system level in the control room.

Each piece of CS system actuation equipment, such as a pump, valve, breaker, or starter, is capable of individual manual initiation electrically from the control panel in the control room.

Failures within the logic circuitry of a single CS logic may cause the failure of one CS loop. In no event can failure of the automatic, manual, or common portions of the control circuit for one CS loop disable the electrical control circuit for the other CS loop.

d. LPCI:

The discussion provided in this section for the CS system is equally applicable to the LPCI mode.

The HPCI, ADS, CS, and LPCI systems of ECCS share permissive logic between automatic and system level manual initiation logic. The design is acceptable because the individual subsystems of ECCS are not required to meet the single failure criterion. The ECCS function will be met with one of its subsystems inoperative.

7.3.2.1.2.3.1.18 ECCS - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration, and Test Points The adjustable setpoint for the HPCI system flow controller is in the control room and is administratively controlled.

Setpoint adjustments for the HPCI, ADS, CS, and LPCI system trip units are integral with the trip units and cannot be changed without removal of a bar key-locked over these adjustments. Access to control relay cabinets is under administrative control.

7.3.2.1.2.3.1.19 ECCS - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions For HPCI, ADS, LPCI, and CS, protective actions are directly indicated and identified by annunciator operation or instrument channel trip unit indicating lights.

7.3.2.1.2.3.1.20 ECCS - IEEE 279 (1971), Paragraph 4.20 - Information Readout

a. HPCI:

The HPCI control system is designed to provide the operator with accurate and timely information pertinent to its status. The design minimizes conditions that could cause anomalous indications confusing to the operator. Periodic testing is the means provided for verifying the operability of the components and, by proper selection of test periods compatible with the historically established reliability of the components tested, complete and timely indications are made available. Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the HPCI function is available and/or operating properly.

CHAPTER 07 7.3-111 REV. 19, SEPTEMBER 2018

LGS UFSAR Annunciators are provided as shown on the functional control diagram, drawings E41-1030-F-004, E41-1030-F-005, E41-1030-F-006, E41-1030-F-007, E41-1030-F-008, and E41-1030-F-009. In addition to these, there are other indications for the HPCI system in the control room. These indications include:

1. Valve position lights
2. Pump suction pressure indicator
3. Pump discharge pressure indicator
4. Pump flow indicator
5. Turbine exhaust line pressure indicator
6. Turbine steam supply pressure indicator
7. Turbine steam supply pipe area temperature indicator
8. Turbine speed indicator
9. Shaft vibration indication
10. Temperature recorder for:

(a) Oil cooler discharge temperature (b) High pressure bearing oil temperature (c) Low pressure bearing oil temperature (d) Thrust bearing temperature (e) Pump oil temperature

b. ADS:

The information provided to the operator pertinent to ADS status is as follows:

1. Annunciators shown in drawings B21-1030-F-002, B21-1030-F-002, B21-1030-F-003, B21-1030-F-004, and B21-1030-F-005
2. Logic command position lights for each valve
3. Recorder for relief valve discharge pipe temperature From the foregoing it can be seen that the change of state of any active component from its normal condition is called to the operator's attention; therefore, the indication is considered to be complete and timely. The condition of the ADS pertinent to plant safety is also considered to be adequately covered by the indications and alarms delineated above (Section 7.3.1.1.1.2.11.2).
c. CS:

CHAPTER 07 7.3-112 REV. 19, SEPTEMBER 2018

LGS UFSAR The CS control system is designed to provide the operator with accurate and timely information pertinent to its status. The design minimizes conditions that could cause anomalous indications confusing to the operator. Testing is the means provided for verifying the operation of the components, and the test period is properly selected to be compatible with the historically established reliability of the components tested. In addition, trip units are provided with analog indications that allow operability checks through channel cross-comparisons. Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the CS function is available and/or operating properly.

Annunciation is provided as shown in Figure 7.3-9. In addition to those annunciators, other indications are included on the main control panel as follows:

1. Valve position lights for each MOV
2. Pump breaker position lights for each pump
3. Position lights for the locked open valves in the drywell
4. Position lights for the testable check valves
5. Flow indication of loop flow in each loop
6. Indication of pump discharge pressure for each loop
7. CS pump current meter for each pump.
d. LPCI:

The LPCI control mode is designed to provide the operator with accurate and timely indication of its status. Signals are not transmitted to other systems if doing so could cause indications confusing to the operator. Operability of components is verified by periodic testing. Sufficient information is continuously provided to enable the operator to be confident that the LPCI mode is available and/or operating properly.

Annunciators are provided as shown on the functional control diagram, drawings E11-1030-F-001, E11-1030-F-002, and E11-1030-F-003.

7.3.2.1.2.3.1.21 ECCS - IEEE 279 (1971), Paragraph 4.21 - System Repair The HPCI, ADS, CS, and LPCI control systems are designed to permit repair or replacement of components.

Recognition and location of a failed component is accomplished during periodic testing. The simplicity of the logic makes the detection and location of the component relatively easy, and components are mounted in such a way that they can be conveniently replaced in a short time.

7.3.2.1.2.3.1.22 ECCS - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems The ECCS panels for HPCI, ADS, CS, and LPCI are distinctively identified as being in the protection system. Cables and raceways are distinctively colored according to their divisional assignment.

CHAPTER 07 7.3-113 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.1.2.3.2 ECCS - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations Class 1 ac and dc power supply system ECCS loads are physically separated and electrically isolated into independent load groups so that safety actions provided by redundant counterparts are not compromised. See Section 8.1.6.2.

7.3.2.1.2.3.3 ECCS - IEEE 317 (1972) - Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations See Section 8.1.

7.3.2.1.2.3.4 ECCS - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electrical Equipment for Nuclear Power Generating Stations See Section 3.11.2.

7.3.2.1.2.3.5 ECCS - IEEE 336 (1971) - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations See Section 8.1.6.1 and Table 7.1-3.

7.3.2.1.2.3.6 ECCS - IEEE 338 (1975) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems The design of the ECCS permits periodic testing as described in Sections 7.3.1.1.1.1.9, 7.3.1.1.1.2.9, 7.3.1.1.1.3.9, and 7.3.1.1.1.4.9.

7.3.2.1.2.3.7 ECCS - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations See Section 3.10.

7.3.2.1.2.3.8 ECCS - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems The single failure criterion of IEEE 279 (1971), paragraph 4.2, as further defined in IEEE 379 (1972), "Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems," is met as described in Section 7.3.2.1.2.3.1.2.

The redundancy of the control equipment for the ECCS is consistent with the redundancy of the cooling systems themselves, as shown in Figure 7.3-6. The arrangement of the initiating signals for the ECCS is shown in Figures 7.3-4 and 7.3-5.

An evaluation of the control schemes for each ECCS component shows that no single control failure can prevent the combined cooling systems from providing the core with adequate cooling. In performing this evaluation, the redundancy of components and cooling systems was considered.

For the minimum number of channels required for functional performance, see the Technical Specifications. The determinations of these minimums considered the use and redundancy of sensors in control circuitry and the reliability of the controlled equipment in any individual cooling system.

CHAPTER 07 7.3-114 REV. 19, SEPTEMBER 2018

LGS UFSAR The control arrangement used for the ADS is designed to avoid spurious actuation (Table 7.3-9).

The ADS relief valves are controlled by two trip logics per trip system; both trip logics must be in the tripped state to allow system initiation. Low pressure injection system operation must also be verified.

The conditions represented by Tables 7.3-8, 7.3-9, 7.3-10, and 7.3-11, and the Technical Specifications are a result of a functional analysis of each individual ECCS. Because of the redundant methods of supplying cooling water to the fuel in a LOCA and because fuel cooling must be ensured in such a situation, the minimum trip channel conditions in the Technical Specifications exceed those required operationally to ensure core cooling capability.

The only equipment protective devices that can interrupt planned ECCS operation are those that must act to prevent complete failure of the component or system. In no case can the action of a protective device prevent other redundant cooling systems from providing adequate cooling to the core.

Manual controls for the ECCS systems are located in the control room and are under supervision of the control room operator.

Some controls for one LPCI loop are located in the remote shutdown control room. Access to these controls is administratively controlled. Transfer of control to the remote shutdown panel is alarmed in the control room.

Components located inside the drywell and essential to ECCS performance are qualified to operate in the drywell environment resulting from a LOCA. Essential instruments located outside the drywell are qualified for the environment in which they must perform their essential function.

7.3.2.1.2.3.9 ECCS - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits Refer to Section 7.1.2.7.11.

7.3.2.1.3 ECCS Additional Design Considerations Analyses As defined in Regulatory Guide 1.70, paragraph 7.3.2, the following considerations are addressed.

a. Loss of the plant instrument air system does not prevent the ECCS from performing its protective function.
b. Loss of cooling water to any single piece of vital equipment does not prevent the ECCS from performing its protective function.

7.3.2.2 Primary Containment and Reactor Vessel Isolation Control System - Instrumentation and Controls 7.3.2.2.1 PCRVICS General Functional Requirements Conformance The PCRVICS is analyzed in this section. This system is described in Section 7.3.1.1.2, and that description is used as the basis for this analysis. The safety design bases and specific regulatory requirements of the system are stated in Section 7.1.2.1.2. This analysis shows conformance to the requirements given in that section.

CHAPTER 07 7.3-115 REV. 19, SEPTEMBER 2018

LGS UFSAR The PCRVICS, in conjunction with other safety systems, is designed to provide timely protection against the onset and consequences of the gross release of radioactive materials from fuel and RCPBs. Chapter 15 identifies and evaluates postulated events that can result in gross failure of fuel and RCPB. The consequences of such gross failures are described and evaluated. Chapter 15 also evaluates a gross breach in a main steam line outside the containment during operation at rated power. The evaluation shows that the main steam lines are automatically isolated in time to prevent the loss of coolant from being great enough to allow the uncovering of the core. This is true even if the longest closing time of the valve is assumed.

The shortest possible main steam line valve closure time is 3 seconds. The transient resulting from a simultaneous closure of all MSIVs in 3 seconds during reactor operation at rated power is discussed in Chapter 15.

7.3.2.2.2 PCRVICS Specific Regulatory Requirements Conformance The conformance of the transmitter/trip unit system is covered by Licensing Topical Report NEDO 21617-A.

7.3.2.2.2.1 PCRVICS Conformance to Regulatory Guides 7.3.2.2.2.1.1 PCRVICS - Regulatory Guide 1.11 (1971) - Instrument Lines Penetrating Primary Reactor Containment (Safety Guide 11)

The PCRVICS system is in conformance with this guide, except that position indication of excess flow check valves is provided locally, rather than in the control room as suggested in paragraph C.1.c. of the regulatory guide. However, annunciation in the control room is provided upon isolation of any excess flow check valve.

7.3.2.2.2.1.2 PCRVICS - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)

Facilities for testing are provided so that the equipment can be operated in various test modes to confirm that it will operate properly when required. Testing incorporates all elements of the system under one test mode or another, including sensors, logic, actuators, and actuated equipment. The testing is planned to be performed at intervals so that there is an extremely low probability of failure in the periods between tests. During testing there are always enough channels and systems available for operation to provide proper protection.

a. MSIV:

The MSIVs, associated logic, and sensor devices may be tested from the sensor device to one of the two solenoids required for valve closure. The valve may be exercised closed with a slow-acting test solenoid to verify that there are no obstructions to the valve stem at full power. Before performing a valve closure using two fast-acting, main solenoids, a reduction in power is necessary to avoid reactor scram.

b. Other isolation valves:

Except for the MSIVs, all isolation valves may be tested from sensor to actuator during plant operation. The test may cause isolation of the process lines involved, but this is tolerable.

CHAPTER 07 7.3-116 REV. 19, SEPTEMBER 2018

LGS UFSAR

c. PRPM subsystem:

This subsystem conforms to Regulatory Guide 1.22 in that provisions that allow periodic testing of individual channels have been built into the monitoring instruments and the trip systems.

7.3.2.2.2.1.3 PCRVICS - Regulatory Guide 1.29 (1978) - Seismic Design Classification All electrical and mechanical devices and circuitry between process instrumentation and protective actuators and monitoring of systems important to safety are classified as seismic Category I (Section 3.2).

See Section 7.1.2.5.6.

7.3.2.2.2.1.4 PCRVICS - Regulatory Guide 1.30 (1972) - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment (Safety Guide 30)

See Section 8.1.6.1.5.

7.3.2.2.2.1.5 PCRVICS - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems

a. MSIV and other isolation valves:

Automatic indication is provided in the control room to inform the reactor operator that a system is inoperable. Annunciation is provided to indicate that a system or part of a system is not operable.

Control switches are provided to manually initiate the system out of service annunciator, for situations that are not automatically annunciated.

Instruments that form part of a one-out-of-two-twice logic can be removed from service for calibration. Removal of the instrument from service is indicated in the control room by manual actuation of the "system out-of-service" annunciator.

Bypassing is not allowed in the trip logic or actuator logic. CAC system isolation valves associated with POST-LOCA combustible gas control may be overridden using key-locked bypass switches. Isolation signals to the CIGS isolation valves associated with long term operation of ADS valves may also be overridden using key-locked bypass switches.

b. These indication provisions serve to supplement administrative controls and aid the operator in assessing the availability of component and system level protective actions.
c. Each annunciator can be tested and is provided with dual lamps.

7.3.2.2.2.1.6 PCRVICS - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems MSIV and other isolation valves:

CHAPTER 07 7.3-117 REV. 19, SEPTEMBER 2018

LGS UFSAR Compliance with Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the engineered safeguards systems to meet the single failure criterion, section 4.2 of IEEE 279 (1971),

and IEEE 379 (1972). Redundant sensors, wiring, instrument tubing, logic, actuators, and power supplies are used to insure that a single failure in any portion of the PCRVICS does not prevent protective action.

7.3.2.2.2.1.7 PCRVICS - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions MSIV and other isolation valves:

Means are provided in the control room for manual initiation of reactor isolation at the system level through the use of four armed push button switches.

Operation of these switches accomplishes the initiation of all actions performed by the automatic initiation circuitry.

The equipment common to initiation of both manual reactor isolation and automatic isolation is kept to a minimum through implementation of manual reactor isolation as close as practicable to the final devices (relays) of the protective system. No single failure in the manual, automatic, or common portions of the protection system prevents initiation of reactor isolation by manual or automatic means.

Manual initiation of reactor isolation, once initiated, goes to completion as required by IEEE 279 (1971), section 4.16.

7.3.2.2.2.1.8 PCRVICS - Regulatory Guide 1.63 (1978) - Electric Penetration Assemblies in Containment Structures for Light-Water-Cooled Nuclear Power Plants See Section 8.1.6.1.12.

7.3.2.2.2.1.9 PCRVICS - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems See Section 8.1.6.1.14 for a discussion of the degree of conformance.

7.3.2.2.2.1.10 PCRVICS - Regulatory Guide 1.89 (1974) - Qualification Class 1E Equipment for Nuclear Power Plants The qualification of Class 1E equipment for the PCRVICS is covered by Section 3.11.

7.3.2.2.2.1.11 PCRVICS - Regulatory Guide 1.97 (1980) - Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident See Section 7.5.2.5.1.1.2 for a discussion of the degree of conformance.

7.3.2.2.2.1.12 PCRVICS - Regulatory Guide 1.100 (1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants Conformance with this regulatory guide is covered by Section 3.10.

7.3.2.2.2.1.13 PCRVICS - Regulatory Guide 1.105 (1976) - Instrument Setpoints CHAPTER 07 7.3-118 REV. 19, SEPTEMBER 2018

LGS UFSAR See Section 7.1.2.5.25 for a discussion of the degree of conformance.

7.3.2.2.2.1.14 PCRVICS - Regulatory Guide 1.118 (1978) - Periodic Testing of Electric Power and Protection Systems See Section 7.1.2.5.26 for a discussion of the degree of conformance.

7.3.2.2.2.2 PCRVICS Conformance to 10CFR50, Appendix A, General Design Criteria 7.3.2.2.2.2.1 PCRVICS - GDC 1 - Quality Standards and Records See Section 7.1.2.6.1.

7.3.2.2.2.2.2 PCRVICS - GDC 2 - Design Bases for Protection Against Natural Phenomena See Section 7.1.2.6.2.

7.3.2.2.2.2.3 PCRVICS - GDC 3 - Fire Protection See Section 7.1.2.6.3.

7.3.2.2.2.2.4 PCRVICS - GDC 4 - Environmental and Dynamic Effects Design Bases See Section 7.1.2.6.4.

7.3.2.2.2.2.5 PCRVICS - GDC 10 - Reactor Design See Section 7.1.2.6.6.

7.3.2.2.2.2.6 PCRVICS - GDC 13 - Instrumentation and Control

a. MSIV and other isolation valves: The integrity of the reactor core and the RCPB is ensured by monitoring the appropriate plant variables and automatically closing various isolation valves if the variables exceed predetermined values.
b. Instrumentation is provided to monitor variables and systems over their anticipated ranges for normal operation, anticipated operational occurrences, and accident conditions.

7.3.2.2.2.2.7 PCRVICS - GDC 19 - Control Room See Section 7.1.2.6.10.

7.3.2.2.2.2.8 PCRVICS - GDC 20 - Protection System Functions

a. MSIV and other isolation valves: The PCRVICS automatically isolates the appropriate process lines.
b. DELETED
c. PRPM subsystem: The subsystem conforms to GDC 20 in that activation of the trip circuit results in alarm annunciator activation and, depending on the specific trip, a CHAPTER 07 7.3-119 REV. 19, SEPTEMBER 2018

LGS UFSAR trip signal being sent to the plant vent system, the SGTS, and the containment system.

7.3.2.2.2.2.9 PCRVICS - GDC 21 - Protection System Reliability and Testability MSIV, other isolation valves, and PRPM subsystems: The high reliability components are separated into four instrument and logic channels so that no single failure can incapacitate the system. Testing is covered in the discussion on conformance to Regulatory Guide 1.22 (Section 7.3.2.2.2.1.2).

7.3.2.2.2.2.10 PCRVICS - GDC 22 - Protection System Independence

a. MSIV and other isolation valves: Four redundant instrument and logic channels are physically separated so that no single failure can prevent an isolation. Functional diversity of sensed variables is used.
b. PRPM subsystem: This subsystem conforms to GDC 22 in that the effects of natural phenomena and normal operation (including testing) do not result in the loss of protection.

7.3.2.2.2.2.11 PCRVICS - GDC 23 - Protection System Failure Modes

a. MSIV and other isolation valves: The system logic and actuator signals are fail-safe. The MOVs will fail "as-is" on loss of power.
b. PRPM subsystem: This subsystem conforms to GDC 23 in that the trip circuits associated with each channel are specifically designed to fail-safe if there is loss of power.

7.3.2.2.2.2.12 PCRVICS - GDC 24 - Separation of Protection and Control Systems MSIV, other isolation valves, and PRPM subsystems: The system has no control functions. The equipment is physically separated from the control system equipment to the extent that no single failure in the control system can prevent isolation.

7.3.2.2.2.2.13 PCRVICS - GDC 29 - Protection Against Anticipated Operational Occurrences MSIV, other isolation valves, and PRPM subsystems: No anticipated operational occurrences prevent this equipment from performing its safety function. No anticipated operational occurrence can prevent an isolation.

7.3.2.2.2.2.14 PCRVICS - GDC 34 - Residual Heat Removal Isolation signals are provided for the shutdown cooling subsystem of the RHR system.

7.3.2.2.2.3 PCRVICS Conformance to Industry Codes and Standards The conformance of the transmitters/trip unit system is covered by Licensing Topical Report NEDO-21617.

7.3.2.2.2.3.1 PCRVICS - IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Systems CHAPTER 07 7.3-120 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.2.2.3.1.1 PCRVICS - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement

a. PCRVICS: The PCRVICS initiates automatic closure of specific isolation valves from trip signals generated by specified process variables and maintains the valves in a closed position without further application of power until a manual reset is permissible.

The control system is capable of initiating appropriate action and accomplishing it in a time commensurate with the need for valve closure. Total time, from the point where a process out-of-limits condition is sensed to the energizing or de-energizing of appropriate valve actuators, is less than 1.0 second. The closure time of valves ranges upward from a minimum of 3 seconds for the MSIVs, depending on the urgency for isolation considering the possible release of radioactivity. Thus it can be seen that the control initiation time is at least one order of magnitude lower than the minimum required valve closure time. The chosen speed of the sensors and valve actuators is compatible with the isolation function considered.

The minimum performance requirements are identified in Chapter 16 for the PCRVICS. These requirements include those for accuracy, which is accounted for in setpoint selection, in addition to the system response times. The instrument ranges of the initiating variables are contained in Table 7.3-5 and are selected to accurately span normal, abnormal, and accident conditions. The PCRVICS performance has been analyzed to bound the system's instrument capability.

The reliability of the isolation control system is compatible with the reliability of the actuated equipment (valves).

The PCRVICS equipment is designed for the full range of environmental conditions enumerated as follows:

1. Power supply voltage - Tolerance exists to any degree of power supply failure in one motive power system or one control power system. The PCRVICS is designed to operate over the range of voltage specified in Sections 8.3.1 and 8.3.2.
2. Power supply frequency - Tolerance exists to any degree of power supply failure in one power system or one control power system. The PCRVICS is designed to operate at the range of frequency specified in Section 8.3.1.
3. Temperature - The system operates within the required time limit at all temperatures that could result from an accident.
4. Humidity - The system operates within the required time limit at humidities (steam) that can result from a LOCA.
5. Radiation - PCRVICS equipment operates at all radiation levels expected and defined in Section 3.11.
6. Pressure - As required, the system operates at all pressures resulting from a LOCA.
7. Vibration - Tolerance to conditions is stated in Section 3.10.

CHAPTER 07 7.3-121 REV. 19, SEPTEMBER 2018

LGS UFSAR

8. Malfunctions - The system is tolerant to any single component malfunction.
9. Accidents - Tolerance exists for any DBA without malfunction of either subsystem.
10. Fire - The system is tolerant to any raceway fire in one division, or fire within a single enclosure.
11. Explosion - Explosions are not defined in design bases.
12. Missiles - The system has tolerances to any single missile destroying no more than one pipe, raceway, or cabinet.
13. Lightning - Tolerance to lightning damage is limited to one auxiliary bus system.
14. Flood - All control equipment is located above flood level by design.
15. Earthquake - Tolerance to conditions is stated in Section 3.10.
16. Wind and tornado - A seismic Class I structure houses all isolation control equipment. See Section 3.3 for wind loadings.
17. System response time - Responses are within the requirements dictated by the need to initiate the PCRVICS.
18. System accuracies - Accuracies are within those needed for correct timely action.
19. Abnormal ranges of sensed variables - Sensors are not subject to saturation when overranged.
b. DELETED
c. Reactor enclosure radiation monitoring system: The subsystem detects and promptly indicates excessive radiation in the reactor enclosure. On detection, an isolation is effected (Section 11.5).
d. Refueling floor radiation monitoring subsystem: The physical location and monitoring characteristics of the refueling floor radiation monitoring channels are adequate to detect abnormal amounts of radioactivity in the refueling floor exhaust duct and to initiate isolation. The redundancy and arrangement of channels ensure that no single failure can prevent isolation when required. During refueling operation (including criticality tests) the monitoring system acts as an engineered safeguard against the consequences of a refueling accident and a rod-drop accident. The response of the refueling floor radiation monitoring subsystem to a refueling accident is presented in Chapter 15.

The purpose of this subsystem is to initiate isolation of potentially contaminated refueling area ventilation effluent paths and initiate SGTS if there are excessive amounts of radioactive gases and particulate in the refueling area. For each of the two channels, two high-high radiation trips perform the following:

CHAPTER 07 7.3-122 REV. 19, SEPTEMBER 2018

LGS UFSAR

1. Close one of the two sets of Refueling Area supply and Refueling Area exhaust isolation valves.
2. Close one of the two sets of drywell and suppression pool purge and vent valves
3. Initiate one of two SGTS fans Alternative trip functions are achieved by each of the two channels.

7.3.2.2.2.3.1.2 PCRVICS - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion

a. PCRVICS: Tolerance to the following single failures is incorporated into the isolation control system design and installation:
1. Single open circuit
2. Single short circuit
3. Single relay failure to pickup
4. Single relay failure to drop out
5. Single module failure (including multiple shorts, opens, and ground)
6. Single control cabinet bay destruction (including multiple shorts, opens, and grounds)
7. Single instrument panel destruction (including multiple shorts, opens, and grounds)
8. Single raceway destruction (including multiple shorts, opens, and grounds)
9. Single control power supply failure (any mode)
10. Single motive power supply failure (any mode)
11. Single control circuit failure
12. Single sensing line (pipe) failure
13. Single electrical component failure
b. PRMS: This criterion is met, since there are two independent channels that initiate redundant equipment. One failure affects only one channel.

The single failure criterion is met by the use of redundant sensors and logic to provide isolation functions and by seismic and environmental testing of the subsystem components. A single failure in any portion of the subsystem channel circuitry or trip system logic does not prevent a required isolation function from being accomplished.

CHAPTER 07 7.3-123 REV. 19, SEPTEMBER 2018

LGS UFSAR Two separate power supplies are provided to ensure that a single power failure does not cause a spurious isolation; however, a complete power failure causes an isolation to occur.

7.3.2.2.2.3.1.3 PCRVICS - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules

a. PCRVICS: Components used in the isolation system are carefully selected on the basis of suitability for the specific application. All of the sensors and logic relays are of the same types used in the RPS. Ratings are selected with sufficient conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant as illustrated below:
1. Switch and relay contacts carry no more than 50% of their continuous current rating.
2. Isolation control is de-energized to trip, instead of energized to trip, and is thus made to call attention to the failures that may occur in coil circuits, connections, or contacts.
3. Instrumentation and controls are heavy duty industrial types that have been subjected to type qualification testing and the manufacturer's normal quality control; components and systems undergo functional testing on the panel assembly floor as part of the integrated module test before shipment of each panel. Only components that have demonstrated a high degree of reliability and serviceability in other functionally similar applications or have been qualified by tests are selected for use in the isolation system.

Furthermore, a quality control and assurance program is required to be implemented and documented by equipment vendors to comply with the requirements set forth in 10CFR50, Appendix B.

b. PRMS: The sensor and converters as well as the indicator and trip units have been used in other BWR power plants.

7.3.2.2.2.3.1.4 PCRVICS - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification The PCRVICS safety-related controls and instrumentation have been qualified according to the requirements outlined in IEEE 323 (1971) (as highlighted in Section 7.1.2.7.4.) The conditions for which the equipment has been qualified are those identified in Sections 3.10 and 3.11. The identified conditions cover normal, abnormal, and accident environments both inside and outside the drywell.

7.3.2.2.2.3.1.5 PCRVICS - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity

a. PCRVICS: The isolation system is designed to withstand the spectrum of failures listed under the general requirements, with the following exceptions. The structures containing PCRVICS components, except the turbine enclosure, are seismic Category I as described in Sections 3.7 and 3.8. The turbine enclosure is designed to withstand an SSE without structural elements exceeding yield strength. The only PCRVICS components located in the nonseismic Category I turbine enclosure are the sensors and associated cables for the main steam high temperature leak detection MSIV trip, main steam line low CHAPTER 07 7.3-124 REV. 19, SEPTEMBER 2018

LGS UFSAR pressure MSIV trip, and low condenser vacuum MSIV trip (Table 7.3-6). Because reactor low level, and main steam line high flow are diverse to these MSIV isolation variables, placing these sensors or cables in the turbine enclosure does not compromise the ability of the PCRVICS to provide protective action when required.

b. PRMS: The channel components are operable under the predetermined normal and abnormal circumstances.

The trip channel components are selected to fulfill these minimum requirements.

7.3.2.2.2.3.1.6 PCRVICS - IEEE 279 (1971), Paragraph 4.6 - Channel Independence The redundant trip channels of this protective function are electrically isolated and physically separated to meet this design requirement.

Channel independence for redundant sensors exposed to each process variable is provided by electrical and mechanical separation. Physical separation is maintained between redundant elements of the PCRVICS to ensure that no credible single failure can prevent the safety action.

7.3.2.2.2.3.1.7 PCRVICS - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction

a. PCRVICS: There is no control function in the system. It is strictly a protection system. There are no transmissions of signals from this protection system equipment to control system equipment, therefore no isolation is required. No single random failure of a control system can prevent the isolation safety function.
b. PRMS: The four monitors for this protective function comply with this design requirement. Isolated contacts are used to provide isolation signals to close appropriate valves. Separation of inboard and outboard circuitry prevents postulated failures from impairing subsystem operation.

7.3.2.2.2.3.1.8 PCRVICS - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs

a. PCRVICS: The inputs that initiate isolation valve closure are direct measures of loss-of-coolant related variables that indicate a need for isolation, namely, reactor vessel low level, drywell high pressure, and pipe break detection. Pipe break detection is effected by measuring main steam line high flow or main steam line tunnel temperature to detect loss of coolant rather than actual physical damage to the pipe itself.
b. PRMS: The measurement of radiation of each of the designated exhaust plenums is the appropriate variable to use to determine radioactive releases into the containment.

7.3.2.2.2.3.1.9 PCRVICS - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks

a. PCRVICS: The RCPB instruments can be checked by cross- comparing instrument channels, or the instruments can be checked one at a time by application of simulated signals. These include level, pressure, temperature, and flow. During operation, radiation sensors are cross-checked, and during shutdowns they may be bench calibrated. Temperature sensors used for leak detection are cross-checked periodically against other channels to provide assurance of operability.

CHAPTER 07 7.3-125 REV. 19, SEPTEMBER 2018

LGS UFSAR

b. PRMS: Due to the two-out-of-two configuration of the trip logic, one channel at a time may be removed from service to perform periodic tests.

7.3.2.2.2.3.1.10 PCRVICS - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration

a. PCRVICS: All active components of the PCRVICS can be tested or calibrated during plant operation. Pressure and level instrument channels can be cross-checked or valved out of the system and calibrated with a test signal. The radiation and temperature sensors can be cross-checked for verification or operability, and since they are used with reference to background, they do not require actual sensitivity verification on a frequent basis. The sensors may be bench calibrated during shutdown. The log radiation monitor can be tested by placing the monitor switch out of the "operate" position.
b. PRMS: An internal trip test circuit, adjustable over the full range of the trip circuit, is provided. The test signal is fed into the indicator and trip unit input so that a meter reading is provided in addition to a trip. All trip circuits are the latching-type and must be manually reset at the front panel.

Facilities for calibrating these monitor units are provided. It is a test unit designed for use in the adjustment procedure for the area radiation monitor sensor and converter unit. It provides several gamma radiation levels between 1 mrem/hr and 250 mrem/hr. The calibration unit source is an approved source.

A cavity in the calibration unit receives the sensor and converter unit. Located on the back wall of the cylindrical lower half of the cavity is a window through which radiation from the source emanates. A chart on each unit indicates the radiation levels available from the unit for the various control settings.

7.3.2.2.2.3.1.11 PCRVICS - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal from Operation

a. PCRVICS: Valving out and calibration of each sensor is annunciated by manual activation of the system out-of- service annunciator by the operator as well as individual sensor and channel trip annunciators. Calibration of a single sensor does not cause a protective action.

In the case of the MOVs, automatic or manual closure can be prevented by shutting off electric power to the motor starters. This action is indicated by annunciation in the control room.

b. PRMS: During the periodic testing of any given channel, the controls associated with a monitor permit the monitor to be tested for proper operation, and the two-out-of-two trip system logic prevents system level protective action. The two-out-of-two trip system logic channel, when in the test mode, provides an inoperative trip signal to meet the single failure requirements.

To bypass a channel for calibration, it is switched out of the "operate" position. This results in a downscale alarm and actuation of the upscale trip, thereby making isolation possible in the vent that high radiation would cause an upscale trip in the CHAPTER 07 7.3-126 REV. 19, SEPTEMBER 2018

LGS UFSAR remaining channel of the same logic. Whenever instrument trouble occurs, the downscale alarm sounds.

The above discussion is applicable to the RMS in Section 7.6 that initiates protective functions. In all cases, removal of the monitor from service causes actuation of the channel input to the system trip logic. In all cases, except the MSL-RMS, instrument trouble does not actuate the individual channel trip but causes a downscale alarm. The MSL-RMS isolation logic is configured such that either an upscale or downscale trip will cause a channel trip.

Administrative procedures are followed in all cases to remove from service a channel that is alarmed due to instrument trouble to ensure that system protective function is not inhibited.

