5 to Updated Final Safety Analysis Report, Chapter 7, Instrumentation and Control Systems

ML22111A236
Person / Time
Site:	LaSalle
Issue date:	04/13/2022
From:	Constellation Energy Generation
To:	Office of Nuclear Reactor Regulation
Shared Package
ML22111A258	List: ML22111A228 ML22111A229 ML22111A230 ML22111A232 ML22111A233 ML22111A234 ML22111A236 ML22111A239 ML22111A246 ML22111A247 ML22111A250 ML22111A251 ML22111A252 ML22111A253 ML22111A256 ML22111A257 ML22146A366 ML22146A368 ML22146A369 ML22146A370 ML22146A373 ML22146A376 ML22146A378 ML22146A379 ML22146A380 ML22146A382 RS-22-052, 5 to Updated Final Safety Analysis Report, Chapter 9, Figures, Part 5 of 7 (ML22111A243 Redacted)
References
RS-22-052
Download: ML22111A236 (643)
v • d • e

Text

{{#Wiki_filter:LSCS-UFSAR CHAPTER 7.0 - INSTRUMENTATION AND CONTROL SYSTEMS TABLE OF CONTENTS Page 7.0 Instrumentation and Controls 7.1-1 7.1 Introduction 7.1-1 7.1.1 Identification of Safety-Related Systems 7.1-1 7.1.2 General Description of Individual Systems 7.1-2 7.1.3 Independence of Redundant Safety-Related Systems 7.1-6 7.1.3.1 Mechanical Systems and Equipment 7.1-7 7.1.3.2 Electrical Systems and Equipment 7.1-7 7.1.3.3 Mechanical Systems Separation Criteria 7.1-8 7.1.3.3.1 General 7.1-8 7.1.3.3.2 System Separation Requirements 7.1-9 7.1.3.3.3 Physical Separation Requirements 7.1-10 7.1.3.4 Electrical Systems Separation Criteria 7.1-10 7.1.3.4.1 General 7.1-10 7.1.3.4.2 System Separation Requirements 7.1-12 7.1.3.4.2.1 Reactor Protection System (RPS) 7.1-12 7.1.3.4.2.2 Emergency Core Cooling System (ECCS) and Nuclear Steam Supply Shutoff System (NSSS) 7.1-13 7.1.3.4.3 Physical Separation Requirements 7.1-14 7.1.4 Physical Identification of Safety-Related Equipment 7.1-19 7.1.5 Conformance to IEEE Criteria 7.1-19 7.1.6 Conformance to Regulatory Guides 7.1-19 7.2 Reactor Protection System 7.2-1 7.2.1 Design Bases 7.2-1 7.2.1.1 Safety Design Bases 7.2-1 7.2.1.2 Power Generation Design Bases 7.2-3 7.2.2 System Description 7.2-3 7.2.2.1 General 7.2-3 7.2.2.2 Power Sources 7.2-3 7.2.2.3 Logic 7.2-4 7.2.2.4 Initiating Signals and Circuits 7.2-5 7.2.2.4.1 Neutron Monitoring System Trip 7.2-5 7.2.2.4.2 Nuclear System High Pressure 7.2-6 7.2.2.4.3 Reactor Vessel Low Water Level 7.2-6 7.2.2.4.4 Turbine Stop Valve Closure 7.2-7 7.2.2.4.5 Turbine Control Valve Fast Closure 7.2-8 7.2.2.4.6 Main Steam Isolation Valve Closure 7.2-9 7.2.2.4.7 Scram Discharge Volume High Water Level 7.2-10 7.2.2.4.8 Drywell High Pressure 7.2-11 7.2.2.4.9 Deleted 7.2.2.4.10 CRD Low Charging Pressure 7.2-11 7.2.2.4.11 Manual Scram 7.2-12 7.2.2.4.12 MODE Switch in Shutdown 7.2-12 7.2.2.5 Scram Operating Bypasses 7.2-12 7.2.2.5.1 Neutron Monitoring System 7.2-12 7.0-i REV. 15, APRIL 2004

LSCS-UFSAR TABLE OF CONTENTS (Cont'd) Page 7.2.2.5.2 Turbine Stop Valve 7.2-13 7.2.2.5.3 Main Steam Isolation Valves 7.2-13 7.2.2.5.4 Scram Discharge Volume Level 7.2-13 7.2.2.5.5 CRD Low Charging Pressure 7.2-13 7.2.2.5.6 Mode Switch in Shutdown 7.2-13 7.2.2.6 Interlocks 7.2-13 7.2.2.7 Redundancy and Diversity 7.2-13 7.2.2.8 Actuated Devices 7.2-14 7.2.2.9 Separation 7.2-14 7.2.2.10 Testability 7.2-15 7.2.2.11 Environmental Considerations 7.2-16 7.2.2.12 Operational Considerations 7.2-17 7.2.2.13 Design Basis Information 7.2-18 7.2.2.14 Final System Drawings 7.2-19 7.2.3 Analysis 7.2-19 7.2.3.1 Conformance to Design Basis Requirements 7.2-19 7.2.3.2 Specific Requirements Conformance 7.2-23 7.2.3.3 Regulatory Guides 7.2-23 7.2.3.4 Regulatory Requirements 7.2-24 7.3 Engineered Safety Feature Systems 7.3-1 7.3.1 Emergency Core Cooling Systems Instrumentation and Control 7.3-1 7.3.1.1 Design Bases 7.3-1 7.3.1.2 System Description 7.3-1 7.3.1.2.1 High-Pressure Core Spray (HPCS) Instrumentation and Controls 7.3-2 7.3.1.2.1.1 Power Sources 7.3-2 7.3.1.2.1.2 Equipment Design 7.3-2 7.3.1.2.1.3 Initiating Circuits 7.3-3 7.3.1.2.1.4 Logic and Sequencing 7.3-4 7.3.1.2.1.5 Bypasses and Interlocks 7.3-4 7.3.1.2.1.6 Redundancy and Diversity 7.3-5 7.3.1.2.1.7 Actuated Devices 7.3-5 7.3.1.2.1.8 Separation 7.3-5 7.3.1.2.1.9 Testability 7.3-6 7.3.1.2.1.10 Environmental Considerations 7.3-6 7.3.1.2.1.11 Operational Considerations 7.3-7 7.3.1.2.2 Automatic Depressurization System (ADS) Instrumentation and Controls 7.3-7 7.3.1.2.2.1 Equipment Design 7.3-7 7.3.1.2.2.2 Initiating Circuits 7.3-8 7.3.1.2.2.3 Logic and Sequencing 7.3-9 7.3.1.2.2.4 Bypasses and Interlocks 7.3-10 7.3.1.2.2.5 Redundancy/Diversity 7.3-10 7.3.1.2.2.6 Actuated Devices 7.3-10 7.3.1.2.2.7 Testability 7.3-11 7.3.1.2.2.8 Environmental Considerations 7.3-11 7.3.1.2.2.9 Operational Considerations 7.3-11 7.3.1.2.2.10 Low-Low Setpoint Relief Logic 7.3-12 7.3.1.2.2.11 Low-Low Setpoint Relief Logic Testability 7.3-13 7.0-ii REV. 15, APRIL 2004

LSCS-UFSAR TABLE OF CONTENTS (Cont'd) Page 7.3.1.2.3 Low-Pressure Core Spray (LPCS) Instrumentation and Controls 7.3-14 7.3.1.2.3.1 Equipment Design 7.3-14 7.3.1.2.3.2 Initiating Circuits 7.3-14 7.3.1.2.3.3 Logic and Sequencing 7.3-14 7.3.1.2.3.4 Bypasses and Interlocks 7.3-15 7.3.1.2.3.5 Redundancy and Diversity 7.3-15 7.3.1.2.3.6 Actuated Devices 7.3-15 7.3.1.2.3.7 Separation 7.3-16 7.3.1.2.3.8 Testability 7.3-16 7.3.1.2.3.9 Environmental Considerations 7.3-16 7.3.1.2.3.10 Operational Considerations 7.3-17 7.3.1.2.4 Low-Pressure Coolant Injection (LPCI) Instrumentation and Controls 7.3-17 7.3.1.2.4.1 Equipment Design 7.3-17 7.3.1.2.4.2 Initiating Circuits 7.3-18 7.3.1.2.4.3 Logic and Sequencing 7.3-18 7.3.1.2.4.4 Bypasses and Interlocks 7.3-19 7.3.1.2.4.5 Redundancy and Diversity 7.3-20 7.3.1.2.4.6 Actuated Devices 7.3-20 7.3.1.2.4.7 Separation 7.3-21 7.3.1.2.4.8 Testability 7.3-21 7.3.1.2.4.9 Environmental Considerations 7.3-21 7.3.1.2.4.10 Operational Considerations 7.3-22 7.3.1.2.5 Low-Pressure Systems Interlocks 7.3-23 7.3.1.2.6 Design-Basis Information 7.3-24 7.3.1.2.7 Final System Drawings 7.3-25 7.3.1.3 Analysis 7.3-25 7.3.1.3.1 General Functional Requirement Conformance 7.3-25 7.3.1.3.2 Specific Requirements Conformance 7.3-29 7.3.1.3.2.1 Regulatory Guides 7.3-29 7.3.1.3.2.2 10CFR50 Appendix A 7.3-29 7.3.1.3.2.3 IEEE Criteria 7.3-29 7.3.2 Primary Containment and Reactor Vessel Isolation Control Instrumentation and Control 7.3-29 7.3.2.1 Design Bases 7.3-29 7.3.2.2 System Description 7.3-32 7.3.2.2.1 Power Sources 7.3-33 7.3.2.2.2 Equipment Design 7.3-33 7.3.2.2.3 Initiating Circuits 7.3-33 7.3.2.2.3.1 Reactor Vessel Low Water Level 7.3-35 7.3.2.2.3.2 Deleted 7.3.2.2.3.3 Main Steamline Space High Temperature and Differential Temperature 7.3-36 7.3.2.2.3.4 Main Steamline High Flow 7.3-37 7.3.2.2.3.5 Low Steam Pressure at Turbine Inlet 7.3-38 7.3.2.2.3.6 Drywell High Pressure 7.3-38 7.3.2.2.3.7 Reactor Building Ventilation Exhaust Plenum Monitor Subsystem 7.3-39 7.3.2.2.3.8 Reactor Water Cleanup System High Differential Flow 7.3-39 7.0-iii REV. 13

LSCS-UFSAR TABLE OF CONTENTS (Cont'd) Page 7.3.2.2.3.9 Reactor Water Cleanup System Area High Temperature and Differential Temperature 7.3-39 7.3.2.2.3.10 Deleted 7.3-39 7.3.2.2.3.11 Main Steamline Leak Detection Description 7.3-39 7.3.2.2.3.12 Turbine Condenser Vacuum Trip 7.3-40 7.3.2.2.3.13 Residual Heat Removal System High Flow 7.3-40 7.3.2.2.4 Logic 7.3-40 7.3.2.2.5 Bypasses and Interlocks 7.3-42 7.3.2.2.6 Redundancy and Diversity 7.3-42 7.3.2.2.7 Actuated Devices 7.3-42 7.3.2.2.8 Separation 7.3-42 7.3.2.2.9 Testability 7.3-43 7.3.2.2.10 Environmental Considerations 7.3-43 7.3.2.2.11 Operational Considerations 7.3-44 7.3.2.2.12 Design Basis Information 7.3-45 7.3.2.2.13 Final System Drawings 7.3-45 7.3.2.3 Analysis 7.3-45 7.3.2.3.1 General Functional Requirements Conformance 7.3-45 7.3.2.3.2 Specific Requirements Conformance 7.3-46 7.3.2.3.2.1 IEEE Criteria 7.3-46 7.3.2.3.2.1 Conformance to 10CFR50 Appendix A 7.3-46 7.3.2.3.2.3 Regulatory Guide Conformance 7.3-47 7.3.3 Core Standby Cooling System (CSCS) Equipment Cooling Water System (ECWS) Instrumentation and Controls 7.3-47 7.3.3.1 Safety Design Bases 7.3-47 7.3.3.2 Power Generation Design Bases 7.3-47 7.3.3.3 System Description 7.3-47 7.3.3.3.1 Instrumentation and Controls 7.3-47 7.3.3.3.2 Equipment Design and Logic 7.3-48 7.3.3.3.3 Environmental Considerations 7.3-48 7.3.3.3.4 Final System Drawings 7.3-48 7.3.4 Main Control Room and Auxiliary Electric Equipment (AEE) Room Heating, Ventilating and Air-Conditioning Systems Instrumentation and Controls 7.3-48 7.3.4.1 Safety Design Bases 7.3-49 7.3.4.2 Power-Generation Design Bases 7.3-50 7.3.4.3 System Description 7.3-50 7.3.4.3.1 Power Supply 7.3-51 7.3.4.3.2 Initiating Circuits, Logic, and Sequencing 7.3-51 7.3.4.3.3 Bypasses and Interlocks 7.3-52 7.3.4.3.4 Redundancy/Diversity 7.3-53 7.3.4.3.5 Actuated Devices 7.3-53 7.3.4.3.6 Separation 7.3-53 7.3.4.3.7 Testability 7.3-54 7.3.4.3.8 Environmental Considerations 7.3-54 7.3.4.3.9 Operational Considerations 7.3-54 7.3.4.3.10 Operating Bypasses 7.3-54 7.3.4.3.11 Outdoor Air Intake Radiation Protection Portion of the Control Room and Auxiliary Electric Equipment Room HVAC Systems 7.3-54 7.3.4.3.12 Deleted 7.3-55 7.0-iv REV. 13

LSCS-UFSAR TABLE OF CONTENTS (Cont'd) Page 7.3.4.3.13 Ionization Detection Portion of Control Room and Auxiliary Electric Equipment Room HVAC Systems 7.3-55 7.3.4.3.14 Outdoor Air Intake Ammonia Protection Portion of Control Room and the Auxiliary Electric Equipment Room HVAC Systems 7.3-56 7.3.4.3.15 Final System Drawings 7.3-57 7.3.4.4 Analysis 7.3-57 7.3.5 Combustible Gas Control System Instrumentation and Controls 7.3-57 7.3.5.1 Safety Design Bases 7.3-57 7.3.5.2 System Description 7.3-58 7.3.5.2.1 Power Sources 7.3-59 7.3.5.2.2 Initiating Circuits 7.3-59 7.3.5.2.3 Logic and Sequencing 7.3-59 7.3.5.2.4 Redundancy and Diversity 7.3-59 7.3.5.2.5 Actuated Devices 7.3-59 7.3.5.2.6 Separation 7.3-60 7.3.5.2.7 Testability 7.3-60 7.3.5.2.8 Environmental Considerations 7.3-60 7.3.5.2.9 Operational Considerations 7.3-60 7.3.5.2.10 Operating Bypasses 7.3-60 7.3.5.2.11 Final System Drawings 7.3-61 7.3.6 Standby Power System Instrumentation and Controls 7.3-61 7.3.6.1 Design Basis 7.3-61 7.3.6.2 Description 7.3-61 7.3.6.3 Analysis 7.3-68 7.3.7 Reactor Building Ventilation and Pressure Control System 7.3-69 7.3.7.1 Design Bases 7.3-69 7.3.7.2 Description 7.3-69 7.3.7.3 Analysis 7.3-69 7.3.8 Standby Gas Treatment System Instrumentation and Controls 7.3-69 7.3.8.1 Design Bases 7.3-69 7.3.8.2 System Description 7.3-70 7.3.8.2.1 Power Sources 7.3-71 7.3.8.2.2 Initiating Circuits, Logic, and Sequencing 7.3-71 7.3.8.2.3 Bypasses and Interlocks 7.3-72 7.3.8.2.4 Redundancy and Diversity 7.3-73 7.3.8.2.5 Actuated Devices 7.3-73 7.3.8.2.6 Separation 7.3-73 7.3.8.2.7 Testability 7.3-73 7.3.8.2.8 Environmental Considerations 7.3-73 7.3.8.2.9 Operational Considerations 7.3-73 7.3.8.2.10 Operating Bypasses 7.3-74 7.3.8.2.11 Final System Drawings 7.3-74 7.3.8.3 Analysis 7.3-74 7.3.9 RHR/Containment Spray Cooling System Instrumentation and Controls 7.3-75 7.3.9.1 System Description 7.3-75 7.3.9.1.1 Power Sources 7.3-75 7.0-v REV. 13

LSCS-UFSAR TABLE OF CONTENTS (Cont'd) Page 7.3.9.1.2 Equipment Design 7.3-76 7.3.9.1.3 Initiating Circuits 7.3-76 7.3.9.1.4 Logic and Sequencing 7.3-77 7.3.9.1.5 Bypasses and Interlocks 7.3-77 7.3.9.1.6 Redundancy and Diversity 7.3-77 7.3.9.1.7 Actuated Devices 7.3-77 7.3.9.1.8 Electrical Separation 7.3-77 7.3.9.1.9 Testability 7.3-77 7.3.9.1.10 Environmental Considerations 7.3-78 7.3.9.1.11 Operational Considerations 7.3-78 7.3.9.1.11.1 General Information 7.3-78 7.3.9.1.11.2 Reactor Operator Information 7.3-78 7.3.9.1.11.3 Setpoints 7.3-78 7.3.9.2 Analysis 7.3-78 7.3.9.2.1 General Functional Requirement Conformance 7.3-78 7.3.9.2.2 Conformance to Industry Codes and Standards 7.3-78 7.4 Systems Required for Safe Shutdown 7.4-1 7.4.1 Reactor Core Isolation Cooling System Instrumentation and Controls 7.4-1 7.4.1.1 Design Bases 7.4-1 7.4.1.2 System Description 7.4-1 7.4.1.2.1 Power Sources 7.4-2 7.4.1.2.2 Equipment Design 7.4-2 7.4.1.2.3 Initiating Circuits 7.4-3 7.4.1.2.3.1 Shutdown Initiation 7.4-3 7.4.1.2.4 Bypasses and Interlocks 7.4-4 7.4.1.2.5 Redundancy 7.4-5 7.4.1.2.6 Actuated Devices 7.4-5 7.4.1.2.7 Separation 7.4-7 7.4.1.2.8 Testability 7.4-7 7.4.1.2.9 Environmental Considerations 7.4-7 7.4.1.2.10 Operational Considerations 7.4-7 7.4.1.3 Analysis 7.4-9 7.4.1.3.1 General Functional Requirement Conformance 7.4-9 7.4.1.3.2 Specific Requirement Conformance 7.4-9 7.4.1.3.3 10CFR50 Appendix A 7.4-9 7.4.1.3.4 NRC Regulatory Guides 7.4-10 7.4.2 Standby Liquid Control (SBLC) System Instrumentation and Controls 7.4-10 7.4.2.1 Design Bases 7.4-10 7.4.2.2 System Description 7.4-10 7.4.2.2.1 Power Sources 7.4-11 7.4.2.2.2 Initiating Circuits 7.4-11 7.4.2.2.3 Logic/Sequencing 7.4-11 7.4.2.2.4 Bypasses/Interlocks 7.4-11 7.4.2.2.5 Redundancy/Diversity 7.4-12 7.4.2.2.6 Actuated Devices 7.4-12 7.4.2.2.7 Testability 7.4-12 7.4.2.2.8 Environmental Considerations 7.4-12 7.4.2.2.9 Operational Considerations 7.4-12 7.4.2.3 Analysis 7.4-14 7.0-vi REV. 13

LSCS-UFSAR TABLE OF CONTENTS (Cont'd) Page 7.4.3 Reactor Shutdown Cooling (RHR) Instrumentation and Controls 7.4-14 7.4.3.1 Design Bases 7.4-14 7.4.3.2 System Description 7.4-15 7.4.3.2.1 Equipment Design 7.4-15 7.4.3.2.2 Initiating Circuits 7.4-16 7.4.3.2.3 Bypasses/Interlocks 7.4-16 7.4.3.2.4 Redundancy 7.4-16 7.4.3.2.5 Actuated Devices 7.4-16 7.4.3.2.6 Separation 7.4-16 7.4.3.2.7 Testability 7.4-17 7.4.3.2.8 Environmental Considerations 7.4-17 7.4.3.2.9 Operational Considerations 7.4-17 7.4.3.3 Analysis 7.4-17 7.4.4 Shutdown Outside the Control Room 7.4-18 7.4.4.1 Conditions Assumed to Exist as the Main Control Room Becomes Inaccessible 7.4-18 7.4.4.2 Description 7.4-19 7.4.4.3 Procedure for Reactor Shutdown from Outside the Control Room 7.4-19 7.4.4.4 Analysis 7.4-21 7.5 Safety-Related Display Instrumentation 7.5-1 7.5.1 General 7.5-1 7.5.2 Post Accident Tracking 7.5-1 7.5.2.1 Reactor and Primary Containment Process Instrumentation 7.5-2 7.5.2.1.1 Reactor Water Level 7.5-2 7.5.2.1.2 Reactor Pressure 7.5-2 7.5.2.1.3 Containment Pressure 7.5-2 7.5.2.1.4 Suppression Pool Water Level 7.5-3 7.5.2.1.5 Containment Temperature 7.5-3 7.5.2.2 Post-Accident Primary Containment Atmosphere Monitoring System Instrumentation and Controls 7.5-4 7.5.2.2.1 Design Bases 7.5-4 7.5.2.2.2 Description 7.5-6 7.5.2.2.2.1 Drywell Hydrogen and Oxygen Monitoring Subsystem 7.5-6 7.5.2.2.2.2 Drywell Gross Gamma Monitoring 7.5-8 7.5.2.3 Primary Containment Integrity 7.5-9 7.5.3 Shutdown, Isolation, and Core Cooling Indication 7.5-9 7.5.4 Analysis 7.5-11 7.5.4.1 General 7.5-11 7.5.4.2 Accident Conditions 7.5-12 7.6 Other Instrumentation Required For Safety 7.6-1 7.6.1 Process Radiation Monitoring System Instrumentation and Controls 7.6-1 7.6.1.1 Main Steamline Radiation Monitoring Subsystem 7.6-1 7.6.1.2 Reactor Building Vent Exhaust Plenum Radiation Monitoring Subsystem 7.6-2 7.6.1.2.1 Design Bases 7.6-2 7.6.1.2.1.1 Safety Design Bases 7.6-2 7.0-vii REV. 20, APRIL 2014

LSCS-UFSAR TABLE OF CONTENTS (Cont'd) Page 7.6.1.2.1.2 Power Generation Design Bases 7.6-2 7.6.1.2.2 System Description 7.6-2 7.6.1.2.3 Analysis 7.6-3 7.6.1.2.3.1 General Functional Requirement Conformance 7.6-3 7.6.1.2.3.2 Specific Requirement Conformance 7.6-4 7.6.1.2.3.3 Regulatory Guides 7.6-4 7.6.1.2.3.4 10CFR50 Appendix A 7.6-4 7.6.1.3 Fuel Pool Ventilation Exhaust Plenum Radiation Monitoring Subsystem 7.6-5 7.6.1.3.1 Design Bases 7.6-5 7.6.1.3.1.1 Safety Design Bases 7.6-5 7.6.1.3.1.2 Power Generation Design Bases 7.6-5 7.6.1.3.2 Description 7.6-5 7.6.1.3.3 Analysis 7.6-6 7.6.2 Reactor Coolant Pressure Boundary Leakage Detection 7.6-6 7.6.2.1 Design Bases 7.6-6 7.6.2.1.1 Safety Design Bases 7.6-6 7.6.2.1.2 Power Generation Design Basis 7.6-6 7.6.2.2 General System Description 7.6-6 7.6.2.2.1 Power Sources 7.6-7 7.6.2.2.2 Equipment Design 7.6-7 7.6.2.2.3 Main Steamline Leak Detection 7.6-7 7.6.2.2.4 RCIC System Leak Detection 7.6-9 7.6.2.2.5 RHR System Leak Detection 7.6-10 7.6.2.2.6 Reactor Water Cleanup System Leak Detection 7.6-11 7.6.2.2.7 Testability 7.6-12 7.6.2.2.8 Environmental Considerations 7.6-13 7.6.2.3 Analysis 7.6-13 7.6.2.3.1 General Functional Requirement Conformance 7.6-13 7.6.2.3.2 Specific Requirement Conformance 7.6-14 7.6.2.3.3 Regulatory Guides 7.6-14 7.6.2.3.4 10CFR50 Appendix A 7.6-14 7.6.3 Neutron Monitoring System Instrumentation and Controls 7.6-15 7.6.3.1 General System Description 7.6-15 7.6.3.1.1 Power Source 7.6-16 7.6.3.2 Intermediate Range Monitor Subsystem 7.6-16 7.6.3.2.1 Design Bases 7.6-16 7.6.3.2.1.1 Safety Design Bases 7.6-16 7.6.3.2.1.2 Power Generation Design Bases 7.6-16 7.6.3.2.2 System Description 7.6-17 7.6.3.2.3 Analysis 7.6-19 7.6.3.2.3.1 General Functional Requirement Conformance 7.6-19 7.6.3.2.3.2 Specific Requirement Conformance 7.6-20 7.6.3.2.3.3 Regulatory Guides 7.6-20 7.6.3.2.3.4 10CFR50 Appendix A 7.6-20 7.6.3.3 Average Power Range Monitor Subsystem 7.6-20 7.6.3.3.1 Design Bases 7.6-20 7.6.3.3.1.1 Safety Design Bases 7.6-20 7.6.3.3.1.2 Power Generation Design Bases 7.6-21 7.6.3.3.2 System Description 7.6-21 7.0-viii REV. 15, APRIL 2004