In all cases, except the RHRSW-RMS, removal from service of one channel does not result in inadvertent actuation of the protective function. The RHRSW-RMS are arranged in a one-out-of-one logic configuration, and their removal from service will initiate protective action. Administrative procedures are followed in all cases to prevent removal from service of more than one channel at a time. For the RHRSW-RMS that trip the RHRSW pumps, bypass switches are provided as described in Section 7.3.1.1.12.6 that allow inhibiting the upscale trips.

7.3.2.2.2.3.1.12 PCRVICS - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses

a. PCRVICS: The isolation valve control system has two bypasses. One is the main steam line low pressure operating bypass, which is imposed by the mode switch in the other-than-run mode. The mode switch cannot be left in this position above 15% of rated power without initiating a neutron flux scram. Therefore the bypass is removed by the normal operational sequence, in accordance with the intent of IEEE 279 (1971), although it is a manual action that removes it, rather than an automatic one.

The low condenser vacuum bypass is imposed by a manual bypass switch in conjunction with closure of the turbine stop valves. Bypass removal is accomplished automatically by the opening of the turbine stop valves and manually by placing the bypass switch in normal position. Hence, the bypass is considered an operating bypass in accordance with IEEE 279 (1971).

Isolation signals to the CAC system isolation valves associated with POST-LOCA combustible gas control and to the CIGS isolation valves associated with long term operation of the ADS valves may be overridden by key-locked bypass switches by manually placing the switches in the bypass position after an isolation signal. The bypass switches are normally key-locked in the normal position to allow isolation of the applicable valves upon receipt of an isolation signal.

b. PRMS: This design requirement is not applicable to this protective function.

7.3.2.2.2.3.1.13 PCRVICS - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses

a. PCRVICS: The operating bypasses of the main steam line isolation valve closure trip and main condenser low vacuum trip are indicated in the control room.

CHAPTER 07 7.3-127 REV. 19, SEPTEMBER 2018

LGS UFSAR The operating bypasses of the CAC system and CIGS valves isolation signal are indicated in the control room by annunciation of the bypassed condition and by valve position indicating lights.

Instrument bypass from calibration and certain other bypass conditions cannot be automatically annunciated. They are manually indicated by operator actuation of the system out-of-service annunciator.

b. PRMS: A downscale annunciation is produced during the monitor tests with the PRMS front panel controls. Substitution of the process input with a simulated input to the monitor produces downscale and upscale annunciation in the control room under specific conditions of the tests.

7.3.2.2.2.3.1.14 PCRVICS - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing

a. PCRVICS: The mode switch and condenser vacuum bypass switch are centrally located in the control room and are key-locked.

The CAC system and CIGS isolation valves bypass switches are centrally located in the control room and are key-locked.

b. PRMS: During the periodic test, administrative control procedures must be followed to remove one monitor from service and subsequently return it to service.

7.3.2.2.2.3.1.15 PCRVICS - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints Paragraph 4.15 of IEEE 179 (1971) is not applicable, because all setpoints are fixed.

7.3.2.2.2.3.1.16 PCRVICS - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once It Is Initiated

a. PCRVICS: All isolation actions are sealed-in by logic, so valves go to the close position completing the protective action. Manual reset action is provided by independent reset switches, so that inboard valves can be reset independently of outboard valves. This feature is incorporated only to augment the electrical separation of the inboard and outboard valves and not because of any need to reset them separately.
b. PRMS: The monitor output trip circuit remains in a tripped state whenever the gamma radiation level exceeds the established setpoint.

7.3.2.2.2.3.1.17 PCRVICS - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation

a. PCRVICS: The PCRVICS has four divisionally separated manual initiation switches that separately activate four MSIV logics and initiate the isolation system at the system level.

The logic for manual initiation is one-out-of-two-twice for the MSIVs. The manual initiation logic for other isolation valves is one-out-of-one by activating one of the system manual initiation switches (S28A for inboard, S28B for outboard), or two-out-of-two by activating both of the subsystem manual initiation switches.

CHAPTER 07 7.3-128 REV. 19, SEPTEMBER 2018

LGS UFSAR Redundant manual controls are separated so that a single failure does not inhibit an isolation. The separation of redundant devices is maintained in both the manual and automatic portion of the system so that no single failure in either the manual or automatic portions can prevent an isolation by either manual or automatic means.

b. PRMS: This design requirement is not applicable to this protective function.

7.3.2.2.2.3.1.18 PCRVICS - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration, and Test Points

a. PCRVICS: Setpoint adjustments for the PCRVICS system sensors are integral with the trip unit located in the auxiliary equipment room, with suitable key-locked barriers, and are therefore under the administrative control of the operator.
b. PRMS: Access to the monitors is under the administrative control of plant personnel.

Operation of the monitor front panel controls, whether for calibration or test purposes, results in a downscale annunciation from the channel in the control room.

7.3.2.2.2.3.1.19 PCRVICS - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions

a. PCRVICS: Any one of the sensor relays actuates an annunciator, so that no single channel "trip" goes unnoticed. In addition, indicator lights are provided to show instrument channel trip. This combination of annunciation and visible verification relay actuation fulfills the requirements of this criterion.
b. PRMS: Actuation of any radiation monitor to produce a tripped condition initiates a control room annunciation for this protective function.

7.3.2.2.2.3.1.20 PCRVICS - IEEE 279 (1971), Paragraph 4.20 - Information Readout

a. PCRVICS: The information presented to the reactor operator by the isolation control system is as follows:
1. Annunciation of each process variable that has reached a trip point
2. Computer readout of trips on main steam line tunnel temperature or main steam line high flow
3. Annunciation of steam leaks in each of the systems monitored, namely, main steam, cleanup, and RHR
4. Open and closed position indicator lights for each isolation valve
5. Annunciation of any excess flow check valve isolation
b. PRMS: Actuation of any radiation monitor to produce a tripped condition initiates a control room annunciation for this protective function.

This information is considered to fulfill the requirements for information readout.

7.3.2.2.2.3.1.21 PCRVICS - IEEE 279 (1971), Paragraph 4.21 - System Repair CHAPTER 07 7.3-129 REV. 19, SEPTEMBER 2018

LGS UFSAR

a. PCRVICS: The components that are expected to have a moderate need for replacement are designed for convenient removal. These include the temperature signals, amplifier units, and thermocouples. The amplifier units are of the circuit card or replaceable module construction, and the temperature sensors are replaceable units. Pressure, vessel level, flow, and temperature, sensors can be replaced in a reasonable length of time. The pressure, level, and flow devices are considered to be permanently installed although they have nonwelded connections at the instrument, which allows replacement. Failures can be detected during periodic testing, and replacement time is nominal.

The main steam tunnel temperature sensors are not accessible during normal plant operation because of radiation from the main steam lines. However, duplicate sensors are provided that may be substituted for a failed sensor during operation.

The failed sensor can be replaced during shutdown.

b. PRMS: The one-to-one relationship of detector, monitor, and trip circuitry permits the operator to identify a faulty channel and determine the defective component.

Provisions are made to facilitate repair of the channel components during plant operation.

7.3.2.2.2.3.1.22 PCRVICS - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems

a. PCRVICS: Panels and racks that house isolation system equipment are identified by a distinctive color marker plate identifying the equipment as being in the protective system and listing the system name and designation of the particular redundant portion of the system. Cables, conduits, and raceways are color coded, displaying the appropriate redundant portion of the system.
b. PRMS: Special identification is provided for these monitors by special colored marker plates that identify the RPS division with which the units are associated.

Cables, conduits, and raceways are color coded, displaying the appropriate redundant portion of the system.

Control room devices are identified by tags on the panels. These tags indicate the functions of the devices.

7.3.2.2.2.3.2 PCRVICS - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Station Class 1E ac power supply systems are physically separated and electrically isolated into redundant load groups so that safety actions provided by redundant counterparts are not compromised (Section 8.3). The fail-safe logic for PCRVICS is powered from a non-Class 1E source.

7.3.2.2.2.3.3 PCRVICS - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electric Equipment for Nuclear Power Generating Stations Conformance of the components of the PCRVICS are covered by Section 7.1.2.7.4.

7.3.2.2.2.3.4 PCRVICS - IEEE 338 (1975) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems CHAPTER 07 7.3-130 REV. 19, SEPTEMBER 2018

LGS UFSAR The system is completely testable in overlapping segments during reactor operation. The tests test the sensors through to the final actuators, demonstrate independence of channels, and detect failures.

7.3.2.2.2.3.5 PCRVICS - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations The seismic qualification of components of the PCRVICS is covered by Section 3.10. This standard does not apply to the low steam line pressure MSIV trip, high condenser pressure MSIV trip, and high steam line temperature MSIV trip during or after an SSE as discussed in Section 7.3.2.2.2.3.1.5.

7.3.2.2.2.3.6 PCRVICS - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems The single failure criterion of IEEE 279 as defined by IEEE 379 (1972) is fully complied with in the design of the PCRVICS. All redundant sensors cabling, logic and actuators are physically separated so that any credible single failure cannot incapacitate the safety function. Section 7.3.2.2.2.3.1.2 contains more information.

7.3.2.2.2.3.7 PCRVICS - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits See Section 7.1.2.7.11 for discussion of degree of conformance.

7.3.2.2.3 PCRVICS Additional Design Considerations Analyses As defined in Regulatory Guide 1.70, paragraph 7.3.2, the following considerations are addressed:

a. Loss of the plant instrument air system does not prevent the PCRVICS from performing its protective function.
b. Loss of cooling water to any single piece of vital equipment does not prevent the PCRVICS from performing its protective function.

7.3.2.3 Information in this section has been deleted.

7.3.2.4 RHR - Containment Spray Mode - Instrumentation and Controls 7.3.2.4.1 RHR-CSM General Functional Requirements Conformance The following analysis shows how the RHR-CSM meets the safety design bases identified in Section 7.1.2.1.30.1. When the RHR system is in the containment spray cooling mode, the pumps take suction from the suppression pool, pass it through the RHR heat exchangers and inject it through spray spargers located in the upper drywell and in the suppression pool air space.

Operation of this system condenses steam present in these areas and mixes the drywell atmosphere to prevent pockets of hydrogen accumulation. The system is manually initiated as described in Section 7.3.1.1.4.5.

CHAPTER 07 7.3-131 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.4.2 RHR-CSM Specific Regulatory Requirements Conformance 7.3.2.4.2.1 RHR-CSM Conformance to Regulatory Guides 7.3.2.4.2.1.1 RHR-CSM - Regulatory Guide 1.11 (1971) - Instrument Lines Penetrating Primary Reactor Containment (Safety Guide 11)

Instrument lines penetrating the primary reactor containment have excess flow check valves to isolate the lines in the event of line rupture.

7.3.2.4.2.1.2 RHR-CSM - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)

Conformance to this regulatory guide is achieved by providing system and component testing capability, either during reactor power operation or shutdown.

7.3.2.4.2.1.3 RHR-CSM - Regulatory Guide 1.29 (1978) - Seismic Design Classification All electrical and mechanical devices and circuitry between process instrumentation, protective actuators, and monitoring of systems important to safety are classified as Seismic Category I.

7.3.2.4.2.1.4 RHR-CSM - Regulatory Guide 1.30 (1972) - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment (Safety Guide 30)

See Section 8.1.6.1.5.

7.3.2.4.2.1.5 RHR-CSM - Regulatory Guide 1.32 (1977) - Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants Conformance is described in the conformance to IEEE 308 (1971).

7.3.2.4.2.1.6 RHR-CSM - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems Indication and annunciation is provided in the control room to inform the operator that a system or part of a system is inoperable. See Section 7.3.1.1.4.13.2 for a discussion of the bypass indication capability provided.

7.3.2.4.2.1.7 RHR-CSM - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems The system is designed with two independent and redundant portions to ensure that no single failure can prevent the safety function.

7.3.2.4.2.1.8 RHR-CSM - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions System initiation is manual from the control room. Interlocks are provided to prevent inadvertent manual initiation during normal reactor power operation. The manual controls are easily accessible to the operator so that action can be taken in an expeditious manner. Operation of the manual initiation accomplishes all of the actions performed by the automatic initiation circuitry.

CHAPTER 07 7.3-132 REV. 19, SEPTEMBER 2018

LGS UFSAR No single failure in the manual, automatic or common portion of the protection system will prevent initiation by manual means. Manual initiation, once initiated, goes to completion as required by IEEE 279 (1971), section 4.16, unless overridden by a higher priority safety function, such as LPCI mode.

7.3.2.4.2.1.9 RHR-CSM - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems See Section 7.1.2.5.19 for a discussion of the degree of conformance.

7.3.2.4.2.1.10 RHR-CSM - Regulatory Guide 1.89 (1974) - Qualification of Class 1E Equipment for Nuclear Power Plants The identification and qualification of Class 1E equipment is discussed in Section 3.11.

7.3.2.4.2.1.11 RHR-CSM - Regulatory Guide 1.97 (1980) - Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident See Section 7.5.2.5.1.1.2 for a discussion of the degree of conformance.

7.3.2.4.2.1.12 RHR-CSM - Regulatory Guide 1.100 (1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants See Section 3.10 for a discussion of the degree of conformance.

7.3.2.4.2.1.13 RHR-CSM - Regulatory Guide 1.105 (1976) - Instrument Setpoints See Section 7.1.2.5.25 for discussion of the degree of conformance.

7.3.2.4.2.1.14 RHR-CSM - Regulatory Guide 1.118 (1978) - Periodic Testing of Electric Power and Protection Systems See Section 7.1.2.5.26 for discussion of the degree of conformance.

7.3.2.4.2.2 RHR-CSM Conformance to 10CFR50, Appendix A, General Design Criteria 7.3.2.4.2.2.1 RHR-CSM - GDC 1 - Quality Standards and Records All systems required for safety are designed and built in accordance with an established quality assurance program.

7.3.2.4.2.2.2 RHR-CSM - GDC 2 - Design Bases for Protection Against Natural Phenomena All systems required for safety have been designed to withstand the effects of natural phenomena without losing the capacity to perform their safety functions.

7.3.2.4.2.2.3 RHR-CSM - GDC 3 - Fire Protection All systems and components required for safety have been designed and are located to minimize the probability and effect of fires and explosions. Materials that are heat-resistant and noncombustible are used wherever practicable.

CHAPTER 07 7.3-133 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.4.2.2.4 RHR-CSM - GDC 4 - Environmental and Dynamic Effects Design Bases All safety-related systems and components are designed to withstand and function within the environmental conditions resulting from normal operations, maintenance, testing, and postulated accidents, including LOCAs. These systems and components are appropriately protected against dynamic events such as missiles and pipe whip.

7.3.2.4.2.2.5 RHR-CSM - GDC 13 - Instrumentation and Control Instrumentation is provided to monitor variables and systems over their anticipated ranges for normal operation, anticipated operational occurrences, and accident conditions to ensure adequate safety.

7.3.2.4.2.2.6 RHR-CSM - GDC 19 - Control Room A control room is provided where actions can be taken to operate the nuclear power unit under normal and abnormal conditions.

7.3.2.4.2.2.7 RHR-CSM - GDC 22 - Protection System Independence The protection systems are designed to be redundant and diverse.

7.3.2.4.2.2.8 RHR-CSM - GDC 24 - Separation of Protection and Control Systems The protection systems are separated from the control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to both, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system.

7.3.2.4.2.2.9 RHR-CSM - GDC 29 - Protection Against Anticipated Operational Occurrences The protection and reactivity control systems are designed to ensure an extremely high probability of fulfilling their safety functions in the event of anticipated operational occurrences.

7.3.2.4.2.2.10 RHR-CSM - GDC 38 - Containment Heat Removal This mode is provided to assure heat removal from the reactor containment following any LOCA.

7.3.2.4.2.2.11 RHR-CSM - GDC 40 - Testing of Containment Heat Removal System The containment heat removal system is designed to permit appropriate periodic and functional testing including the controls which bring the system into operation.

7.3.2.4.2.3 RHR-CSM Conformance to Industry Codes and Standards 7.3.2.4.2.3.1 RHR-CSM - IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Stations 7.3.2.4.2.3.1.1 RHR-CSM - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement

a. Autoinitiation - Containment spray is not automatically initiated, however, its safety function is adequately ensured by manual initiation.

CHAPTER 07 7.3-134 REV. 19, SEPTEMBER 2018

LGS UFSAR

b. Appropriate Action - Appropriate action for the containment spray control system is defined as activating equipment for introducing water into the containment spray spargers.
c. Precision - The term precision does not apply strictly to the containment spray mode because of the wide range of setpoint values that could give the appropriate signal to allow manual initiation.
d. Reliability - Reliability of the control system is compatible with the controlled equipment.
e. Performance Under Adverse Conditions -
1. Power Supply Voltage - Tolerance is provided to any degree of ac power supply voltage fluctuation within one division such that voltage regulation failures in one division cannot prevent successful containment cooling. Dc power supply failure will likewise affect only one of the two containment spray divisions.
2. Power Supply Frequency - Same as Item e.1 above. Excessive frequency reduction is indicative of an onsite power supply failure, and equipment shutdown in that division is required.
3. Temperature - The RHR-CSM is operable at all temperatures that can result from any DBA.
4. Humidity - The RHR-CSM is operable at humidities (steam) that can result from any DBA.
5. Pressure - The RHR-CSM is operable at all pressures resulting from any DBA.
6. Vibration - Tolerance to such conditions is as stated in Section 3.10.
7. Malfunctions - Tolerance to any single component failure is provided.
8. Accidents - Tolerance to all DBAs has been provided.
9. Fire - Tolerance to a single raceway or enclosure fire or mechanical damage has been provided.
10. Explosions - Explosions are not defined in design basis.
11. Missiles - Tolerance to any single missile destroying no more than one pipe, raceway, or electrical enclosure has been provided.
12. Lightning - Tolerance to lightning damage of ac power system limited to one auxiliary bus system has been provided. See comments under Item e.1.
13. Flood - All control equipment is located above flood level by design or protected against flooding.

CHAPTER 07 7.3-135 REV. 19, SEPTEMBER 2018

LGS UFSAR

14. Earthquake - Tolerance has been provided to conditions stated in Section 3.10 and seismic Class 1 structures are used to house all control equipment.
15. Wind and Tornado - The structures containing ESF components have been designed to withstand meteorological events described in Section 3.3.2.

Superficial damage may occur to miscellaneous station property during a postulated tornado, but this will not impair ESF capabilities.

16. System Response Time - Responses are within the requirements of the need to start containment spray. Manual initiation has been shown to be acceptable for initiation of this RHR mode.
17. System Accuracies - Accuracies are within those needed for proper system functioning and operational display.
18. Abnormal Ranges of Senses Variables - Sensors do not saturate when overranged.

7.3.2.4.2.3.1.2 RHR-CSM - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion Two 100% capacity systems are provided. Redundancy in equipment and control logic circuitry is provided so that a single failure will not render the complete containment spray system inoperative.

Two division logics are provided. Division 1 logic is provided to initiate loop A equipment and Division 2 logic is provided to initiate loop B equipment.

Tolerance to the following single failures or events is provided in the sensing channels, trip logic, actuator logic, and actuated equipment so that these failures will be limited to the possible disabling of the initiation of only one loop:

a. Single open circuit
b. Single short circuit
c. Single component failure open
d. Single component failure shorted or grounded
e. Single module failure (including multiple shorts, opens, and grounds)
f. Single electrical enclosure involvement (including multiple shorts, opens and grounds)
g. Single raceway destruction (including multiple shorts, opens, and grounds)
h. Single control power supply failure
i. Single motive power supply failure
j. Single control circuit failure CHAPTER 07 7.3-136 REV. 19, SEPTEMBER 2018

LGS UFSAR

k. Single sensing line (pipe) failure
l. Single electrical component failure.

7.3.2.4.2.3.1.3 RHR-CSM - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules Components used in the containment spray control mode have been carefully selected for their specific application. Ratings have sufficient conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant.

These components are subjected to the manufacturers' normal quality control and undergo functional testing on the panel assembly floor as part of the integrated module test prior to shipment of each panel assembly. Only components which have demonstrated a high degree of reliability and serviceability in other functionally similar applications or which have been qualified by tests are selected for use.

Furthermore, a quality control and assurance program is required to be implemented and documented by equipment vendors, which complies with the requirements set forth in 10CFR50, Appendix B.

7.3.2.4.2.3.1.4 RHR-CSM - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification No components of the containment spray system are required to operate in the drywell environment. Sensory equipment is located outside the drywell and is capable of accurate operation with wider variations in ambient temperature than results from normal or abnormal (loss of ventilation and LOCA) conditions. All components used in the containment spray system have demonstrated reliable operation in similar nuclear power plant protection systems or industrial operation (Section 3.11.2).

7.3.2.4.2.3.1.5 RHR-CSM - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity The containment spray system instrument channels are designed to maintain necessary functional capability under extreme conditions, thus satisfying the objective of channel integrity.

7.3.2.4.2.3.1.6 RHR-CSM - IEEE 279 (1971), Paragraph 4.6 - Channel Independence Channel independence of the sensors for each variable is provided by electrical isolation and mechanical separation. The A and E sensors for reactor vessel low water levels, for instance, are located on one local instrument panel that is identified as Division 1 equipment, and the B and F sensors are located on a second instrument panel, widely separated from the first and identified as Division 2 equipment. The A and E sensors have a common process tap which is widely separated from the corresponding tap for sensors B and F. Disabling of one or all sensors in one location does not disable the control for the other division.

Relay cabinets for Division 1 are in a separate physical location from that of Division 2. Each division is complete in itself, with its own station battery, control and instrument bus, power distribution buses, and MCCs. The divisional split is carried all the way from the process taps to the final activated equipment, and includes both control and motive power supplies.

Although there are only two sensors for each variable in each division, these sensors back up each other as described in the preceding paragraph.

CHAPTER 07 7.3-137 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.4.2.3.1.7 RHR-CSM - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction The containment spray system is a safety system designed to be independent of plant control systems.

7.3.2.4.2.3.1.8 RHR-CSM - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs The inputs which are permissive for the containment spray system are direct measures of the variables that indicate the need for containment cooling. Drywell high pressure is sensed by drywell pressure sensors. Low reactor vessel water (level 1) is sensed by vessel water level sensors. Reactor low pressure is sensed by vessel pressure sensors.

7.3.2.4.2.3.1.9 RHR-CSM - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks All sensors are of the pressure-sensing type and are installed with calibration taps and instrument valves to permit testing during normal plant operation or during shutdown. The drywell high pressure sensors can be checked only by application of gas pressure from a low pressure source (instrument air or inert gas bottle) after closing the instrument valve and opening the calibration valve.

The trip units mounted in the control structure are calibrated separately by introducing a calibration source and verifying the setpoint through the use of a digital readout on the trip calibration module.

7.3.2.4.2.3.1.10 RHR-CSM - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration The containment spray system is capable of being completely tested during normal plant operation to verify that each element of the system, active or passive, is capable of performing its intended function. MOVs can be exercised by the appropriate control logic and starters, and all indications and annunciations can be observed as the system is tested.

The pumps can be started by use of the control switches in the control room. Sensors can be exercised by applying test pressures. Logic relays can be exercised by means of plug-in test switches used alone or in conjunction with single sensor tests.

7.3.2.4.2.3.1.11 RHR-CSM - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal from Operation Calibration of each sensor will induce a single instrument channel trip. This does not cause a protective function.

Removal of a sensor from operation during calibration does not prevent the redundant instrument channels from functioning if accident conditions occur. Removal of an instrument channel from service during calibration will be brief.

7.3.2.4.2.3.1.12 RHR-CSM - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses Containment spray has no operating bypasses.

7.3.2.4.2.3.1.13 RHR-CSM - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses See Section 7.1.2.7.1.

CHAPTER 07 7.3-138 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.4.2.3.1.14 RHR-CSM - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing Access to switchgear, MCCs, and instrument valves is procedurally controlled by the following means:

a. Administrative control of access to instrument valves
b. Lockable doors on emergency switchgear rooms 7.3.2.4.2.3.1.15 RHR-CSM - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints There are no multiple trip settings.

7.3.2.4.2.3.1.16 RHR-CSM - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once It Is Initiated The final control elements for the containment spray system are essentially bistable, i.e., pump breakers stay closed without control power, and MOVs stay open once they have reached their open position, even though the motor starter may drop out (which will occur when the valve open limit switch is reached.

Thus, once initiated, protective action will go to completion and continue until terminated by deliberate operator action or in the use of the suppression pool spray.

7.3.2.4.2.3.1.17 RHR-CSM - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation Containment spray is a manually initiated system.

7.3.2.4.2.3.1.18 RHR-CSM - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration, and Test Points Setpoint adjustments for the containment spray system sensors are integral with the trip units located in the auxiliary equipment room and cannot be changed without removal of covers over these adjustments. Access to test points in the control relay cabinets is under administrative control. Because of these restrictions, compliance with this requirement of IEEE 279 is considered complete.

7.3.2.4.2.3.1.19 RHR-CSM - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions Protective actions are directly indicated and identified by annunciator operation and trip unit indicator lights. This combination of annunciation and visible verification fulfills the requirements of this criterion.

7.3.2.4.2.3.1.20 RHR-CSM - IEEE 279 (1971), Paragraph 4.20 - Information Readout Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the containment spray function is available and/or operating properly.

The design minimizes conditions that could cause inconsistent indications confusing to the operator.

7.3.2.4.2.3.1.21 RHR-CSM - IEEE 279 (1971), Paragraph 4.21 - System Repair CHAPTER 07 7.3-139 REV. 19, SEPTEMBER 2018

LGS UFSAR The containment spray control system is designed to permit repair or replacement of components.

All devices in the system are designed for a 40 year lifetime under the imposed duty cycles with periodic maintenance. Since this duty cycle is composed mainly of periodic testing rather than operation, lifetime is more a matter of "shelf life" than active life. However, all components are selected for continuous-duty plus thousands of cycles of operation, far beyond that anticipated in actual service. The pump breakers are an exception to this with regard to the large number of operating cycles available. Nevertheless, even these breakers should not require contact replacement within 40 years, assuming periodic pump starts each 3 months.

Recognition and location of a failed component will be accomplished during periodic testing. The simplicity of the logic will make the detection and location relatively easy, and components are mounted in such a way that they can be conveniently replaced in a short time.

7.3.2.4.2.3.1.22 RHR-CSM - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems A nameplate distinctively identifies the equipment as being in the protective system for each logic cabinet and instrument panel that is part of the containment spray system. The nameplate shows the division to which each panel or cabinet is assigned.

Identification of cables and raceways is discussed in Section 8.3.1.3.

Panels in the control room are identified by tags which indicate the system and logic contained in each panel.

7.3.2.4.2.3.2 RHR-CSM - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations Class 1E power supply system containment spray loads are physically separated and electrically isolated into independent load groups so that safety action provided by redundant counterparts are not compromised. Refer to Section 8.1.6.1.6 for details of the Class 1E power system.

7.3.2.4.2.3.3 RHR-CSM - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electric Equipment for Nuclear Power Generating Stations Refer to Section 7.1.2.7.4 for a discussion of system compliance to this standard.

7.3.2.4.2.3.4 RHR-CSM - IEEE 336 (1971) - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Station See Section 8.1.6.1.5.

7.3.2.4.2.3.5 RHR-CSM - IEEE 338 (1975) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems The design of the containment spray cooling system permits periodic testing as described in Sections 7.3.1.1.4.10 and 7.3.2.4.3.1.10.

7.3.2.4.2.3.6 RHR-CSM - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations Refer to Section 7.1.2.7.7 for a discussion of system compliance to this standard.

CHAPTER 07 7.3-140 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.4.2.3.7 RHR-CSM - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems The single failure criterion of IEEE 279 (1971), paragraph 4.2 as further defined in IEEE 379 (1972), "Application of the Single Failure Criterion to Nuclear Power Generating Station Protection System," is met as described in Section 7.3.2.4.2.3.1.2.

7.3.2.4.2.3.8 RHR-CSM - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits Independence of containment spray equipment is demonstrated in the Section on conformance to IEEE 279 (1971), paragraph 4.6 and IEEE 308 (1976). See Sections 7.3.1.1.4.10 and 7.3.2.4.2.3.1.6.

7.3.2.4.3 RHR-CSM Additional Design Considerations Analyses As defined in Regulatory Guide 1.70, paragraph 7.3.2, the following considerations are addressed:

a. Loss of the plant instrument air system does not prevent the containment spray mode from performing its protective function.
b. Loss of cooling water to any single piece of vital equipment does not prevent the containment spray mode from performing its protective function.

7.3.2.5 RHR - Suppression Pool Cooling Mode - Instrumentation and Controls 7.3.2.5.1 RHR-SPCM General Functional Requirements Conformance The following analysis shows how the safety design bases identified for the RHR-SPCM in Section 7.1.2.1.32.1 are met. The RHR-SPCM is designed to limit the water temperature in the suppression pool such that the temperature immediately after a blowdown does not exceed the established limit when reactor pressure is above the limit for cold shutdown. During this mode of operation, water is pumped from the suppression pool, through the RHR system heat exchangers, and back to the suppression pool. The RHR-SPCM thus maintains the suppression pool as a heat sink for reactor and containment blowdown and as a source of water for ECCS, containment spray, and shutdown cooling.

7.3.2.5.2 RHR-SPCM Specific Regulatory Requirements Conformance 7.3.2.5.2.1 RHR-SPCM Conformance to Regulatory Requirements 7.3.2.5.2.1.1 RHR-SPCM - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)

Conformance to this guide is discussed in Section 7.3.2.4.2.1.2.

7.3.2.5.2.1.2 RHR-SPCM - Regulatory Guide 1.29 (1978) - Seismic Design Classification Conformance to this guide is discussed in Section 7.3.2.4.2.1.3.

7.3.2.5.2.1.3 RHR-SPCM - Regulatory Guide 1.30 (1972) - Quality Assurance Requirements for the Installation, Inspection and Testing of Instrumentation and Electric Equipment (Safety Guide 30)

CHAPTER 07 7.3-141 REV. 19, SEPTEMBER 2018

LGS UFSAR Conformance to this guide is discussed in Section 7.3.2.4.2.1.4.

7.3.2.5.2.1.4 RHR-SPCM - Regulatory Guide 1.32 (1977) - Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants Conformance is described in the conformance to IEEE 308 (1971).

7.3.2.5.2.1.5 RHR-SPCM - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems Conformance to this guide is discussed in Section 7.3.2.4.2.1.6.

7.3.2.5.2.1.6 RHR-SPCM - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems The system is designed with two independent and redundant portions to assure that no single failure can prevent the safety function.

7.3.2.5.2.1.7 RHR-SPCM - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions System initiation is manual from the control room. The manual controls are easily accessible to the operator so that required actions can be performed quickly. Once initiated, system initiation goes to completion unless overridden by a higher priority function or interlock.

7.3.2.5.2.1.8 RHR-SPCM - Regulatory Guide 1.63 (1978) - Electric Penetration Assemblies in Containment Structures for Light-Water-Cooled Nuclear Power Plants The electric penetration assemblies are designed so that the containment structure can, without exceeding the design leakage rate, accommodate the calculated pressure, temperature and other environmental conditions resulting from any LOCA.

7.3.2.5.2.1.9 RHR-SPCM - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems Conformance to this guide is discussed in Section 8.1.6.1.14.

7.3.2.5.2.1.10 RHR-SPCM - Regulatory Guide 1.89 (1974) - Qualification of Class 1E Equipment for Nuclear Power Plants Conformance to this guide is discussed in Section 3.11.

7.3.2.5.2.1.11 RHR-SPCM - Regulatory Guide 1.97 (1980) - Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following An Accident Conformance to this guide is discussed in Section 7.5.2.5.1.1.2.

7.3.2.5.2.1.12 RHR-SPCM - Regulatory Guide 1.100 (1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants Conformance to this guide is discussed in Section 3.10.

CHAPTER 07 7.3-142 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.5.2.1.13 RHR-SPCM - Regulatory Guide 1.105 (1976) - Instrument Setpoints Conformance to this guide is discussed in Section 7.1.2.5.25.

7.3.2.5.2.1.14 RHR-SPCM - Regulatory Guide 1.118 (1978) - Periodic Testing of Electric Power and Protection Systems Conformance to this guide is discussed in Section 7.1.2.5.26.

7.3.2.5.2.2 RHR-SPCM - Conformance to 10CFR50, Appendix A, General Design Criteria Conformance to GDC 1, 2, 3, 4, 13, 19, 22, 24, 29, 38, and 40 is described in Section 7.3.2.4.2.2.