LSCS-UFSAR TABLE OF CONTENTS (Cont'd) Page 7.6.3.3.3 Analysis 7.6-23 7.6.3.3.3.1 General Functional Requirement Conformance 7.6-23 7.6.3.3.3.2 Specific Requirement Conformance 7.6-23 7.6.3.3.3.3 Compliance with 10CFR50 Criteria 13,19,20,21,22, 23, 24, and 29 7.6-24 7.6.3.4 Oscillation Power Range Monitor Subsystem 7.6-24 7.6.3.4.1 Design Basis 7.6-24 7.6.3.4.1.1 Safety Design Basis 7.6-24 7.6.3.4.1.2 Power Generation Design Basis 7.6-26 7.6.3.4.2 System Description 7.6-26 7.6.3.4.3 Analysis 7.6-29 7.6.3.4.3.1 Conformance to Functional Requirements 7.6-29 7.6.3.4.3.2 Regulatory Guides 7.6-29 7.6.3.4.3.3 General Design Criteria 7.6-29 7.6.4 Recirculation Pump Trip 7.6-29 7.6.4.1 System Description 7.6-29 7.6.4.2 Analysis 7.6-29 7.6.4.2.1 General Functional Requirements Conformance 7.6-29 7.6.4.2.2 Specific Requirement Conformance 7.6-30 7.6.4.2.3 Regulatory Guides 7.6-30 7.6.5 Alternate Rod Insertion (ARI) System Controls and Instrumentation 7.6-30 7.6.5.1 Safety Design Bases 7.6-31 7.6.5.2 Equipment Design 7.6-33 7.6.5.3 Theory of Operation 7.6-34 7.6.5.4 Alternate Rod Insertion System Operator Information 7.6-34 7.6.5.5 Power Supply 7.6-35 7.6.5.6 Cabling and Wiring 7.6-35 7.6.5.7 Testability 7.6-35 7.6.5.8 Redundancy and Diversity 7.6-36 7.6.5.9 Environment Considerations 7.6-36 7.6.6 References 7.6-36 7.7 Control Systems Not Required for Safety 7.7-1 7.7.1 Reactor Vessel Power Generation Instrumentation and Controls 7.7-2 7.7.1.1 Design Basis 7.7-2 7.7.1.2 System Description 7.7-3 7.7.1.2.1 Power Sources 7.7-3 7.7.1.2.2 Equipment Design 7.7-3 7.7.1.2.3 Environmental Considerations 7.7-7 7.7.1.2.4 Operational Considerations 7.7-7 7.7.1.3 Analysis 7.7-9 7.7.2 Rod Control Management System 7.7-9 7.7.2.1 Design Bases 7.7-9 7.7.2.1.1 General 7.7-9 7.7.2.1.2 DELETED 7.7-10 7.7.2.2 System Description 7.7-10 7.7.2.2.1 General 7.7-10 7.7.2.2.2 Rod Movement Controls Systems 7.7-11 7.7.2.2.2.1 Rod Drive Control System 7.7-11 7.7.2.2.2.2 Control Rod Drive Hydraulic System Control 7.7-14 7.7.2.2.2.3 Rod Position Information System 7.7-15 7.7.2.2.2.4 Power Supplies 7.7-17 7.7.2.2.2.5 Inspection and Testing 7.7-17 7.7.2.2.2.6 Environmental Considerations 7.7-17 7.0-ix REV. 19, APRIL 2012

LSCS-UFSAR TABLE OF CONTENTS (Cont'd) Page 7.7.2.2.2.7 Operational Considerations 7.7-18 7.7.2.2.3 Rod Block Trip Instrumentation and Control System 7.7-19 7.7.2.2.3.1 Power Supply 7.7-19 7.7.2.2.3.2 Grouping of Channels 7.7-19 7.7.2.2.3.3 Rod Block Functions 7.7-20 7.7.2.2.3.4 Rod Block Bypasses 7.7-24 7.7.2.2.3.5 Rod Block Interlocks 7.7-25 7.7.2.2.3.6 Redundancy 7.7-25 7.7.2.2.4 DELETED 7.7-25 7.7.2.2.4.1 DELETED 7.7-25 7.7.2.2.4.2 DELETED 7.7-25 7.7.2.2.4.3 DELETED 7.7-25 7.7.2.2.4.4 DELETED 7.7-25 7.7.2.2.4.5 DELETED 7.7-25 7.7.2.3 Analysis 7.7-25 7.7.2.3.1 Rod Movement Controls 7.7-25 7.7.2.3.1.1 General Functional Requirement Conformance 7.7-26 7.7.2.3.1.2 Specific Requirements 7.7-27 7.7.2.3.2 DELETED 7.7-27 7.7.2.3.2.1 DELETED 7.7-27 7.7.2.3.2.2 DELETED 7.7-27 7.7.3 Recirculation Flow Control System Instrumentation 7.7-27 7.7.3.1 Design Bases 7.7-27 7.7.3.1.1 Safety Design Basis 7.7-27 7.7.3.1.2 Power Generation Design Bases 7.7-27 7.7.3.2 Description 7.7-28 7.7.3.2.1 Power Sources 7.7-28 7.7.3.2.2 Equipment Design 7.7-28 7.7.3.2.3 Environmental Considerations 7.7-33 7.7.3.2.4 Operational Considerations 7.7-33 7.7.3.3 Analysis 7.7-35 7.7.3.3.1 General Functional Requirement Conformance 7.7-35 7.7.3.3.2 DELETED 7.7-36 7.7.4 Feedwater Control System Instrumentation and Controls 7.7-36 7.7.4.1 Design Bases 7.7-36 7.7.4.2 System Description 7.7-36 7.7.4.2.1 Power Sources 7.7-38 7.7.4.2.2 Equipment Design 7.7-38 7.7.4.2.3 Environmental Considerations 7.7-41 7.7.4.2.4 Operational Considerations 7.7-41 7.7.4.3 Analysis 7.7-41 7.7.4.3.1 General Functional Requirement Conformance 7.7-41 7.7.4.3.2 Specific Regulatory Requirement Conformance 7.7-42 7.7.5 Pressure Regulator and Turbine-Generator Instrumentation and Control 7.7-42 7.7.5.1 Power Generation Design Bases 7.7-42 7.7.5.2 System Description 7.7-43 7.7.5.2.1 Power Sources 7.7-43 7.7.5.2.2 Equipment Design 7.7-44 7.7.5.2.3 Environmental Considerations 7.7-47 7.7.5.2.4 Operational Considerations 7.7-47 7.7.5.3 Analysis 7.7-47 7.7.5.3.1 Power Generation Design Base Conformance 7.7-48 7.7.5.3.2 Specific Requirement Conformance 7.7-48 7.0-x REV. 19, APRIL 2012

LSCS-UFSAR TABLE OF CONTENTS (Cont'd) Page 7.7.6 Neutron Monitoring System Instrumentation and Controls 7.7-48 7.7.6.1 Source Range Monitor Subsystem 7.7-49 7.7.6.1.1 Design Bases 7.7-49 7.7.6.1.2 Description 7.7-50 7.7.6.1.3 Analysis 7.7-52 7.7.6.2 Local Power Range Monitor Subsystem 7.7-52 7.7.6.2.1 Design Bases 7.7-52 7.7.6.2.2 System Description 7.7-53 7.7.6.2.3 Analysis 7.7-56 7.7.6.3 Rod Block Monitor Subsystem 7.7-56 7.7.6.3.1 Design Bases 7.7-56 7.7.6.3.2 Description 7.7-57 7.7.6.3.3 Analysis 7.7-59 7.7.6.4 Traversing Incore Probe Subsystem 7.7-60 7.7.6.4.1 Design Bases 7.7-60 7.7.6.4.2 System Description 7.7-60 7.7.6.4.3 Analysis 7.7-61 7.7.7 Process Computer System Instrumentation and Controls 7.7-62 7.7.7.1 Design Basis 7.7-62 7.7.7.1.1 Safety Design Bases 7.7-62 7.7.7.1.2 Power Generation Design Bases 7.7-62 7.7.7.2 System Description 7.7-62 7.7.7.2.1 Power Sources 7.7-63 7.7.7.2.2 Instrument Monitoring and Processing Equipment Design 7.7-63 7.7.7.2.3 Rod Worth Minimizer Equipment Design 7.7-64 7.7.7.2.4 Environmental Considerations 7.7-67 7.7.7.2.5 Reactor Calculations 7.7-67 7.7.7.3 Analysis 7.7-68 7.7.8 Reactor Water Cleanup (RWCU) System Instrumentation and Controls 7.7-68 7.7.8.1 Design Bases 7.7-68 7.7.8.2 System Description 7.7-68 7.7.8.2.1 Power Sources 7.7-68 7.7.8.2.2 Equipment Design 7.7-68 7.7.8.2.3 Environmental Considerations 7.7-69 7.7.8.2.4 Operational Considerations 7.7-70 7.7.8.3 Analysis 7.7-70 7.7.9 Area Radiation Monitoring System Instrumentation 7.7-71 7.7.9.1 Design Basis 7.7-71 7.7.9.1.1 Safety Design Bases 7.7-71 7.7.9.1.2 Power Generation Design Bases 7.7-71 7.7.9.2 System Description 7.7-71 7.7.9.2.1 Power Sources 7.7-71 7.7.9.2.2 Equipment Design 7.7-71 7.7.9.2.3 Environmental Considerations 7.7-72 7.7.9.2.4 Operational Considerations 7.7-72 7.7.9.3 Analysis 7.7-73 7.7.10 Gaseous Radwaste System Instrumentation and Controls 7.7-73 7.0-xi REV. 15, APRIL 2004

LSCS-UFSAR TABLE OF CONTENTS (Cont'd) Page 7.7.10.1 Design Bases 7.7-73 7.7.10.2 System Description 7.7-73 7.7.10.2.1 Power Source 7.7-74 7.7.10.2.2 Equipment Design 7.7-74 7.7.10.2.3 Environmental Considerations 7.7-77 7.7.10.2.4 Operational Considerations 7.7-77 7.7.10.2.5 Setpoints 7.7-78 7.7.10.3 Analysis 7.7-78 7.7.11 Liquid Radwaste System Instrumentation and Control 7.7-78 7.7.11.1 Design Bases 7.7-78 7.7.11.2 System Description 7.7-78 7.7.11.2.1 Power Sources 7.7-79 7.7.11.2.2 Equipment Design 7.7-79 7.7.11.2.3 Environmental Considerations 7.7-80 7.7.11.2.4 Operational Considerations 7.7-80 7.7.11.3 Analysis 7.7-81 7.7.12 Spent Fuel Pool Cooling and Cleanup System Instrumentation and Controls 7.7-81 7.7.12.1 Design Bases 7.7-81 7.7.12.2 System Description 7.7-81 7.7.12.2.1 Power Sources 7.7-81 7.7.12.2.2 Equipment Design 7.7-82 7.7.12.2.3 Environmental Considerations 7.7-82 7.7.12.2.4 Operational Considerations 7.7-82 7.7.12.3 Analysis 7.7-82 7.7.13 Refueling Interlocks System Instrumentation and Controls 7.7-83 7.7.13.1 Design Bases 7.7-83 7.7.13.2 System Description 7.7-83 7.7.13.2.1 Power Sources 7.7-83 7.7.13.2.2 Equipment Design 7.7-84 7.7.13.2.3 Bypasses and Interlocks 7.7-85 7.7.13.2.4 Redundancy 7.7-85 7.7.13.2.5 Testability 7.7-85 7.7.13.2.6 Environmental Considerations 7.7-86 7.7.13.2.7 Operational Considerations 7.7-86 7.7.13.3 Analysis 7.7-86 7.7.13.3.1 Conformance to Functional Requirements 7.7-86 7.7.13.3.2 Specific Requirements Conformance 7.7-87 7.7.14 Process Radiation Monitoring System Instrumentation and Controls 7.7-87 7.7.14.1 Air Ejector Off-Gas Radiation Monitor and Sampler Subsystem 7.7-88 7.7.14.1.1 Design Bases 7.7-88 7.7.14.1.1.1 Safety Design Bases 7.7-88 7.7.14.1.1.2 Power Generation Design Bases 7.7-89 7.7.14.1.2 System Description 7.7-89 7.7.14.1.2.1 Power Sources 7.7-89 7.7.14.1.2.2 Equipment Design 7.7-90 7.0-xii REV. 19, APRIL 2012

LSCS-UFSAR TABLE OF CONTENTS (Cont'd) Page 7.7.14.1.2.3 Testability 7.7-91 7.7.14.1.2.4 Environmental Considerations 7.7-91 7.7.14.1.2.5 Operational Considerations 7.7-91 7.7.14.1.3 Analysis 7.7-91a 7.7.14.2 Stack Radiation Monitoring System 7.7-92 7.7.14.2.1 Design Bases 7.7-92 7.7.14.2.1.1 Safety Design Bases 7.7-92 7.7.14.2.1.2 Power Generation Design Bases 7.7-92 7.7.14.2.2 System Description 7.7-93 7.7.14.2.2.1 Power Sources 7.7-93 7.7.14.2.2.2 Equipment Design 7.7-93 7.7.14.2.2.3 Environmental Considerations 7.7-94 7.7.14.2.2.4 Operational Considerations 7.7-94 7.7.14.2.3 Analysis 7.7-94 7.7.14.3 Process Liquid Radiation Monitoring Subsystems 7.7-94 7.7.14.3.1 Design Bases 7.7-94 7.7.14.3.1.1 Safety Design Bases 7.7-94 7.7.14.3.1.2 Power Generation Design Basis 7.7-95 7.7.14.3.2 System Description 7.7-95 7.7.14.3.2.1 Power Sources 7.7-95 7.7.14.3.2.2 Equipment Design 7.7-95 7.7.14.3.2.3 Environmental Considerations 7.7-96 7.7.14.3.2.4 Operational Considerations 7.7-96 7.7.14.3.3 Analysis 7.7-96 7.7.14.4 Carbon Bed Vault Radiation Monitoring Subsystem 7.7-97 7.7.14.4.1 Design Bases 7.7-97 7.7.14.4.2 System Description 7.7-97 7.7.14.4.2.1 Power Sources 7.7-97 7.7.14.4.2.2 Equipment Design 7.7-97 7.7.14.4.2.3 Environmental Considerations 7.7-98 7.7.14.4.2.4 Operational Considerations 7.7-98 7.7.14.4.3 Analysis 7.7-98 7.7.14.5 Main Steam Radiation Monitoring Subsystem 7.7-98 7.7.14.5.1 Design Basis 7.7-98 7.7.14.5.2 Power Generation Design Basis 7.7-99 7.7.14.5.3 System Description 7.7-99 7.7.14.5.3.1 Subsystem Identification 7.7-99 7.7.14.5.3.2 Power Sources 7.7-99 7.7.14.5.3.3 Equipment Design 7.7-99 7.7.14.5.3.4 Redundancy and Diversity 7.7-100 7.7.14.5.3.5 Testability 7.7-100 7.7.14.5.3.6 Environmental Considerations 7.7-100 7.7.14.5.3.7 Operational Considerations 7.7-100 7.7.14.5.4 Analysis 7.7-100 7.7.15 Leak Detection System Instrumentation and Controls 7.7-100 7.7.15.1 Design Basis 7.7-100 7.7.15.2 System Description 7.7-101 7.7.15.2.1 Power Sources 7.7-101 7.7.15.2.2 Equipment Design 7.7-101 7.7.15.2.3 Recirculation Pump Leak Detection 7.7-102 7.7.15.2.4 Spent Fuel Pool System Leak Detection 7.7-103 7.7.15.2.5 Drywell and Reactor Building Leak Detection 7.7-103 7.0-xiii REV. 23, APRIL 2018

LSCS-UFSAR TABLE OF CONTENTS (Cont'd) Page 7.7.15.2.6 Safety/Relief Valve Leak Detection 7.7-104 7.7.15.2.7 Reactor Vessel Head Seal Ring Leak Detection 7.7-104 7.7.15.2.8 Sump Monitoring System 7.7-104 7.7.15.2.9 Testability 7.7-105 7.7.15.2.10 Environmental Considerations 7.7-106 7.7.15.3 Analysis 7.7-106 7.7.15.3.1 General Functional Requirement Conformance 7.7-106 7.7.15.3.2 Specific Requirement Conformance 7.7-106 7.7.16 Additional Analysis 7.7-107 7.7.17 References 7.7-108 7.8 Status Displays 7.8-1 7.8.1 Engineered Safety Features Display 7.8-1 7.8.2 Safety Parameter Display System 7.8-2 7.8.2.1 General 7.8-2 7.8.2.2 Description 7.8-3 7.8.2.2.1 Primary Display 7.8-3 7.8.2.2.2 Safety Parameters and Associated Displays 7.8-4 7.8.2.2.2.1 Core Cooling 7.8-4 7.8.2.2.2.2 Reactivity Control 7.8-5 7.8.2.2.2.3 Reactor Coolant System Integrity 7.8-6 7.8.2.2.2.4 Containment Integrity 7.8-8 7.8.2.2.2.5 Radioactive Effluents 7.8-9 7.8.2.3 Alarms and Messages 7.8-10 7.8.2.3.1 Audible Alarms 7.8-10 7.8.2.3.2 Error Messages 7.8-11 7.A Analysis of Conformance of Instrumentation and Control Systems with IEEE Criteria 7.A.1-1 7.A.1 Introduction 7.A.1-1 7.A.2 Reactor Protection System 7.A.2-1 7.A.2.1 Criteria for Protecting Systems for Nuclear Power Generating Stations (IEEE 279-1971) 7.A.2-1 7.A.2.1.1 Scram Discharge Volume High Water Level Scram 7.A.2-1 7.A.2.1.2 Main Steamline Isolation Valve Closure Scram Trip 7.A.2-5 7.A.2.1.3 Turbine Stop Valve Closure Scram 7.A.2-11 7.A.2.1.4 Turbine Control Valve Fast Closure Scram 7.A.2-16 7.A.2.1.5 Reactor Vessel Low Water Level Scram Trip 7.A.2-20 7.A.2.1.6 Main Steamline High Radiation Scram Trip (Deleted) 7.A.2-24 7.A.2.1.7 Neutron Monitoring System Scram Trip 7.A.2-24 7.A.2.1.8 Drywell High-Pressure Scram 7.A.2-29 7.A.2.1.9 Reactor Vessel High Pressure Scram 7.A.2-33 7.A.2.1.10 CRD Low Charging Pressure Scram 7.A.2-37 7.A.2.1.11 Manual Pushbutton Scram 7.A.2-40 7.A.2.1.12 Reactor System Mode Switch 7.A.2-43 7.A.2.1.13 Scram Discharge Volume High Water Level Trip Bypass 7.A.2-47 7.A.2.1.14 Main Steamline Isolation Valve Closure Trip Bypass 7.A.2-51 7.A.2.1.15 Turbine Stop Valve and Control Valve Trip Bypass 7.A.2-54 7.A.2.1.16 Neutron Monitoring System Trip Bypass 7.A.2-58 7.0-xiv REV. 15, APRIL 2004

LSCS-UFSAR TABLE OF CONTENTS (Cont'd) Page 7.A.2.1.17 RPS Trip Logic, Trip Actuators, and Trip Actuator Logic 7.A.2-58 7.A.2.1.18 Reactor Protection System Reset Switch 7.A.2-62 7.A.2.1.19 Alternate Rod Insertion System 7.A.2-65 7.A.2.2 Criteria for Class 1E Electric Systems (IEEE 308-1971). 7.A.2-71 7.A.2.3 General Guide for Qualifying Class 1 Electric Equipment (IEEE 323-1971) 7.A.2-72 7.A.2.4 Periodic Testing of Protection Systems (IEEE 338-1971) 7.A.2-72 7.A.2.5 Seismic Qualification of Class 1 Electric Equipment (IEEE 344-1971) 7.A.2-72 7.A.2.6 Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection Systems (IEEE 379-1972) 7.A.2-72 7.A.3 Engineered Safety Features Systems 7.A.3-1 7.A.3.1 Emergency Core Cooling Systems 7.A.3-1 7.A.3.1.1 IEEE 279-1971 Criteria for Protection Systems for Nuclear Power Generating Stations 7.A.3-1 7.A.3.1.1.1 LPCI 7.A.3-1 7.A.3.1.1.2 LPCS 7.A.3-10 7.A.3.1.1.3 Automatic Depressurization System (ADS) 7.A.3-18 7.A.3.1.1.4 High-Pressure Core Spray (HPCS) 7.A.3-27 7.A.3.1.2 IEEE 308-1971 (IEEE Standard Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations) 7.A.3-34 7.A.3.1.3 IEEE 323-1971 (Trial Use Standard: General Guide for Qualifying Class 1 Electric Equipment for Nuclear Power Generating Stations) 7.A.3-35 7.A.3.1.4 IEEE 338-1971 (Trial-Use Criteria for Periodic Testing of Nuclear Power Generating Station Protection Systems) 7.A.3-35 7.A.3.1.5 IEEE 344-1971 (Guide for Seismic Qualification of Class 1E Electrical Equipment of Nuclear Power Generating Stations) 7.A.3-35 7.A.3.1.6 IEEE 379-1972 7.A.3-35 7.A.3.2 Primary Containment and Reactor Vessel Isolation Instrumentation and Controls 7.A.3-35 7.A.3.2.1 Conformance to IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations 7.A.3-35 7.A.3.2.2 Conformance to IEEE 338-1971 7.A.3-45 7.A.3.2.3 Conformance to IEEE 344-1971 7.A.3-45 7.A.3.2.4 Conformance to IEEE 323-1971 7.A.3-45 7.A.3.2.5 Conformance to IEEE 379-1972 7.A.3-45 7.A.3.3 Main Control Room and Auxiliary Electric Equipment (AEE) Room Atmospheric Control Systems 7.A.3-45 7.A.3.3.1 Specific Conformance of the Instrumentation and Control to IEEE 279-1971 7.A.3-46 7.A.3.4 Containment Spray Cooling System-Instrumentation and Controls 7.A.3-48 7.A.3.4.1 IEEE 279-1971 7.A.3-48 7.0-xv REV. 13

LSCS-UFSAR TABLE OF CONTENTS (Cont'd) Page 7.A.3.4.1.1 General Functional Requirement (IEEE 297-1971, Paragraph 4.1) 7.A.3-49 7.A.3.4.1.2 Single-Failure Criterion (IEEE 279-1971, Paragraph 4.2) 7.A.3-51 7.A.3.4.1.3 Quality Components (IEEE 279-1971, Paragraph 4.3) 7.A.3-52 7.A.3.4.1.4 Equipment Qualification (IEEE 279-1971, Paragraph 4.4) 7.A.3-53 7.A.3.4.1.5 Channel Integrity (IEEE 279-1971, Paragraph 4.5) 7.A.3-53 7.A.3.4.1.6 Channel Independence (IEEE 279-1971, Paragraph 4.6) 7.A.3-53 7.A.3.4.1.7 Control and Protection Interaction (IEEE 279-1971, Paragraph 4.7) 7.A.3-53 7.A.3.4.1.8 Derivation of System Inputs (IEEE 279-1971, Paragraph 4.8) 7.A.3-54 7.A.3.4.1.9 Capability for Sensor Checks (IEEE 279-1971, Paragraph 4.9) 7.A.3-54 7.A.3.4.1.10 Capability for Test and Calibration (IEEE 279-1971, Paragraph 4.10) 7.A.3-54 7.A.3.4.1.11 Channel Bypass or Removal from Operation (IEEE 279-1971, Paragraph 4.11) 7.A.3-54 7.A.3.4.1.12 Operation Bypasses (IEEE 279-1971, Paragraph 4.12) 7.A.3-55 7.A.3.4.1.13 Indication of Bypasses (IEEE 279-1971, Paragraph 4.13) 7.A.3-55 7.A.3.4.1.14 Access to Means for Bypassing (IEEE 279-1971, Paragraph 4.14) 7.A.3-55 7.A.3.4.1.15 Multiple Trip Settings (IEEE 279-1971, Paragraph 4.15) 7.A.3-55 7.A.3.4.1.16 Completion of Protection Action Once It Is Initiated (IEEE 279-1971, Paragraph 4.16) 7.A.3-55 7.A.3.4.1.17 Manual Actuation (IEEE 279-1971, Paragraph 4.17) 7.A.3-56 7.A.3.4.1.18 Access to Setpoint Adjustment (IEEE 279-1971, Paragraph 4.18) 7.A.3-56 7.A.3.4.1.19 Identification of Protective Actions (IEEE 279-1971, Paragraph 4.19) 7.A.3-56 7.A.3.4.1.20 Information Readout (IEEE 279-1971, Paragraph 4.20) 7.A.3-56 7.A.3.4.1.21 System Repair (IEEE 279-1971, Paragraph 4.21) 7.A.3-56 7.A.3.4.1.22 Identification (IEEE 279-1971, Paragraph 4.22) 7.A.3-57 7.A.3.4.2 IEEE 308-1971 7.A.3-57 7.A.3.4.3 IEEE 379-1972 7.A.3-57 7.A.4 Systems Required for Safe Shutdown 7.A.4-1 7.A.4.1 Reactor Core Isolation Cooling System Instrumentation and Controls 7.A.4-1 7.A.4.1.1 IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations 7.A.4-1 7.A.4.1.2 IEEE 323-1971, Trial-Use Standard-General Guide for Qualifying Class I Electric Equipment for Nuclear Power Generating Stations 7.A.4-6 7.A.4.1.3 IEEE 338-1971, Trial-Use Criteria for Periodic Testing of Nuclear Power Generating Station Protection Systems 7.A.4-7 7.0-xvi REV. 13

LSCS-UFSAR TABLE OF CONTENTS (Cont'd) Page 7.A.4.1.4 IEEE 344-1971, Guide for Seismic Qualification of Class I Electric Equipment for Nuclear Power Generating Stations 7.A.4-7 7.A.5 Other Instrumentation Systems Required for Safety 7.A.5-1 7.A.5.1 Main Steamline Radiation Monitoring Subsystem 7.A.5-1 7.A.5.1.1 Specific Requirement Conformance 7.A.5-1 7.A.5.2 Reactor Building Ventilation Exhaust Plenum Radiation Monitoring 7.A.5-1 7.A.5.2.1 Specific Requirement Conformance 7.A.5-1 7.A.5.3 Recirculation Pump Trip System 7.A.5-5 7.A.5.3.1 Specific Requirements Conformance 7.A.5-5 7.A.5.4 Leak Detection System 7.A.5-9 7.A.5.4.1 Specific Requirement Conformance 7.A.5-9 7.A.5.5 Intermediate Range Monitor Subsystem 7.A.5-9 7.A.5.5.1 Specific Requirement Conformance 7.A.5-9 7.A.5.6 Average Power Range Monitor Subsystem 7.A.5-10 7.A.5.6.1 Specific Requirement Conformance 7.A.5-10 7.0-xvii REV. 13

LSCS-UFSAR CHAPTER 7.0 - INSTRUMENTATION AND CONTROL SYSTEMS LIST OF TABLES NUMBER TITLE 7.1-1 System Classification 7.1-2 Codes and Standards Applicability Matrix 7.1-3 Reactor Protection System Codes and Standards 7.1-4 Containment and Reactor Vessel Isolation Control System Codes and Standards 7.1-5 High-Pressure ECCS (HPCS, ADS A, ADS B NETWORK) Codes and Standards 7.1-6 HPCS and Low Pressure ECCS (LPCS, RHR A, RHR B NETWORK) Codes and Standards 7.1-7 Process Radiation Monitoring Codes and Standards 7.1-8 Leak Detection System Codes and Standards 7.1-9 Reactor Protection System and Deenergize-to-Operate Sensor Suffix Letters and Division Allocation 7.1-10 Four-Division Grouping of the Neutron Monitoring System Utilizing Four, Six, or Eight Drywell Penetrations 7.1-11 Emergency Core Cooling System Standby Cooling and RCIC Sensor Suffix Letters and Division Allocation Energize-to-Operate 7.1-12 System and Subsystem Separation 7.2-1 Reactor Protection System Instrument Limits 7.2-2 Channels Required for Functional Performance of RPS: Startup Mode 7.2-3 Channels Required for Functional Performance of RPS: Run Mode 7.3-1 ECCS Instrumentation Limits 7.3-2 Primary Containment, Secondary Containment, and Reactor Vessel Isolation Instrument Limits 7.3-3 Process Radiation System Instrumentation Setpoints 7.3-4 [Deleted] 7.3-5 Control Rod Block Instrumentation Limits 7.3-6 Trip Channel Required for Primary Containment and Reactor Vessel Isolation Control System 7.3-7 Trip Channels Required for Functional Performance of HPCS System 7.3-8 Trip Channels Required for Functional Performance of Automatic Depressurization System 7.3-9 Trip Channels Required for Functional Performance of LPCI "B" and "C" 7.3-10 Trip Channels Required for Functional Performance of LPCS System and LPCI "A" 7.3-11 Instrument Specifications for Primary Containment and Reactor Vessel Isolation Control System 7.4-1 Reactor Core Isolation Cooling Instrument Limits 7.4-2 Reactor Shutdown Cooling Bypasses and Interlocks 7.5-1 Position Indication for Reg. Guide 1.97 PCIVs 7.0-xviii REV. 15, APRIL 2004