7.3.2.5.2.3 RHR-SPCM Conformance to Industry Codes and Standards 7.3.2.5.2.3.1 RHR-SPCM - IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Stations 7.3.2.5.2.3.1.1 RHR-SPCM - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement

a. Autoinitiation - The suppression pool cooling mode has no autoinitiation feature, but is manually initiated from the control room. Proper and timely system operation is assured with manual initiation, because sufficient time and information is available to the operator. The monitored parameters which would indicate satisfactory system performance, or operator error include fluid temperature, flow, pressure, and valve positions.
b. Appropriate Protective Action - The suppression pool cooling instrumentation and controls allow manual initiation of cooling flow to control suppression pool temperature.
c. Precision - Since suppression pool cooling is manually initiated based on one or more parameters, precision does not strictly apply to this system's control circuitry.
d. Reliability - Reliability of the control system is compatible with controlled equipment.
e. Performance Under Adverse Conditions -
1. Power supply voltage and frequency - An electrical fault in one division cannot impair proper suppression pool cooling mode operation due to the redundant control circuits, each being supplied by different power sources.
2. Temperature - The suppression pool cooling mode is designed to function properly in the high temperature environment expected during DBAs.
3. Humidity - The system is designed to function properly in the high humidity (steam) environment expected during DBAs.
4. Pressure - The system is designed to function properly in the full range of pressures expected during DBAs.
5. Vibration - Tolerance to environmentally induced vibration (earthquake, wind) is discussed in Section 3.10.

CHAPTER 07 7.3-143 REV. 19, SEPTEMBER 2018

LGS UFSAR

6. Accidents - The system is tolerant to any DBA.
7. Fire - The system is tolerant to a fire in a single division raceway or enclosure.
8. Explosions - Explosions are not defined in the design basis.
9. Missiles - The system is tolerant to any single missile destroying no more than one pipe, raceway, or electrical enclosure.
10. Lighting - The system is tolerant to lightning damage to one auxiliary ac bus.
11. Flood - All instrumentation and controls are located above flood level or are protected from flood damage.
12. Earthquake - All control equipment is housed in a seismic Class I structure.

Tolerance to earthquake damage is discussed in Section 3.10.

13. Wind and Tornado - The structures containing ESF components have been designed to withstand meteorological events described in Section 3.3.2.

Superficial damage may occur to miscellaneous station property during a postulated tornado, but this will not impair ESF capabilities.

14. System Response Time - Manual initiation has been shown to provide adequate response time for initiation of this RHR mode.
15. System Accuracies - Instrumentation accuracy is covered in the Technical Specifications.
16. Ranges of Monitored Parameters - Instrument sensors and processing equipment are capable of displaying the full ranges of parameters expected during DBAs.

7.3.2.5.2.3.1.2 RHR-SPCM - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion Two independent fluid systems are provided, each with the capacity for removing the total design heat load. Two division logic networks are provided: Division 1 logic initiates loop A equipment and Division 2 logic initiates loop B equipment.

Redundancy in equipment and control logic circuitry is provided so that a single failure will not interfere with proper operation of the redundant portions of the system.

Tolerance to specific single failures or events is discussed in Section 7.3.2.4.2.3.1.2.

7.3.2.5.2.3.1.3 RHR-SPCM - IEEE 279 (1971), Paragraph 4.3 - Quality of Component and Modules Components used in the RHR-SPCM have been carefully selected for their specific applications.

Ratings have sufficient conservatism to prevent significant deterioration during expected duty over the lifetime of the plant.

These components are subjected to the manufacturer's normal quality control and undergo functional testing on the panel assembly floor as part of the integrated module test prior to shipment of each panel assembly. Only components which have demonstrated a high degree of CHAPTER 07 7.3-144 REV. 19, SEPTEMBER 2018

LGS UFSAR reliability and serviceability in other functionally similar applications, or which have been qualified type testing, are selected for use. Additionally, equipment vendors are required to implement and document a quality control and assurance program in accordance with the requirements of 10CFR50, Appendix B.

7.3.2.5.2.3.1.4 RHR-SPCM - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification Components of the suppression pool cooling mode instrumentation have undergone qualification testing to evaluate their suitability for reliable service in their installed locations, or have demonstrated reliable operation in similar nuclear power plant installations and industrial applications (Section 3.11).

No component of the control system is required to operate in the drywell environment. Sensory equipment is located outside the drywell and is capable of accurate operation in wide variations of environmental conditions.

7.3.2.5.2.3.1.5 RHR-SPCM - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity The RHR-SPCM instrumentation and controls are designed to remain operable under extreme environmental conditions as detailed in Section 3.11.

7.3.2.5.2.3.1.6 RHR-SPCM - IEEE 279 (1971), Paragraph 4.6 - Channel Independence Channel independence is maintained for all suppression pool cooling control circuitry. Channel sensor instrumentation is physically and electrically separated and identified as belonging to the respective divisions. Relay cabinets are physically and electrically separated. Each division has its own battery, control and instrumentation bus, power distribution buses, and MCCs.

7.3.2.5.2.3.1.7 RHR-SPCM - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction The RHR-SPCM is a safety function and is independent of plant control systems.

7.3.2.5.2.3.1.8 RHR-SPCM - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs The inputs to the interlock circuit for suppression pool cooling flow control are the same as those used for LPCI (Section 7.3.1.1.1.4.4 and 7.3.1.1.1.4.5) 7.3.2.5.2.3.1.9 RHR-SPCM - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks Discussion of checks on sensors used in the interlock circuit are discussed in Section 7.3.1.1.1.4.9.

7.3.2.5.2.3.1.10 RHR-SPCM - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration The RHR-SPCM can be tested completely during normal plant operation to verify that each element of the system, active or passive, is capable of performing its intended function. MOVs can be exercised by the appropriate control logic and starters, and all indications and annunciations can be observed during the test.

7.3.2.5.2.3.1.11 RHR-SPCM - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal from Operation CHAPTER 07 7.3-145 REV. 19, SEPTEMBER 2018

LGS UFSAR The suppression pool cooling controls have no operating bypasses.

7.3.2.5.2.3.1.12 RHR-SPCM - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses The suppression pool cooling controls have no operating bypasses.

7.3.2.5.2.3.1.13 RHR-SPCM - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses The suppression pool cooling controls have no operating bypasses.

7.3.2.5.2.3.1.14 RHR-SPCM - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing Since there are no bypasses, this criterion is not strictly applicable. Means of disabling instrumentation and controls is administratively controlled, including control of access to instrument valves and emergency switchgear.

7.3.2.5.2.3.1.15 RHR-SPCM - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints There are no multiple trip settings.

7.3.2.5.2.3.1.16 RHR-SPCM - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once It Is Initiated The final control elements for the containment spray mode are essentially bistable; for example, MOVs stay open once they have reached their open position even after the motor starter drops out.

Thus, once manually initiated, an action will go to completion and will continue unless deliberately terminated by the operator, or overridden by a higher priority function or interlock.

7.3.2.5.2.3.1.17 RHR-SPCM - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation Suppression pool cooling is manually initiated. Each separated loop is independently controlled by the operator.

7.3.2.5.2.3.1.18 RHR-SPCM - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration, and Test Points The suppression pool cooling mode does not require setpoints.

7.3.2.5.2.3.1.19 RHR-SPCM - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions Suppression pool cooling flow initiation is indicated by the Full Flow Test Return Valve indicating lights and flow indicators on the control panel.

7.3.2.5.2.3.1.20 RHR-SPCM - IEEE 279 (1971), Paragraph 4.20 - Information Readout Continuous reading indications are provided to enable the operator to verify proper system operation. The design minimizes the possibility of confusion due to inconsistent indications.

7.3.2.5.2.3.1.21 RHR-SPCM - IEEE 279 (1971), Paragraph 4.21 - System Repair CHAPTER 07 7.3-146 REV. 19, SEPTEMBER 2018

LGS UFSAR The suppression pool cooling mode is designed for efficient maintainability. Easy recognition of malfunctioning equipment is provided through proper test procedures. Accessibility is provided for the sensors and controls to facilitate repair or adjustment.

7.3.2.5.2.3.1.22 RHR-SPCM - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems Nameplates distinctively identify the equipment as being in the protective system for each logic cabinet and instrument panel that is part of the RHR system. The nameplates also indicate the division to which each panel or cabinet is assigned. Panels in the control room are identified by tags which indicate the system and logic contained therein. Identification of cables and raceways is discussed in Section 8.3.1.3.

7.3.2.5.2.3.2 RHR-SPCM - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations Class 1E electrical loads in the suppression pool cooling instrumentation and control system are physically separated and electrically isolated into independent load groups. A failure in one group will not interfere with proper operation of the redundant portions of the system. Details of the Class 1E power system are discussed in Section 8.1.6.1.6.

7.3.2.5.2.3.3 RHR-SPCM - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electric Equipment for Nuclear Power Generating Stations Refer to Section 7.1.2.7.4 for a discussion of system compliance to this standard.

7.3.2.5.2.3.4 RHR-SPCM - IEEE 336 (1971) - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations See Section 8.1.6.1.5.

7.3.2.5.2.3.5 RHR-SPCM - IEEE 338 (1975) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems The capability for testing the suppression pool cooling instrumentation and control system is discussed in Sections 7.3.1.1.1.4.9 and 7.3.1.1.5.10.

7.3.2.5.2.3.6 RHR-SPCM - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations Refer to Section 7.1.2.7.7 for a discussion of system compliance to this standard.

7.3.2.5.2.3.7 RHR-SPCM - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems The single failure criterion of IEEE 279 (1971), paragraph 4.2 as further defined in IEEE 379 (1972), "Application of the Single Failure Criterion to Nuclear Power Generating Station Protection System," is met as described in Section 7.3.2.5.2.3.1.2.

7.3.2.5.2.3.8 RHR-SPCM - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits CHAPTER 07 7.3-147 REV. 19, SEPTEMBER 2018

LGS UFSAR Independence of suppression pool cooling equipment is demonstrated in the Section on conformance to IEEE 279 (1971), paragraph 4.6 and IEEE 308 (1974) (Sections 7.3.2.5.2.3.1.6 and 7.3.2.5.2.3.2).

7.3.2.5.3 RHR-SPCM Additional Design Considerations Analyses As defined in Regulatory Guide 1.70, paragraph 7.3.2, the following considerations are addressed:

a. Loss of the plant instrument air system does not prevent the containment spray mode from performing its protective function.
b. Loss of cooling water to any single piece of vital equipment does not prevent the containment spray mode from performing its protective function.

7.3.2.6 Containment Atmospheric Control System - Instrumentation and Controls 7.3.2.6.1 CAC Primary Containment Vacuum Relief System - Instrumentation and Controls 7.3.2.6.1.1 PCVR General Functional Requirements Conformance The following analysis shows how the PCVR meets the safety design bases identified in Section 7.1.2.1.16.2.1.

The simplicity of design of the primary containment vacuum relief valve assemblies ensures their ability to operate when necessary to limit the differential pressure across the diaphragm slab. The valves are of the swing-check configuration and require no motive power other than the differential pressure across the valve.

The use of two valves in series within each assembly prevents failure of any single valve in the stuck open position from compromising the pressure-suppression capability of the primary containment.

7.3.2.6.1.2 PCVR Specific Regulatory Requirements Conformance 7.3.2.6.1.2.1 PCVR Conformance to Regulatory Guides 7.3.2.6.1.2.1.1 PCVR - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)

A valve operator is provided to test the operation of the valve and disc position indication system.

Associated switches located on a test panel in the reactor enclosure permit the periodic testing of the valves in accordance with the requirements of Chapter 16.

7.3.2.6.1.2.1.2 PCVR - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems The PCVR system is an automatic system and cannot be bypassed. Status indicating lights in the control room, provide indication of valve operability.

7.3.2.6.1.2.1.3 PCVR - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems The PCVR system is an automatic system requiring only a differential pressure across the valve discs to initiate the system.

CHAPTER 07 7.3-148 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.6.1.2.1.4 PCVR - Regulatory Guide 1.97 (1980) - Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident See Section 7.5.2.5.1.1.2 for discussion of the degree of conformance.

7.3.2.6.1.2.1.5 PCVR - Regulatory Guide 1.100 (1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants See Section 3.10 for a discussion of Regulatory Guide 1.100 (1977).

7.3.2.6.1.2.1.6 PCVR - Regulatory Guide 1.105 (1976) - Instrument Setpoints See Section 7.1.2.5.25 for discussion of the degree of conformance.

7.3.2.6.1.2.1.7 PCVR - Regulatory Guide 1.118 (1978) - Periodic Testing of Electric Power and Protection Systems See Section 7.2.1.5.26 for discussion of the degree of conformance.

7.3.2.6.1.2.2 PCVR Conformance to 10CFR50, Appendix A, General Design Criteria 7.3.2.6.1.2.2.1 PCVR - GDC 1 - Quality Standards and Records The PCVR system is designed and built in accordance with an established quality assurance program.

7.3.2.6.1.2.2.2 PCVR - GDC 2 - Design Bases for Protection Against Natural Phenomena The PCVR system is designed to withstand the effects of natural phenomena without loss of capability to perform its safety functions.

7.3.2.6.1.2.2.3 PCVR - GDC 3 - Fire Protection Section 7.1.2.6.3 gives compliance with GDC 3.

7.3.2.6.1.2.2.4 PCVR - GDC 4 - Environmental and Dynamic Effects Design Bases Section 7.1.2.6.4 gives compliance with GDC 4.

7.3.2.6.1.2.2.5 PCVR - GDC 19 - Control Room The PCVR is automatic, requiring only a differential pressure to operate. Annunciation is provided in the control room to alert the operator when any PCVR valve is not fully closed. Hand switches associated with the valves (and located on a panel in the reactor enclosure) are provided for test and containment purge purposes only.

7.3.2.6.1.2.2.6 PCVR - GDC 21 - Protection System Reliability and Testability High functional reliability is implemented in the system design by redundant and separate PCVR valve assemblies. Each PCVR valve assembly is capable of being tested during normal plant operation.

CHAPTER 07 7.3-149 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.6.1.2.2.7 PCVR - GDC 22 - Protection System Independence There are four redundant PCVR valve assemblies that are physically separate. Operational tests do not affect the operation of the system in any way.

7.3.2.6.1.2.2.8 PCVR - GDC 29 - Protection Against Anticipated Operational Occurrences No anticipated operational occurrence can prevent this equipment from performing its safety function.

7.3.2.6.1.2.3 PCVR Conformance to Industry Codes and Standards 7.3.2.6.1.2.3.1 PCVR - IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Stations This standard is not applicable to this system because the controls for PCVR are for test purposes only. The PCVR system is a fully independent system and does not require an external power source for actuation. Other requirements such as reliability, testing, and equipment qualification requirements, have been discussed in Section 7.3.2.6.1.2.1 and Section 7.3.2.6.1.2.2. Channel bypass or removal from operation is discussed in Section 7.3.2.6.1.2.1.2.

7.3.2.6.1.2.3.2 PCVR - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations See Section 8.3.2.2.1.12 for a discussion of this standard.

7.3.2.6.1.2.3.3 PCVR - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electric Equipment for Nuclear Power Generating Stations See Section 7.1.2.7.4.

7.3.2.6.1.2.3.4 PCVR - IEEE 338 (1971) - Criteria for the Periodic Testing of Nuclear Power Generating Stations Protection Systems See Section 7.1.2.7.6.

7.3.2.6.1.2.3.5 PCVR - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations See Section 7.1.2.7.7 for seismic qualification.

7.3.2.6.1.2.3.6 PCVR - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits This standard is not applicable as this system does not have an external power supply or wiring to safety-related equipment.

7.3.2.6.2 CAC Combustible Gas Control System - Instrumentation and Controls 7.3.2.6.2.1 CGCS General Functional Requirement Conformance CHAPTER 07 7.3-150 REV. 19, SEPTEMBER 2018

LGS UFSAR The containment hydrogen recombiner subsystem and the combustible gas analyzer subsystem both consist of two separate packages that are fully redundant and independent. If there is a LOOP, the redundant packages are powered from different divisions of Class 1E power. A single failure in either subsystem would only render the affected package unavailable, with the redundant package being fully capable of serving the intended function at full capacity. FMEAs for the containment hydrogen recombiner subsystem and the combustible gas analyzer subsystem are provided in Tables 6.2-20 and 6.2-21, respectively. See also the safety design basis identified in Section 7.1.2.1.16.1.1.

Refer to Section 6.2.5 for additional details.

7.3.2.6.2.2 CGCS Specific Regulatory Requirements Conformance 7.3.2.6.2.2.1 CGCS Conformance to Regulatory Guides 7.3.2.6.2.2.1.1 CGCS - Regulatory Guide 1.7 (1978) - Control of Combustible Gas Concentrations in Containment Following a Loss-of-Coolant Accident See Section 6.2.5.4 for discussion of this regulatory guide.

7.3.2.6.2.2.1.2 CGCS - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)

Actuation devices are periodically tested in accordance with the requirements of the maintenance program and the Technical Requirements Manual (TRM).

7.3.2.6.2.2.1.3 CGCS - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems The CGCS is manually actuated and cannot be bypassed. A light for each recombiner in the control room indicates system readiness. The light is extinguished if a recombiner is taken out-of-service.

7.3.2.6.2.2.1.4 CGCS - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems Compliance with Regulatory Guide 1.53 (1973) is achieved by specifying, designing, and constructing the CGCS so that it meets the single failure criterion as described in paragraph 4.2 of IEEE 279 (1971).

7.3.2.6.2.2.1.5 CGCS - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions Controls are provided in the control room to manually initiate the recombiners.

7.3.2.6.2.2.1.6 CGCS - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems The electrical separation criteria and degree of conformance to Regulatory Guide 1.75 (1975) are discussed in Sections 7.1.2.2.3 and 8.1.6.1.14.

7.3.2.6.2.2.1.7 CGCS - Regulatory Guide 1.97 (1980) - Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident CHAPTER 07 7.3-151 REV. 19, SEPTEMBER 2018

LGS UFSAR See Section 7.5.2.5.1.1.2 for discussion of the degree of conformance.

7.3.2.6.2.2.1.8 CGCS - Regulatory Guide 1.100 (1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants See Section 3.10.2.1.1 for a discussion of Regulatory Guide 1.100 (1977).

7.3.2.6.2.2.1.9 CGCS - Regulatory Guide 1.105 (1976) - Instrument Setpoints See Section 7.1.2.5.25 for discussion of the degree of conformance.

7.3.2.6.2.2.1.10 CGCS - Regulatory Guide 1.118 (1978) - Periodic Testing of Electric Power and Protection Systems See Section 7.1.2.5.26 for discussion of the degree of conformance.

7.3.2.6.2.2.2 CGCS Conformance to 10CFR50, Appendix A, General Design Criteria 7.3.2.6.2.2.2.1 CGCS - GDC 1 - Quality Standards and Records The CGCS is designed and built in accordance with an established quality assurance program.

7.3.2.6.2.2.2.2 CGCS - GDC 2 - Design Bases for Protection Against Natural Phenomena The CGCS can withstand an SSE and function after the SSE.

7.3.2.6.2.2.2.3 CGCS - GDC 3 - Fire Protection The CGCS is designed to minimize the probability and effects of fire and explosions by using noncombustible and heat-resistant materials.

7.3.2.6.2.2.2.4 CGCS - GDC 4 - Environmental and Dynamic Effects Design Bases See Section 3.11 for environmental conditions and Section 3.10 for dynamic effects.

7.3.2.6.2.2.2.5 CGCS - GDC 13 - Instrumentation and Control Instrumentation is selected to operate within expected ranges required for the safety of the plant in all anticipated operational considerations. Controls are designed to maintain the system within expected operating ranges.

7.3.2.6.2.2.2.6 CGCS - GDC 19 - Control Room The CGCS can be controlled from the control room. Instrumentation is provided so that the operator can be assured of correct operation.

7.3.2.6.2.2.2.7 CGCS - GDC 21 - Protection System Reliability and Testability High functional reliability is implemented in the system design by redundant and separate recombiners. Each recombiner is capable of being tested during normal plant operation.

7.3.2.6.2.2.2.8 CGCS - GDC 22 - Protection System Independence CHAPTER 07 7.3-152 REV. 19, SEPTEMBER 2018

LGS UFSAR There are two redundant recombiners, physically and electrically separate. Operational tests, maintenance being performed, or failure of one unit does not affect the other in any way.

7.3.2.6.2.2.2.9 CGCS - GDC 23 - Protection System Failure Modes On a loss of power, valves in the system fail as-is. The blower and heaters are deactivated, effecting a system shutdown.

7.3.2.6.2.2.2.10 CGCS - GDC 24 - Separation of Protection and Control Systems See the discussion for GDC 22.

7.3.2.6.2.2.2.11 CGCS - GDC 29 - Protection Against Anticipated Operational Occurrences No anticipated operational occurrence can prevent this equipment from performing its safety function.

7.3.2.6.2.2.2.12 CGCS - GDC 56 - Primary Containment Isolation Instrument lines that penetrate containment conform to the requirements of Regulatory Guide 1.11 as discussed in Section 7.3.2.2.2.1.1.

7.3.2.6.2.2.3 CGCS Conformance to Industry Codes and Standards 7.3.2.6.2.2.3.1 CGCS - IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generation Systems Compliance of the CGCS with IEEE 279 (1971) is detailed below.

7.3.2.6.2.2.3.1.1 CGCS - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement The CGCS is manually initiated. The system safety function is adequately ensured by manual initiation.

7.3.2.6.2.2.3.1.2 CGCS - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion The hydrogen recombiners are fully redundant and physically and electrically separate; therefore, the system meets the single failure criterion.

7.3.2.6.2.2.3.1.3 CGCS - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules All safety-related components are selected on the basis of suitability for the application. A quality assurance program is required to be implemented.

7.3.2.6.2.2.3.1.4 CGCS - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification The CGCS safety-related controls and instrumentation have been qualified according to the requirements outlined in IEEE 323 (1971) as highlighted in Section 7.1.2.7.4. The qualifications that have been met are those identified in Sections 3.10 and 3.11. The parameters identified cover normal, abnormal, and accident environments, both inside and outside the drywell.

7.3.2.6.2.2.3.1.5 CGCS - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity CHAPTER 07 7.3-153 REV. 19, SEPTEMBER 2018

LGS UFSAR The CGCS meets the channel integrity objective by using the design features described in the other paragraphs of this section.

7.3.2.6.2.2.3.1.6 CGCS - IEEE 279 (1971), Paragraph 4.6 - Channel Independence The control, instrumentation, and power circuits to each recombiner are physically and electrically separated.

7.3.2.6.2.2.3.1.7 CGCS - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction The CGCS has no interaction with the plant control systems. Control room annunciator circuits taking input from this system are electrically isolated from the system and cannot impair its operability.

7.3.2.6.2.2.3.1.8 CGCS - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs The CGCS is manually initiated.

7.3.2.6.2.2.3.1.9 CGCS - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks Sensors can be checked by cross-checking from the control room between redundant instruments.

The sensors can be calibrated by introducing calibration gas to the sensors.

7.3.2.6.2.2.3.1.10 CGCS - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration The CGCS is capable of being tested during normal plant operation to verify that the system is capable of performing its intended function.

7.3.2.6.2.2.3.1.11 CGCS - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal from Operation The two recombiners are separate electrically and physically. Removal of a component for maintenance prevents the operation of one recombiner; however, the operation of the other is unaffected. The recombiners cannot be bypassed, because they are manually initiated.

7.3.2.6.2.2.3.1.12 CGCS - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses A light in the control room indicates the availability of each redundant package in the CGCS subsystem. The operator can manually initiate the available package. The CGCS is manually initiated and cannot be bypassed.

7.3.2.6.2.2.3.1.13 CGCS - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses An indicating light for each recombiner in the control room is lit if the recombiner is ready for operation. If the recombiner is removed from service for maintenance, the light goes out.

7.3.2.6.2.2.3.1.14 CGCS - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing CHAPTER 07 7.3-154 REV. 19, SEPTEMBER 2018

LGS UFSAR Access to the recombiners, power cabinets, and control panels is procedurally controlled by administrative means.

7.3.2.6.2.2.3.1.15 CGCS - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints This paragraph is not applicable to the CGCS.

7.3.2.6.2.2.3.1.16 CGCS - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once It Is Initiated The CGCS, once initiated, operates until stopped by the operator.

7.3.2.6.2.2.3.1.17 CGCS - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation The CGCS is manually initiated.

7.3.2.6.2.2.3.1.18 CGCS - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration, and Test Points Access to the recombiners, power cabinets, and control panels is procedurally controlled by administrative procedures.

7.3.2.6.2.2.3.1.19 CGCS - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions The status of each recombiner is shown by indicating lights in the control room.

7.3.2.6.2.2.3.1.20 CGCS - IEEE 279 (1971), Paragraph 4.20 - Information Readout The information readout provides information so that the operator can be assured of correct operation. Instrumentation is described in Sections 7.3.1.1.6.1.2.12.2 and 7.5.

7.3.2.6.2.2.3.1.21 CGCS - IEEE 279 (1971), Paragraph 4.21 - System Repair The recognition and location of failed components is accomplished during periodic testing. The control logic is not complex, so that locating failed components is straightforward. The components are mounted so as to facilitate removal and replacement.

7.3.2.6.2.2.3.1.22 CGCS - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems The control cabinets and power cabinets are identified with nameplates that distinctively identify them as being a safety system. Cables and cable trays are identified by a color code and tags that identify them as being a separation channel.

7.3.2.6.2.2.3.2 CGCS - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations See Section 8.3.2.2.1.12 for a discussion of IEEE 308 (1974).

7.3.2.6.2.2.3.3 CGCS - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electric Equipment for Nuclear Power Generating Stations See Section 7.1.2.7.4.

CHAPTER 07 7.3-155 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.6.2.2.3.4 CGCS - IEEE 338 (1975) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems See Section 7.1.2.7.6.

7.3.2.6.2.2.3.5 CGCS - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations See Section 7.1.2.7.7 for seismic qualification.

7.3.2.6.2.2.3.6 CGCS - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems The single failure criterion of IEEE 379 (1972) is met as described in Section 7.3.2.6.2.2.3.1.2.

7.3.2.6.2.2.3.7 CGCS - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits Refer to section 7.1.2.7.11 for the degree of conformance.

7.3.2.6.3 CAC Additional Design Considerations Analyses As defined in Regulatory Guide 1.70, paragraph 7.3.2, the following considerations are addressed:

a. Loss of the plant instrument air system does not prevent the CAC system from performing its protective function.
b. Loss of cooling water to any single piece of vital equipment does not prevent the CAC system from performing its protective function.

7.3.2.7 Standby Gas Treatment System - Instrumentation and Controls 7.3.2.7.1 SGTS General Functional Requirements Conformance The SGTS is designed with sufficient capacity and redundancy so that a single active or passive electrical or control component failure does not prevent the system from performing its safety-related functions. The SGTS is automatically initiated by the REIS or RAIS. See Section 7.1.2.1.26.1 for the safety design basis and Sections 7.3.2.9 and 7.3.2.17 for additional details.

7.3.2.7.2 SGTS Specific Regulatory Requirements Conformance 7.3.2.7.2.1 SGTS Conformance to Regulatory Guides 7.3.2.7.2.1.1 SGTS - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)

The SGTS can be manually initiated and is capable of being tested during normal plant operation.

Hand switches located in the control room allow periodic testing of emergency fans in accordance with the requirements of Chapter 16.

7.3.2.7.2.1.2 SGTS - Regulatory Guide 1.29 (1978) - Seismic Design Classification The SGTS complies with this regulatory guide as discussed in Section 3.2.

CHAPTER 07 7.3-156 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.7.2.1.3 SGTS - Regulatory Guide 1.30 (1972) - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment (Safety Guide 30)

See Section 8.1.6.1.5 and Chapter 17.

7.3.2.7.2.1.4 SGTS - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems The fan motor status and fan system trouble annunciator in the control room provide the required information.

7.3.2.7.2.1.5 SGTS - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems Compliance with Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the SGTS to meet the single failure criterion, section 4.2 of IEEE 279 (1971) and IEEE 379 (1972).

Redundant sensors and wiring are separated. The logic components and wiring are separated to ensure that a failure in a sensing element or the decision logic or an actuator does not affect its redundant counterpart and prevent protective action. Separate channels are employed so that a fault affecting one channel does not prevent the redundant channel from operating properly.

7.3.2.7.2.1.6 SGTS - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions Controls are provided in the main control room to manually initiate the SGTS.

7.3.2.7.2.1.7 SGTS - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems See Section 8.1.6.1.14 for compliance with this regulatory guide.

7.3.2.7.2.1.8 SGTS - Regulatory Guide 1.89 (1974) - Qualification of Class 1E Equipment for Nuclear Power Plants The qualification of Class 1E equipment for the SGTS is discussed in Section 8.1.6.1.16.

7.3.2.7.2.1.9 SGTS - Regulatory Guide 1.97 (1980) - Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident Conformance is discussed in Section 7.5.2.5.1.1.2.

7.3.2.7.2.1.10 SGTS - Regulatory Guide 1.100 (1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants Conformance with this regulatory guide is covered by Section 3.10.

7.3.2.7.2.1.11 SGTS - Regulatory Guide 1.105 (1976) - Instrument Setpoints Instrument setpoints are selected to allow for the inaccuracy of the instrument, uncertainties in the calibration, and instrumentation drift likely to occur between calibrations to ensure initiation of the SGTS in conjunction with the isolation of the reactor enclosure or the refueling area before the uncontrolled release of airborne contaminates to the atmosphere.

CHAPTER 07 7.3-157 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.7.2.1.12 SGTS - Regulatory Guide 1.118 (1978) - Periodic Testing of Electric Power and Protection Systems See Section 7.1.2.5.26.

7.3.2.7.2.2 SGTS Conformance to 10CFR50, Appendix A, General Design Criteria 7.3.2.7.2.2.1 SGTS - GDC 1 - Quality Standards and Records The SGTS is included in an established quality assurance program discussed in Section 7.1.2.6 and Chapter 17.

7.3.2.7.2.2.2 SGTS - GDC 2 - Design Bases for Protection Against Natural Phenomena See Section 7.1.2.6.

7.3.2.7.2.2.3 SGTS - GDC 3 - Fire Protection See Section 7.1.2.6.

7.3.2.7.2.2.4 SGTS - GDC 4 - Environmental and Dynamic Effects Design Bases See Section 7.1.2.6.

7.3.2.7.2.2.5 SGTS - GDC 5 - Sharing of Structures, Systems, and Components The SGTS is common to LGS Units 1 and 2. There are two independent divisions that are each capable of providing 100% exhaust requirements to maintain either Unit 1 and/or 2 reactor enclosure and/or refueling area at a negative pressure. Therefore, sharing this system does not impair its ability to perform its safety function. The SGTS maintains the reactor enclosures and/or the refueling area at a negative pressure depending on the signal received as discussed in Section 6.5.1.1.

7.3.2.7.2.2.6 SGTS - GDC 13 - Instrumentation and Control Instrumentation for the SGTS is selected to monitor variables over anticipated ranges during normal and emergency operating conditions.

7.3.2.7.2.2.7 SGTS - GDC 20 - Protection System Functions See Section 7.3.2.7.1.

7.3.2.7.2.2.8 SGTS - GDC 21 - Protection System Reliability and Testability The SGTS is designed with redundancy and separation so that a single failure does not result in the loss of the protective function. The system is capable of being tested during normal plant operation.

7.3.2.7.2.2.9 SGTS - GDC 22 - Protection System Independence CHAPTER 07 7.3-158 REV. 19, SEPTEMBER 2018

LGS UFSAR The components of the SGTS are designed so that the thermal environment resulting from any potential accident in which the components are required to function does not interfere with that function. The controls for the two SGTS divisions are electrically and physically separated so that a single failure does not result in the loss of both divisions. Power for the components of each division is provided from separate Class 1E power sources.

7.3.2.7.2.2.10 SGTS - GDC 23 - Protection System Failure Modes Each SGTS division is designed to fail in a safe state, permitting its redundant division to operate.

7.3.2.7.2.2.11 SGTS - GDC 24 - Separation of Protection and Control Systems The control system for the SGTS does not interact with the plant control systems.