LSCS-UFSAR LIST OF TABLES (Cont'd) NUMBER TITLE 7.6-1 IRM Trips 7.6-2 APRM System Trips 7.6-3 ARI System Instrumentation Specifications and Setpoints 7.6-4 OPRM System Trips 7.7-1 DELETED 7.7-2 Gaseous Radwaste Process Instruments 7.7-3 Area Radiation Monitors 7.7-4 SRM System Trips 7.7-5 LPRM System Trips 7.7-6 RBM System Trips 7.7-7 Refueling Interlock Effectiveness 7.7-8 Process Radiation Monitoring Systems Characteristics 7.7-9 Matrix of Non-safety Control Systems Affected by HELB Events 7.0-xix REV. 18, APRIL 2010

LSCS-UFSAR CHAPTER 7.0 - INSTRUMENTATION AND CONTROL SYSTEMS LIST OF FIGURES AND DRAWINGS FIGURES NUMBER TITLE 7.1-1 Schematic Arrangement of RPV Nozzles for ECCS and Instruments 7.1-2 RPS Separation Concept 7.1-3 Emergency Core Cooling Systems (ECCS) Separation Scheme 7.1-4 NSSS Separation Concept 7.1-5 Main Steamline Isolation Separation Concept 7.1-6 RCIC Sensor Separation Scheme 7.2-1 Reactor Protection System IED 7.2-2 Reactor Protection System Scram Functions 7.2-3 Actuators and Actuator Logics (Schematic) 7.2-4 Logics in One Trip System (Schematic) 7.2-5 Relationship Between Neutron Monitoring System and Reactor Protection System 7.2-6 Configuration for Turbine Stop Valve Closure Reactor Trip 7.2-7 Configuration for Main Steamline Isolation Reactor Trip 7.2-8 Block Diagram - RPS Protective Circuit Electrical Protection Assembly (EPA) 7.3-1 Piping Arrangement 7.3-2 ECCS-Mechanical and Instrumentation Network Models 7.3-3 Emergency Core Cooling System (ECCS) Separation Scheme 7.3-4 Initiation Logic - RHR B and C, HPCS, and RCIC 7.3-5 Auto Depressurization System - Elementary Diagram 7.3-6 Initiation Logic - ADS, LPCS, RHR A 7.3-7 Leak Detection System IED 7.3-8 Vessel Penetrations for Nuclear Instrumentation 7.3-9 Isolation Control System for Main Steamline Isolation Valves 7.3-10 Isolation Control System Using Motor-Operated Valves 7.3-11 Main Steamline Isolation Valve (Schematic) 7.3-12 Control Room Panels 7.3-13 Vent and Purge Isolation Valve (Schematic) 7.5-1 Reactor Control Benchboard Panel Arrangement 7.5-2 Reactor Core Cooling Benchboard Panel Arrangement 7.5-3 Reactor Water Cleanup and Recirculation Benchboard Panel Arrangement 7.6-1 Area Temperature Monitoring System Block Diagram 7.6-2 Neutron Monitoring System IED 7.6-3 SRM/IRM Neutron Monitoring Unit 7.0-xx REV. 15, APRIL 2004

LSCS-UFSAR LIST OF FIGURES (Contd) NUMBER TITLE 7.6-4 Detector Drive System Schematic 7.6-5 Functional Block Diagram of IRM Channel 7.6-6 APRM Circuit Arrangement for Reactor Protection System Input 7.6-7 Ranges of Neutron Monitoring System 7.6-8 Control Rod Withdrawal Error from Cold Condition 7.6-9 Normalized Flux Distribution for Rod Withdrawal Error 7.6-10 APRM Tracking with Reduction in Power by Flow Control 7.6-11 APRM Tracking with On-Limits Control Rod Withdrawal 7.6-12 OPRM Interconnection Block Diagram 7.7-1 Reactor Vessel Water Level Ranges 7.7-2 DELETED 7.7-2a Rod Control Management System 7.7-3 DELETED 7.7-4 Eleven-Wire Position Probe 7.7-5 DELETED 7.7-5A Configuration of the RRFC System 7.7-5B RRFC System Control Algorithm Overview 7.7-5C Principal Configuration of the RWLC System 7.7-5D RWLC System Control Algorithm Overview 7.7-6 Simplified Diagram of Turbine Pressure and Speed/Load Control Requirements 7.7-7 Traversing Incore Probe Assembly 7.7-8 Area Radiation Block Diagram 7.7-9 Functional Block Diagram of SRM Channel 7.7-10 Power Range Monitor Detector Assembly Location 7.7-11 Assignment of LPRM Input to RBM System 7.7-12 RBM Response to Control Rod Motion (Channels A and C) 7.7-13 RBM Response to Control Rod Motion (Channels B and D) 7.7-14 Recirculation Pump Leak Detection Diagram 7.7-15 DELETED 7.8-1 SPDS Primary Display DRAWINGS CITED IN THIS CHAPTER*

• The listed drawings are included as "General References" only; i.e., refer to the drawings to obtain additional detail or to obtain background information. These drawings are not part of the UFSAR. They are controlled by the Controlled Documents Program.

DRAWING* SUBJECT M-55 Main Steam System P&ID, Unit 1 M-87 CSCS - Equipment Cooling Water System P&ID, Unit 1 M-89 Standby Gas Treatment System P&ID, Units 1 & 2 M-93 Nuclear Boiler and Reactor Recirculation System P&ID, Unit 1 M-94 Low-Pressure Core Spray System P&ID, Unit 1 7.0-xxi REV. 24, APRIL 2020

LSCS-UFSAR DRAWINGS CITED IN THIS CHAPTER*(Contd) DRAWING* SUBJECT M-95 High-Pressure Core Spray P&ID, Unit 1 M-96 Residual Heat Removal System P&ID, Unit 1 M-97 Reactor Water Cleanup System P&ID, Unit 1 M-99 Standby Liquid Control System P&ID, Unit 1 M-100 Control Rod Hydraulic System P&ID, Unit 1 M-101 Reactor Core Isolation Cooling System P&ID, Unit 1 M-116 Main Steam System P&ID, Unit 2 M-130 Containment Combustible Gas Control System P&ID M-134 CSCS - Equipment Cooling Water System P&ID, Unit 2 M-139 Nuclear Boiler and Reactor Recirculation System P&ID, Unit 2 M-140 Low-Pressure Core Spray System P&ID, Unit 2 M-141 High-Pressure Core Spray P&ID, Unit 2 M-142 Residual Heat Removal System P&ID, Unit 2 M-143 Reactor Water Cleanup System P&ID, Unit 2 M-145 Standby Liquid Control System P&ID, Unit 2 M-146 Control Rod Hydraulic System P&ID, Unit 2 M-147 Reactor Core Isolation Cooling System P&ID, Unit 2 M-153 Process and Effluent Radiation Monitoring System P&ID M-155 Leak Detection System P&ID, Unit 1 M-156 Containment Monitoring System P&ID, Unit 1 M-157 Leak Detection System P&ID, Unit 2 M-158 Containment Monitoring System P&ID, Unit 2 M-311 Drywell Piping Plan El. 777-11, Unit 1 M-327 Drywell Piping, Upper Section L-L, Unit 1 M-333 Drywell Piping, Upper M-M, Unit 1 M-1443 Control Room/Auxiliary Electrical Equipment Rooms Air Conditioning System P&ID M-1468 Control Room/Auxiliary Electrical Equipment Rooms HVAC System Refrigerant Piping P&ID M-3443 Control Room/Auxiliary Electrical Equipment Rooms HVAC System C & I Details 1E-1(2)-4201 Schematic Diagram - Auto Depressurization Sys. NB 1E-1(2)-4206 Schematic Diagram - Reactor Manual Control System RD 1E-1(2)-4215 Schematic Diagram - Reactor Protection System RP 1E-1(2)-4601 Front Elevation Reactor Core Cooling Benchboard 1E-1(2)-4602 Front Elevation Reactor Water Cleanup and Recirculation Benchboard 1E-1(2)-4603 Front Elevation Reactor Control Benchboard 7.0-xxii REV. 14, APRIL 2002

LSCS-UFSAR THE FOLLOWING CROSS REFERENCE IS PROVIDED FOR INFORMATION

• The listed drawings are included as "General References" only; i.e., refer to the drawings to obtain additional detail or to obtain background information.

These drawings are not part of the UFSAR. They are controlled by the Controlled Documents Program. DRAWING* CORRESPONDING NUMBER GE DRAWING* NUMBER SUBJECT 1E-X-4216 Series 115D6268TD RPS MG Set Control 1E-X-4000 Series 731E302AA HPCS-One Line Diagram 1E-X-4205 Series 761E792TD Reactor Recirculation System 1E-X-4214 Series 807E151TD Remote Shutdown System 1E-X-4203 Series & 807E152TD Nuclear Steam Supply Shutoff 1E-X-4232 Series System 1E-X-4200 Series 807E153TD Nuclear Boiler Process Instrumentation System 1E-X-4224 Series 807E154TD Leak Detection System 1E-X-4201 Series 807E155TD Automatic Depressurization System (ADS) 1E-X-4202 Series 807E156TD Jet Pump Instrumentation System 1E-X-4206 Series 807E158TD Reactor Manuel Control System 1E-X-4207 Series 807E159TD Control Rod Drive-Hydraulic System 1E-X-4208 Series 807E160TD Feedwater Control System 1E-X-4209 Series 807E161TD Standby Liquid Control System(SLC) 1E-X-4210 Series 807E162TD NMS-Startup Range 1E-X-4211 Series 807E163TD NMS-Power Range 1E-X-4212 Series 807E164TD Neutron Monitoring System (NMS)- Startup Range Detector Drive Control 1E-X-4213 Series 807E165TD NMS-Traversing Incore Probe 1E-X-4215-Series 807E168TD Reactor Protection System (RPS) 1E-X-4481 Series & 807E168TD Process Radiation Monitoring System 1E-X-4218 Series 1E-X-4480 Series & 807E169TD Area Radiation Monitoring System 1E-X-4219 Series Unit 1 1E-X-4220 Series 807E170TD Residual Heat Removal system(RHR) 7.0-xxiii REV. 14, APRIL 2002

LSCS-UFSAR DRAWINGS (Cont'd) NUMBER TITLE THE FOLLOWING CROSS REFERENCE IS PROVIDED FOR INFORMATION (Contd) DRAWING* CORRESPONDING NUMBER GE DRAWING* NUMBER SUBJECT 1E-X-4221 Series 807E171TD Low-Pressure Core Spray System(LPCS) 1E-X-4222 Series 807E172TD High-Pressure Core Spray System (HPCS) 1E-X-4226 Series 807E173TD Reactor Core Isolation Cooling System RCIC) 1E-X-4228 Series 807E175TD Reactor Water Cleanup System(RWCU) 1E-X-4223 Series 807E183TD HPCS-Power Supply 1E-X-4229 Series 828E155TD Off-Gas System 1E-X-4206 Series 828E230 Reactor Manual Control System 1E-X-4225 Series 851E708TD Main Steamline Isolation Valve Leakage Control System(MSIV-LCS) 7.0-xxiv REV. 14, APRIL 2002

LSCS-UFSAR CHAPTER 7.0 - INSTRUMENTATION AND CONTROLS

7.1 INTRODUCTION

This chapter presents details of the safety-related and power generation control and instrumentation systems in the plant. It identifies the safety classifications applicable to instrument and control systems, and it also delineates applicable criteria and discusses physical and electrical independence of safety-related instrumentation and control systems. 7.1.1 IDENTIFICATION OF SAFETY-RELATED SYSTEMS Instrumentation and control systems may be classified as either power generation systems or safety systems, depending on their function. Some portions of a system may have a safety function, while other portions of the same system may be classified as power generation. The systems presented in Chapter 7.0 have also been grouped according to the NRC Standard Format for Safety Analysis Reports, Revision 2; namely, Reactor Trip System, Engineered Safety Feature Systems, Safe Shutdown Systems, Safety-Related Display Instrumentation, Other Systems Required for Safety, and Control Systems Not Required for Safety. Many systems, however, have safety design bases and power generation design bases. Safety systems provide actions necessary to protect the integrity of radioactive material barriers and/or prevent the release of radioactive material. These systems may be components, subsystems, systems, or groups of systems. These are distinct from the engineered safety systems, which have the sole function of mitigating the consequences of an accident. Power generation systems are not required to protect the integrity of radioactive material barriers and/or prevent the release of radioactive material. The instrumentation and control portions of these systems may, by their actions, prevent the plant from exceeding preset limits, which would cause action of the safety systems. In order to visualize the relationship between safety systems, power generation systems, and the Standard Format classifications, see Table 7.1-1. Table 7.1-1 lists safety-related instrumentation, control, and supporting systems. The safety design basis states in functional terms the unique design requirements that establish limits for the operation of the system. The general functional 7.1-1 REV. 18, APRIL 2010

LSCS-UFSAR requirements portion of the safety design basis includes those requirements which have been determined to be sufficient to ensure the adequacy and reliability of the system from a safety viewpoint. Many of these have been introduced into various codes, safety criteria, and regulatory requirements. The control and instrumentation supplied systems have been examined with respect to specific safety regulatory requirements applicable to the instrumentation and controls. These requirements consist of all applicable industry codes, 10 CFR 50 Appendix A (General Design Criteria), 10 CFR 50 Appendix B (Quality Assurance Criteria), and NRC Regulatory Guides. The specific safety requirements applicable to the instrumentation and control for each system are listed in Table 7.1-2. The RPS, PCRVICS, ECCS, process radiation monitoring system, and leak detection systems have been reduced to the subsystem level and the applicable requirements specified. This information is contained in Tables 7.1-3 through 7.1-8. 7.1.2 GENERAL DESCRIPTION OF INDIVIDUAL SYSTEMS

a. The reactor protection system instrumentation and controls initiate an automatic reactor shutdown (scram) if monitored system variables exceed preestablished limits. This action prevents fuel damage, limits system pressure, and thus restricts the release of radioactive material.

b. The primary containment and reactor vessel isolation control system (PCRVICS) instrumentation and controls initiate closure of various automatic isolation valves if monitored system variables exceed preestablished limits. This action limits the loss of coolant from the reactor vessel and minimizes the release of radioactive materials from either the reactor vessel or the primary containment. The nuclear steam supply shutoff system is a subsystem of PCRVICS.

c. The emergency core cooling systems instrumentation and control provides initiation and control of specific core cooling systems such as high-pressure core spray system, automatic depressurization system, low-pressure core spray system, and the low-pressure coolant injection system.

d. The neutron monitoring system instrumentation and controls use incore neutron detectors to monitor core neutron flux. The neutron monitoring system provides signals to the RPS to shut down the reactor when an overpower condition is detected. High average neutron flux is used as the overpower indicator during 7.1-2 REV. 13

LSCS-UFSAR power operation. Intermediate range detectors are used as overpower indicators during startup and shutdown. The neutron monitoring system also provides power level indication during planned operation. The neutron monitoring system consists of the following seven major subsystems:

1. source range monitor (SRM) subsystem,

2. intermediate range monitor (IRM) subsystem,

3. local power range monitor (LPRM) subsystem,

4. average power range monitor (APRM) subsystem,

5. oscillation power range monitor (OPRM) subsystem,

6. rod block monitor (RBM) subsystem, and

7. traversing incore probe (TIP) subsystem.

e. The refueling interlocks instrumentation and controls serve as a backup to procedural control on core reactivity during refueling operation.

f. The rod control management system instrumentation and controls allow the operator to manipulate control rods and determine their positions. Various interlocks are provided in the control circuitry to prevent multiple operator errors or equipment malfunctions from requiring the action of the reactor protection system.

The rod control management system includes the rod worth minimizer programming, which supplements procedural requirements for limiting the rod worth by restricting the control rod movements to pre-established patterns during startup and shutdown.

g. (deleted)

h. The reactor vessel instrumentation monitors and transmits information concerning key reactor vessel operating variables.

i. The recirculation flow control system instrumentation and controls regulate the reactor recirculation pumps and valve position to vary the coolant flow rate through the core. The system permits manual control.

7.1-3 REV. 18, APRIL 2010

LSCS-UFSAR

j. The feedwater system instrumentation and controls regulate the feedwater system flow rate so that proper reactor vessel water level is maintained. The system is arranged to permit single-element operation (reactor vessel water level only), three-element operation (level, main steam flow, feedwater flow), or manual operation.

7.1-3a REV. 18, APRIL 2010

LSCS-UFSAR

k. The pressure regulator and turbine-generator instrumentation and controls work together to allow proper generator and reactor response to load demand changes. To maintain constant turbine inlet pressure, the pressure regulator adjusts the turbine control valves or turbine bypass valves. The turbine-generator controls act to maintain constant turbine speed, and the turbine-generator speed-load controls respond to load or speed changes by adjusting the reactor recirculation flow control system and the pressure regulator setpoint. If the generator electrical load is lost, the turbine-generator speed-load controls initiate rapid closure of the turbine control valves (coincident with fast opening of the bypass valves) to prevent excessive turbine overspeed.

l. The process radiation monitoring system instrumentation and controls for process liquid and gas lines provide sufficient control for knowledgeable radioactive material release from the site.

The main steamline radiation monitors detect gross release of fission products from the fuel and provide an alarm in the control room. The process radiation monitoring system consists of seven major subsystems:

1. main steamline radiation monitoring subsystem,

2. air ejector off-gas radiation monitor and sampler (off-gas pretreatment radiation monitor) subsystem,

3. off-gas vent pipe radiation monitoring (off-gas post-treatment monitor) subsystem,

4. process liquid radiation monitoring subsystem,

5. carbon bed vault radiation monitor subsystem,

6. reactor building ventilation exhaust plenum radiation monitoring subsystem, and

7. station vent stack exhaust sampling subsystem.

m. The area radiation monitoring system instrumentation provides gamma-sensitive detectors throughout the plant whose outputs are recorded on multipoint recorders.

7.1-4 REV. 13

LSCS-UFSAR

n. The process computer performs several calculations to optimize plant performance. The rod worth minimizer supplements procedural requirements for limiting the rod worth by restricting certain control rod manipulations during reactor startup and shutdown. The rod worth minimizer is integrated into the rod control management system.

o. The reactor building ventilation and pressure control system senses abnormal pressure and radiation levels in the ECCS pump rooms and initiates the pressure control system.

p. The main control room and auxiliary electric equipment room heating, ventilating and air conditioning systems instrumentation and control system senses abnormal radiation levels in the control room and initiates changes in the sources of circulating air.

q. The CSCS equipment cooling water system (CSCS-ECWS) instrumentation and controls initiate and monitor cooling water flow to vital equipment during abnormal conditions and unit shutdown.

r. The post-LOCA hydrogen recombiner system instrumentation and controls monitor and provide means for controlling the hydrogen concentration in the primary containment following a postulated LOCA. The hydrogen recombining function of the hydrogen recombiners is abandoned in place.

s. The reactor core isolation cooling system instrumentation and controls provide makeup water to the reactor vessel in the event the reactor becomes isolated from the main condensers during plant operation by a closure of the main steamline isolation valves.

t. The standby liquid control system instrumentation and controls provide manual initiation of a redundant reactivity control system which can shut the reactor down from rated power to the cold condition in the event that all withdrawn control rods cannot be inserted to achieve reactor shutdown.

u. The primary containment atmosphere monitoring system instrumentation senses abnormal gamma radiation, oxygen, and hydrogen concentration in the containment and initiates alarms in the control room.

7.1-5 REV. 18, APRIL 2010

LSCS-UFSAR

v. The radwaste system instrumentation and controls support manual processing and disposing of the radioactive process 7.1-5a REV. 18, APRIL 2010

LSCS-UFSAR wastes generated during power operation. The radwaste control system includes liquid radwaste and gaseous radwaste subsystems.

w. The reactor water cleanup system instrumentation and controls provide manual initiation of system equipment to maintain high water purity and reduce concentrations of fission products in the reactor water.

x. The standby power systems instrumentation and controls monitor all important standby power parameters and annunciate abnormal conditions within the system.

y. The leak-detection system instrumentation and controls use various temperature, pressure, level, and flow sensors to detect, annunciate, and isolate (in certain cases) water and steam leakages in selected reactor systems.

z. The reactor shutdown cooling system (RHR) instrumentation and controls provide manual initiation of cooling to remove the decay and sensible heat from the reactor vessel so that the reactor can be refueled and serviced.

aa. The fuel pool cooling and cleanup system instrumentation senses abnormal water temperatures. ab. The standby gas treatment system instrumentation and controls automatically line up airflow from various sources to the treatment filters. ac. The alternate rod insertion (ARI) system instrumentation and controls initiate an automatic reactor scram if monitored system variables exceed preestablished limits. The ARI function is to exhaust the scram valve pilot air header through valves different from the reactor protection system-initiated scram valves, therein providing an alternate means of initiating control rod insertion. 7.1.3 Independence of Redundant Safety-Related Systems This section defines separation criteria for safety and safety-related mechanical and electrical equipment. Safety-related equipment to which the criteria apply are those necessary to mitigate the effects of abnormal operational transients or accidents. The objective of the criteria is to delineate the separation requirements 7.1-6 REV. 13

LSCS-UFSAR necessary to achieve true independence of safety-related functions compatible with the redundant equipment provided. The subsections to follow individually address mechanical and electrical equipment separation. The specific systems and equipment to which the criteria apply are listed followed by the corresponding criteria. 7.1.3.1. Mechanical Systems and Equipment The affected mechanical systems and related equipment (i.e., piping, valves, pumps, and heat exchangers) include: ECCS

a. low-pressure coolant injection (LPCI) system (subsystem of RHR),

b. low-pressure core spray (LPCS) system,

c. high-pressure core spray (HPCS) system, and

d. automatic depressurization (ADS) system.

Other

a. reactor core isolation cooling (RCIC) system,

b. core standby cooling system equipment cooling water (CSCS-ECWS) system, and

c. portions of the supporting systems for the previous systems which are required to enable the main system to perform its safety function.

7.1.3.2 Electrical Systems and Equipment The affected electrical systems and equipment, including supporting systems, are described in the following:

a. Reactor protection system (RPS)

The overall complex of instrument channels, power supplies, trip system, trip actuators and all wiring involved in generating a reactor scram trip signal. 7.1-7 REV. 13

LSCS-UFSAR

b. Nuclear steam supply shutoff system (NSSSS)

The instrument channels (except those common to RPS), power supplies, trip systems, manual controls and interconnecting wiring involved in generating a NSSSS function. Instrument channels for the isolation functions which are shared with the reactor protection system are considered a part of the RPS as far as segregation is concerned.

c. Emergency core cooling system (ECCS)

This includes that combination of systems which takes automatic action to provide the cooling necessary to limit or prevent melting of fuel cladding in the event of a design-basis reactor accident. These systems include:

1. low-pressure core spray (LPCS) system,

2. automatic depressurization system (ADS),

3. high-pressure core spray (HPCS) system, and

4. residual heat removal (RHR) system.

d. Reactor core isolation cooling (RCIC) system This system maintains adequate core cooling in the event of reactor isolation accompanied by a loss of feedwater.

This system is not an ECCS. The steam supply valves for this system are part of the NSSSS. 7.1.3.3 Mechanical Systems Separation Criteria 7.1.3.3.1 General

a. Separation of the affected mechanical systems and equipment (Subsection 7.1.3.1) shall be accomplished so that the substance and intent of 10 CFR 50 are fulfilled.

b. Consideration is given to the redundant and diverse requirements of the affected systems.

7.1-8 REV. 13

LSCS-UFSAR

c. Consideration is given to the type, size, and orientation of possible breaks of the reactor coolant pressure boundary specified in Subsection 3.6.2.2.

d. The protection afforded by the ECCS network satisfies the single-failure criterion. A single failure means an occurrence which results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be part of the single failure.

Fluid systems are considered to be designed against an assumed single failure if a single failure of any active component (assuming passive components function properly) does not result in a loss of capability of the system to perform its safety function.

e. The affected mechanical systems and equipment along with their associated structures are appropriately separated so that they are adequately protected against:

1. the LOCA dynamic effects outlined in Section 3.6,

2. missiles as defined in Section 3.5, and

3. fires capable of damaging redundant mechanical safety equipment.

The need for and the adequacy of separation are determined in conjunction with the criteria specified in Sections 3.5 and 3.6. 7.1.3.3.2 System Separation Requirements

a. Piping for a redundant safety system is run independently of its counterpart. Supports, restraints, and mechanical components of redundant piping of the same system are not shared in common, unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions.

b. Entrance penetrations to the containment are separated so that damage to or failure of one branch of a system shall not render its redundant counterpart(s) inoperable.