7.3.2.7.2.2.12 SGTS - GDC 29 - Protection Against Anticipated Operational Occurrences The high functional reliability of the SGTS is achieved through system redundancy, physical and electrical independence, fail-safe design, and inservice testability and equipment suitable for normal and accident environments.

7.3.2.7.2.2.13 SGTS - GDC 60 - Control of Releases of Radioactive Materials to the Environment The SGTS maintains the reactor enclosures and/or refueling area at a negative pressure with respect to outdoor atmospheric pressure during isolation. This prevents the uncontrolled exfiltration of air within the secondary containment to the environment.

7.3.2.7.2.3 SGTS Conformance to Industry Codes and Standards 7.3.2.7.2.3.1 SGTS - IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Stations Compliance of the SGTS with IEEE 279 (1971) is detailed below.

7.3.2.7.2.3.1.1 SGTS - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement The SGTS is an automatically initiated system as discussed in Section 7.3.2.7.1.

7.3.2.7.2.3.1.2 SGTS - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion The SGTS consists of redundant exhaust fans, filter trains, isolation valves, and independent sets of controls and power that meet the single failure criterion.

7.3.2.7.2.3.1.3 SGTS - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules All safety-related components are selected on the basis of suitability for the specific application. A quality control and assurance program is required to be implemented and documented by equipment vendors, which complies with the requirements set forth in 10CFR50, Appendix B.

7.3.2.7.2.3.1.4 SGTS - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification See Section 3.11 for a discussion of equipment qualification.

7.3.2.7.2.3.1.5 SGTS - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity CHAPTER 07 7.3-159 REV. 19, SEPTEMBER 2018

LGS UFSAR The SGTS meets the channel integrity by using the design features described in the other paragraphs of this section.

7.3.2.7.2.3.1.6 SGTS - IEEE 279 (1971), Paragraph 4.6 - Channel Independence The control and power circuits for each SGTS component are physically and electrically separated.

7.3.2.7.2.3.1.7 SGTS - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction The SGTS has no interaction with other plant control systems. Annunciator circuits using contacts at sensor and logic relays cannot impair the operability of the SGTS control because of electrical isolation.

7.3.2.7.2.3.1.8 SGTS - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs Initiation of the SGTS is derived from conditions discussed in Section 7.3.2.7.1.

7.3.2.7.2.3.1.9 SGTS - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks The SGTS can be tested for operational availability as discussed in Section 7.3.1.1.7.10.

7.3.2.7.2.3.1.10 SGTS - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration The SGTS is capable of being tested during normal plant operation to verify that the system is capable of performing its intended function.

7.3.2.7.2.3.1.11 SGTS - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal from Operation A channel bypass or removal of a component of an initiation circuit channel does not prevent the SGTS itself from complying with the single failure criterion.

7.3.2.7.2.3.1.12 SGTS - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses SGTS bypasses are discussed in Section 7.3.1.1.7.6.

7.3.2.7.2.3.1.13 SGTS - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses Each of the bypasses described in Section 7.3.1.1.7.6 is automatically indicated in the control room. In addition, each of these bypasses initiates a system out-of-service annunciator.

7.3.2.7.2.3.1.14 SGTS - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing Manual bypass of initiating circuits is procedurally controlled by administrative means.

7.3.2.7.2.3.1.15 SGTS - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints CHAPTER 07 7.3-160 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.7.2.3.1.16 SGTS - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once It Is Initiated Once the SGTS is initiated it continues to operate until the operator terminates system operation by manual override.

7.3.2.7.2.3.1.17 SGTS - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation A single failure in the control system of a division of the SGTS cannot disable the automatic or manual operation of the other SGTS division.

7.3.2.7.2.3.1.18 SGTS - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration, and Test Points Access to pressure differential setpoints is restricted by administrative control. See Section 11.5 for access to radiation monitoring setpoints.

7.3.2.7.2.3.1.19 SGTS - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions System operation is indirectly indicated and identified by high radiation and low pressure differential alarms.

7.3.2.7.2.3.1.20 SGTS - IEEE 279 (1971), Paragraph 4.20 - Information Readout The information readout for the SGTS is described in Section 7.3.1.1.7.12.2.

7.3.2.7.2.3.1.21 SGTS - IEEE 279 (1971), Paragraph 4.21 - System Repair The recognition and location of failed components is accomplished during periodic testing.

7.3.2.7.2.3.1.22 SGTS - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems Each logic cabinet and control panel is distinctively identified with a nameplate that identifies the safety system. Cables and cable trays are identified by a color code and tags that identify them as being of a separate channel.

7.3.2.7.2.3.2 SGTS - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations See Section 8.3.2.2.1.12.

7.3.2.7.2.3.3 SGTS - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electric Equipment for Nuclear Power Generating Stations See Section 7.1.2.7.4.

7.3.2.7.2.3.4 SGTS - IEEE 336 (1971) - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Station The requirements of this standard have been met by the quality assurance program for construction of safety-related items.

CHAPTER 07 7.3-161 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.7.2.3.5 SGTS - IEEE 338 (1975) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems See Section 7.1.2.7.6.

7.3.2.7.2.3.6 SGTS - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations See Section 7.1.2.7.7.

7.3.2.7.2.3.7 SGTS - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems The single failure criterion of IEEE 379 (1972) is met as described in Section 7.3.2.7.2.3.1.2.

7.3.2.7.2.3.8 SGTS - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits See Section 7.1.2.7.11.

7.3.2.8 Reactor Enclosure Recirculation System - Instrumentation and Controls 7.3.2.8.1 RERS General Functional Requirements Conformance The RERS is designed with sufficient capacity and redundancy so that a single active or passive electrical or control component failure does not prevent the system from performing its safety-related functions. The RERS is automatically initiated by the REIS. See Section 7.1.2.1.25.1 for the safety design basis and Section 7.3.2.9.1 for additional details.

7.3.2.8.2 RERS Specific Regulatory Requirements Conformance 7.3.2.8.2.1 RERS Conformance to Regulatory Guides 7.3.2.8.2.1.1 RERS - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)

The RERS can be manually initiated and is capable of being tested during normal plant operation.

Hand switches located in the control room are provided for periodic testing of the recirculation fans in accordance with the requirements of Chapter 16.

7.3.2.8.2.1.2 RERS - Regulatory Guide 1.29 (1978) - Seismic Design Classification The RERS complies with the regulatory guide as discussed in Section 3.2.

7.3.2.8.2.1.3 RERS - Regulatory Guide 1.30 (1972) - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment (Safety Guide 30)

See Section 8.1.6.1.5 and Chapter 17.

7.3.2.8.2.1.4 RERS - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indications for Nuclear Power Plant Safety Systems The fan motor status and filter status information meets the intent of the regulatory guide.

CHAPTER 07 7.3-162 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.8.2.1.5 RERS - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems Compliance with Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the RERS to meet the single failure criterion, section 4.2 of IEEE 279 (1971) and IEEE 379 (1972).

Redundant sensors and wiring are separated. The logic components and wiring are separated to ensure that a failure in a sensing element, the decision logic, or an actuator does not affect its redundant counterpart and prevent protective action. Separate channels are employed so that a fault affecting one channel does not prevent the redundant channel from operating properly.

7.3.2.8.2.1.6 RERS - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions Controls are provided in the main control room to manually initiate the RERS.

7.3.2.8.2.1.7 RERS - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems See Section 8.1.6.1.14 for compliance with this regulatory guide.

7.3.2.8.2.1.8 RERS - Regulatory Guide 1.89 (1974) - Qualification of Class 1E Equipment for Nuclear Power Plants The qualification of Class 1E equipment for the RERS is discussed in Section 8.1.6.1.16.

7.3.2.8.2.1.9 RERS - Regulatory Guide 1.100 (1978) - Seismic Qualification of Electric Equipment for Nuclear Power Plants Conformance with this regulatory guide is covered by Section 3.10.

7.3.2.8.2.1.10 RERS - Regulatory Guide 1.105 (1976) - Instrument Setpoints The RERS response time is limited by diesel loading criteria rather than instrument error and setpoints.

7.3.2.8.2.1.11 RERS - Regulatory Guide 1.118 (1978) - Periodic Testing of Electric Power and Protection Systems See Section 7.1.2.5.26.

7.3.2.8.2.2 RERS Conformance to 10CFR50, Appendix A, General Design Criteria 7.3.2.8.2.2.1 RERS - GDC 1 - Quality Standards and Records The RERS is included in an established quality assurance program discussed in Section 7.1.2.6 and Chapter 17.

7.3.2.8.2.2.2 RERS - GDC 2 - Design Bases for Protection Against Natural Phenomena See Section 7.1.2.6.

7.3.2.8.2.2.3 RERS - GDC 3 - Fire Protection See Section 7.1.2.6.

CHAPTER 07 7.3-163 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.8.2.2.4 RERS - GDC 4 - Environmental and Dynamic Effects Design Bases See Section 7.1.2.6.

7.3.2.8.2.2.5 RERS - GDC 13 - Instrumentation and Control Instrumentation for the RERS is selected to monitor variables over anticipated ranges during normal and emergency operating conditions.

7.3.2.8.2.2.6 RERS - GDC 20 - Protection System Functions See Section 7.3.2.8.1.

7.3.2.8.2.2.7 RERS - GDC 21 - Protection System Reliability and Testability The RERS is designed with redundancy and separation so that a single failure does not result in the loss of the protective function. The system is capable of being tested during normal plant operation.

7.3.2.8.2.2.8 RERS - GDC 22 - Protection System Independence The components of the RERS are designed so that the thermal environment resulting from any potential accident conditions in which the components are required to function does not interfere with that function. The controls for the two RERS divisions are electrically and physically separated so that a single failure does not result in the loss of both divisions. Power for the components of each division is provided from separate Class 1E power sources.

7.3.2.8.2.2.9 RERS - GDC 23 - Protection System Failure Modes Each RERS division is designed such that a failure in one division will not prevent the redundant division from providing the necessary recirculation and filtration.

7.3.2.8.2.2.10 RERS - GDC 24 - Separation of Protection and Control Systems The control system for the RERS does not interact with the plant control systems.

7.3.2.8.2.2.11 RERS - GDC 29 - Protection Against Anticipated Operational Occurrences The high functional reliability of the RERS is achieved through system redundancy, physical and electrical independence, fail-safe design, inservice testability, and equipment suitable for normal and accident environments.

7.3.2.8.2.2.12 RERS - GDC 60 - Control of Releases of Radioactive Materials to the Environment The RERS filters and mixes the air within the reactor enclosure during isolation.

7.3.2.8.2.3 RERS Conformance to Industry Codes and Standards 7.3.2.8.2.3.1 RERS - IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Stations Compliance of the RERS with IEEE 279 (1971) is detailed below.

CHAPTER 07 7.3-164 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.8.2.3.1.1 RERS - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement The RERS is an automatically initiated system as discussed in Section 7.3.2.8.1.

7.3.2.8.2.3.1.2 RERS - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion The RERS consists of redundant recirculation fans, filter trains, isolation valves, and independent sets of controls and power that meet the single failure criterion.

7.3.2.8.2.3.1.3 RERS - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules All safety-related components are selected on the basis of suitability for the specific application. A quality control and assurance program is required to be implemented and documented by equipment vendors, which complies with the requirements set forth in 10CFR50, Appendix B.

7.3.2.8.2.3.1.4 RERS - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification See Section 3.11 for a discussion of equipment qualification.

7.3.2.8.2.3.1.5 RERS - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity The RERS meets the channel integrity objective by using the design features described in the other paragraphs of this section.

7.3.2.8.2.3.1.6 RERS - IEEE 279 (1971), Paragraph 4.6 - Channel Independence The control and power circuits for each RERS component are physically and electrically separated.

7.3.2.8.2.3.1.7 RERS - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction The RERS has no interaction with other plant control systems. Annunciator circuits using contacts at sensor and logic relays cannot impair the operability of the RERS control because of electrical isolation.

7.3.2.8.2.3.1.8 RERS - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs Initiation of the RERS is derived from conditions discussed in Section 7.3.2.8.1.

7.3.2.8.2.3.1.9 RERS - IEEE 279 (1971), Paragraph 4.9 - Capability of Sensor Checks The RERS can be tested for operational availability as described in Section 7.3.1.1.8.10.

7.3.2.8.2.3.1.10 RERS - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration The RERS is capable of being tested during normal plant operation to verify that the system is capable of performing its intended function.

CHAPTER 07 7.3-165 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.8.2.3.1.11 RERS - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal from Operation A channel bypass or removal of a component of an initiation circuit channel does not prevent the RERS itself from complying with the single failure criterion.

7.3.2.8.2.3.1.12 RERS - IEEE 279 (1971), Paragraph 4.12 - Operation Bypasses RERS bypasses are discussed in Section 7.3.1.1.8.6.

7.3.2.8.2.3.1.13 RERS - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses Each of the bypasses described in Section 7.3.1.1.8.6 is automatically indicated in the control room. In addition, each of these bypasses initiates a system out-of-service annunciator.

7.3.2.8.2.3.1.14 RERS - IEEE 279 (1971) - Paragraph 4.14 - Access to Means for Bypassing Manual bypass of initiating circuits is procedurally controlled by administrative means.

7.3.2.8.2.3.1.15 RERS - IEEE 279 (1971) - Paragraph 4.15 - Multiple Setpoints The RERS radiation detectors are designed to allow the adjustment of trip setpoints to more stringent settings if required.

7.3.2.8.2.3.1.16 RERS - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once It Is Initiated Once the RERS is initiated, it continues to operate until the operator terminates system operation by manual override.

7.3.2.8.2.3.1.17 RERS - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation A single failure in the control system of a division of the RERS cannot disable the automatic or manual operation of the other RERS division.

7.3.2.8.2.3.1.18 RERS - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration, and Test Points See Section 11.5 for access to radiation monitoring setpoints.

7.3.2.8.2.3.1.19 RERS - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions System operation is indirectly indicated and identified by high radiation alarms.

7.3.2.8.2.3.1.20 RERS - IEEE 279 (1971), Paragraph 4.20 - Information Readout The information readout for the RERS is described in Section 7.3.1.1.8.12.2.

7.3.2.8.2.3.1.21 RERS - IEEE 279 (1971), Paragraph 4.21 - System Repair The recognition and location of failed components is accomplished during periodic testing.

CHAPTER 07 7.3-166 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.8.2.3.1.22 RERS - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems Each logic cabinet and control panel is distinctively identified with a nameplate that identifies the safety system. Cables and cable trays are identified by a color code and tags that identify them as being of a separate channel.

7.3.2.8.2.3.2 RERS - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations See Section 8.3.2.2.1.12.

7.3.2.8.2.3.3 RERS - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electric Equipment for Nuclear Power Generating Stations See Section 7.1.2.7.4.

7.3.2.8.2.3.4 RERS - IEEE 336 (1971) - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations The requirements of this standard have been met by the quality assurance program for construction for safety-related items.

7.3.2.8.2.3.5 RERS - IEEE 338 (1975) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems See Section 7.1.2.7.6.

7.3.2.8.2.3.6 RERS - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations See Section 7.1.2.7.7.

7.3.2.8.2.3.7 RERS - IEEE 379 (1972) - Guide for the Application of Single Failure Criterion to Nuclear Power Generating Station Protection Systems The single failure criterion of IEEE 379 (1972) is met as described in Section 7.3.2.8.2.3.1.2.

7.3.2.8.2.3.8 RERS - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits See Section 7.1.2.7.11.

7.3.2.9 Reactor Enclosure Isolation System - Instrumentation and Controls 7.3.2.9.1 REIS General Functional Requirements Conformance The REIS is designed with sufficient capacity and redundancy so that a single active or passive electrical or control component failure does not prevent the system from performing its safety-related functions. The REIS is automatically initiated by detection of high radiation in the reactor enclosure exhaust ducts, low pressure differential between the reactor enclosure and the atmosphere, and/or a LOCA signal. See Section 7.1.2.1.39.1 for the safety design basis and Section 11.5 for information on radiation detectors.

CHAPTER 07 7.3-167 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.9.2 REIS Specific Regulatory Requirements Conformance 7.3.2.9.2.1 REIS Conformance to Regulatory Guides 7.3.2.9.2.1.1 REIS - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Function (Safety Guide 22)

The REIS can be manually initiated and is capable of being tested during normal plant operation.

Hand switches located in the control room allow periodic testing of the isolation valves in accordance with the requirements of Chapter 16.

7.3.2.9.2.1.2 REIS - Regulatory Guide 1.29 (1978) - Seismic Design Classification The REIS complies with this regulatory guide as discussed in Section 3.2.

7.3.2.9.2.1.3 REIS - Regulatory Guide 1.30 (1972) - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment (Safety Guide 30)

See Section 8.1.6.1.5 and Chapter 17.

7.3.2.9.2.1.4 REIS - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems The isolation system armed, initiation, and isolation incomplete alarms meet the intent of this regulatory guide.

7.3.2.9.2.1.5 REIS - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems Compliance with Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the REIS to meet the single failure criterion, section 4.2 of IEEE 279 (1971) and IEEE 379 (1972).

Redundant sensors and wiring are separated. The logic components and wiring are separated to ensure that a failure in a sensing element, the decision logic, or an actuator does not affect its redundant counterpart and prevent protective action. Separate channels are employed so that a fault affecting one channel does not prevent the redundant channel from operating properly.

7.3.2.9.2.1.6 REIS - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions Controls are provided in the main control room to manually initiate the REIS.

7.3.2.9.2.1.7 REIS - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems See Section 8.1.6.1.14 for compliance with this regulatory guide.

7.3.2.9.2.1.8 REIS - Regulatory Guide 1.89 (1974) - Qualification of Class 1E Equipment for Nuclear Power Plants The qualification of Class 1E equipment for the REIS is discussed in Section 8.1.6.1.16.

CHAPTER 07 7.3-168 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.9.2.1.9 REIS - Regulatory Guide 1.100 (1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants Conformance with this regulatory guide is covered by Section 3.10.

7.3.2.9.2.1.10 REIS - Regulatory Guide 1.105 (1976) - Instrument Setpoints To ensure initiation of the REIS in conjunction with the SGTS to prevent the uncontrolled release of airborne contaminants to the atmosphere, instrument setpoints are selected to allow for the inaccuracy of the instrument, uncertainties in the calibration, and instrumentation drift likely to occur between calibrations. Refer to Chapter 16 for safety setpoints.

7.3.2.9.2.1.11 REIS - Regulatory Guide 1.118 (1978) - Periodic Testing of Electric Power and Protection Systems See Section 7.1.2.5.26.

7.3.2.9.2.2 REIS Conformance to 10CFR50, Appendix A, General Design Criteria 7.3.2.9.2.2.1 REIS - GDC 1 - Quality Standards and Records The REIS is included in an established quality assurance program discussed in Section 7.1.2.6 and Chapter 17.

7.3.2.9.2.2.2 REIS - GDC 2 - Design Bases for Protection Against Natural Phenomena See Section 7.1.2.6.

7.3.2.9.2.2.3 REIS - GDC 3 - Fire Protection See Section 7.1.2.6.

7.3.2.9.2.2.4 REIS - GDC 4 - Environmental and Dynamic Effects Design Bases See Section 7.1.2.6.

7.3.2.9.2.2.5 REIS - GDC 13 - Instrumentation and Control Instrumentation for the REIS is selected to monitor variables over anticipated ranges during normal and emergency operating conditions.

7.3.2.9.2.2.6 REIS - GDC 20 - Protection System Functions See Section 7.3.2.9.1.

7.3.2.9.2.2.7 REIS - GDC 21 - Protection System Reliability and Testability The REIS is designed with redundancy and separation so that a single failure does not result in the loss of the protective function. The system is capable of being tested during normal plant operation.

CHAPTER 07 7.3-169 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.9.2.2.8 REIS - GDC 22 - Protection System Independence The components of the REIS are designed so that the thermal environment resulting from any potential accident conditions in which the components are required to function does not interfere with that function. The controls for the two REIS divisions are electrically and physically separated so that a single failure does not result in the loss of both divisions. Power for the components of each division is provided from separate Class 1E power sources.

7.3.2.9.2.2.9 REIS - GDC 23 - Protection System Failure Modes Each REIS division is designed to fail in a safe state, permitting its redundant division to provide isolation.

7.3.2.9.2.2.10 REIS - GDC 24 - Separation of Protection and Control Systems The control system for the REIS does not interact with the plant control systems.

7.3.2.9.2.2.11 REIS - GDC 29 - Protection Against Anticipated Operational Occurrences The high functional reliability of the REIS is achieved through system redundancy, physical and electrical independence, fail-safe design, inservice testability, and equipment suitable for normal and accident environments.

7.3.2.9.2.2.12 REIS - GDC 60 - Control of Releases of Radioactive Materials to the Environment The REIS isolates the reactor enclosure from the environment to prevent uncontrolled exfiltration of air to the environment.

7.3.2.9.2.3 REIS Conformance to Industry Codes and Standards 7.3.2.9.2.3.1 REIS - IEEE 279 (1971) - Criteria for Protection for Nuclear Power Generating Stations Compliance of the REIS with IEEE 279 (1971) is detailed below.

7.3.2.9.2.3.1.1 REIS - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement The REIS is an automatically initiated system as discussed in Section 7.3.2.9.1.

7.3.2.9.2.3.1.2 REIS - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion The REIS consists of redundant sets of isolation valves and independent sets of controls and power that meet the single failure criterion.

7.3.2.9.2.3.1.3 REIS - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules All safety-related components are selected on the basis of suitability for the specific application. A quality control and assurance program is required to be implemented and documented by equipment vendors, which complies with the requirements set forth in 10CFR50, Appendix B.

7.3.2.9.2.3.1.4 REIS - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification See Section 3.11 for a discussion of equipment qualification.

CHAPTER 07 7.3-170 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.9.2.3.1.5 REIS - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity The REIS meets the channel integrity objective by using the design features described in the other paragraphs of this section.

7.3.2.9.2.3.1.6 REIS - IEEE 279 (1971), Paragraph 4.6 - Channel Independence The control and power circuits for each REIS component are physically and electrically separated.

7.3.2.9.2.3.1.7 REIS - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction The REIS has no interaction with other plant control systems. Annunciator circuits using contact at sensor and logic relays cannot impair the operability of the REIS control because of electrical isolation.

7.3.2.9.2.3.1.8 REIS - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs Initiation of the REIS is derived from conditions discussed in Section 7.3.2.9.1.

7.3.2.9.2.3.1.9 REIS - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks The REIS can be tested for operational availability as described in Section 7.3.1.1.9.10.

7.3.2.9.2.3.1.10 REIS - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration The REIS is capable of being tested during normal plant operation to verify that the system is capable of performing its intended function.

7.3.2.9.2.3.1.11 REIS - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal from Operation A channel bypass or removal of a component of an initiation circuit channel does not prevent the REIS itself from complying with the single failure criterion.

7.3.2.9.2.3.1.12 REIS - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses REIS bypasses are discussed in Section 7.3.1.1.9.6.

7.3.2.9.2.3.1.13 REIS - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses Each of the bypasses described in Section 7.3.1.1.9.6 is automatically indicated in the control room. In addition, each of these bypasses initiates a system out-of-service annunciator.

7.3.2.9.2.3.1.14 REIS - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing Manual bypass of initiating circuits is procedurally controlled by administrative means.

7.3.2.9.2.3.1.15 REIS - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints The REIS radiation detectors are designed to allow adjustment of trip setpoints to more stringent settings if required.

CHAPTER 07 7.3-171 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.9.2.3.1.16 REIS - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once It Is Initiated Once the REIS is initiated, it continues to operate until the operator terminates system operation by manual override.

7.3.2.9.2.3.1.17 REIS - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation A single failure in the control system of a division of the REIS cannot disable the automatic or manual operation of the other REIS division.

7.3.2.9.2.3.1.18 REIS - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration, and Test Points See Section 11.5 for access to radiation monitoring setpoints.

7.3.2.9.2.3.1.19 REIS - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions System operation is indirectly indicated and identified by high radiation alarms.

7.3.2.9.2.3.1.20 REIS - IEEE 279 (1971), Paragraph 4.20 - Information Readout The information readout for the REIS system is described in Section 7.3.1.1.9.12.2.

7.3.2.9.2.3.1.21 REIS - IEEE 279 (1971), Paragraph 4.21 - System Repair The recognition and location of failed components is accomplished during periodic testing.

7.3.2.9.2.3.1.22 REIS - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems Each logic cabinet and control panel is distinctively identified with a nameplate that identifies the safety system. Cables and cable trays are identified by a color code and tags that identify them as being of a separate channel.

7.3.2.9.2.3.2 REIS - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations See Section 8.3.2.2.1.12.

7.3.2.9.2.3.3 REIS - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electric Equipment for Nuclear Power Generating Stations See Section 3.11.2.

7.3.2.9.2.3.4 REIS - IEEE 336 (1971) - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations The requirements of this standard have been met by the quality assurance program for construction of safety-related items.

CHAPTER 07 7.3-172 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.9.2.3.5 REIS - IEEE 338 (1975) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems See Section 7.1.2.7.6.

7.3.2.9.2.3.6 REIS - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations See Section 3.10.

7.3.2.9.2.3.7 REIS - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems The single failure criterion of IEEE 379 (1972) is met as described in Section 7.3.2.9.2.3.1.2.

7.3.2.9.2.3.8 REIS - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits See Section 7.1.2.7.11.

7.3.2.10 Habitability and Control Room Isolation System - Instrumentation and Controls 7.3.2.10.1 HCRIS General Functional Requirements Conformance The HCRIS is designed with sufficient capacity and redundancy so that a single active or passive electrical or control component failure will not prevent the system from performing its safety-related functions. The HCRIS is automatically initiated by detection of either radiation or chlorine. See Section 7.1.2.1.14.1 for the safety design basis and Sections 9.4.1 and 6.4.1 for additional details.

7.3.2.10.2 HCRIS Specific Regulatory Requirements Conformance 7.3.2.10.2.1 HCRIS Conformance to Regulatory Guides 7.3.2.10.2.1.1 HCRIS - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)

The HCRIS can be manually initiated and is capable of being tested during normal plant operation.

Hand switches located in the control room allow periodic testing of the emergency fans in accordance with the requirements of Chapter 16.

7.3.2.10.2.1.2 HCRIS - Regulatory Guide 1.29 (1978) - Seismic Design Classification The HCRIS complies with this regulatory guide as discussed in Section 3.2.

7.3.2.10.2.1.3 HCRIS - Regulatory Guide 1.30 (1972) - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment (Safety Guide 30)

Refer to Section 8.1.6.1.5 and Chapter 17.

CHAPTER 07 7.3-173 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.10.2.1.4 HCRIS - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indications for Nuclear Power Plant Safety Systems The isolation system armed, initiation, and isolation incomplete alarms meet the intent of this regulatory guide.

7.3.2.10.2.1.5 HCRIS - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems Compliance with Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the HCRIS to meet the single failure criterion, section 4.2 of IEEE 279 (1971) and IEEE 379 (1972).

Redundant sensors and wiring are separated. The logic components and wiring are separated to ensure that a failure in a sensing element of the decision logic or an actuator will not affect its redundant counterpart and prevent protective action. Separate channels are employed so that a fault affecting one channel will not prevent the redundant channel from operating properly.

7.3.2.10.2.1.6 HCRIS - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions Controls are provided in the main control room to manually initiate the HCRIS.

7.3.2.10.2.1.7 HCRIS - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems Refer to Section 8.1.6.1.14 for compliance with this regulatory guide.

7.3.2.10.2.1.8 HCRIS - Regulatory Guide 1.89 (1974) - Qualification of Class 1E Equipment for Nuclear Power Plants The qualification of Class 1E equipment for the HCRIS is discussed in Section 8.1.6.1.16.

7.3.2.10.2.1.9 HCRIS - Regulatory Guide 1.100 (1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants Conformance with this regulatory guide is covered by Section 3.10.

7.3.2.10.2.1.10 HCRIS - Regulatory Guide 1.105 (1976) - Instrument Setpoints Instrument setpoints are selected to allow for the inaccuracy of the instrument, uncertainties in the calibration, and instrumentation drift likely to occur between calibrations to assure initiation of the HCRIS degradation of the control room environment. For safety setpoints, refer to Chapter 16.

7.3.2.10.2.1.11 HCRIS - Regulatory Guide 1.118 (1978) - Periodic Testing of Electric Power and Protection Systems Refer to Section 8.1.6.1.21.

7.3.2.10.2.2 HCRIS Conformance to 10CFR50, Appendix A, General Design Criteria 7.3.2.10.2.2.1 HCRIS - GDC 1 - Quality Standards and Records The HCRIS is included in an established quality assurance program described in Section 7.1.2.6 and Chapter 17.

CHAPTER 07 7.3-174 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.10.2.2.2 HCRIS - GDC 2 - Design Bases for Protection Against Natural Phenomena Refer to Section 7.1.2.6.

7.3.2.10.2.2.3 HCRIS - GDC 3 - Fire Protection Refer to Section 7.1.2.6.

7.3.2.10.2.2.4 HCRIS - GDC 4 - Environmental and Dynamic Effects Design Bases Refer to Section 7.1.2.6.

7.3.2.10.2.2.5 HCRIS - GDC 5 - Sharing of Structures, Systems, and Components The HCRIS and control room structure are common to LGS Units 1 and 2. There are two independent divisions of isolation valves, emergency supply fans and filter trains, each capable of providing a safe environment within the control room for the operators to safely shutdown both reactor units. The control room as well as HCRIS components are located inside the control structure, a safety-related structure designed to remain functional during and following the most severe natural phenomena. Hence, sharing of the HCRIS will not impair its ability to perform its safety function.

7.3.2.10.2.2.6 HCRIS - GDC 13 - Instrumentation and Control Instrumentation for the HCRIS is selected to monitor variables over anticipated ranges during normal and emergency operating conditions.

7.3.2.10.2.2.7 HCRIS - GDC 19 - Control Room Refer to Sections 3.1 and 7.1.2.6.10.

7.3.2.10.2.2.8 HCRIS - GDC 20 - Protection System Functions The HCRIS is automatically initiated by detection of chlorine or radiation in the control room air intake duct.

7.3.2.10.2.2.9 HCRIS - GDC 21 - Protection System Reliability and Testability The HCRIS is designed with redundancy and separation so that a single failure will not result in the loss of the protective function. The system is capable of being tested during normal plant operation.

7.3.2.10.2.2.10 HCRIS - GDC 22 - Protection System Independence The components of the HCRIS are designed so that the thermal environment resulting from any potential accident condition, in which the components are required to function, will not interfere with that function. The controls of the two HCRIS are electrically and physically separated so that a single failure will not result in the loss of both divisions. Power for the components of each division is provided from separate Class 1E power sources.

CHAPTER 07 7.3-175 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.10.2.2.11 HCRIS - GDC 23 - Protection System Failure Modes Each HCRIS division is designed to fail in a safe state permitting its redundant divisions to isolate and ventilate the control room.

7.3.2.10.2.2.12 HCRIS - GDC 24 - Separation of Protection and Control Systems The control system for the HCRIS does not interact with the plant control systems.

7.3.2.10.2.2.13 HCRIS - GDC 29 - Protection Against Anticipated Operational Occurrences The high functional reliability of the HCRIS is achieved through system redundancy, physical and electrical independence, fail-safe design, inservice testability, and equipment suitable for normal and accident environments.

7.3.2.10.2.3 HCRIS Conformance to Industry Codes and Standards 7.3.2.10.2.3.1 HCRIS - IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Stations Compliance of the HCRIS with IEEE 279 (1971) is detailed below.

7.3.2.10.2.3.1.1 HCRIS - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement The HCRIS is an automatically initiated system based upon chlorine or radiation detection in the control room intake duct as discussed in Section 6.4.1.

7.3.2.10.2.3.1.2 HCRIS - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion The HCRIS consists of redundant supply fans, filter trains, isolation valves, and independent sets of controls and power which meet the single failure criterion.

7.3.2.10.2.3.1.3 HCRIS - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules All safety-related components are selected on the basis of suitability for the specific application. A quality control and assurance program is required to be implemented and documented by equipment vendors, which complies with the requirements set forth in 10CFR50, Appendix B.

7.3.2.10.2.3.1.4 HCRIS - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification Refer to Section 3.11 for discussion of equipment qualification.

7.3.2.10.2.3.1.5 HCRIS - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity The HCRIS meets the channel integrity objective by utilizing the design features described in the other paragraphs of this section.