7.1-9 REV. 13

LSCS-UFSAR 7.1.3.3.3 Physical Separation Requirements

a. Mechanical equipment and piping, including control safety conduit and tubing for the emergency core cooling systems, are separated so that no single credible event is capable of disabling sufficient equipment to prevent reactor shutdown, removal of decay heat from the core, or isolation of the containment.

b. The ADS system is separated from the HPCS system such that no break location within the normally pressurized portion of the HPCS influent line is located within jet impingement or pipe movement damage distance of any component considered essential to the operation of the ADS.

c. The ECCS shall be separated into three functional groups:

1. HPCS,

2. LPCS + one LPCI with RHR heat exchanger and 100% service water, and

3. two LPCI pumps with one RHR heat exchanger and 100% service water.

d. The equipment in each group is separated from that in the other two groups by the maximum practical distance. In addition, the distance between the HPCS and the RCIC (which is not an ECCS) is maximized (Figure 7.1-1). The HPCS is in ESF division 3 and the RCIC is in ESF division 1.

e. Separation barriers are constructed between the functional groups as required to assure that environmental disturbances (such as fire, pipe rupture phenomena, falling objects, etc.)

affecting one functional group will not affect the remaining groups. In addition, separation barriers are provided as required to assure that such disturbances do not affect both the RCIC and HPCS. 7.1.3.4 Electrical Systems Separation Criteria 7.1.3.4.1 General Major electrical equipment comprising the systems listed in Subsection 7.1.3.2 shall be identified so that two facts are physically apparent to the operating and maintenance personnel: first, that the equipment is part of the RPS or ESF 7.1-10 REV. 13

LSCS-UFSAR equipment; and second, the grouping (or division) of enforced segregation with which the equipment is associated. Panel and division markers are compatible with this objective. Electrical system separation criteria for non-GE furnished equipment is considered in Subsections 8.3.1.3 and 8.3.1.4.

a. Panels and racks Panels and racks associated with the RPS or ESF shall be labeled with marker plates which are conspicuously different from those for other similar panels; the difference may be in color, shape, or color of engraving-fill. The marker plates include identification of the proper division of the equipment included. The colors of panel and division markers are compatible if color coding is used as the primary mechanism of differentiation between divisions.

b. Junction or pull boxes Junction and/or pull boxes enclosing wiring for the RPS or ESF have identification similar to and compatible with the panels and racks.

c. Cables Cables external to cabinets and/or panels for the RPS or ESF are marked to distinguish them from other cables and identify their separation division as applicable. This identification requirement does not apply to individual conductors.

d. Raceways Those trays or conduits which carry RPS or ESF wiring are identified at entrance points of each room through which they pass (and exit points unless the room is small enough to facilitate convenient following of cable) with a permanent marker identifying their division. Non-ESF cables routed with ESF cables assume the ESF cables divisional identification for extended routing and must not subsequently be routed with a different ESF division.

e. Sensory Equipment Grouping and Designation Letters Redundant sensory equipment for RPS or ESF is identified by suffix letters in accordance with Table 7.1-9 for the RPS, Table 7.1-10 for the neutron monitoring system, and 7.1-11 REV. 13

LSCS-UFSAR Table 7.1-11 for ECCS and RCIC. These tables also show the allocation of sensors to their separated divisions. 7.1.3.4.2 System Separation Requirements 7.1.3.4.2.1 Reactor Protection System (RPS) The following general rules apply to both RPS and NSSSS wiring associated with RPS:

a. RPS cable in raceways outside of the main protection system cabinets may not be run with other wiring and is conspicuously identified to facilitate auditing. Undervessel neutron monitoring cables are not placed in any enclosure which unduly restricts their flexibility. Neutron monitoring cables (SRM, IRM, OPRM and APRM) may be run in the same raceway provided that the four-divisional separation is maintained.

b. Wiring to duplicate sensors on a common process tap are run in separate raceways to its separate destinations in order to meet the single-failure criterion.

c. Wiring for sensors of more than one variable in the same trip channel may be run in the same raceway.

d. Wires from both RPS trip system trip actuators to a single group of scram solenoids may be run in a single raceway, however, a single raceway shall not contain wires to more than one group of scram solenoids. Wiring for two solenoids on the same control rod may be run in the same raceway.

e. Cables through the primary containment penetrations are so grouped that failure of all cabling in a single penetration cannot prevent a scram. (This applies specifically to the neutron monitoring cables and the main steam isolation valve position switch cables.)

f. Power supplies to systems which deenergize to operate (so called "fail-safe" power supplies) are routed in accordance with Subsection 8.3.1.4.2.2. Therefore, the protection system flywheel motor-generator (MG) sets and load circuit breakers are not required to comply with these separation requirements even though the load circuits go to separated panels.

7.1-12 REV. 13

LSCS-UFSAR

g. The RPS has a minimum of four independent input instrument channels for each measured variable. The four separate conduits for the four sensors for a specific variable may (in some cases) be combined into two groupings or divisions for routing purposes if desired by combining divisions IA and IB and IIA and IIB shown in Table 7.1-9 and Figure 7.1-2.

However, in no case shall the total disabling of equipment within a single division be capable of preventing a required scram action under permitted bypass conditions.

h. The RPS wiring is run and/or protected such that no common source of potentially damaging energy (e.g., electrical fire in non-RPS wireways, malfunction or misoperation of plant equipment, pipe rupture, etc.) could reasonably result in loss of ability to scram when required.

7.1.3.4.2.2 Emergency Core Cooling System (ECCS) and Nuclear Steam Supply Shutoff System (NSSSS)

a. Separation is such that no single failure can prevent operation of an engineered safeguard function. Redundant (even dissimilar) systems may be required to perform the required function to satisfy the single failure criterion. Figures 7.1-2, 7.1-3, 7.1-4, 7.1-5, and 7.1-6 and Table 7.1-12 illustrate equipment separation into divisions and the allowable interconnections through isolating devices.

b. The inboard/outboard NSSSS and MSL isolation valves are backups for each other, so they must be independent of and protected from each other to the extent that no single failure can prevent the operation of at least one of an inboard/outboard pair of shutoff valves. Figure 7.1-5 illustrates the MSL isolation valve separation concept.

c. Isolation valve circuits require special attention because of their function in limiting the consequences of a pipe break outside the primary containment. Isolation valve control and power circuits shall be protected from the pipelines that they are responsible for isolating as follows:

1. Essential isolation valve wiring in the vicinity of the outboard valve (or downstream of the valve) is run in rigid conduit and routed such as to take advantage of the mechanical protection afforded by the valve operator or 7.1-13 REV. 13

LSCS-UFSAR other available structural barriers not susceptible to disabling damage from the pipe line break. Additional mechanical protection (barriers) is interposed as necessary between wiring and potential sources of disabling mechanical damage consequential to a break downstream of the outboard valve.

2. Isolation valve control and/or power wiring run in a raceway with other cables is protected from secondary effects of damage to those cables which might result from a pipe break in a line requiring isolation (i.e., short circuits which might overheat cables in an ESF raceway).

3. Motor-operated valves which have mechanical check valve backup for their isolation function are included in the division which embraces the system in which the valves are located rather than adhering strictly to the inboard/outboard divisional classification. The testable check valve cable is run in the same division with the cables for the motor-operated valve in the same line. The testable feature, related control switches, and position indicating lights associated with the ECCS testable check valves, have been eliminated. The cables have been de-terminated and left in place.

7.1.3.4.3 Physical Separation Requirements

a. Electrical Divisions Electrical equipment and wiring for the ESF is segregated into separate divisions designated 1, 2 and 3, so that no single credible event is capable of disabling sufficient equipment to prevent reactor shutdown, removal of decay heat from the core, or to prevent isolation of the containment in the event of a design-basis accident. Separation requirements apply to control power and motive power for all systems concerned. These minimum requirements and guidelines are to be applied with good engineering judgment as an aid to prudent and conservative layout of electrical equipment and raceways throughout the plant. Refer to Subsection 8.3.1.4 for detailed separation arrangement.

7.1-14 REV. 13

LSCS-UFSAR

b. Mechanical Damage Zone Arrangement and/or protective barriers are such that no locally generated force or missile can destroy redundant ESF functions.

In the absence of confirming analysis to support less stringent requirements, the following rules shall apply:

1. In rooms or compartments having heavy rotating machinery, such as the main turbine-generator or the reactor feed pumps, or in rooms containing high-pressure feedwater piping or high-pressure steamlines such as those between the reactor and the turbine, a minimum separation of 20 feet or a 6-inch-thick reinforced concrete wall is required between trays containing cables of different divisions.

2. Any switchgear associated with two redundant ESF's and located in a potential mechanical damage zone such as discussed above must have a minimum horizontal separation of 20 feet or must be separated by a protective wall equivalent to a 6-inch-thick reinforced concrete wall.

3. In any compartment containing an operating crane, such as the turbine building main floor and the region above the reactor pressure vessel, there must be a minimum horizontal separation of 20 feet or a 6-inch-thick reinforced concrete wall between trays containing cables from different divisions.

c. Fire Hazard Zone Arrangement of cabling is such as to eliminate, insofar as practical, any potential for fire damage to cables and to separate the redundant divisions so that fire in one division will not propagate to another division. In the absence of confirming analysis to support less stringent requirements, the following general rules are followed:

1. Routing of cables for ESF control or power through rooms or spaces where there is potential for accumulation of large quantities (gallons) of oil or other combustible fluids through leakage or rupture of lube oil or cooling systems should be avoided. Where such routing is unavoidable for practical reasons, see Section 8.3.1.4.2.1 for raceway spearation criteria.

7.1-15 REV. 13

LSCS-UFSAR

2. In any room or compartment in which the only source of fire is of an electrical nature, cable trays of different ESF divisions must have a minimum horizontal separation of 3 feet if no physical barrier exists between trays. If a horizontal separation of 3 feet is unattainable, a fire-resistant barrier is required, extending at least 1 foot above (or to the ceiling) and 1 foot below (or to the floor) line-of-sight communication between the two trays. These trays are of the solid bottom type.

3. For ESF raceways in which the only source of fire is of an electrical nature, there is a minimum vertical separation of 5 feet between horizontal cable trays stacked vertically one above the other; however, vertical stacking of trays from redundant divisions should be avoided wherever possible. In cases where cable trays are run stacked one above the other, and where the trays do not meet the 5-foot vertical separation requirement, the lower tray has a solid metal cover and the upper tray has a solid metal bottom or other effective fire barrier.

4. In the case of crossover of one ESF cable tray over another (or over a panel) in which the only source of fire is of an electrical nature, there is a minimum vertical separation of 12 inches air space between trays with the bottom tray covered with a metal cover and the top tray provided with a metal bottom for a distance of 5 feet on each side of the tray.

5. Any openings in floors for vertical runs of ESF cables are sealed with fireproof or self-extinguishing material.

d. Cable Spreading Room The minimum horizontal and vertical separation and/or barrier requirements in the cable spreading room, provided that power leads are run in their own protective enclosure (i.e., conduit or equivalent), are as follows:

1. Where cables of different separation divisions approach the same or adjacent control panels with spacing less than the 3-feet minimum, at least one cable is run in metal (rigid or flexible) conduit to a point where 3 feet of separation exists.

7.1-16 REV. 14, APRIL 2002

LSCS-UFSAR

2. A minimum horizontal separation of 1 foot exists between cable trays containing cables of different separation divisions if no physical barrier exists between trays. If a horizontal separation of less than 1 foot is not attainable, a fire-resistant barrier is required extending at least 1 foot above (or to the ceiling) and 1 foot below (or to the floor) line-of-sight communication between the two trays.

These trays may be of the open bottom type (ladder type or expanded metal bottom type).

3. Vertical stacking of cable trays carrying cables of different divisions is avoided wherever possible. There is a minimum vertical separation of 3 feet between horizontal trays running parallel one above the other. Where such vertical separation is unobtainable, the top trays have solid metal bottoms and the bottom trays have solid covers. Where not acceptable, a fire-resistant barrier is used between the trays.

4. In the case of crossing of a cable tray of one separation division over a tray of the other division, there is a minimum vertical separation of 1 inch of air space between trays, with the bottom tray covered with a metal cover and the top tray provided with a metal bottom for a distance of 1 foot on each side of the intersection.

e. Main Control Room Panels No single control panel (or local panel or instrument rack) includes wiring essential to the protective function of two systems which are backups for each other except as allowed by item 4 and item 5.

1. If two panels containing circuits of different separation divisions are less than 1 foot apart, there is a steel barrier between the two panels. Panel ends closed by steel end plates are considered to be acceptable barriers provided that terminal boards and wireways are spaced a minimum of 1 inch from the end plate.

2. Floor-to-floor panel fireproof barriers are provided between adjacent panels of different divisions and divisional equipment on the same panel.

7.1-17 REV. 13

LSCS-UFSAR

3. Penetration of separation barriers within a subdivided panel is permitted, provided that such penetrations are sealed or otherwise treated so that an electrical fire could not reasonably propagate from one section to the other and disable a protective function.

4. Where, for operational reasons, locating manual control switches on separate panels is considered to be prohibitively (or unduly) restrictive to manual operation of equipment, the switches may be located on the same panel provided no credible single event in the panel can disable both sets of redundant manual or automatic controls. Wherever wiring of two different divisions exists in a single panel section, separate terminal boards must be provided, and spacing of terminal boards and wiring must be such as to preclude the possibility of fire propagation from one division of wiring to another. One of a redundant pair of devices in close proximity within a single panel will be considered adequately separated from the other if the wiring to one of the devices has flameproof insulation and is totally enclosed in fire-resistant material including outgoing terminals at the control panel boundary as well as at the device itself. However, consideration shall be given to locating redundant switches on opposite sides of the barrier formed by the end closures of adjacent panels wherever operationally acceptable.

5. Wiring for digital information outputs such as those to annunciators or data loggers may be run between sections of subdivided panels if interposing relays or equivalent isolation is provided to prevent interaction. For example, 125-Vdc annunciator circuits may be connected through sensor relay contacts of more than one of the protection system panels to achieve an either-of-two alarm logic, but wiring for the annunciators should be kept separate from the protective wiring by separate cabling or ducting.

f. Steam Leakage Zone Electrical equipment and raceways for systems listed in Subsection 7.1.3.2 are located away from steam leakage zones insofar as practical, or are designed for short-term exposure to the high temperature and humidity associated with a steam leak.

7.1-18 REV. 13

LSCS-UFSAR

g. Suppression Pool Swell Zone Any electrical equipment and/or raceways for ESF located in this zone must be designed to satisfactorily complete their function before being rendered inoperable due to exposure to the environment created by the swell.