7.3.2.10.2.3.1.6 HCRIS - IEEE 279 (1971), Paragraph 4.6 - Channel Independence The control and power circuits for each HCRIS component are physically and electrically separated.

CHAPTER 07 7.3-176 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.10.2.3.1.7 HCRIS - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction The HCRIS has no interaction with other plant control systems. Annunciator circuits using contacts at sensor and logic relays cannot impair the operability of the HCRIS control because of electrical isolation.

7.3.2.10.2.3.1.8 HCRIS - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs Initiation of the HCRIS is derived from high chlorine or radiation signals from the control room air supply duct.

7.3.2.10.2.3.1.9 HCRIS - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks The HCRIS can be tested for operational availability as described in Section 7.3.1.1.10.10.

7.3.2.10.2.3.1.10 HCRIS - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration The HCRIS is capable of being tested during normal plant operation to verify that the system is capable of performing its intended function.

7.3.2.10.2.3.1.11 HCRIS - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal from Operation A channel bypass or removal of a component of an initiation circuit channel will not prevent the HCRIS from isolating the control room.

7.3.2.10.2.3.1.12 HCRIS - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses HCRIS bypasses are discussed in Section 7.3.1.1.10.6.

7.3.2.10.2.3.1.13 HCRIS - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses Each of the bypasses described in Section 7.3.1.1.10.6 are automatically indicated in the control room. In addition, each of these bypasses will initiate a system out-of-service annunciator.

7.3.2.10.2.3.1.14 HCRIS - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing Manual bypass of initiating circuits is procedurally controlled by administrative means.

7.3.2.10.2.3.1.15 HCRIS - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints The HCRIS radiation and chlorine detectors have been designed to allow adjustment of trip setpoints to more stringent settings if required.

7.3.2.10.2.3.1.16 HCRIS - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once It Is Initiated Once the HCRIS is initiated, it will continue to operate until the operator terminates system operation by manual override.

CHAPTER 07 7.3-177 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.10.2.3.1.17 HCRIS - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation A single failure in the control system of a division of the HCRIS cannot disable the automatic or manual operation of the other HCRIS divisions.

7.3.2.10.2.3.1.18 HCRIS - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration, and Test Points Access to radiation monitor setpoints is restricted by lock and key. Chlorine detectors have internal setpoints requiring deliberate action to adjust.

7.3.2.10.2.3.1.19 HCRIS - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions System operation is indirectly indicated and identified by high radiation, chlorine, or offsite toxic chemical concentration alarms.

7.3.2.10.2.3.1.20 HCRIS - IEEE 279 (1971), Paragraph 4.20 - Information Readout The information readout for the HCRIS is described in Section 7.3.1.1.10.12.2.

7.3.2.10.2.3.1.21 HCRIS - IEEE 279 (1971), Paragraph 4.21 - System Repair The recognition and location of failed components will be accomplished during periodic testing.

Calibration verification of the chlorine and radiation detectors can be performed at anytime by the use of built-in test circuits.

7.3.2.10.2.3.1.22 HCRIS - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems Each logic cabinet and control panel is distinctively identified with a nameplate which identifies the safety system. Cables and cable trays are identified by a color code and tags which identify them as being of a separate channel.

7.3.2.10.2.3.2 HCRIS - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations Refer to Section 8.3.2.2.1.12.

7.3.2.10.2.3.3 HCRIS - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electric Equipment for Nuclear Power Generating Stations Refer to Section 7.1.2.7.4.

7.3.2.10.2.3.4 HCRIS - IEEE 336 (1971) - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Station The requirements of this standard have been met by the quality assurance program for construction of safety-related items.

CHAPTER 07 7.3-178 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.10.2.3.5 HCRIS - IEEE 338 (1977) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems Refer to Section 7.1.2.7.6.

7.3.2.10.2.3.6 HCRIS - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Station Refer to Section 3.10.

7.3.2.10.2.3.7 HCRIS - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems The single failure criterion of IEEE 379 (1972) is met as described in Section 7.3.2.10.2.3.1.2.

7.3.2.10.2.3.8 HCRIS - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits Refer to Section 7.1.2.7.11.

7.3.2.11 Emergency Service Water System - Instrumentation and Controls 7.3.2.11.1 ESW General Functional Requirements Conformance The ESW system is designed with sufficient capacity and redundancy so that a single active failure cannot impair the capability of the system to perform its safety-related functions. The system is common to Units 1 and 2 and consists of two independent loops, with two 50% capacity pumps per loop.

Both loops are designed to provide 100% of the ESW requirements. The ESW pumps start automatically on diesel generator operation after speed, voltage, and bus breaker conditions are met.

The ESW system is designed to supply makeup water to the spent fuel pools. The ESW system has an intertie to the spent fuel pools which can be used to supply makeup water by opening the two normally closed manual valves.

7.3.2.11.2 ESW Specific Regulatory Requirements Conformance 7.3.2.11.2.1 ESW Conformance to Regulatory Guides 7.3.2.11.2.1.1 ESW - Regulatory Guide 1.6 (1971) - Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems (Safety Guide 6)

Refer to Section 8.3.2.2.1.7.

7.3.2.11.2.1.2 ESW - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)

ESW system actuation circuits can also be tested in conjunction with the periodic testing performed on the associated diesel generator. Testing of an ESW pump will in turn test the actuation circuits to the various loop valving. Bypass indication of the ESW control circuitry is provided in the main control room.

CHAPTER 07 7.3-179 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.11.2.1.3 ESW - Regulatory Guide 1.29 (1978) - Seismic Design Classification The ESW system complies with this regulatory guide as discussed in Section 3.2.

7.3.2.11.2.1.4 ESW - Regulatory Guide 1.32 (1977) - Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants Refer to Section 8.1.6.1.6.

7.3.2.11.2.1.5 ESW - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indications for Nuclear Power Plant Safety Systems The ESW system complies with this regulatory guide. See Section 7.3.1.1.11.12.2 for alarms.

7.3.2.11.2.1.6 ESW - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems Compliance with Regulatory Guide 1.53 (1973) is achieved by specifying, designing, and constructing the ESW system so that it meets the single failure criterion described in paragraph 4.2 of IEEE 279 (1971). The ESW system consists of two loops which have separate and independent sets of controls and power. Each loop consists of two pumps; all four pumps and controls are assigned to separate divisions. The controls for the ESW valves are assigned to various divisions such that a single active or passive electrical or control failure cannot disable a complete ESW loop. In cases where two valves are in series to shutoff a flow path, the valves are assigned to two different divisions. Likewise, in cases where two valves are used to provide redundant flow paths in a single loop, the valves are assigned to two different divisions.

7.3.2.11.2.1.7 ESW - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions Controls are provided in the main control room to manually initiate the ESW system.

7.3.2.11.2.1.8 ESW - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems The electrical separation criteria and degree of conformance to Regulatory Guide 1.75 (1975) are discussed in Sections 7.1.2.2.3 and 8.1.6.1.14.

7.3.2.11.2.1.9 ESW - Regulatory Guide 1.97 (1980) - Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident See Section 7.5.2.5.1.1.2 for a discussion of the degree of conformance.

7.3.2.11.2.1.10 ESW - Regulatory Guide 1.105 (1976) - Instrument Setpoints See Section 7.1.2.5.25 for discussion of the degree of conformance.

7.3.2.11.2.1.11 ESW - Regulatory Guide 1.118 (1978) - Periodic Testing of Electric Power and Protection Systems See Section 7.1.2.5.26 for a discussion of the degree of conformance.

7.3.2.11.2.2 ESW Conformance to 10CFR50 Appendix A, General Design Criteria CHAPTER 07 7.3-180 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.11.2.2.1 ESW - GDC 1 - Quality Standards and Records The equipment for ESW and supporting systems is included in an established quality assurance program as discussed in Section 7.1.2.6 and Chapter 17.

7.3.2.11.2.2.2 ESW - GDC 2 - Design Bases for Protection Against Natural Phenomena Refer to Section 7.1.2.6.

7.3.2.11.2.2.3 ESW - GDC 3 - Fire Protection The ESW system is designed to minimize the probability and the effects of fire and explosions by using noncombustible and heat-resistant materials. Refer to Section 9.5.1 for a discussion of the fire protection system.

7.3.2.11.2.2.4 ESW - GDC 4 - Environmental and Dynamic Effects Design Bases Environmental design is discussed in Section 3.11. Missile protection is discussed in Section 3.5.

7.3.2.11.2.2.5 ESW - GDC 5 - Sharing of Structures, Systems, and Components Refer to Section 3.1 for a general discussion.

The ESW system is common to both Units 1 and 2 and consists of two independent loops, each having two 50% capacity pumps. Both the A and B loops are designed to provide 100% of the ESW requirements for either unit during a LOOP or LOCA. ESW loop A and B pumps and piping are physically separated or protected such that no single event can render both loops inoperable.

Power is supplied from four independent divisions. Thus, sharing of the ESW system between Units 1 and 2 does not significantly impair the ability of the ESW system to perform its safety function.

7.3.2.11.2.2.6 ESW - GDC 13 - Instrumentation and Control Monitoring instrumentation is provided for the ESW system as detailed in Section 7.3.1.1.11.12.2 to provide the operator with information on the operation of the system.

7.3.2.11.2.2.7 ESW - GDC 19 - Control Room Instrumentation and controls for the ESW system are provided in the main control room.

Instrumentation and controls for one pump and cooling water loop are also provided in the remote shutdown panels. In addition, two of the redundant ESW pumps that are not operable from the remote shutdown panel can be operated using local controls.

7.3.2.11.2.2.8 ESW - GDC 20 - Protection System Functions The ESW system is automatically initiated on the starting of the diesel generators. The diesel generators are automatically started if a LOCA occurs as described in Section 8.3.

CHAPTER 07 7.3-181 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.11.2.2.9 ESW - GDC 21 - Protection System Reliability and Testability The ESW system is provided with redundancy and separation so that a single failure will not result in the loss of the protective function. The system is capable of being tested during normal plant operation.

7.3.2.11.2.2.10 ESW - GDC 22 - Protection System Independence The controls for the two ESW cooling water loops are electrically and physically separated so that a single failure will not result in the loss of both cooling water loops. Power for the components of the two cooling water loops is provided by separate Class 1E power sources.

7.3.2.11.2.2.11 ESW - GDC 23 - Protection System Failure Modes Refer to Section 9.2.2.

7.3.2.11.2.2.12 ESW - GDC 24 - Separation of Protection and Control Systems The control system for the ESW system does not interact with the plant control systems.

Annunciator circuits using contacts with sensors and logic relays cannot impair the operability of the ESW system control because of electrical isolation.

7.3.2.11.2.2.13 ESW - GDC 29 - Protection Against Anticipated Operational Occurrences The ESW system is designed to provide cooling water to the components described in Section 9.2.2. The system will start upon the starting of the diesel generators, the diesel generators will start if a LOOP or a LOCA occurs as described in Section 8.3.

7.3.2.11.2.3 ESW Conformance to Industry Codes and Standards 7.3.2.11.2.3.1 ESW - IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Stations Compliance of the ESW system with IEEE 279 (1971) is detailed as follows:

7.3.2.11.2.3.1.1 ESW - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement The ESW system is an automatically initiated system based upon a change in status of the components in the diesel generator system as described in Section 7.3.1.1.11.4.

7.3.2.11.2.3.1.2 ESW - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion The ESW system consists of two cooling water loops which have separate and independent sets of controls and power and meet the single failure criterion.

7.3.2.11.2.3.1.3 ESW - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules All safety-related components are selected on the basis of suitability for the specific application.

Furthermore, a quality control and assurance program is required to be implemented and documented by equipment vendors, which complies with the requirements set forth in 10CFR50, Appendix B.

CHAPTER 07 7.3-182 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.11.2.3.1.4 ESW - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification The ESW system safety-related controls and instrumentation have been qualified as per the requirements outlined in IEEE 323 (1971) as highlighted in Section 7.1.2.7.4. The conditions for which the equipment has been qualified are those identified in Sections 3.10 and 3.11. The environmental parameters identified cover normal, abnormal, and accident conditions both inside and outside the drywell.

7.3.2.11.2.3.1.5 ESW - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity The ESW system meets the channel integrity objective by utilizing the design features described in the other paragraphs of this section.

7.3.2.11.2.3.1.6 ESW - IEEE 279 (1971), Paragraph 4.6 - Channel Independence The control and power circuits for each pump and associated loop valving are physically and electrically separated. Divisional assignment is described in Section 7.3.1.1.11.4.

7.3.2.11.2.3.1.7 ESW - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction The ESW system has no interaction with other plant control systems. Annunciator circuits using contacts with sensors and logic relays cannot impair the operability of the ESW system control because of electrical isolation.

7.3.2.11.2.3.1.8 ESW - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs Initiation of the ESW system is derived from the status of the diesel generator system. The diesel generators are started on receipt of a LOOP or a LOCA signal. The starting of the diesel generators will in turn start the ESW system. The ESW system is not started concurrently with the diesel generators due to bus loading considerations.

7.3.2.11.2.3.1.9 ESW - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks The ESW system has no process sensors in the initiation circuits.

7.3.2.11.2.3.1.10 ESW - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration The ESW system is capable of being tested during normal plant operation to verify that the system is capable of performing its intended function. The pumps and loop valves can be tested in conjunction with the diesel generator tests.

7.3.2.11.2.3.1.11 ESW - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removed from Operation Channel bypass or removal of a component of an initiation circuit channel will inhibit one of the four divisions of the ESW system. Removal of a component will not affect the operation of the other three divisions.

7.3.2.11.2.3.1.12 ESW - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses ESW bypasses are described in Section 7.3.1.1.11.6.

CHAPTER 07 7.3-183 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.11.2.3.1.13 ESW - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses Each of the bypasses described in Section 7.3.1.11.1.6 is automatically indicated in the control room. In addition, each of these bypasses will initiate a system out-of-service annunciator.

7.3.2.11.2.3.1.14 ESW - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing Access to the switchgear, motor control centers and relay panels is procedurally controlled by administrative means.

7.3.2.11.2.3.1.15 ESW - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints This paragraph is not applicable to the ESW system.

7.3.2.11.2.3.1.16 ESW - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once It Is Initiated Once the system is initiated, it will continue to operate until stopped by the operator. However, it is noted that the system could be temporarily stopped for diesel generator loading considerations as discussed in Section 7.3.1.1.11.6.

7.3.2.11.2.3.1.17 ESW - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation A single failure in the control system of a division of the ESW system cannot impair the automatic or manual operation of the other ESW divisions.

7.3.2.11.2.3.1.18 ESW - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration, and Test Points ESW system controls do not contain safety-related process setpoints. Refer to Section 7.3.2.11.2.3.1.14 on access to ESW system controls.

7.3.2.11.2.3.1.19 ESW - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions Protective action indication is provided by indicating lights or the status of the system components.

Also, an annunciator is provided to alarm the automatic start of each of the four pumps.

7.3.2.11.2.3.1.20 ESW - IEEE 279 (1971), Paragraph 4.20 - Information Readout The information readout for the ESW system is described in Section 7.3.1.1.11.12.2.

7.3.2.11.2.3.1.21 ESW - IEEE 279 (1971), Paragraph 4.21 - System Repair The recognition and location of failed components can be accomplished during periodic testing.

The control logic is not complex so that location of failed components should be straight forward.

The components are mounted in such a manner as to facilitate removal and replacement.

7.3.2.11.2.3.1.22 ESW - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems Each logic cabinet and control panel is distinctively identified with a nameplate which identifies the safety system. Cables and cable trays are identified by a color code and tags which identify them as being of a separate channel.

CHAPTER 07 7.3-184 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.11.2.3.2 ESW - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations Refer to Section 8.3.2.2.1.12 for a discussion of this standard.

7.3.2.11.2.3.3 ESW - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electric Equipment for Nuclear Power Generating Stations Refer to Section 7.1.2.7.4.

7.3.2.11.2.3.4 ESW - IEEE 338 (1975) - Criteria for the Periodic Testing of Nuclear Power Generating System Protection Systems Refer to Section 7.1.2.7.6.

7.3.2.11.2.3.5 ESW - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations Refer to Section 3.10 for seismic qualification.

7.3.2.11.2.3.6 ESW - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems The single failure criterion of IEEE 379 (1972) is described in Section 7.3.2.11.2.3.1.2.

7.3.2.11.2.3.7 ESW - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits See Section 7.1.2.7.11 for a discussion of the degree of conformance.

7.3.2.11.3 ESW Additional Design Considerations Analyses As defined in Regulatory Guide 1.70, paragraph 7.3.2, the following considerations are addressed:

a. Loss of the plant instrument air system does not prevent the ESW system from performing its protective function.
b. Loss of cooling water to any single piece of vital equipment does not prevent the ESW system from performing its protective function.

7.3.2.12 RHR Service Water System - Instrumentation and Controls 7.3.2.12.1 RHRSW General Functional Requirements Conformance The RHRSW system is designed to provide a reliable source of cooling water for all operating modes of the RHR system including heat removal under postaccident conditions, and also to provide water to flood the reactor core or to spray the primary containment after an accident, should it be necessary.

There are two RHRSW loops, each loop serving one RHR heat exchanger in each unit, to supply cooling water for plant shutdown. Each loop is isolated from the other by barriers, separate trenches, or distance to ensure that simultaneous loss of both loops cannot occur. Failure of either a MOV, a diesel generator, or a pump will not prevent the system from performing its safety CHAPTER 07 7.3-185 REV. 19, SEPTEMBER 2018

LGS UFSAR function. This arrangement ensures that the full heat removal capacity required is available after the postulated active or passive electrical or control component failure. Refer to Section 7.1.2.1.15.2.1 for the design basis and Section 9.2.3 for additional details.

7.3.2.12.2 RHRSW Specific Regulatory Requirements Conformance 7.3.2.12.2.1 RHRSW Conformance to Regulatory Guides 7.3.2.12.2.1.1 RHRSW - Regulatory Guide 1.6 (1971) - Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems (Safety Guide 6)

Refer to Section 8.1.6.1.1 and 8.3.2.2.1.7.

7.3.2.12.2.1.2 RHRSW - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)

The RHRSW system is a manually initiated system and is capable of being tested during normal plant operation. The system is tested by the manual testing of each of the cooling water loop components. Control switches with status lights are provided in the control room for the system pumps and valves. Also, the cooling water loop flow and pressure indicators will provide an indication of proper system operation.

7.3.2.12.2.1.3 RHRSW - Regulatory Guide 1.29 (1978) - Seismic Design Classification The RHRSW system complies with this regulatory guide as discussed in Section 3.2.

7.3.2.12.2.1.4 RHRSW - Regulatory Guide 1.32 (1977) - Criteria for Safety-Related Electric Systems for Nuclear Power Plants Refer to Section 8.1.6.1.6.

7.3.2.12.2.1.5 RHRSW - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indications for Nuclear Power Plant Safety Systems RHRSW system conforms to this regulatory guide as a support system annunciated for status under the RHR system.

7.3.2.12.2.1.6 RHRSW - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems Compliance with Regulatory Guide 1.53 (1973) is achieved by specifying, designing, and constructing the RHRSW system so that it meets the single failure criterion described in paragraph 4.2 of IEEE 279 (1971). The RHRSW system consists of two independent cooling water loops with separate and independent controls and power which are segregated by division.

7.3.2.12.2.1.7 RHRSW - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions The RHRSW system is a manually initiated system. All controls necessary to operate the system are in the main control room.

7.3.2.12.2.1.8 RHRSW - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems CHAPTER 07 7.3-186 REV. 19, SEPTEMBER 2018

LGS UFSAR The electrical separation criteria and degree of conformance to Regulatory Guide 1.75 (1975) are discussed in Sections 7.1.2.2.3 and 8.1.6.1.14.

7.3.2.12.2.1.9 RHRSW - Regulatory Guide 1.97 (1980) - Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident See Section 7.5.2.5.1.1.2 for a discussion of the degree of conformance.

7.3.2.12.2.1.10 RHRSW - Regulatory Guide 1.105 (1976) - Instrument Setpoints See Section 7.1.2.5.25 for a discussion of the degree of conformance.

7.3.2.12.2.1.11 RHRSW - Regulatory Guide 1.118 (1978) - Periodic Testing of Electric Power and Protection Systems See Section 7.1.2.5.26 for a discussion of the degree of conformance.

7.3.2.12.2.2 RHRSW Conformance to 10CFR50, Appendix A, General Design Criteria 7.3.2.12.2.2.1 RHRSW - GDC 1 - Quality Standards and Records The equipment for ESF and supporting systems is included in an established quality assurance program as discussed in Section 3.1 and Chapter 17.

7.3.2.12.2.2.2 RHRSW - GDC 2 - Design Bases for Protection Against Natural Phenomena Refer to Section 3.1.

7.3.2.12.2.2.3 RHRSW - GDC 3 - Fire Protection The RHRSW system is designed to minimize the probability and the effects of fire and explosions by using noncombustible and heat-resistant materials. Refer to Section 9.5.1 for a discussion of the fire protection system.

7.3.2.12.2.2.4 RHRSW - GDC 4 - Environmental and Dynamic Effects Design Bases Environmental design is discussed in Section 3.11. Missile protection design is discussed in Section 3.5.

7.3.2.12.2.2.5 RHRSW - GDC 5 - Sharing of Structures, Systems, and Components Refer to Section 3.1 for a general discussion.

The RHRSW system is common to both Units 1 and 2 and consists of two loops. Each loop services one RHR heat exchanger in each unit and provides sufficient cooling to satisfy its safety function. Each loop has two 50% capacity pumps which are powered from separate power sources. Loss of one loop does not affect the capability of the second loop to safely shutdown either or both units during emergency conditions. Thus, sharing of the RHRSW system between Units 1 and 2 does not significantly impair the ability of the RHRSW system to perform its safety function.

CHAPTER 07 7.3-187 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.12.2.2.6 RHRSW - GDC 13 - Instrumentation and Control Monitoring instrumentation is provided as detailed in Section 7.3.1.1.12.12.2 to provide the operator with information on the operation of the system.

7.3.2.12.2.2.7 RHRSW - GDC 19 - Control Room Instrumentation and controls for the RHRSW system are provided in the main control room.

Instrumentation and controls for two RHRSW pumps are also provided in the remote shutdown panel. In addition, both of the two redundant RHRSW pumps that are not operable from the remote shutdown panel, can be operated using local controls.

7.3.2.12.2.2.8 RHRSW - GDC 20 - Protection System Functions The RHRSW system is a manually initiated system. This system is not required immediately after an accident. The safety function of the system is adequately ensured by manual initiation.

7.3.2.12.2.2.9 RHRSW - GDC 21 - Protection System Reliability and Testability The RHRSW system is provided with redundancy and separation so that a single failure will not result in the loss of the protective function. The system is capable of being tested during normal plant operation.

7.3.2.12.2.2.10 RHRSW - GDC 22 - Protection System Independence The controls for the two RHRSW cooling water loops are electrically and physically separated so that a single failure will not result in the loss of both cooling water loops. Power for the components of the cooling water loops is provided by separate Class 1E power sources.

7.3.2.12.2.2.11 RHRSW - GDC 23 - Protection System Failure Modes The various failure modes of the RHRSW system are described in Section 9.2.3.

7.3.2.12.2.2.12 RHRSW - GDC 24 - Separation of Protection and Control Systems The control system for the RHRSW system does not interact with the plant control system.

Annunciator circuits using contacts of sensors and logic relays cannot impair the operability of the RHRSW system control because of electrical isolation.

7.3.2.12.2.2.13 RHRSW - GDC 29 - Protection Against Anticipated Operational Occurrences The RHRSW system is designed to provide cooling water to the components described in Section 9.2.3. The redundancy and separation of the two loops and manual initiation of the system ensure its ability to accomplish its safety function in the event of anticipated operational occurrences.

7.3.2.12.2.2.14 RHRSW - GDC 34 - Residual Heat Removal The RHRSW system provides cooling water to the RHR heat exchangers as described in Section 9.2.3. The RHRSW system is provided with redundancy and separation so that a single failure will not result in the loss of the protective function.

7.3.2.12.2.3 RHRSW Conformance to Industry Codes and Standards CHAPTER 07 7.3-188 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.12.2.3.1 RHRSW - IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Stations Compliance of the RHRSW system with IEEE 279 (1971) is detailed as follows:

7.3.2.12.2.3.1.1 RHRSW - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement The RHRSW system is not an automatically initiated system. The system's safety function is adequately ensured by manual initiation.

7.3.2.12.2.3.1.2 RHRSW - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion The RHRSW system consists of two cooling water loops which have separate and independent controls and power, and therefore meets the single failure criterion.

7.3.2.12.2.3.1.3 RHRSW - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules All safety-related components are selected on the basis of suitability for the application. A quality control and assurance program is required to be implemented by the equipment vendors which complies with the requirements set forth in 10CFR50, Appendix B.

7.3.2.12.2.3.1.4 RHRSW - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification The RHRSW system safety-related controls and instrumentation have been qualified as per the requirements outlined in IEEE 323 (1971) as highlighted in Section 7.1.2.7.4. The conditions for which the equipment has been qualified are those identified in Sections 3.10 and 3.11. The identified parameters cover normal, abnormal and accident conditions both inside and outside the drywell.

7.3.2.12.2.3.1.5 RHRSW - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity The RHRSW system meets the channel integrity objective by utilizing the design features described in the other paragraphs of this Section.

7.3.2.12.2.3.1.6 RHRSW - IEEE 279 (1971), Paragraph 4.6 - Channel Independence The control, instrumentation, and power circuits for the components of each of the RHRSW cooling water loop are physically and electrically separated. The divisional assignments of the system components are described in Section 7.3.1.1.12.9.

7.3.2.12.2.3.1.7 RHRSW - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction The RHRSW system has no interaction with the plant control systems. Annunciator circuits using contacts of circuits of sensors and logic relays cannot impair the operability of the RHRSW system control because of electrical isolation.

7.3.2.12.2.3.1.8 RHRSW - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs The RHRSW system is a manually initiated system.

CHAPTER 07 7.3-189 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.12.2.3.1.9 RHRSW - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks The RHRSW system is a manually initiated system. However, the system includes radiation instrumentation which trips components of the system as described in Section 7.3.1.1.12.5. These radiation sensors have provisions for a check source for testing this instrumentation during normal plant operation.

7.3.2.12.2.3.1.10 RHRSW - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration RHRSW system is capable of being tested during normal plant operation to verify that the system is capable of performing its intended function.

7.3.2.12.2.3.1.11 RHRSW - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal From Operation Channel bypass or removal of a component for maintenance will inhibit the proper operation of one of the cooling water loops. However, it will not affect the proper operation of the other cooling water loop.

7.3.2.12.2.3.1.12 RHRSW - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses RHRSW bypasses are described in Section 7.3.1.1.12.6.

7.3.2.12.2.3.1.13 RHRSW - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses Each of the bypasses described in Section 7.3.1.1.12.6 is automatically indicated in the control room. In addition, each of the bypasses will initiate a system annunciator if required.

7.3.2.12.2.3.1.14 RHRSW - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing Access to the switchgear and the relay panels will be procedurally controlled by administrative means.

7.3.2.12.2.3.1.15 RHRSW - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints This paragraph is not applicable to the RHRSW system.

7.3.2.12.2.3.1.16 RHRSW - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once It Is Initiated Once the system is started, it will continue to operate until stopped by the operator.

7.3.2.12.2.3.1.17 RHRSW - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation The RHRSW system is a manually initiated system.

7.3.2.12.2.3.1.18 RHRSW - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration, and Test Points Access to the switchgear, the relay panels, and setpoint adjustments will be procedurally controlled by administrative means.

CHAPTER 07 7.3-190 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.12.2.3.1.19 RHRSW - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions The RHRSW system is manually initiated. The status of the system components is shown by indicating lights in the control room.

7.3.2.12.2.3.1.20 RHRSW - IEEE 279 (1971), Paragraph 4.20 - Information Readout The information readout available for the RHRSW system is described in Section 7.3.1.1.12.12.2.

7.3.2.12.2.3.1.21 RHRSW - IEEE 279 (1971), Paragraph 4.21 - System Repair The recognition and location of failed components can be accomplished during periodic testing.

The control logic is not complex so that location of failed components should be straight forward.

The components are mounted in such a manner as to facilitate removal and replacement.

7.3.2.12.2.3.1.22 RHRSW - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems Each logic cabinet and control panel is distinctively identified with a nameplate which identifies the safety system. Cables and cable trays are identified by a color code and tags which identify them as being of separate channels.

7.3.2.12.2.3.2 RHRSW - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations Refer to Section 8.3.2.2.1.12 for a discussion on this standard.

7.3.2.12.2.3.3 RHRSW - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electric Equipment for Nuclear Power Generating Stations Refer to Section 7.1.2.7.4.

7.3.2.12.2.3.4 RHRSW - IEEE 338 (1975) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems Refer to discussion on Regulatory Guide 1.118 in Section 7.1.2.5.26.

7.3.2.12.2.3.5 RHRSW - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations Refer to Section 7.1.2.7.7 for seismic qualification.

7.3.2.12.2.3.6 RHRSW - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion for Nuclear Power Generating Station Protection Systems The single failure criterion of IEEE 379 (1972) is met as described in Section 7.3.2.12.2.3.1.2.

7.3.2.12.2.3.7 RHRSW - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits See Section 7.1.2.7.11 for a discussion of degree of conformance.

CHAPTER 07 7.3-191 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.12.3 RHRSW Additional Design Considerations Analyses As defined in Regulatory Guide 1.70, paragraph 7.3.2 the following considerations are addressed:

a. Loss of the plant instrument air system does not prevent the RHRSW system from performing its protective function.
b. Loss of cooling water to any single piece of vital equipment does not prevent the RHRSW system from performing its protective function.

7.3.2.13 Control Enclosure Chilled Water System - Instrumentation and Controls 7.3.2.13.1 CECWS General Functional Requirements Conformance The CECWS is designed with sufficient capacity and redundancy so that a single active or passive electrical or control component failure will not prevent the system from performing its safety-related functions. The CECWS is automatically initiated by operation of the control room air supply fan cabinets, the auxiliary equipment room air supply fan cabinets, the emergency switchgear and battery room air supply fan cabinets, and the SGTS room and access area unit coolers. Refer to Section 7.1.2.1.35.1 for the safety design basis.

7.3.2.13.2 CECWS Specific Regulatory Requirements Conformance 7.3.2.13.2.1 CECWS Conformance to Regulatory Guides 7.3.2.13.2.1.1 CECWS - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)

The CECWS can be manually initiated and is capable of being tested during normal plant operation. Hand switches located in the control room allow periodic testing of the chillers and pumps in accordance with the requirements of Chapter 16.

7.3.2.13.2.1.2 CECWS - Regulatory Guide 1.29 (1978) - Seismic Design Classification The CECWS complies with this regulatory guide as discussed in Section 3.2.

7.3.2.13.2.1.3 CECWS - Regulatory Guide 1.30 (1972) - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment (Safety Guide 30)

Refer to Section 8.1.6.1.5 and Chapter 17.

7.3.2.13.2.1.4 CECWS - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems The CECWS by providing indication in the control room of pump and chiller status meets the intent of this regulatory guide.

7.3.2.13.2.1.5 CECWS - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems Compliance with Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the CECWS to meet the single failure criterion, section 4.2 of IEEE 279 (1971) and IEEE 379 (1972).

CHAPTER 07 7.3-192 REV. 19, SEPTEMBER 2018

LGS UFSAR Redundant sensors and wiring are separated. The logic components and wiring are separated to ensure that a failure in a sensing element or the decision logic or an actuator will not affect its redundant counterpart and prevent protective action. Separate channels are employed so that a fault affecting one channel will not prevent the redundant channel from operating properly.

7.3.2.13.2.1.6 CECWS - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions Controls are provided in the main control room to manually initiate the CECWS.

7.3.2.13.2.1.7 CECWS - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems Refer to Section 8.1.6.1.14 for compliance with this regulatory guide.

7.3.2.13.2.1.8 CECWS - Regulatory Guide 1.89 (1974) - Qualification of Class 1E Equipment for Nuclear Power Plants The qualification of Class 1E equipment for the CECWS system is discussed in Section 8.1.6.1.16.

7.3.2.13.2.1.9 CECWS - Regulatory Guide 1.100 (1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants Conformance with this regulatory guide is discussed in Section 3.10.

7.3.2.13.2.1.10 CECWS - Regulatory Guide 1.105 (1976) - Instrument Setpoints The CECWS is automatically initiated by unit cooler operation. Refer to Section 7.3.2.15.1.2.10.

7.3.2.13.2.1.11 CECWS - Regulatory Guide 1.118 (1978) - Periodic Testing of Electric Power and Protection Systems Refer to Section 7.1.2.5.26.

7.3.2.13.2.2 CECWS Conformance to 10CFR50, Appendix A, General Design Criteria 7.3.2.13.2.2.1 CECWS - GDC 1 - Quality Standards and Records The CECWS is included in an established quality assurance program discussed in Section 7.1.2.6 and Chapter 17.

7.3.2.13.2.2.2 CECWS - GDC 2 - Design Bases for Protection Against Natural Phenomena Refer to Section 7.1.2.6.

7.3.2.13.2.2.3 CECWS - GDC 3 - Fire Protection Refer to Section 7.1.2.6.

7.3.2.13.2.2.4 CECWS - GDC 4 - Environmental and Dynamic Effects Design Bases Refer to Section 7.1.2.6.

7.3.2.13.2.2.5 CECWS - GDC 5 - Sharing of Structures, Systems, and Components CHAPTER 07 7.3-193 REV. 19, SEPTEMBER 2018

LGS UFSAR The CECWS is common to Units 1 and 2. There are two independent divisions, each capable of providing sufficient chilled water for unit cooler operation during safe shutdown conditions. Since the CECWS is designed to remain functional during and after the most severe natural phenomena, sharing this system will not impair its ability to perform its safety function.

7.3.2.13.2.2.6 CECWS - GDC 13 - Instrumentation and Control Instrumentation for the CECWS is selected to monitor variables over anticipated ranges during normal and emergency operating conditions.

7.3.2.13.2.3 CECWS Conformance to Industry Codes and Standards 7.3.2.13.2.3.1 CECWS - IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Stations Compliance of the CECWS with IEEE 279 (1971) is detailed as follows:

7.3.2.13.2.3.1.1 CECWS - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement The CECWS is automatically initiated by unit cooler operation.

7.3.2.13.2.3.1.2 CECWS - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion The CECWS consists of redundant chillers, pumps, piping, and independent sets of controls and power which meet the single failure criterion.

7.3.2.13.2.3.1.3 CECWS - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules All safety-related components are selected on the basis of suitability for the specific application. A quality control and assurance program is required to be implemented and documented by equipment vendors, which complies with the requirements set forth in 10CFR50, Appendix B.

7.3.2.13.2.3.1.4 CECWS - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification Refer to Section 3.11 for discussion of equipment qualification.

7.3.2.13.2.3.1.5 CECWS - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity The CECWS meets the channel integrity objective by utilizing the design features described in the other paragraphs of this section.

7.3.2.13.2.3.1.6 CECWS - IEEE 279 (1971), Paragraph 4.6 - Channel Independence The control and power circuits for each CECWS component are physically and electrically separated.

7.3.2.13.2.3.1.7 CECWS - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction The CECWS interacts with the operation of the unit coolers as discussed in Section 7.3.2.15.1. No single event or failure of the control system can result in a condition requiring protective action and can concurrently prevent the operation of the CECWS.

CHAPTER 07 7.3-194 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.13.2.3.1.8 CECWS - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs Initiation of the CECWS is derived from operation of the control room air supply fan cabinets, the auxiliary equipment room air supply fan cabinets, the emergency switchgear and battery room air supply fan cabinets and/or the SGTS room and access area unit coolers.

7.3.2.13.2.3.1.9 CECWS - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks The CECWS can be tested for operational availability as per Section 7.3.1.1.13.10.

7.3.2.13.2.3.1.10 CECWS - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration The CECWS is capable of being tested during normal plant operation to verify that the system is capable of performing its intended function.

7.3.2.13.2.3.1.11 CECWS - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal from Operation A channel bypass or removal of a component of an initiation circuit channel will prevent the CECWS itself from complying with the single failure criterion.

7.3.2.13.2.3.1.12 CECWS - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses CECWS bypasses are discussed in Section 7.3.1.1.13.6.

7.3.2.13.2.3.1.13 CECWS - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses Each of the bypasses described in Section 7.3.1.1.13.6 are automatically indicated in the control room. In addition, each of these bypasses will initiate a system out-of-service annunciator.

7.3.2.13.2.3.1.14 CECWS - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing Manual bypass of initiating circuits will be procedurally controlled by administrative means.

7.3.2.13.2.3.1.15 CECWS - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints Refer to Section 7.3.2.15.1.2.3.1.15.

7.3.2.13.2.3.1.16 CECWS - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once it Is Initiated Once the CECWS is initiated, it will continue to operate until the operator terminates system operation by manual override.

7.3.2.13.2.3.1.17 CECWS - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation A single failure in the control system of a division of the CECWS cannot disable the automatic or manual operation of the other CECWS division.

CHAPTER 07 7.3-195 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.13.2.3.1.18 CECWS - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration, and Test Points Refer to Section 7.3.2.15.1.2.3.1.18.

7.3.2.13.2.3.1.19 CECWS - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions System operation is indirectly indicated and identified by pump motor status and flow indication for the pumps.

7.3.2.13.2.3.1.20 CECWS - IEEE 279 (1971), Paragraph 4.20 - Information Readout The information readout for the CECWS is described in Section 7.3.1.1.13.12.2.

7.3.2.13.2.3.1.21 CECWS - IEEE 279 (1971), Paragraph 4.21 - System Repair The recognition and location of failed components can be accomplished during periodic testing.

7.3.2.13.2.3.1.22 CECWS - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems Each logic cabinet and control panel is distinctively identified with a nameplate which identifies the safety system. Cables and cable trays are identified by a color code and tags which identify them as being of a separate channel.

7.3.2.13.2.3.2 CECWS - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations Refer to Section 8.3.2.2.1.12.

7.3.2.13.2.3.3 CECWS - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electric Equipment for Nuclear Power Generating Stations Refer to Section 7.1.2.7.4.

7.3.2.13.2.3.4 CECWS - IEEE 336 (1971) - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations The requirements of this standard have been met by the quality assurance program for construction of safety-related items.

7.3.2.13.2.3.5 CECWS - IEEE 338 (1975) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems Refer to Section 7.1.2.7.6.

7.3.2.13.2.3.6 CECWS - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations Refer to Section 3.10.

CHAPTER 07 7.3-196 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.13.2.3.7 CECWS - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems The single failure criterion of IEEE 379 (1972) is met as described in Section 7.3.2.13.2.1.5.

7.3.2.13.2.3.8 CECWS - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits Refer to Section 7.1.2.7.11.

7.3.2.13.3 CECWS Additional Design Considerations Analyses As defined in Regulatory Guide 1.70, paragraph 7.3.2, the following considerations are addressed:

a. Loss of the plant instrument air system does not prevent the CECWS from performing its protective function.
b. Loss of cooling water to any single piece of vital equipment does not prevent the CECWS from performing its protective function.

7.3.2.14 Class 1E Power Systems For an analysis of the Class 1E power systems refer to the following:

a. Refer to Section 8.3.1.2 for an analysis of the Class 1E ac power system.
b. Refer to Section 8.3.2.2 for an analysis of the Class 1E dc power system.

7.3.2.15 Safety-Related Equipment Area Cooling Ventilation Systems 7.3.2.15.1 SGTS Filter Room and Access Area Unit Coolers - Instrumentation and Controls 7.3.2.15.1.1 SGTS-UC General Functional Requirements Conformance The SGTS-UC are designed with sufficient capacity and redundancy so that a single or passive electrical or control component active failure will not prevent the system from performing its safety-related functions. The SGTS-UC are automatically initiated by high temperature switches. Refer to Section 7.1.2.1.33.1 for the safety design basis and Section 9.4.1.5.1 for additional details.

7.3.2.15.1.2 SGTS-UC Specific Regulatory Requirements Conformance 7.3.2.15.1.2.1 SGTS-UC Conformance to Regulatory Guides 7.3.2.15.1.2.1.1 SGTS-UC - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)

The SGTS-UC can be manually initiated and are capable of being tested during normal plant operation. Hand switches located in the control enclosure allow periodic testing of the unit coolers in accordance with the requirements of Chapter 16.

7.3.2.15.1.2.1.2 SGTS-UC - Regulatory Guide 1.29 (1978) - Seismic Design Classification The unit coolers comply with this regulatory guide as discussed in Section 3.2.

CHAPTER 07 7.3-197 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.1.2.1.3 SGTS-UC - Regulatory Guide 1.30 (1972) - Quality Assurance Requirements for the Installation, Inspection and Testing of Instrumentation and Electric Equipment (Safety Guide 30)

Refer to Section 8.1.6.1.5 and Chapter 17.

7.3.2.15.1.2.1.4 SGTS-UC - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems The SGTS-UC system meets the intent of this regulatory guide through the use of a fan trouble alarm.

7.3.2.15.1.2.1.5 SGTS-UC - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems Compliance with Regulatory Guide 1.53 is achieved by specifying, designing and constructing the unit coolers to meet the single failure criterion, section 4.2 of IEEE 279 (1971) and IEEE 379 (1972). Redundant sensors and wiring are separated. The logic components and wiring are separated to ensure that a failure in a sensing element or the decision logic or an actuator will not affect its redundant counterpart and prevent protective action. Separate channels are employed so that a fault affecting one channel will not prevent the redundant channel from operating properly.

7.3.2.15.1.2.1.6 SGTS-UC - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions Controls are provided on the SGTS local panel to manually initiate the unit coolers.

7.3.2.15.1.2.1.7 SGTS-UC - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems Refer to Section 8.1.6.1.14 for compliance.

7.3.2.15.1.2.1.8 SGTS-UC - Regulatory Guide 1.89 (1974) - Qualification of Class 1E Equipment for Nuclear Power Plants The qualification of Class 1E equipment for the SGTS-UC is discussed in Section 8.1.6.1.16.

7.3.2.15.1.2.1.9 SGTS-UC - Regulatory Guide 1.100 (1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants Conformance is covered by Section 3.10.

7.3.2.15.1.2.1.10 SGTS-UC - Regulatory Guide 1.105 (1976) - Instrument Setpoints Instrument setpoints are selected to allow for the inaccuracy of the instrument, uncertainties in the calibration, and instrumentation drift likely to occur between calibrations to assure initiation of the SGTS-UC prior to potential degradation of the control room environment.

7.3.2.15.1.2.1.11 SGTS-UC - Regulatory Guide 1.118 (1978) - Periodic Testing of Electric Power and Protection Systems Refer to Section 7.1.2.5.26.

CHAPTER 07 7.3-198 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.1.2.2 SGTS-UC Conformance to 10CFR50, Appendix A, General Design Criteria 7.3.2.15.1.2.2.1 SGTS-UC - GDC 1 - Quality Standards and Records The SGTS unit coolers included in an established quality assurance program discussed in Section 3.1 and Chapter 17.

7.3.2.15.1.2.2.2 SGTS-UC - GDC 2 - Design Bases for Protection Against Natural Phenomena Refer to Section 3.1.

7.3.2.15.1.2.2.3 SGTS-UC - GDC 3 - Fire Protection Refer to Section 3.1.

7.3.2.15.1.2.2.4 SGTS-UC - GDC 4 - Environmental and Dynamic Effects Design Bases Refer to Section 3.1.

7.3.2.15.1.2.2.5 SGTS-UC - GDC 5 - Sharing of Structures, Systems and Components Refer to Section 3.1 for general discussion. The SGTS-UC are common to Units 1 and 2. There are two independent divisions, each capable of providing 100% of the cooling requirements for either unit. Therefore, sharing these unit coolers will not impair their ability to perform their safety function.

7.3.2.15.1.2.2.6 SGTS-UC - GDC 13 - Instrumentation and Control Instrumentation for the SGTS-UC is selected to monitor variables over anticipated ranges during normal and emergency operating conditions.

7.3.2.15.1.2.3 SGTS-UC Conformance to Industry Codes and Standards 7.3.2.15.1.2.3.1 SGTS-UC - IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Stations Compliance of the SGTS-UC with IEEE 279 (1971) is detailed as follows:

7.3.2.15.1.2.3.1.1 SGTS-UC - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement The SGTS-UC are automatically initiated by high temperature switches.

7.3.2.15.1.2.3.1.2 SGTS-UC - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion The SGTS-UC consist of redundant unit coolers, and independent sets of controls and power which meet the single failure criterion.

7.3.2.15.1.2.3.1.3 SGTS-UC - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules All safety-related components are selected on the basis of suitability for the specific application. A quality control and assurance program is required to be implemented and documented by equipment vendors, which complies with the requirements set forth in 10CFR50, Appendix B.

CHAPTER 07 7.3-199 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.1.2.3.1.4 SGTS-UC - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification Refer to Section 3.11 for discussion of equipment qualification.

7.3.2.15.1.2.3.1.5 SGTS-UC - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity The SGTS-UC meet the channel integrity by utilizing the design features described in the other paragraphs of this section.

7.3.2.15.1.2.3.1.6 SGTS-UC - IEEE 279 (1971), Paragraph 4.6 - Channel Independence The control and power circuits for the unit coolers component are physically and electrically separated.

7.3.2.15.1.2.3.1.7 SGTS-UC - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction The SGTS-UC have no interaction with other plant control systems. Annunciator circuits using contacts at sensor and logic relays cannot impair the operability of the control because of electrical isolation.

7.3.2.15.1.2.3.1.8 SGTS-UC - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs Initiation of the SGTS-UC is derived from high temperature signals from the control enclosure.

7.3.2.15.1.2.3.1.9 SGTS-UC - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks The SGTS-UC can be tested for operational availability per Section 7.3.1.1.15.1.10.

7.3.2.15.1.2.3.1.10 SGTS-UC - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration The SGTS-UC are capable of being tested during normal plant operation to verify that the system is capable of performing its intended function.

7.3.2.15.1.2.3.1.11 SGTS-UC - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal from Operation A channel bypass or removal of a component of an initiation circuit channel will prevent the SGTS-UC themselves from complying with the single failure criterion.

7.3.2.15.1.2.3.1.12 SGTS-UC - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses SGTS-UC bypasses are discussed in Section 7.3.1.1.15.1.6.

7.3.2.15.1.2.3.1.13 SGTS-UC - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses Each of the bypasses described in Section 7.3.1.1.15.1.6 is automatically indicated in the control room. In addition, each of these bypasses will initiate a system out-of-service annunciator.

CHAPTER 07 7.3-200 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.1.2.3.1.14 SGTS-UC - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing Manual bypass of initiating circuits will be procedurally controlled by administrative means.

7.3.2.15.1.2.3.1.15 SGTS-UC - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints The SGTS-UC temperature switches are suitable for adjustment of trip points to more stringent settings if required.

7.3.2.15.1.2.3.1.16 SGTS-UC - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once it is Initiated Once the SGTS-UC are initiated they will continue to operate until the area temperature drops to the low temperature setting.

7.3.2.15.1.2.3.1.17 SGTS-UC - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation A single failure in the control system of a division of the SGTS-UC cannot disable the automatic or manual operation of the other SGTS-UC division.

7.3.2.15.1.2.3.1.18 SGTS-UC - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration and Test Points Access to temperature switch setpoints is restricted by administrative control.

7.3.2.15.1.2.3.1.19 SGTS-UC - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions System operation is indirectly indicated and identified by high temperature alarms.

7.3.2.15.1.2.3.1.20 SGTS-UC - IEEE 279 (1971), Paragraph 4.20 - Information Readout The information readout for the SGTS-UC is described in Section 7.3.1.1.15.1.12.2.

7.3.2.15.1.2.3.1.21 SGTS-UC - IEEE 279 (1971), Paragraph 4.21 - System Repair The recognition and location of failed components will be accomplished during periodic testing.

7.3.2.15.1.2.3.1.22 SGTS-UC - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems Each logic cabinet and control panel is distinctively identified with a nameplate which identifies the safety system. Cables and cable trays are identified by a color code and tags which identify them as being of a separate channel.

7.3.2.15.1.2.3.2 SGTS-UC - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations Refer to Section 8.3.2.2.1.12.

CHAPTER 07 7.3-201 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.1.2.3.3 SGTS-UC - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electric Equipment for Nuclear Power Generating Stations Refer to Section 7.1.2.7.4.

7.3.2.15.1.2.3.4 SGTS-UC - IEEE 336 (1971) - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations The requirements of this standard have been met by the quality assurance program for construction of safety-related items.

7.3.2.15.1.2.3.5 SGTS-UC - IEEE 338 (1975) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems Refer to Section 7.1.2.7.6.

7.3.2.15.1.2.3.6 SGTS-UC - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Station Refer to Section 3.10.

7.3.2.15.1.2.3.7 SGTS-UC - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems The single failure criterion of IEEE 379 (1972) is met as described in Section 7.3.2.15.1.2.3.1.2.

7.3.2.15.1.2.3.8 SGTS-UC - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits Refer to Section 7.1.2.7.11.

7.3.2.15.2 Diesel Generating Enclosure Ventilation System - Instrumentation and Controls 7.3.2.15.2.1 DGEVS General Functional Requirements Conformance The DGEVS is designed with sufficient capacity and redundancy so that a single active or passive electrical or control component failure will not prevent the diesel generators from performing their safety-related functions. The DGEVS system is automatically initiated by detection of high temperature. For the safety design basis refer to Section 7.1.2.1.33.2.1 and for additional details refer to Section 9.4.6.

7.3.2.15.2.2 DGEVS Specific Regulatory Requirements Conformance 7.3.2.15.2.2.1 DGEVS Conformance to Regulatory Guides 7.3.2.15.2.2.1.1 DGEVS - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)

The DGEVS can be manually initiated and is capable of being tested during normal plant operation. Hand switches located on the local panel allow periodic testing of the exhaust fans in accordance with the requirements of Chapter 16.

CHAPTER 07 7.3-202 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.2.2.1.2 DGEVS - Regulatory Guide 1.29 (1978) - Seismic Design Classification The DGEVS complies with this regulatory guide as discussed in Section 3.2.

7.3.2.15.2.2.1.3 DGEVS - Regulatory Guide 1.30 (1972) - Quality Assurance Requirements for Installation, Inspection, and Testing of Instrumentation and Electric Equipment (Safety Guide 30)

Refer to Section 8.1.6.1.5 and Chapter 17.

7.3.2.15.2.2.1.4 DGEVS - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems The DGEVS meets the intent of this regulatory guide by using a fan system trouble alarm in the control room.

7.3.2.15.2.2.1.5 DGEVS - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems Compliance with Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the DGEVS to meet the single failure criterion, section 4.2 of IEEE 279 (1971) and IEEE 379 (1972).

Redundant sensors and wiring are separated. The logic components and wiring are separated to ensure that a failure in a sensing element or the decision logic or an actuator will not affect its redundant counterparts and prevent protective action.

The two fans for each diesel cell are on the same channel as its diesel generator.

7.3.2.15.2.2.1.6 DGEVS - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions Controls are provided locally to manually initiate the DGEVS.

7.3.2.15.2.2.1.7 DGEVS - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems Refer to Section 8.1.6.1.14 for compliance with this regulatory guide.

7.3.2.15.2.2.1.8 DGEVS - Regulatory Guide 1.89 (1974) - Qualification of Class 1E Equipment for Nuclear Power Plants The qualification of Class 1E equipment for the DGEVS is discussed in Section 8.1.6.1.16.

7.3.2.15.2.2.1.9 DGEVS - Regulatory Guide 1.100 (1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants Conformance with this regulatory guide is covered by Section 3.10.

7.3.2.15.2.2.1.10 DGEVS - Regulatory Guide 1.105 (1976) - Instrument Setpoints Instrument setpoints are selected to allow for the inaccuracy of the instrument, uncertainties in the calibration, and instrumentation drift likely to occur between calibrations to assure initiation of the DGEVS, to prevent overheating of the diesel generators. For safety setpoints refer to Chapter 16.

CHAPTER 07 7.3-203 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.2.2.1.11 DGEVS - Regulatory Guide 1.118 (1978) - Periodic Testing Electric Power and Protection Systems Refer to Section 7.1.2.5.26.

7.3.2.15.2.2.2 DGEVS Conformance to 10CFR50, Appendix A, General Design Criteria 7.3.2.15.2.2.2.1 DGEVS - GDC 1 - Quality Standards and Records The DGEVS is included in an established quality assurance program discussed in Section 3.1 and Chapter 17.

7.3.2.15.2.2.2.2 DGEVS - GDC 2 - Design Bases for Protection Against Natural Phenomena Refer to Section 3.1.

7.3.2.15.2.2.2.3 DGEVS - GDC 3 - Fire Protection Refer to Section 3.1.

7.3.2.15.2.2.2.4 DGEVS - GDC 4 - Environmental and Dynamic Effects Design Bases Refer to Section 3.1.

7.3.2.15.2.2.2.5 DGEVS - GDC 13 - Instrumentation and Control Instrumentation for the DGEVS is selected to monitor variables over anticipated ranges during normal and emergency operating conditions.

7.3.2.15.2.2.3 DGEVS Conformance to Industry Codes and Standards 7.3.2.15.2.2.3.1 DGEVS - IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Stations Compliance of the DGEVS with IEEE 279 (1971) is detailed as follows:

7.3.2.15.2.2.3.1.1 DGEVS - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement The DGEVS is automatically initiated by high temperature switches.

7.3.2.15.2.2.3.1.2 DGEVS - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion The DGEVS consists of independent sets of exhaust fans, controls and power which meet the single failure criteria.

7.3.2.15.2.2.3.1.3 DGEVS - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules All safety-related components are selected on the basis of suitability for the specific application. A quality control and assurance program is required to be implemented and documented by equipment vendors, which complies with the requirements set forth in 10CFR50, Appendix B.

CHAPTER 07 7.3-204 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.2.2.3.1.4 DGEVS - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification Refer to Section 3.11 for discussion of equipment qualification.

7.3.2.15.2.2.3.1.5 DGEVS - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity The DGEVS meets the channel integrity criterion by utilizing the design features described in the other paragraphs of this section.

7.3.2.15.2.2.3.1.6 DGEVS - IEEE 279 (1971), Paragraph 4.6 - Channel Independence The control and power circuits for each DGEVS component are physically and electrically separated.

7.3.2.15.2.2.3.1.7 DGEVS - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction The DGEVS has no interaction with other plant control systems. Annunciator circuits using contacts at sensor and logic relays cannot impair the operability of the DGEVS control because of electrical isolation.

7.3.2.15.2.2.3.1.8 DGEVS - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs Initiation of the DGEVS is derived from high temperature signals from the diesel generator enclosure.

7.3.2.15.2.2.3.1.9 DGEVS - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks The DGEVS can be tested for operational availability as per Section 7.3.1.1.15.2.10.

7.3.2.15.2.2.3.1.10 DGEVS - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration The DGEVS is capable of being tested during normal plant operation to verify that the system is capable of performing its intended function.

7.3.2.15.2.2.3.1.11 DGEVS - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal from Operation Removal of an initiation circuit component will not prevent the DGEVS itself from complying with the single failure criterion. The two fans for each diesel cell are on the same channel as its diesel generator.

7.3.2.15.2.2.3.1.12 DGEVS - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses DGEVS bypasses are discussed in Section 7.3.1.1.15.2.6.

7.3.2.15.2.2.3.1.13 DGEVS - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses Each of the bypasses described in Section 7.3.1.1.15.2.6 are automatically indicated in the control room. In addition, each of these bypasses will initiate a system out-of-service annunciator.

7.3.2.15.2.2.3.1.14 DGEVS - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing CHAPTER 07 7.3-205 REV. 19, SEPTEMBER 2018

LGS UFSAR Manual bypass of initiating circuits will be procedurally controlled by administrative means.

7.3.2.15.2.2.3.1.15 DGEVS - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints The DGEVS temperature switches have been designed to allow adjustment of trip setpoints to more stringent settings if required.

7.3.2.15.2.2.3.1.16 DGEVS - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once It Is Initiated Once the DGEVS is initiated it will continue to operate until the diesel cell temperature drops below the low temperature setpoint.

7.3.2.15.2.2.3.1.17 DGEVS - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation A single failure in the control system of a division of the DGEVS cannot disable the automatic or manual operation of the other DGEVS divisions.

7.3.2.15.2.2.3.1.18 DGEVS - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration and Test Points Access to temperature switch setpoints is restricted by administrative control.

7.3.2.15.2.2.3.1.19 DGEVS - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions System operation is indirectly indicated and identified by high temperature alarms.

7.3.2.15.2.2.3.1.20 DGEVS - IEEE 279 (1971), Paragraph 4.20 - Information Readout The information readout for the DGEVS is described in Section 7.3.1.1.15.2.12.2.

7.3.2.15.2.2.3.1.21 DGEVS - IEEE 279 (1971), Paragraph 4.21 - System Repair The recognition and location of failed components will be accomplished during periodic testing.

7.3.2.15.2.2.3.1.22 DGEVS - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems Each logic cabinet and control panel is distinctively identified with a nameplate which identifies the safety system. Cables and cable trays are identified by a color code and tags which identify them as being of a separate channel.

7.3.2.15.2.2.3.2 DGEVS - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations Refer to Section 8.3.2.2.1.12.

7.3.2.15.2.2.3.3 DGEVS - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electric Equipment for Nuclear Power Generating Stations Refer to Section 7.1.2.7.4.

CHAPTER 07 7.3-206 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.2.2.3.4 DGEVS - IEEE 336 (1971) - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations The requirements of this standard have been met by the quality assurance program for construction of safety-related items.

7.3.2.15.2.2.3.5 DGEVS - IEEE 338 (1975) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems Refer to Section 7.1.2.7.6.

7.3.2.15.2.2.3.6 DGEVS - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Station Refer to Section 7.1.2.7.7.

7.3.2.15.2.2.3.7 DGEVS - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems The single failure criterion of IEEE 379 (1972) is met as described in Section 7.3.2.15.2.2.3.1.2.

7.3.2.15.2.2.3.8 DGEVS - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits Refer to Section 7.1.2.7.11.

7.3.2.15.3 Spray Pond Pump Structure Ventilation System - Instrumentation and Controls 7.3.2.15.3.1 SPPSVS General Functional Requirements Conformance The SPPSVS is designed with sufficient capacity and redundancy so that a single active or passive electrical or control component failure will not prevent the system from performing its safety-related functions. For the safety design basis refer to Section 7.1.2.1.33.3 and for additional details refer to Section 9.4.7.

7.3.2.15.3.2 SPPSVS Specific Regulatory Requirements Conformance 7.3.2.15.3.2.1 SPPSVS Conformance to Regulatory Guides 7.3.2.15.3.2.1.1 SPPSVS - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)

The SPPSVS can be manually initiated and is capable of being tested during normal plant operation. Hand switches located in the control room allow periodic testing of the fan cabinets in accordance with the requirements of Chapter 16.

7.3.2.15.3.2.1.2 SPPSVS - Regulatory Guide 1.29 (1978) - Seismic Design Classification The SPPSVS complies with this regulatory guide as discussed in Section 3.2.

CHAPTER 07 7.3-207 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.3.2.1.3 SPPSVS - Regulatory Guide 1.30 (1972) - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment (Safety Guide 30)

Refer to Section 8.1.6.1.5 and Chapter 17.

7.3.2.15.3.2.1.4 SPPSVS - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems The SPPSVS meets the intent of this regulatory guide by using a fan system trouble alarm in the control room.

7.3.2.15.3.2.1.5 SPPSVS - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems Compliance with Regulatory Guide 1.53 is achieved by specifying, designing and constructing the SPPSVS to meet the single failure criterion, section 4.2 of IEEE 279 (1971) and IEEE 379 (1972).

Redundant sensors and wiring are separated. The logic components and wiring are separated to ensure that a failure in a sensing element or the decision logic or an actuator will not affect its redundant counterpart and prevent protective action. Separator channels are employed so that a fault affecting one channel will not prevent the redundant channel from operating properly.

7.3.2.15.3.2.1.6 SPPSVS - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions Controls are provided in the main control room to manually initiate the SPPSVS.

7.3.2.15.3.2.1.7 SPPSVS - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems Refer to Section 8.1.6.1.14 for compliance with this regulatory guide.

7.3.2.15.3.2.1.8 SPPSVS - Regulatory Guide 1.89 (1974) - Qualification of Class 1E Equipment for Nuclear Power Plants The qualification of Class 1E equipment for the SPPSVS is discussed in Section 8.1.6.1.16.

7.3.2.15.3.2.1.9 SPPSVS - Regulatory Guide 1.100 (1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants Conformance with this regulatory guide is covered by Section 3.10.

7.3.2.15.3.2.1.10 SPPSVS - Regulatory Guide 1.105 (1976) - Instrument Setpoints Instrument setpoints are selected to allow for the inaccuracy of the instrument, uncertainties in the calibration, and instrumentation drift likely to occur between calibrations to assure initiation of the SPPSVS to maintain the spray pond pump enclosure within specified temperature limits.

7.3.2.15.3.2.1.11 SPPSVS - Regulatory Guide 1.118 (1978) - Periodic Testing of Electric Power and Protection Systems Refer to Section 7.1.2.5.26.

CHAPTER 07 7.3-208 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.3.2.2 SPPSVS Conformance to 10CFR50, Appendix A, General Design Criteria 7.3.2.15.3.2.2.1 SPPSVS - GDC 1 - Quality Standards and Records The SPPSVS is included in an established quality assurance program discussed in Section 3.1 and Chapter 17.

7.3.2.15.3.2.2.2 SPPSVS - GDC 2 - Design Bases for Protection Against Natural Phenomena Refer to Section 3.1.

7.3.2.15.3.2.2.3 SPPSVS - GDC 3 - Fire Protection Refer to Section 3.1.

7.3.2.15.3.2.2.4 SPPSVS - GDC 4 - Environmental and Dynamic Effects Design Bases Refer to Section 3.1.

7.3.2.15.3.2.2.5 SPPSVS - GDC 5 - Sharing of Structures, Systems, and Components The SPPSVS is common to Units 1 and 2. There are four independent divisions, any two of which can provide the required ventilation and heating requirements during and after the most severe natural phenomena to maintain a suitable environment for the other safety-related equipment in this area. Therefore, sharing this system will not impair its ability to perform its safety function.

7.3.2.15.3.2.2.6 SPPSVS - GDC 13 - Instrumentation and Control Instrumentation for the SPPSVS is selected to monitor variables over anticipated ranges during normal and emergency operating conditions.

7.3.2.15.3.2.3 SPPSVS Conformance to Industry Codes and Standards 7.3.2.15.3.2.3.1 SPPSVS - IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Stations Compliance of the SPPSVS with IEEE 279 (1971) is detailed as follows:

7.3.2.15.3.2.3.1.1 SPPSVS - IEEE 279 (1971), Paragraph 4.1 -

General Functional Requirement The lead SPPSVS fan will run continuously after the control switch is placed in the run position.

The standby fan will automatically start if required. Temperature is controlled automatically by a temperature controller.

7.3.2.15.3.2.3.1.2 SPPSVS - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion The SPPSVS consists of redundant fan cabinets with electric heaters and independent sets of controls and power which meet the single failure criterion.

7.3.2.15.3.2.3.1.3 SPPSVS - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules CHAPTER 07 7.3-209 REV. 19, SEPTEMBER 2018

LGS UFSAR All safety-related components are selected on the basis of suitability for the specific application. A quality control and assurance program is required to be implemented and documented by equipment vendors, which complies with the requirements set forth in 10CFR50, Appendix B.

7.3.2.15.3.2.3.1.4 SPPSVS - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification Refer to Section 3.11 for discussion of equipment qualification.

7.3.2.15.3.2.3.1.5 SPPSVS - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity The SPPSVS meets the channel integrity criterion by utilizing the design features described in the other paragraphs of this section.

7.3.2.15.3.2.3.1.6 SPPSVS - IEEE 279 (1971), Paragraph 4.6 - Channel Independence The control and power circuits for each SPPSVS component are physically and electrically separated.

7.3.2.15.3.2.3.1.7 SPPSVS - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction The SPPSVS has no interaction with other plant control systems. Annunciator circuits using contacts at sensor and logic relays cannot impair the operability of the SPPSVS control because of electrical isolation.

7.3.2.15.3.2.3.1.8 SPPSVS - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs Initiation of the SPPSVS is derived from placing the hand switch in the run position for the lead fan.

The standby fan will automatically start if required. Temperature is controlled automatically by a temperature controller.

7.3.2.15.3.2.3.1.9 SPPSVS - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks The SPPSVS can be tested for operational availability per Section 7.3.1.1.15.3.10.

7.3.2.15.3.2.3.1.10 SPPSVS - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration The SPPSVS is capable of being tested during normal plant operation to verify that the system is capable of performing its intended function.

7.3.2.15.3.2.3.1.11 SPPSVS - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal from Operation A channel bypass or removal of a component of an initiation circuit channel will not prevent the SPPSVS itself from complying with the single failure criterion.

7.3.2.15.3.2.3.1.12 SPPSVS - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses SPPSVS bypasses are discussed in Section 7.3.1.1.15.3.6.

7.3.2.15.3.2.3.1.13 SPPSVS - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses CHAPTER 07 7.3-210 REV. 19, SEPTEMBER 2018

LGS UFSAR The bypasses described in Section 7.3.1.1.15.3.6 are automatically indicated in the control room.

In addition, each of these bypasses will initiate a system out-of-service annunciator.

7.3.2.15.3.2.3.1.14 SPPSVS - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing Manual bypass of initiating circuits will be procedurally controlled by administrative means.

7.3.2.15.3.2.3.1.15 SPPSVS - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints The SPPSVS high and low temperature switches have been designed to allow adjustment of trip setpoints to more stringent settings if required.

7.3.2.15.3.2.3.1.16 SPPSVS - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once It Is Initiated Once the SPPSVS is initiated, it will continue to operate until the area temperature reaches the initiating setpoint.

7.3.2.15.3.2.3.1.17 SPPSVS - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation A single failure in the control system of a division of the SPPSVS cannot disable the operation of the other SPPSVS divisions.

7.3.2.15.3.2.3.1.18 SPPSVS - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration and Test Points Access to the temperature switch setpoints is restricted by administrative control.

7.3.2.15.3.2.3.1.19 SPPSVS - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions System operation is indirectly indicated and identified by high temperature and fan system trouble annunciators.

7.3.2.15.3.2.3.1.20 SPPSVS - IEEE 279 (1971), Paragraph 4.20 - Information Readout The information readout for the SPPSVS is described in Section 7.3.1.1.15.3.12.2.

7.3.2.15.3.2.3.1.21 SPPSVS - IEEE 279 (1971), Paragraph 4.21 - System Repair The recognition and location of failed components will be accomplished during periodic testing.

7.3.2.15.3.2.3.1.22 SPPSVS - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems Each logic cabinet and control panel is distinctively identified with a nameplate which identifies the safety system. Cables and cable trays are identified by a color code and tags which identify them as being of a separate channel.

7.3.2.15.3.2.3.2 SPPSVS - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations Refer to Section 8.3.3.2.1.12.

CHAPTER 07 7.3-211 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.3.2.3.3 SPPSVS - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electric Equipment for Nuclear Power Generating Stations Refer to Section 7.1.2.7.4.

7.3.2.15.3.2.3.4 SPPSVS - IEEE 336 (1971) - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations The requirements of this standard have been met by the quality assurance program for construction of safety-related items.

7.3.2.15.3.2.3.5 SPPSVS - IEEE 338 (1975) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems Refer to Section 7.1.2.7.6.

7.3.2.15.3.2.3.6 SPPSVS - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations Refer to Section 7.1.2.7.7.

7.3.2.15.3.2.3.7 SPPSVS - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems The single failure criterion of IEEE 379 (1972) is met as described in Section 7.3.2.15.3.2.3.1.2.

7.3.2.15.3.2.3.8 SPPSVS - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits Refer to Section 7.1.2.7.11.

7.3.2.15.4 Emergency Switchgear and Battery Rooms Cooling System - Instrumentation and Controls 7.3.2.15.4.1 ESBRCS General Functional Requirements Conformance The ESBRCS is designed with sufficient capacity and redundancy so that a single active or passive electrical or control component failure will not prevent the system from performing its safety-related functions. The ESBRCS operates continuously during normal and emergency plant operation. For the safety design basis refer to Section 7.1.2.1.33.4.1 and for additional details refer to Section 9.4.1.

7.3.2.15.4.2 ESBRCS Specific Regulatory Requirements Conformance 7.3.2.15.4.2.1 ESBRCS Conformance to Regulatory Guides 7.3.2.15.4.2.1.1 ESBRCS - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)

CHAPTER 07 7.3-212 REV. 19, SEPTEMBER 2018

LGS UFSAR The ESBRCS can be manually initiated and is capable of being tested during normal plant operation. Hand switches located on the local panel allow periodic testing of the unit coolers in accordance with the requirements of Chapter 16.

7.3.2.15.4.2.1.2 ESBRCS - Regulatory Guide 1.29 (1978) - Seismic Design Classification The ESBRCS complies with this regulatory guide as discussed in Section 3.2.

7.3.2.15.4.2.1.3 ESBRCS - Regulatory Guide 1.30 (1972) - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment (Safety Guide 30)

Refer to Section 8.1.6.1.5 and Chapter 17.

7.3.2.15.4.2.1.3A ESBRCS - Regulatory Guide 1.32 (1977) - Criteria for Safety Related Electric Power Systems for Nuclear Power Plants Refer to Section 8.3.2.2.1.8.

7.3.2.15.4.2.1.4 ESBRCS - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems The ESBRCS meets the intent of this regulatory guide by using a fan system trouble alarm in the control room.

7.3.2.15.4.2.1.5 ESBRCS - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Protection Systems Compliance with Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the ESBRCS to meet the single failure criterion, section 4.2 of IEEE 279 (1971) and IEEE 379 (1972).

Redundant sensors and wiring are separated. The logic components and wiring are separated to ensure that a failure in a sensing element or the decision logic or an actuator will not affect its redundant counterpart and prevent protective action. Separate channels are employed so that a fault affecting one channel will not prevent the redundant channel from operating properly.

7.3.2.15.4.2.1.6 ESBRCS - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions Controls are provided locally to manually initiate the ESBRCS.

7.3.2.15.4.2.1.7 ESBRCS - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems Refer to Section 8.1.6.1.14 for compliance with this regulatory guide.

7.3.2.15.4.2.1.8 ESBRCS - Regulatory Guide 1.89 (1974) - Qualification of Class 1E Equipment for Nuclear Power Plants The qualification of Class 1E equipment for the ESBRCS is discussed in Section 7.1.2.5.21.

7.3.2.15.4.2.1.9 ESBRCS - Regulatory Guide 1.100 (1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants Conformance with this regulatory guide is covered by Section 3.10.

CHAPTER 07 7.3-213 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.4.2.1.10 ESBRCS - Regulatory Guide 1.105 (1976) - Instrument Setpoints Instrument setpoints are selected to allow for the inaccuracy of the instrument, uncertainties in the calibration, and instrumentation drift likely to occur between calibrations to assure initiation of the ESBRCS to maintain the associated room temperatures within the specified units.

7.3.2.15.4.2.1.11 ESBRCS - Regulatory Guide 1.118 (1978) - Periodic Testing of Electric Power and Protection System Refer to Section 7.1.2.5.26.

7.3.2.15.4.2.2 ESBRCS Conformance to 10CFR50, Appendix A, General Design Criteria 7.3.2.15.4.2.2.1 ESBRCS - GDC 1 - Quality Standards and Records The ESBRCS is included in an established quality assurance program discussed in Section 3.1 and Chapter 17.

7.3.2.15.4.2.2.2 ESBRCS - GDC 2 - Design Bases for Protection Against Natural Phenomena Refer to Section 3.1.

7.3.2.15.4.2.2.3 ESBRCS - GDC 3 - Fire Protection Refer to Section 3.1.

7.3.2.15.4.2.2.4 ESBRCS - GDC 4 - Environmental and Dynamic Effects Design Bases Refer to Section 3.1.

7.3.2.15.4.2.2.5 ESBRCS - GDC 5 - Sharing of Structures, Systems, and Components The ESBRCS is common to Units 1 and 2. There are two independent divisions, each capable of maintaining a suitable environment for all safety-related equipment located in the corresponding areas used for the safe shutdown of either unit. Since the ESBRCS and control structure are designed to remain functional during and after the most severe natural phenomena, sharing this system will not impair its ability to perform its safety function.

7.3.2.15.4.2.2.6 ESBRCS - GDC 13 - Instrumentation and Control Instrumentation for the ESBRCS is selected to monitor variables over anticipated ranges during normal and emergency operating conditions.

7.3.2.15.4.2.2.7 ESBRCS - GDC 19 - Control Room Refer to Section 3.1 7.3.2.15.4.2.3 ESBRCS Conformance to Industry Codes and Standards 7.3.2.15.4.2.3.1 ESBRCS - IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Stations CHAPTER 07 7.3-214 REV. 19, SEPTEMBER 2018

LGS UFSAR Compliance of the ESBRCS with IEEE 279 (1971) is detailed below:

7.3.2.15.4.2.3.1.1 ESBRCS - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement Deliberate operator action after an accident is not required to initiate ESBRCS operation because it operates continuously during normal plant operation.

7.3.2.15.4.2.3.1.2 ESBRCS - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion The ESBRCS consists of redundant unit coolers and independent sets of controls and power which meet the single failure criterion.

7.3.2.15.4.2.3.1.3 ESBRCS - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules All safety-related components are selected on the basis of suitability for the specific application. A quality control and assurance program is required to be implemented and documented by equipment vendors, which complies with the requirements set forth in 10CFR50, Appendix B.

7.3.2.15.4.2.3.1.4 ESBRCS - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification Refer to Section 3.11 for discussion of equipment qualification.

7.3.2.15.4.2.3.1.5 ESBRCS - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity The ESBRCS meets the channel integrity criterion by utilizing the design features described in the other paragraphs of this section.

7.3.2.15.4.2.3.1.6 ESBRCS - IEEE 279 (1971), Paragraph 4.6 - Channel Independence The control and power circuits for each ESBRCS component are physically and electrically separated.

7.3.2.15.4.2.3.1.7 ESBRCS - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction The ESBRCS has no interaction with other plant control systems. Annunciator circuits using contacts at sensor and logic relays cannot impair the operability of the ESBRCS control because of electrical isolation.

7.3.2.15.4.2.3.1.8 ESBRCS - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs The ESBRCS operates continuously.

7.3.2.15.4.2.3.1.9 ESBRCS - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks The ESBRCS can be tested for operational availability as per Section 7.3.1.1.15.4.10.

7.3.2.15.4.2.3.1.10 ESBRCS - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration The ESBRCS is capable of being tested during normal plant operation to verify that the system is capable of performing its intended function.

CHAPTER 07 7.3-215 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.4.2.3.1.11 ESBRCS - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal from Operation A channel bypass or removal of a component of an initiation circuit channel will prevent the ESBRCS itself from complying with the single failure criterion.

7.3.2.15.4.2.3.1.12 ESBRCS - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses ESBRCS bypasses are discussed in Section 7.3.1.1.15.4.6.

7.3.2.15.4.2.3.1.13 ESBRCS - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses Each of the bypasses described in Section 7.3.1.1.15.4.6 are automatically indicated in the control room. In addition, each of these bypasses will initiate a system out-of-service annunciator.

7.3.2.15.4.2.3.1.14 ESBRCS - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing Manual bypass of initiating circuits will be procedurally controlled by administrative means.

7.3.2.15.4.2.3.1.15 ESBRCS - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints The ESBRCS high temperature switches have been designed to allow adjustment of trip setpoints to more stringent settings if required.

7.3.2.15.4.2.3.1.16 ESBRCS - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once It Is Initiated Once the ESBRCS is initiated, it will continue to operate until manually terminated by the operator.

7.3.2.15.4.2.3.1.17 ESBRCS - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation A single failure in the control system of a division of the ESBRCS cannot disable the automatic or manual operation of the other ESBRCS division.

7.3.2.15.4.2.3.1.18 ESBRCS - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration, and Test Points Access to the temperature switch setpoints is restricted by administrative control.

7.3.2.15.4.2.3.1.19 ESBRCS - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions System operation is indirectly indicated and identified by high temperature, filter pressure differential, and low air flow alarms.

7.3.2.15.4.2.3.1.20 ESBRCS - IEEE 279 (1971), Paragraph 4.20 - Information Readout The information readout for the ESBRCS is described in Section 7.3.1.1.15.4.12.2.

7.3.2.15.4.2.3.1.21 ESBRCS - IEEE 279 (1971), Paragraph 4.21 - System Repair The recognition and location of failed components will be accomplished during periodic testing.

CHAPTER 07 7.3-216 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.4.2.3.1.22 ESBRCS - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems Each logic cabinet and control panel is distinctively identified with a nameplate which identifies the safety system. Cables and cable trays are identified by a color code and tags which identify them as being of a separate channel.

7.3.2.15.4.2.3.2 ESBRCS - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations Refer to Section 8.3.2.2.1.12.

7.3.2.15.4.2.3.3 ESBRCS - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electric Equipment for Nuclear Power Generating Stations Refer to Section 7.1.2.7.4.

7.3.2.15.4.2.3.4 ESBRCS - IEEE 336 (1971) - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations The requirements of this standard have been met by the quality assurance program for construction of safety-related items.

Refer to Section 7.1.2.7.5.

7.3.2.15.4.2.3.5 ESBRCS - IEEE 338 (1975) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems Refer to Section 7.1.2.7.6.

7.3.2.15.4.2.3.6 ESBRCS - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations Refer to Section 7.1.2.7.7.

7.3.2.15.4.2.3.7 ESBRCS - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems The single failure criterion of IEEE 379 (1972) is met as described in Section 7.3.2.15.4.2.3.1.2.

7.3.2.15.4.2.3.8 ESBRCS - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits Refer to Section 7.1.2.7.11.

7.3.2.15.5 Emergency Core Cooling Systems Pump Compartment Unit Coolers -

Instrumentation and Controls 7.3.2.15.5.1 ECCS-UC General Functional Requirements Conformance The ECCS-UC are designed with sufficient capacity and redundancy so that a single active or passive electrical or control component failure will not prevent the system from performing its safety-related functions. The ECCS-UC are automatically initiated by high temperature switches.

CHAPTER 07 7.3-217 REV. 19, SEPTEMBER 2018

LGS UFSAR For the safety design basis refer to Section 7.1.2.1.33.5.1 and for additional details, refer to Section 9.4.2.

7.3.2.15.5.2 ECCS-UC Specific Regulatory Requirements Conformance 7.3.2.15.5.2.1 ECCS-UC Conformance to Regulatory Guides 7.3.2.15.5.2.1.1 ECCS-UC - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)

The ECCS-UC can be manually initiated and are capable of being tested during normal plant operation. Hand switches located on local control panels allow periodic testing of the unit coolers in accordance with the requirements of Chapter 16.

7.3.2.15.5.2.1.2 ECCS-UC - Regulatory Guide 1.29 (1978) - Seismic Design Classification The ECCS-UC comply with this regulatory guide as discussed in Section 3.2.

7.3.2.15.5.2.1.3 ECCS-UC - Regulatory Guide 1.30 (1972) - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment (Safety Guide 30)

Refer to Section 8.1.6.1.5 and Chapter 17.

7.3.2.15.5.2.1.4 ECCS-UC - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems The ECCS-UC meets the intent of this regulatory guide by using a unit cooler system trouble alarm in the control room.

7.3.2.15.5.2.1.5 ECCS-UC - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems Compliance with Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the ECCS-UC to meet the single failure criterion, section 4.2 of IEEE 279 (1971) and IEEE 379 (1972).

Redundant sensors and wiring are separated. The logic components and wiring are separated to ensure that a failure in a sensing element or the decision logic will not affect its redundant counterpart and prevent protective action. Separate channels are employed so that a fault affecting one channel will not prevent the redundant channel from operating properly.

7.3.2.15.5.2.1.6 ECCS-UC - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions Controls are provided locally to manually initiate the unit coolers.

7.3.2.15.5.2.1.7 ECCS-UC - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems Refer to Section 8.1.6.1.14 for compliance with this regulatory guide.

7.3.2.15.5.2.1.8 ECCS-UC - Regulatory Guide 1.89 (1974) - Qualification of Class 1E Equipment for Nuclear Power Plants The qualification of Class 1E equipment for the ECCS-UC is discussed in Section 8.1.6.1.16.

CHAPTER 07 7.3-218 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.5.2.1.9 ECCS-UC - Regulatory Guide 1.100 (1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants Conformance with this regulatory guide is covered by Section 3.10.

7.3.2.15.5.2.1.10 ECCS-UC - Regulatory Guide 1.105 (1976) - Instrument Setpoints Instrument setpoints are selected to allow for the inaccuracy of the instrument, uncertainties in the calibration, and instrumentation drift likely to occur between calibrations to assure initiation of the ECCS-UC to maintain the temperature of the emergency pump rooms within the specified limits.

7.3.2.15.5.2.1.11 ECCS-UC - Regulatory Guide 1.118 (1978) - Periodic Testing of Electric Power and Protection Systems Refer to Section 7.1.2.5.26.

7.3.2.15.5.2.2 ECCS-UC Conformance to 10CFR50, Appendix A, General Design Criteria 7.3.2.15.5.2.2.1 ECCS-UC - GDC 1 - Quality Standards and Records The ECCS-UC are included in an established quality assurance program discussed in Section 3.1 and Chapter 17.

7.3.2.15.5.2.2.2 ECCS-UC - GDC 2 - Design Bases for Protection Against Natural Phenomena Refer to Section 3.1.

7.3.2.15.5.2.2.3 ECCS-UC - GDC 3 - Fire Protection Refer to Section 3.1.

7.3.2.15.5.2.2.4 ECCS-UC - GDC 4 - Environmental and Dynamic Effects Design Bases Refer to Section 3.1.

7.3.2.15.5.2.2.5 ECCS-UC - GDC 13 - Instrumentation and Control Instrumentation for the ECCS-UC is selected to monitor variables over anticipated ranges during normal and emergency operating conditions.

7.3.2.15.5.2.3 ECCS-UC Conformance to Industry Codes and Standards 7.3.2.15.5.2.3.1 ECCS-UC - IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Stations Compliance of the ECCS-UC with IEEE 279 (1971) is detailed as follows:

7.3.2.15.5.2.3.1.1 ECCS-UC - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement The ECCS-UC are automatically initiated by high temperature switches.

7.3.2.15.5.2.3.1.2 ECCS-UC - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion CHAPTER 07 7.3-219 REV. 19, SEPTEMBER 2018

LGS UFSAR The ECCS-UC include 100% capacity redundant unit coolers and independent sets of controls and power which meet the single failure criterion.

7.3.2.15.5.2.3.1.3 ECCS-UC - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules All safety-related components are selected on the basis of suitability for the specific application. A quality control and assurance program is required to be implemented and documented by equipment vendors, which complies with the requirements set forth in 10CFR50, Appendix B.

7.3.2.15.5.2.3.1.4 ECCS-UC - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification Refer to Section 3.11 for discussion of equipment qualification.

7.3.2.15.5.2.3.1.5 ECCS-UC - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity The ECCS-UC meets the channel integrity criterion by utilizing the design features described in the other paragraphs of this section.

7.3.2.15.5.2.3.1.6 ECCS-UC - IEEE 279 (1971), Paragraph 4.6 - Channel Independence The control and power circuits for each unit cooler are physically and electrically separated.

7.3.2.15.5.2.3.1.7 ECCS-UC - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction The ECCS-UC has no interaction with other plant control systems. Annunciator circuits using contacts at sensor and logic relays cannot impair the operability of the ECCS-UC control because of electrical isolation.

7.3.2.15.5.2.3.1.8 ECCS-UC - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs Initiation of the ECCS-UC is derived from high temperature signals from the corresponding emergency pump rooms.

7.3.2.15.5.2.3.1.9 ECCS-UC - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks The ECCS-UC can be tested for operational availability per Section 7.3.1.1.15.5.10.

7.3.2.15.5.2.3.1.10 ECCS-UC - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration The ECCS-UC is capable of being tested during normal plant operation to verify that the system is capable of performing its intended function.

7.3.2.15.5.2.3.1.11 ECCS-UC - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal from Operation A channel bypass or removal of a component of an initiation circuit channel will prevent the other ECCS-UC from complying with the single failure criterion.

CHAPTER 07 7.3-220 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.5.2.3.1.12 ECCS-UC - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses ECCS-UC bypasses are discussed in Section 7.3.1.1.15.5.6.

7.3.2.15.5.2.3.1.13 ECCS-UC - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses Each of the bypasses described in Section 7.3.1.1.15.5.6 are automatically indicated in the control room. In addition, each of these bypasses will initiate a system out-of-service annunciator.

7.3.2.15.5.2.3.1.14 ECCS-UC - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing Manual bypass of initiating circuits will be procedurally controlled by administrative means.

7.3.2.15.5.2.3.1.15 ECCS-UC - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints The ECCS-UC temperature switches have been designed to allow adjustment of trip setpoints to more stringent settings, if required.

7.3.2.15.5.2.3.1.16 ECCS-UC - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once It Is Initiated Once the ECCS-UC are initiated they will continue to operate until they are shut down by a low temperature switch.

7.3.2.15.5.2.3.1.17 ECCS-UC - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation A single failure in the control system of a division of the ECCS-UC cannot disable the automatic or manual operation of the other ECCS-UC division.

7.3.2.15.5.2.3.1.18 ECCS-UC - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration, and Test Points Access to temperature switch setpoints is restricted by administrative control.

7.3.2.15.5.2.3.1.19 ECCS-UC - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions System operation is indirectly indicated and identified by unit cooler trouble alarms.

7.3.2.15.5.2.3.1.20 ECCS-UC - IEEE 279 (1971), Paragraph 4.20 - Information Readout The information readout for the ECCS-UC is described in Section 7.3.1.1.15.5.12.2.

7.3.2.15.5.2.3.1.21 ECCS-UC - IEEE 279 (1971), Paragraph 4.21 - System Repair The recognition and location of failed components will be accomplished during periodic testing.

7.3.2.15.5.2.3.1.22 ECCS-UC - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems CHAPTER 07 7.3-221 REV. 19, SEPTEMBER 2018

LGS UFSAR Each logic cabinet and control panel is distinctively identified with a nameplate which identifies the safety system. Cables and cable trays are identified by a color code and tags which identify them as being of a separate channel.

7.3.2.15.5.2.3.2 ECCS-UC - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations Refer to Section 8.3.2.2.1.12.

7.3.2.15.5.2.3.3 ECCS-UC - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electric Equipment for Nuclear Power Generating Stations Refer to Section 7.1.2.7.4.

7.3.2.15.5.2.3.4 ECCS-UC - IEEE 336 (1971) - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations The requirements of this standard have been met by the quality assurance program for construction of safety-related items.

7.3.2.15.5.2.3.5 ECCS-UC - IEEE 338 (1975) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems Refer to Section 7.1.2.7.6.

7.3.2.15.5.2.3.6 ECCS-UC - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations Refer to Section 7.1.2.7.7.

7.3.2.15.5.2.3.7 ECCS-UC - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems The single failure criterion of IEEE 379 (1972) is met as described in Section 7.3.2.15.5.2.3.1.2.

7.3.2.15.5.2.3.8 ECCS-UC - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits Refer to Section 7.1.2.7.11.

7.3.2.15.6 Auxiliary Equipment Room Ventilation System - Instrumentation and Controls 7.3.2.15.6.1 AERVS General Functional Requirements Conformance The AERVS is designed with sufficient capacity and redundancy so that a single active or passive electrical or control component failure will not prevent the system from performing its safety-related functions. The AERVS operates continuously during normal and emergency plant operation. For the safety design basis refer to Section 7.1.2.1.33.6.1 and for additional details refer to Section 9.4.1.

7.3.2.15.6.2 AERVS Specific Regulatory Requirements Conformance 7.3.2.15.6.2.1 AERVS Conformance to Regulatory Guides CHAPTER 07 7.3-222 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.6.2.1.1 AERVS - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)

The AERVS can be manually initiated and is capable of being tested during normal plant operation.

Hand switches located on the local panel allow periodic testing of the unit coolers in accordance with the requirements of Chapter 16.

7.3.2.15.6.2.1.2 AERVS - Regulatory Guide 1.29 (1978) - Seismic Design Classification The AERVS complies with this regulatory guide as discussed in Section 3.2.

7.3.2.15.6.2.1.3 AERVS - Regulatory Guide 1.30 (1972) - Quality Assurance Requirements for Installation, Inspection, and Testing of Instrumentation and Electric Equipment for Nuclear Power Plants (Safety Guide 30)

Refer to Section 8.1.6.1.5 and Chapter 17.

7.3.2.15.6.2.1 3A AERVS - Regulatory Guide 1.32 (1977) - Criteria for Safety Related Electric Power Systems for Nuclear Power Plants Refer to Section 8.1.6.1.6.

7.3.2.15.6.2.1.4 AERVS - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indications for Nuclear Power Plant Safety Systems The AERVS meets the intent of this regulatory guide by using a system trouble alarm in the control room.

7.3.2.15.6.2.1.5 AERVS - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems Compliance with Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the AERVS to meet the single failure criterion, section 4.2 of IEEE 279 (1971), and IEEE 379 (1972).

Redundant sensors and wiring are separated. The logic components and wiring are separated to ensure that a failure in a sensing element or the decision logic or an actuator does not affect its redundant counterpart and prevent protective action. Separate channels are employed so that a fault affecting one channel does not prevent the redundant channel from operating properly.

7.3.2.15.6.2.1.6 AERVS - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions Controls are provided locally to manually initiate the AERVS.

7.3.2.15.6.2.1.7 AERVS - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems Refer to Section 8.1.6.1.14 for compliance with this regulatory guide.

7.3.2.15.6.2.1.8 AERVS - Regulatory Guide 1.89 (1974) - Qualification of Class 1E Equipment for Nuclear Power Plants The qualification of Class 1E equipment for the AERVS is discussed in Section 8.1.6.1.16.

7.3.2.15.6.2.1.9 AERVS - Regulatory Guide 1.100 (1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants Conformance with this regulatory guide is covered by Section 3.10.

7.3.2.15.6.2.1.10 AERVS - Regulatory Guide 1.105 (1976) - Instrument Setpoints CHAPTER 07 7.3-223 REV. 19, SEPTEMBER 2018

LGS UFSAR Instrument setpoints are selected to allow for the inaccuracy of the instrument, uncertainties in calibration, and instrument drift between calibrations to assure initiation of the AERVS to maintain the associated room temperatures within the specified limits.

7.3.2.15.6.2.1.11 AERVS - Regulatory Guide 1.118 (1978) - Periodic Testing of Electric Power and Protection Systems Refer to Section 7.1.2.5.26.

7.3.2.15.6.2.2 AERVS Conformance to 10CFR50, Appendix A, General Design Criteria 7.3.2.15.6.2.2.1 AERVS - GDC 1 - Quality Standards and Records The AERVS is included in an established quality assurance program discussed in Section 3.1 and Chapter 17.

7.3.2.15.6.2.2.2 AERVS - GDC 2 - Design Bases for Protection Against Natural Phenomena Refer to Section 3.1.

7.3.2.15.6.2.2.3 AERVS - GDC 3 - Fire Protection Refer to Section 3.1.

7.3.2.15.6.2.2.4 AERVS - GDC 4 - Environmental and Dynamic Effects Design Bases Refer to Section 3.1.

7.3.2.15.6.2.2.5 AERVS - GDC 5 - Sharing of Structures, Systems and Components The AERVS is common to Units 1 and 2. There are two independent divisions, each capable of maintaining a suitable environment for the safety-related equipment used for the safe shutdown of either unit. Since the AERVS and control structure are designed to remain functional during and after the most severe natural phenomena, sharing this system will not impair its ability to perform its safety function.

7.3.2.15.6.2.2.6 AERVS - GDC 13 - Instrumentation and Control Instrumentation for the AERVS is selected to monitor variables over anticipated ranges during normal and emergency operating conditions.

7.3.2.15.6.2.2.7 AERVS - GDC 19 - Control Room Refer to Section 3.1 7.3.2.15.6.2.3 AERVS Conformance to Industry Codes and Standards 7.3.2.15.6.2.3.1 AERVS - IEEE 279 (1971), Criteria for Protection Systems for Nuclear Power Generating Stations Compliance of the AERVS with IEEE 279 (1971) is detailed below.

CHAPTER 07 7.3-224 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.6.2.3.1.1 AERVS - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement Deliberate operator action after an accident is not required to initiate AERVS operation because the system operates continuously during normal plant operation.

7.3.2.15.6.2.3.1.2 AERVS - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion The AERVS consists of redundant unit coolers and independent sets of controls and power which meet the single failure criterion.

7.3.2.15.6.2.3.1.3 AERVS - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules All safety-related components are selected on the basis of suitability for the specific application. A quality control and assurance program is required to be implemented and documented by equipment vendors, which complies with the requirements set forth in 10CFR50, Appendix B.

7.3.2.15.6.2.3.1.4 AERVS - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification Refer to Section 3.11 for discussion of equipment qualification.

7.3.2.15.6.2.3.1.5 AERVS - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity The AERVS meets the channel integrity by utilizing the design features described in the other paragraphs of this section.

7.3.2.15.6.2.3.1.6 AERVS - IEEE 279 (1971), Paragraph 4.6 - Channel Independence The control and power circuits for each AERVS component are physically and electrically separated.

7.3.2.15.6.2.3.1.7 AERVS - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction The AERVS has no interaction with other plant control systems. Annunciator circuits using contacts at sensor and logic relays cannot impair the operability of the AERVS control because of electrical isolation.

7.3.2.15.6.2.3.1.8 AERVS - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs The AERVS operates continuously.

7.3.2.15.6.2.3.1.9 AERVS - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks The AERVS can be tested for operational availability as per Section 7.3.1.1.15.6.10.

7.3.2.15.6.2.3.1.10 AERVS - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration The AERVS is capable of being tested during normal plant operation to verify that the system is capable of performing its intended function.

CHAPTER 07 7.3-225 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.6.2.3.1.11 AERVS - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal from Operation A channel bypass or removal of a component of an initiation circuit channel will prevent the AERVS itself from complying with the single failure criterion.

7.3.2.15.6.2.3.1.12 AERVS - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses AERVS bypasses are discussed in Section 7.3.1.1.15.6.6.

7.3.2.15.6.2.3.1.13 AERVS - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses Each of the bypasses described in Section 7.3.1.1.15.6.6 are automatically indicated in the control room. In addition, each of these bypasses will initiate a system out-of-service annunciator.

7.3.2.15.6.2.3.1.14 AERVS - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing Manual bypass of initiating circuits will be procedurally controlled by administrative means.

7.3.2.15.6.2.3.1.15 AERVS - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints The AERVS high temperature switches have been designed to allow adjustment of trip setpoints to more stringent settings if required.

7.3.2.15.6.2.3.1.16 AERVS - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once It Is Initiated Once the AERVS is initiated it will continue to operate until manually terminated by the operator.

7.3.2.15.6.2.3.1.17 AERVS - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation A single failure in the control system of a division of the AERVS cannot disable the automatic or manual operation of the other AERVS division.

7.3.2.15.6.2.3.1.18 AERVS - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration, and Test Points Access to the temperature switch setpoints is restricted by administrative control.

7.3.2.15.6.2.3.1.19 AERVS - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions System operation is indirectly indicated and identified by high temperature, filter pressure differential, and low air flow alarms.

7.3.2.15.6.2.3.1.20 AERVS - IEEE 279 (1971), Paragraph 4.20 - Information Readout The information readout for the AERVS is described in Section 7.3.1.1.15.6.12.2.

7.3.2.15.6.2.3.1.21 AERVS - IEEE 279 (1971), Paragraph 4.21 - System Repair The recognition and location of failed components will be accomplished during periodic testing.

CHAPTER 07 7.3-226 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.15.6.2.3.1.22 AERVS - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems Each logic cabinet and control panel is distinctively identified with a nameplate which identifies the safety system. Cables and cable trays are identified by a color code and tags which identify them as being of a separate channel.

7.3.2.15.6.2.3.2 AERVS - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations Refer to Section 8.3.2.2.1.12.

7.3.2.15.6.2.3.3 AERVS - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electric Equipment for Nuclear Power Generating Stations Refer to Section 7.1.2.7.4.

7.3.2.15.6.2.3.4 AERVS - IEEE 336 (1971) - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations The requirements of this standard have been met by the quality assurance program for construction of safety-related items.

Refer to Section 7.1.2.7.5.

7.3.2.15.6.2.3.5 AERVS - IEEE 338 (1975) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems Refer to Section 7.1.2.7.6.

7.3.2.15.6.2.3.6 AERVS - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations Refer to Section 7.1.2.7.7.

7.3.2.15.6.2.3.7 AERVS - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems The single failure criterion of IEEE 379 (1972) is met as described in Section 7.3.2.15.6.2.3.1.2.

7.3.2.15.6.2.3.8 AERVS - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits Refer to Section 7.1.2.7.11.

7.3.2.15.7 Safety-Related Equipment Area Cooling Ventilation Systems Additional Design Considerations Analyses As defined in Regulatory Guide 1.70, paragraph 7.3.2, the following considerations are addressed:

a. Loss of the plant instrument air system does not prevent the safety-related equipment area cooling ventilation systems from performing their protective function.

CHAPTER 07 7.3-227 REV. 19, SEPTEMBER 2018

LGS UFSAR

b. Loss of cooling water to any single piece of vital equipment does not prevent the safety-related equipment area cooling ventilation systems from performing their protective function.

7.3.2.16 Drywell Unit Coolers - Instrumentation and Controls 7.3.2.16.1 DUC General Functional Requirements Conformance The DUC are designed with sufficient capacity and redundancy so that a single active or passive electrical or control component failure will not prevent the system from performing its safety-related function. The DUC are manually initiated and are used during normal plant operation for cooling and ventilation. During emergency conditions, they perform the safety-related function of mixing the containment atmosphere. For the safety design basis refer to Section 7.1.2.1.34.1 and for additional details refer to Section 9.4.5.

7.3.2.16.2 DUC Specific Regulatory Requirements Conformance 7.3.2.16.2.1 DUC Conformance to Regulatory Guides 7.3.2.16.2.1.1 DUC - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)

The DUC are manually initiated and are capable of being tested during normal plant operation.

Hand switches located in the control room allow periodic testing of the unit coolers in accordance with the requirements of Chapter 16.

7.3.2.16.2.1.2 DUC - Regulatory Guide 1.29 (1978) - Seismic Design Classification The DUC comply with this regulatory guide as discussed in Section 3.2.

7.3.2.16.2.1.3 DUC - Regulatory Guide 1.30 (1972) - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment (Safety Guide 30)

Refer to Section 8.1.6.1.5 and Chapter 17.

7.3.2.16.2.1.4 DUC - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems The DUC meets the intent of this regulatory guide by using a fan system trouble alarm in the control room.

7.3.2.16.2.1.5 DUC - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems Compliance with Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the DUC to meet the single failure criterion, section 4.2 of IEEE 279 (1971) and IEEE 379 (1972). The logic components and wiring are separated to ensure that a failure in a sensing element or the decision logic will not affect its redundant counterpart and prevent protective action. Separate channels are employed so that a fault affecting one channel will not prevent the redundant channel from operating properly.

CHAPTER 07 7.3-228 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.16.2.1.6 DUC - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Action Controls are provided in the main control room to manually initiate the DUC.

7.3.2.16.2.1.7 DUC - Regulatory Guide 1.63 (1978) - Electric Penetration Assemblies in Containment Structures for Light-Water-Cooled Nuclear Power Plants Refer to Section 8.1.6.1.12.

7.3.2.16.2.1.8 DUC - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems Refer to Section 8.1.6.1.14 for compliance.

7.3.2.16.2.1.9 DUC - Regulatory Guide 1.89 (1974) - Qualification of Class 1E Equipment for Nuclear Power Plants The qualification of Class 1E equipment for the DUC is discussed in Section 8.1.6.1.16.

7.3.2.16.2.1.10 DUC - Regulatory Guide 1.100 (1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants Conformance is discussed in Section 3.10.

7.3.2.16.2.1.11 DUC - Regulatory Guide 1.118 (1978) - Periodic Testing of Electric Power and Protection Systems Refer to Section 7.1.2.5.26.

7.3.2.16.2.2 DUC Conformance to 10CFR50, Appendix A, General Design Criteria 7.3.2.16.2.2.1 DUC - GDC 1 - Quality Standards and Records The DUC are included in an established quality assurance program discussed in Section 3.1 and Chapter 17.

7.3.2.16.2.2.2 DUC - GDC 2 - Design Bases for Protection Against Natural Phenomena Refer to Section 3.1.

7.3.2.16.2.2.3 DUC - GDC 3 - Fire Protection Refer to Section 3.1.

7.3.2.16.2.2.4 DUC - GDC 4 - Environmental and Dynamic Effects Design Bases Refer to Section 3.1.

7.3.2.16.2.3 DUC Conformance to Industry Codes and Standards 7.3.2.16.2.3.1 DUC - IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Stations Compliance of the DUC with IEEE 279 (1971) is detailed as follows:

CHAPTER 07 7.3-229 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.16.2.3.1.1 DUC - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement Deliberate operator action after an accident is not required to initiate DUC operation because they operate continuously during normal plant operation.

7.3.2.16.2.3.1.2 DUC - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion The DUC consist of redundant fans within each fan cabinet and independent sets of controls and power which meet the single failure criterion.

7.3.2.16.2.3.1.3 DUC - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules All safety-related components are selected on the basis of suitability for the specific application. A quality control and assurance program is required to be implemented and documented by equipment vendors which complies with the requirements set forth in 10CFR50, Appendix B.

7.3.2.16.2.3.1.4 DUC - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification Refer to Section 3.11 for discussion of equipment qualification.

7.3.2.16.2.3.1.5 DUC - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity The DUC meet the channel integrity criterion by utilizing the design features described in the other paragraphs of this section.

7.3.2.16.2.3.1.6 DUC - IEEE 279 (1971), Paragraph 4.6 - Channel Independence The control and power circuits for each DUC fan is physically and electrically separated.

7.3.2.16.2.3.1.7 DUC - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction No single active failure of the DUC can result in a condition requiring protective action.

7.3.2.16.2.3.1.8 DUC - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs The DUC fans operate continuously during emergency conditions and are not initiated by signals from a monitored variable.

7.3.2.16.2.3.1.9 DUC - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks The DUC can be tested for operational availability as per Section 7.3.1.1.16.10.

7.3.2.16.2.3.1.10 DUC - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration The DUC are capable of being tested during normal plant operation to verify that they are capable of performing their intended function.

7.3.2.16.2.3.1.11 DUC - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal from Operation CHAPTER 07 7.3-230 REV. 19, SEPTEMBER 2018

LGS UFSAR A channel bypass or removal of a component of an initiation circuit channel will prevent the DUC themselves from complying with the single failure criterion.

7.3.2.16.2.3.1.12 DUC - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses DUC bypasses are discussed in Section 7.3.1.1.16.6.

7.3.2.16.2.3.1.13 DUC - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses Each of the bypasses described in Section 7.3.1.1.16.6 is automatically indicated in the control room. In addition, each of these bypasses will initiate a system out-of-service annunciator.

7.3.2.16.2.3.1.14 DUC - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing Manual bypass of initiating circuits is procedurally controlled by administrative means.

7.3.2.16.2.3.1.15 DUC - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints The DUC are manually initiated. Flow switches to initiate redundant fan operation are designed to allow adjustment of trip setpoints to more stringent settings if required.

7.3.2.16.2.3.1.16 DUC - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once It Is Initiated Once the DUC are initiated, they will continue to operate until the operator terminates system operation by manual override.

7.3.2.16.2.3.1.17 DUC - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation A single failure in the control system of a division of the DUC cannot disable the automatic or manual operation of the other DUC division.

7.3.2.16.2.3.1.18 DUC - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration, and Test Points The DUC are manually initiated.

7.3.2.16.2.3.1.19 DUC - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions System operation is indirectly indicated and identified by fan motor status and fan system trouble annunciators.

7.3.2.16.2.3.1.20 DUC - IEEE 279 (1971), Paragraph 4.20 - Information Readout The information readout for the DUC is described in Section 7.3.1.1.16.12.2.

7.3.2.16.2.3.1.21 DUC - IEEE 279 (1971), Paragraph 4.21 - System Repair The recognition and location of failed components will be accomplished during periodic testing.

7.3.2.16.2.3.1.22 DUC - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems CHAPTER 07 7.3-231 REV. 19, SEPTEMBER 2018

LGS UFSAR Each logic cabinet and control panel is distinctively identified with a nameplate which identifies the safety system. Cables and cable trays are identified by a color code and tags which identify them as being of a separate channel.

7.3.2.16.2.3.2 DUC - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations Refer to Section 8.3.2.2.1.12.

7.3.2.16.2.3.3 DUC - IEEE 317 (1972) - Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations Refer to Section 8.1.6.1.12.

7.3.2.16.2.3.4 DUC - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electric Equipment for Nuclear Power Generating Stations Refer to Section 3.11.

7.3.2.16.2.3.5 DUC - IEEE 336 (1971) - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations The requirements of this standard have been met by the quality assurance program for construction of safety-related items.

7.3.2.16.2.3.6 DUC - IEEE 338 (1975) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems Refer to Section 7.1.2.7.6.

7.3.2.16.2.3.7 DUC - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations Refer to Section 7.1.2.7.7.

7.3.2.16.2.3.8 DUC - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems The single failure criterion of IEEE 379 (1972) is met as described in Section 7.3.2.16.2.3.1.2.

7.3.2.16.2.3.9 DUC - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits Refer to Section 7.1.2.7.11.

7.3.2.16.3 DUC Additional Design Considerations Analyses As defined in Regulatory Guide 1.70, paragraph 7.3.2, the following considerations are addressed:

a. Loss of the plant instrument air system does not prevent the DUC from performing their protective function.

CHAPTER 07 7.3-232 REV. 19, SEPTEMBER 2018

LGS UFSAR

b. Loss of cooling water to any single piece of vital equipment does not prevent the DUC from performing their protective function.

7.3.2.17 Refueling Area Isolation System - Instrumentation and Controls 7.3.2.17.1 RAIS General Functional Requirements Conformance The RAIS is designed with sufficient capacity and redundancy so that a single active failure does not prevent the system from performing its safety-related functions. The RAIS is automatically initiated by detection of high radiation in the refueling area exhaust ducts or low pressure differential between the refueling area and the atmosphere. For the safety design basis refer to Section 7.1.2.1.42.1. Section 11.5 gives information on radiation detectors.

7.3.2.17.2 RAIS Specific Regulatory Requirements Conformance 7.3.2.17.2.1 RAIS Conformance to Regulatory Guides 7.3.2.17.2.1.1 RAIS - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Function (Safety Guide 22)

The RAIS can be manually initiated and is capable of being tested during normal plant operation.

Hand switches located in the control room allow periodic testing of the isolation valves in accordance with the requirements of Chapter 16.

7.3.2.17.2.1.2 RAIS - Regulatory Guide 1.29 (1978) - Seismic Design Classification The RAIS complies with this regulatory guide as discussed in Section 3.2.

7.3.2.17.2.1.3 RAIS - Regulatory Guide 1.30 (1972) - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electrical Equipment (Safety Guide 30)

See Section 8.1.6.1.5 and Chapter 17.

7.3.2.17.2.1.4 RAIS - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems The RAIS isolation system armed, initiation, and isolation incomplete alarms meet the intent of this regulatory guide.

7.3.2.17.2.1.5 RAIS - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems Compliance with Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the RAIS to meet the single failure criterion, section 4.2 of IEEE 279 (1971) and IEEE 379 (1972).

Redundant sensors and wiring are separated. The logic components and wiring are separated to ensure that a failure in a sensing element, the decision logic, or an actuator does not affect its redundant counterpart and prevent protective action. Separate channels are employed so that a fault affecting one channel does not prevent the redundant channel from operating properly.

7.3.2.17.2.1.6 RAIS - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions Controls are provided in the main control room to manually initiate the RAIS.

CHAPTER 07 7.3-233 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.17.2.1.7 RAIS - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems See Section 8.1.6.1.14 for compliance with this regulatory guide.

7.3.2.17.2.1.8 RAIS - Regulatory Guide 1.89 (1974) - Qualification of Class 1E Equipment for Nuclear Power Plants The qualification of Class 1E equipment for the RAIS is discussed in Section 8.1.6.1.16.

7.3.2.17.2.1.9 RAIS - Regulatory Guide 1.100 (1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants Conformance with this regulatory guide is covered by Section 3.10.

7.3.2.17.2.1.10 RAIS - Regulatory Guide 1.105 (1976) - Instrument Setpoints To ensure initiation of the RAIS in conjunction with the SGTS to prevent the uncontrolled release of airborne contaminants to the atmosphere, instrument setpoints are selected to allow for the inaccuracy of the instrument, uncertainties in the calibration, and instrumentation drift likely to occur between calibrations.

Refer to Chapter 16 for safety setpoints.

7.3.2.17.2.1.11 RAIS - Regulatory Guide 1.118 (1978) - Periodic Testing of Electric Power and Protection Systems See Section 7.1.2.5.26.

7.3.2.17.2.2 RAIS Conformance to 10CFR50, Appendix A, General Design Criteria 7.3.2.17.2.2.1 RAIS - GDC 1 - Quality Standards and Records The RAIS is included in an established quality assurance program discussed in Section 3.1 and Chapter 17.

7.3.2.17.2.2.2 RAIS - GDC 2 - Design Bases for Protection Against Natural Phenomena See Section 3.1.

7.3.2.17.2.2.3 RAIS - GDC 3 - Fire Protection See Section 3.1.

7.3.2.17.2.2.4 RAIS - GDC 4 - Environmental and Dynamic Effects Design Bases See Section 3.1.

7.3.2.17.2.2.5 RAIS - GDC 13 - Instrumentation and Control Instrumentation for the RAIS is selected to monitor variables over anticipated ranges during normal and emergency operating conditions.

CHAPTER 07 7.3-234 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.17.2.2.6 RAIS - GDC 20 - Protection System Functions See Section 7.3.2.17.1.

7.3.2.17.2.2.7 RAIS - GDC 21 - Protection System Reliability and Testability The RAIS is designed with redundancy and separation so that a single failure does not result in the loss of the protective function. The system is capable of being tested during normal plant operation.

7.3.2.17.2.2.8 RAIS - GDC 22 - Protection System Independence The components of the RAIS are designed so that the thermal environment resulting from any potential accident conditions in which the components are required to function does not interfere with that function. The controls for the two RAIS divisions are electrically and physically separated so that a single failure does not result in the loss of both divisions. Power for the components of each division is provided from separate Class 1E power sources.

7.3.2.17.2.2.9 RAIS - GDC 23 - Protection System Failure Modes Each RAIS division is designed to fail in a safe state, permitting its redundant division to provide isolation.

7.3.2.17.2.2.10 RAIS - GDC 24 - Separation of Protection and Control Systems The control system for the RAIS does not interact with the plant control systems.

7.3.2.17.2.2.11 RAIS - GDC 29 - Protection Against Anticipated Operational Occurrences The high functional reliability of the RAIS is achieved through system redundancy, physical and electrical independence, fail-safe design, inservice testability, and equipment suitable for normal and accident environments.

7.3.2.17.2.2.12 RAIS - GDC 60 - Control of Releases of Radioactive Materials to the Environment The RAIS isolates the refueling area from the environment to prevent uncontrolled exfiltration of air to the environment.

7.3.2.17.2.3 RAIS Conformance to Industry Codes and Standards 7.3.2.17.2.3.1 RAIS - IEEE 279 (1971) - Criteria for Protection for Nuclear Power Generating Stations Compliance of the RAIS with IEEE 279 (1971) is detailed below.

7.3.2.17.2.3.1.1 RAIS - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement The RAIS is an automatically initiated system as discussed in Section 7.3.2.17.1.

7.3.2.17.2.3.1.2 RAIS - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion The RAIS consists of redundant sets of isolation valves and independent sets of controls and power that meet the single failure criterion.

CHAPTER 07 7.3-235 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.17.2.3.1.3 RAIS - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules All safety-related components are selected on the basis of suitability for the specific application. A quality control and assurance program is required to be implemented and documented by equipment vendors, which complies with the requirements set forth in 10CFR50, Appendix B.

7.3.2.17.2.3.1.4 RAIS - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification See Section 3.11 for a discussion of equipment qualification.

7.3.2.17.2.3.1.5 RAIS - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity The RAIS meets the channel integrity objective by using the design features described in the other paragraphs of this section.

7.3.2.17.2.3.1.6 RAIS - IEEE 279 (1971), Paragraph 4.6 - Channel Independence The control and power circuits for each RAIS component are physically and electrically separated.

7.3.2.17.2.3.1.7 RAIS - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction The RAIS has no interaction with other plant control systems. Annunciator circuits using contact at sensor and logic relays cannot impair the operability of the RAIS control because of electrical isolation.

7.3.2.17.2.3.1.8 RAIS - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs Initiation of the RAIS is derived from conditions discussed in Section 7.3.2.17.1.1.

7.3.2.17.2.3.1.9 RAIS - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks The RAIS can be tested for operational availability as described in Section 7.3.1.1.17.10.

7.3.2.17.2.3.1.10 RAIS - IEEE 279 (1971), Paragraph 4.10 - Capability of Testing and Calibration The RAIS is capable of being tested during normal plant operation to verify that the system is capable of performing its intended function.

7.3.2.17.2.3.1.11 RAIS - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal from Operation A channel bypass or removal of a component of an initiation circuit channel does not prevent the RAIS itself from complying with the single failure criterion.

7.3.2.17.2.3.1.12 RAIS - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses RAIS bypasses are discussed in Section 7.3.1.1.17.6.

7.3.2.17.2.3.1.13 RAIS - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses CHAPTER 07 7.3-236 REV. 19, SEPTEMBER 2018

LGS UFSAR Each of the bypasses described in Section 7.3.1.1.17.6 is automatically indicated in the control room. In addition, each of these bypasses initiates a system out-of-service annunciator.

7.3.2.17.2.3.1.14 RAIS - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing Manual bypass of initiating circuits is procedurally controlled by administrative means.

7.3.2.17.2.3.1.15 RAIS - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints The RAIS radiation detectors are designed to allow adjustment of trip setpoints to more stringent settings if required.

7.3.2.17.2.3.1.16 RAIS - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once It Is Initiated Once the RAIS is initiated, it continues to operate until the operator terminates system operation by manual override.

7.3.2.17.2.3.1.17 RAIS - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation A single failure in the control system of a division of the RAIS cannot disable the automatic or manual operation of the other RAIS division.

7.3.2.17.2.3.1.18 RAIS - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration, and Test Points See Section 11.5 for access to radiation monitoring setpoints.

7.3.2.17.2.3.1.19 RAIS - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions System operation is indirectly indicated and identified by high radiation alarms.

7.3.2.17.2.3.1.20 RAIS - IEEE 279 (1971), Paragraph 4.20 - Information Readout The information readout for the RAIS system is described in Section 7.3.1.1.17.12.2.

7.3.2.17.2.3.1.21 RAIS - IEEE 279 (1971), Paragraph 4.21 - System Repair The recognition and location of failed components is accomplished during periodic testing.

7.3.2.17.2.3.1.22 RAIS - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems Each logic cabinet and control panel is distinctively identified with a nameplate that identifies the safety system. Cables and cable trays are identified by a color code and tags that identify them as being of a separate channel.

7.3.2.17.2.3.2 RAIS - IEEE 308 (1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations See Section 8.3.2.2.1.12.

CHAPTER 07 7.3-237 REV. 19, SEPTEMBER 2018

LGS UFSAR 7.3.2.17.2.3.3 RAIS - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1E Electric Equipment for Nuclear Power Generating Stations See Section 7.1.2.7.4.

7.3.2.17.2.3.4 RAIS - IEEE 336 (1971) - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations The requirements of this standard have been met by the quality assurance program for construction of safety-related items.

7.3.2.17.2.3.5 RAIS - IEEE 338 (1975) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems See Section 7.1.2.7.6.

7.3.2.17.2.3.6 RAIS - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations See Section 3.10.

7.3.2.17.2.3.7 RAIS - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems The single failure criterion of IEEE 379 (1972) is met as described in Section 7.3.2.17.2.3.1.2.

7.3.2.17.2.3.8 RAIS - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits See Section 7.1.2.7.11.

CHAPTER 07 7.3-238 REV. 19, SEPTEMBER 2018

LGS UFSAR Table 7.3-1 HIGH PRESSURE COOLANT INJECTION SYSTEM INSTRUMENT SPECIFICATIONS(2)

HPCI FUNCTION INSTRUMENT RANGE Reactor vessel Level sensor -150/0/+60 inches(1) high water level turbine trip Turbine exhaust Pressure sensor 0-200 psi high pressure HPCI system pump Pressure sensor 0-100 psi high/low suction 0-25 psi pressure Reactor vessel low Level sensor -150/0/+60 inches(1) water level Primary containment Pressure sensor 0-10 psig (drywell) high pressure Pump minimum flow Flow sensor 0-700 gpm HPCI system steam Pressure sensor 0-200 psig supply low pressure Pump discharge Pressure sensor 0-1500 psi pressure CST low level Level sensor -12/0/+45 inches Suppression pool Level sensor 23 feet - 25 feet high water level Turbine overspeed Centrifugal (3) device (1)

Instrument zero equal to 527.5 inches above vessel zero.

(2)

For instrument accuracy and setpoints, see the Technical Specifications.

(3)

Instrument range does not apply to this device.

CHAPTER 07 7.3-239 REV. 15, SEPTEMBER 2010

LGS UFSAR Table 7.3-2 AUTOMATIC DEPRESSURIZATION SYSTEM INSTRUMENT SPECIFICATIONS INSTRUMENT ADS FUNCTION INSTRUMENT RANGE ACCURACY Reactor vessel low Level sensor -150/0/+60 +/-6 inches water level inches(1)

Level 1 Reactor vessel low Level sensor 0-60 inches +/-1.5 inches water level Level 3 Primary containment Pressure sensor 0-10 psig +/-0.05 psi high pressure LPCI permissive Pressure sensor 0-500 psi +/-2.5 psi Core Spray Pressure sensor 0-500 psi +/-2.5 psi permissive Automatic Timer 0-180 sec +/-18 sec.

depressurization time delay (1)

Instrument zero equal to 527.5 inches above vessel zero.

CHAPTER 07 7.3-240 REV. 13, SEPTEMBER 2006

LGS UFSAR Table 7.3-3 CORE SPRAY SYSTEM INSTRUMENT SPECIFICATIONS(2)

CORE SPRAY FUNCTION INSTRUMENT RANGE Reactor vessel Level sensor -150/0/+60 low water inches (1)

Primary containment Pressure sensor 0-10 psig high pressure Reactor vessel Pressure sensor 0-1200 psi low pressure Core spray sparger Differential -10/0/+10 psid high differential pressure sensor pressure Pump discharge Flow sensor 0-8,800 gpm flow Pump suction Pressure sensor -30" Hg to 60 Pressure psig Pump discharge Pressure sensor 0-500 psig pressure (1)

Instrument zero equal to 527.5 inches above vessel zero.

(2)

For allowable value of applicable core spray function see technical specifications.

CHAPTER 07 7.3-241 REV. 13, SEPTEMBER 2006

LGS UFSAR Table 7.3-4 LOW PRESSURE COOLANT INJECTION INSTRUMENT SPECIFICATIONS(2)

LPCI FUNCTION INSTRUMENT RANGE Reactor vessel Level sensor -150/0/+60 low water level inches(1)

(LPCI initiation)

Drywell high Pressure sensor 0-10 psig pressure (LPCI initiation)

LPCI pump delay Timer 1.5-15 sec (on loss of normal auxiliary power)

Injection valve Differential -200/0/+800 psid Differential pressure switch pressure Pump minimum Flow sensor 0-2500 gpm flow bypass Pump discharge Pressure sensor 0-500 psig pressure (signal to ADS)

RHR injection line Differential -10/0/10 psi high differential pressure sensor pressure (1)

Instrument zero equal to 527.5 inches above vessel zero.

(2)

For instrument accuracy and setpoints, see the Technical Specifications.

CHAPTER 07 7.3-242 REV. 13, SEPTEMBER 2006

LGS UFSAR Table 7.3-5 PRIMARY CONTAINMENT AND REACTOR VESSEL ISOLATION CONTROL SYSTEM INSTRUMENT SPECIFICATIONS ISOLATION FUNCTION SENSOR RANGE Reactor vessel Level sensor 0-60 inches(1) low water level (isolation of primary system valves except main steam line valves)

Level 3 Reactor vessel Level sensor -150/0/+60 low water level inches(1)

Level 2 Reactor vessel Level sensor -150/0/+60 low water level inches(1)

(isolates main steam line valves)

Level 1 Reactor vessel Level sensor -150/0/+60 low water level inches(1)

Level 1 Main steam line Differential 0-150 psid high flow pressure sensor Main turbine inlet Pressure sensor 0-1200 psi low pressure Drywell high Pressure sensor 0-10 psig pressure RCIC turbine steam Differential 0F-150F(3) line space high temperature & 50F-350F temperature ambient temperature sensors RCIC turbine steam Differential -500/0/+500 line high flow pressure sensor inches CHAPTER 07 7.3-243 REV. 13, SEPTEMBER 2006

LGS UFSAR Table 7.3-5 (Cont'd)

ISOLATION FUNCTION SENSOR RANGE RCIC turbine steam Pressure sensor 0-200 psi line low pressure HPCI turbine steam Differential 0F-150F(3) line space high temperature & 50F-350F temperature ambient temperature sensors HPCI turbine steam Differential -1000/0/+1000 inches line high flow pressure sensor HPCI turbine line Pressure sensor 0-200 psi low pressure Reactor enclosure Radiation 0.01-100 mr/hr Ventilation monitor exhaust high radiation Refueling floor Radiation 0.01-100 mr/hr Ventilation monitor exhaust high radiation RWCU space high Differential 0F-150F(3)

Temperature temperature & 50F-350F ambient temperature sensors Main steam line Ambient 50F-350F area high temperature temperature sensor RWCU high Differential 0-100 gpm(3)

Differential flow flow (1)

Instrument zero equal to 527.5 inches above vessel zero.

(2)

For instrument accuracy and setpoints, see the Technical Specifications.

(3)

The range shown is for the instrument channel trip switch which processes multiple sensor inputs to monitor the differential value between the inputs.

CHAPTER 07 7.3-244 REV. 13, SEPTEMBER 2006

LGS UFSAR Table 7.3-6 SENSORS OR CIRCUITS IN NONSEISMICALLY QUALIFIED STRUCTURES SENSOR OR CIRCUIT STRUCTURE ZS01-104A->D Turbine stop valve Turbine Enclosure PS01-102A->D Turbine control valve Turbine Enclosure fast closure PT01-1NO52A->D Turbine stop valve bypass Turbine Enclosure PT01-1NO76A->D MSIV pressure trip input Turbine Enclosure PT01-1NO75A->D Condenser Vacuum Turbine Enclosure TE41-1NO10A->D Leak Detection Turbine Enclosure TE41-1NO011A->D Leak Detection Turbine Enclosure TE41-1NO012A->D Leak Detection Turbine Enclosure TE41-1NO14 Leak Detection Turbine Enclosure TE41-1NO16 Leak Detection Turbine Enclosure TE41-1NO17 Leak Detection Turbine Enclosure TE25-115A->D Leak Detection Turbine Enclosure TE25-116A->D Leak Detection Turbine Enclosure TE25-117A->D Leak Detection Turbine Enclosure TE25-118A->D Leak Detection Turbine Enclosure TE25-119A->D Leak Detection Turbine Enclosure CHAPTER 07 7.3-245 REV. 13, SEPTEMBER 2006

LGS UFSAR Table 7.3-7 INSTRUMENT CHANNELS REQUIRED FOR PRIMARY CONTAINMENT AND REACTOR VESSEL ISOLATION CONTROL SYSTEM I. MSIV ISOLATION(1)

INSTRUMENT CHANNEL DESCRIPTION NORMAL Reactor vessel low water level (level 1) 4 Main steam line high flow (each steam line) 4 Main steam line low pressure 4 Main condenser line low vacuum 4 Main steam line area high temperature 36 ambient II. MAIN STEAM DRAIN VALVE ISOLATION(1)

NORMAL LOGIC CHANNEL PER TRIP INSTRUMENT CHANNEL DESCRIPTION SYSTEM Same as MSIV's instrument channels, 4 however, MSIV logic channels provide inputs to drain valve trip systems.

(1)

The tables show the number of instrument channels provided to monitor each variable required for the functional performance of PCRVICS (MSIV isolation only). For the minimum number of channels required for functional performance, see the Technical Specifications.

CHAPTER 07 7.3-246 REV. 13, SEPTEMBER 2006

LGS UFSAR Table 7.3-8 HIGH PRESSURE COOLANT INJECTION SYSTEM NUMBER OF TRIP CHANNELS FOR FUNCTIONAL PERFORMANCE COMPONENT TRIP CHANNELS AFFECTED CHANNEL INSTRUMENT PROVIDED(1)

HPCI initiation Reactor vessel Level sensor 4 low water level (level 2)

HPCI initiation Primary containment Pressure sensor 4 high pressure HPCI turbine HPCI pump discharge Flow indicator 1 Flow controller HPCI turbine Reactor vessel high Level sensor 4 water level (level 8)

HPCI turbine Turbine exhaust Pressure sensor 4 high pressure HPCI turbine HPCI pump low Pressure sensor 1 suction pressure HPCI pump Minimum flow Flow sensor 1 CHAPTER 07 7.3-247 REV. 13, SEPTEMBER 2006

LGS UFSAR Table 7.3-8 (Cont'd)

COMPONENT TRIP CHANNELS AFFECTED CHANNEL INSTRUMENT PROVIDED(1)

HPCI steam supply HPCI steam supply Pressure sensor 4 valve and low pressure suppression pool suction valve Suppression pool CST low level and/or Level sensor 4 suction valves suppression pool high level (1)

For the minimum number of channels required for functional performance, see the Technical Specifications.

CHAPTER 07 7.3-248 REV. 13, SEPTEMBER 2006

LGS UFSAR Table 7.3-9 AUTOMATIC DEPRESSURIZATION SYSTEM NUMBER OF TRIP CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE NUMBER OF INSTRUMENT TRIP CHANNELS INITIATING FUNCTION TYPE PROVIDED(1)

Reactor vessel low water level 3 Level sensor 2 Reactor vessel low water level 1 Level sensor 4 Primary containment high pressure Pressure sensor 4 Time delay (start) Timer 2 Time delay (bypass) Timer 4 RHR or core spray pump Pressure sensor 4 running interlock (1)

For the minimum number of channels required for functional performance, see the Technical Specifications.

CHAPTER 07 7.3-249 REV. 13, SEPTEMBER 2006

LGS UFSAR Table 7.3-10 LOW PRESSURE COOLANT INJECTION SYSTEM NUMBER OF TRIP CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE NUMBER OF COMPONENT TRIP INSTRUMENT TRIP CHANNELS AFFECTED CHANNEL TYPE PROVIDED(1)

LPCI/CS Reactor vessel Level sensor 2 per trip Initiation low water level system (level 1)

LPCI/CS Primary containment Pressure sensor 2 per trip Initiation high pressure system Minimum flow LPCI pumps discharge Flow sensor 1 per trip Valves low flow system LPCI injection P across Pressure 1 per trip Valves valve low sensor system (1)

For the minimum number of channels required for functional performance, see the Technical Specifications.

CHAPTER 07 7.3-250 REV. 13, SEPTEMBER 2006

LGS UFSAR Table 7.3-11 CORE SPRAY SYSTEM NUMBER OF TRIP CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE NUMBER OF COMPONENT TRIP INSTRUMENT TRIP CHANNELS AFFECTED CHANNEL TYPE PROVIDED(1)

Core spray Reactor vessel Level sensor 2 per trip System low water level system (Level 1)

Core spray Primary containment Pressure sensor 2 per trip System high pressure system Core spray Reactor vessel Pressure sensor 2 per trip discharge valves low pressure system Core spray sparger Loop to loop pressure Differential 1 (alarm only) leak detection differential pressure sensor (1)

For the minimum number of channels required for functional performance, see the Technical Specifications.

CHAPTER 07 7.3-251 REV. 13, SEPTEMBER 2006

Retrieved from "https://kanterella.com/w/index.php?title=ML21133A086&oldid=3410578"