7.1.4 Physical Identification of Safety-Related Equipment Physical identification of equipment associated with the RPS, PCRVICS, ECCS and their auxiliary supporting systems is described in Subsection 7.1.3.4.1. 7.1.5 Conformance to IEEE Criteria General conformance to IEEE criteria is discussed in attachment 7.A.1. 7.1.6 Conformance to Regulatory Guides This subject is discussed in Appendix B. 7.1-19 REV. 14, APRIL 2002

LSCS-UFSAR TABLE 7.1-1 (SHEET 1 OF 2) SYSTEM CLASSIFICATION BASIC SAFETY SYSTEMS Reactor protection system Primary containment and RV isolation control system Emergency core cooling systems High-pressure core spray Automatic depressurization system Low-pressure core spray Low-pressure coolant injection (RHR) Neutron monitoring system Intermediate range monitors (IRM) Average power range monitors (APRM) Leak detection systems Process radiation monitoring system Main steamline radiation monitoring Containment ventilation radiation monitoring AUXILIARY SUPPORTING SYSTEMS Standby power systems Standby gas treatment system CSCS equipment cooling water system Residual heat removal system (RHR) Main control room atmospheric control system Reactor building ventilation and pressure control system Combustible gas control system Diesel-generator facilities ventilation system Switchgear heat removal system ECCS equipment area cooling system OTHER SYSTEMS IMPORTANT TO SAFETY Reactor core isolation cooling system Standby liquid control system Reactor shutdown cooling (RHR) Reactor vessel instrumentation Low water level Vessel pressure Refueling interlocks Neutron monitoring system Rod block monitor, source range monitor TABLE 7.1-1 REV.16 - APRIL 2006

LSCS-UFSAR TABLE 7.1-1 (SHEET 2 OF 2) Process radiation monitoring system Area radiation monitoring system Containment atmospheric monitoring system Leak detection system Safety-related display instrumentation Rod Control Management System Alternate rod insertion system POWER GENERATION SYSTEMS Reactor water cleanup system Reactor manual control system Recirculation flow control system Feedwater control system Pressure regulator and turbine generator Radwaste system Area radiation monitoring system Process computer Neutron monitoring system Traversing incore probe (TIP) Process radiation monitoring system Spent fuel pool cooling and cleanup system Reactor vessel instrumentation TABLE 7.1-1 REV.18, APRIL 2010

LSCS-UFSAR TABLE 7.1-2 (SHEET 1 OF 2) CODES AND STANDARDS APPLICABILITY MATRIX ALTERNATE ROD INSERTION I&C REFUEL INTLK CRD/ RCMS VESSEL INST FLOW CONTROL FEEDWATER I&C TURB GEN I&C PROCESS RAD AREA RAD HEALTH PHYSICS COMPUTER CSCS - ECWS CONT ATM MS PCIC I&C STBY LIQUID I&C RADWASTE I&C RCTR WATER CLEANUP I&C RPS STANDBY PWR I&C LEAK DET I&C CRVICS RHR SHUTDOWN I&C ECCS FP&C I&C COMBUSTIBLE GAS NMS RECOMBINER I&C IEEE 279-1971 X X X APRM, IRM 1 1 3 X 2 X X X X X X X OPRM, (1) 2 IEEE 308-1971 X X X X X IEEE 323-1971 X X X APRM, IRM X X X X X X X X X IEEE 338-1971 X X X APRM, IRM X X X X X X X X IEEE 344-1971 (5) X X X APRM, IRM X X X X X X X X X IEEE 379-1972 X X X APRM, IRM X X X X X X IEEE-381 OPRM IEEE 387-1972 X X RG 1.6 X X X RG 1.9 X RG 1.21 X X X RG 1.22 X X X APRM, IRM X X X X X X RG 1.29 X X X APRM, IRM X X X X X X X X RG 1.32 X X X RG 1.45 X RG 1.47 4 4 4 APRM, IRM 4 4 4 4 4 RG 1.53 X X X APRM, IRM X X X X X X RG 1.56 X RG 1.62 X X X X X X RG 1.66 LPRM GDC 10 OPRM GDC 12 OPRM GDC 13 X X X APRM, IRM X X X X X X X X GDC 17 X X GDC 18 X X GDC 19 X X X APRM, IRM X X X X X GDC 20 X X X APRM, IRM X X X X X GDC 21 X X X APRM, IRM X X X X X X GDC 22 X X X APRM, IRM X X X X X GDC 23 X X X APRM, IRM X X X X GDC 24 APRM, IRM, RBM X X X X X X GDC 26 X X X GDC 29 X X X APRM, IRM X X X X GDC 30 X X X GDC 34 X X X X X GDC 35 X X GDC 37 X X GDC 41 X GDC 43 X GDC 54 X GDC 61 X X X GDC 63 X X GDC 64 X X TABLE 7.1-2 REV. 18, APRIL 2010

LSCS-UFSAR TABLE 7.1-2 (SHEET 2 OF 2) (1) Interlock functions for Rod Withdrawal Block (RBM) are required to meet specific NRC requirements, rather than IEEE-279. (2) The Rod Worth Minimizer is part of the RCMS microprocessor-based system. (3) The Pressure Regulator and Turbine Control System is a non-safeguard process control system. However, RPS trip signals derived from: (a) Stop valve closure limit switches; (b) Control valve fast closure oil pressure switches; and (c) First-stage (flow) pressure switches are engineered to all applicable IEEE and safety criteria and described under RPS description. (4) Conformance to RG 1.47 per Applicant/AE interpretation due to promulgation of RG 1.47 after issuance of construction permit for LSCS. (5) IEEE-344-1971 was the original design requirements for seismic qualification. All replacement/new components must meet the requirements of IEEE-344-1975. See UFSAR section 3.10. TABLE 7.1-2 REV. 18, APRIL 2010

LSCS-UFSAR TABLE 7.1-3 REACTOR PROTECTION SYSTEM CODES AND STANDARDS SCRAM MANUAL SWITCH DISCHARGE TRIP LOGIC TRIP VOLUME NEUTRON REACTOR LOW NEUTRON MSL ISOLATION MONITORING NEUTRON INPUTS VALVE CLOSURE MSL HIGH SYSTEM APRM ACTUATOR TURBINE STOP MONITORING DRYWELL HIGH VALVE CLOSURE MONITORING WATER LEVEL TURBINE CONTROL PRESSURE RADIATION BYPASS INPUTS OUTPUTS SYSTEM OPRM REACTOR HIGH SYSTEM IRM VALVE FAST CLOSURE PRESSURE IEEE 279-1971 X X X X X X X X X X X X X X IEEE 323-1971 X X X X X X X X X X X X X IEEE 338-1971 X X X X X X X X X X X X X IEEE 344-1971 X X X X X X X X X X X X X IEEE 379-1972 X X X X X X X X X X X X X RG 1.22 X RG 1.29 X X X X X X X X X X X X X RG 1.47 X X X X X X X X X X X X X RG 1.53 X X X X X X X X X X X X X RG 1.62 X GDC 10 X GDC 12 X GDC 13 X X X X X X X X X X X GDC 19 X GDC 20 X X X X X X X X X X X X GDC 21 X X X X X X X X X X X X X GDC 22 X X X X X X X X X X X X X GDC 23 X X X X X X X X X X X X X GDC 24 X X X X X X X X X X X X X GDC 29 X X X X X X X X X X X X X Note: IEEE-344-1971 was the original design requirements for seismic qualification. All replacement/new components must meet the requirements of IEEE-344-1975. See UFSAR section 3.10. TABLE 7.1-3 REV. 13

LSCS-UFSAR TABLE 7.1-4 CONTAINMENT AND REACTOR VESSEL ISOLATION CONTROL SYSTEM CODES AND STANDARDS REACTOR WATER CLEANUP LOOP REACTOR WATER CLEANUP LOOP REACTOR WATER CLEANUP LOOP MSL SPACE HIGH TEMPERATURE MAIN CONDENSER LOW VACUUM PLANT EXHAUST VENT PLENUM REACTOR LOW WATER LEVEL TRIP LOGIC TRIP ACTUATOR MSL HIGH RADIATION REACTOR LOW PRESSURE DRYWELL HIGH PRESSURE RHR SPACE HIGH TEMP MANUAL SWITCH INPUTS MSL SPACE HIGH DIFF MSL HIGH FLOW MONITOR HIGH FLOW HIGHSPACE TEMPERATURE HIGH SPACE DIFF TEMPERATURE BYPASS INPUTS OUTPUTS TEMPERATURE IEEE 279-1971 X X X X X X X X X X X X X X X X IEEE 323-1971 X X X X X X X X X X X X X X X X IEEE 338-1971 X X X X X X X X X X X X X X X X IEEE 344-1971 X X X X X X X X X X X X X X X X IEEE 379-1972 X X X X X X X X X X X X X X X X RG 1.22 X RG 1.29 X X X X X X X X X X X X X X X X RG 1.47 X X X X X X X X X X X X X X X X RG 1.53 X X X X X X X X X X X X X X X X RG 1.62 X GDC 13 X X X X X X X X X X X X X GDC 19 X GDC 20 X X X X X X X X X X X X X X X GDC 21 X X X X X X X X X X X X X X X X GDC 22 X X X X X X X X X X X X X X X X GDC 23 X X X X X X X X X X X X X X X X GDC 24 X X X X X X X X X X X X X X X X GDC 29 X X X X X X X X X X X X X X X X GDC 34 X X NOTE: IEEE-344-1971 was the original design requirements for seismic qualification. All replacement/new components must meet the requirements of IEEE-344-1975. See UFSAR section 3.10. TABLE 7.1-4 REV.10 - APRIL 1994

LSCS-UFSAR TABLE 7.1-5 HIGH-PRESSURE ECCS (HPCS, ADS A, ADS B NETWORK) CODES AND STANDARDS REACTOR LOW WATER LEVEL ADS A AC INTLK PERMISSIVE ADS B AC INTLK PERMISSIVE TRIP LOGIC TRIP ACTUATOR HPCS EMERG BUS VOLTAGE HPCS BATTERY VOLTAGE ADS A BATTERY VOLTAGE ADS B BATTERY VOLTAGE MANUAL SWITCH INPUTS PRIMARY CONTAINMENT HPCS FLOW SUFFICIENT HIGH PRESSURE ADS A TIMER ADS B TIMER BYPASS INPUTS OUTPUTS IEEE 279-1971 XN XN XN XN XN XN XN XN XN XN XN XN XN XN IEEE 308-1971 XN XN XN XN IEEE 323-1971 X X X X XN XN X X XN X X X X X IEEE 338-1971 X X X X XN XN X X XN X X X X X IEEE 344-1971 X X X X XN XN X X XN X X X X X IEEE 379-1972 XN XN XN XN XN XN XN XN XN XN XN XN XN XN IEEE 387-1972 XN RG 1.6 XN XN XN XN RG 1.22 X X X X X X X X X X X X X RG 1.29 X X X X XN XN X X XN X X X X RG 1.32 XN XN XN XN RG 1.47 X X X X X X X X X X X X X X RG 1.53 XN XN XN XN XN XN XN XN XN XN XN XN XN XN RG 1.62 XN GDC 13 X X X X X X X X X GDC 17 XN XN XN XN GDC 18 X XN XN XN GDC 19 X GDC 20 XN XN XN XN XN XN XN XN XN XN XN X XN GDC 21 XN XN XN XN XN XN XN XN XN XN XN XN XN XN GDC 22 XN XN XN XN XN XN XN XN XN XN XN XN XN XN GDC 23 XN XN XN XN XN XN XN XN XN XN XN XN XN XN GDC 24 X X X X X X X X X X X X X X GDC 29 XN XN XN XN XN XN XN XN XN XN XN XN XN XN GDC 35 XN XN XN XN XN XN XN XN XN XN XN XN XN XN GDC 37 XN XN XN XN XN XN XN XN XN XN XN XN XN XN X = APPLICABLE XN = APPLICABLE ON A NETWORK BASIS NOTE: IEEE-344-1971 was the original design requirements for seismic qualification. All replacement/new components must meet the requirements of IEEE-344-1975. See UFSAR section 3.10. TABLE 7.1-5 REV. 10 - APRIL 1994

LSCS-UFSAR TABLE 7.1-6 HPCS AND LOW PRESSURE ECCS(LPCS, RHR A, RHR B NETWORK) CODES AND STANDARDS LPCS/RHRA BATTERY LPCS/RHRA INJECTION RHRB/RHRC BATTERY TRIP LOGIC TRIP RHRB/RHRC HPCS EMERGENCY LPCH/RHRA EMERG RHRB/RHRC FLOW LPCS/RHRA FLOW MANUAL SWITCH RHRB/RHRC DRYWELL HIGH BYPASS INPUTS REACTOR LOW HPCS BATTERY INJECTION VALVE Rx HPCS FLOW EMERGENCY BUS WATER LEVEL PRESSURE BUS VOLTAGE SUFFICIENT VOLTAGE VOLTAGE BUS VOLTAGE SUFFICIENT VALVE Rx PRESSURE VOLTAGE VOLTAGE SUFFICIENT PRESSURE ACTIVATOR OUTPUTS IEEE 279- XN XN XN XN XN XN XN XN XN XN XN XN XN XN XN XN 1971 IEEE 308- XN XN XN XN XN XN 1971 IEEE 323- X X X X XN XN XN X X XN XN X X X X X 1971 IEEE 338- X X X X XN XN XN X X XN XN X X X X X 1971 IEEE 344- X X X X XN XN XN X X XN XN X X X X X 1971 IEEE 379- XN XN XN XN XN XN XN XN XN XN XN XN XN XN XN XN 1972 RG 1.6 XN XN XN XN XN XN RG 1.22 X X X X X X X X X X X X X X X RG 1.29 X X X X XN XN XN X X XN XN X X X X X RG 1.32 XN XN XN XN XN XN RG 1.47 X X X X X X X X X X X X X X X X RG 1.53 XN XN XN XN XN XN XN XN XN XN XN XN XN XN XN XN RG 1.62 XN GDC 13 X X X X X X XN X X X XN X X GDC 17 XN XN XN XN XN XN GDC 18 X XN XN XN XN XN GDC 19 X X GDC 20 XN XN XN XN XN XN XN XN XN XN XN XN XN XN XN GDC 21 XN XN XN XN XN XN XN XN XN XN XN XN XN XN XN XN GDC 22 XN XN XN XN XN XN XN XN XN XN XN XN XN XN XN XN GDC 23 XN XN XN XN XN XN XN XN XN XN XN XN XN XN XN XN GDC 24 X X X X X X X X X X X X X X X X GDC 29 XN XN XN XN XN XN XN XN XN XN XN XN XN XN XN XN GDC 35 XN XN XN XN XN XN XN XN XN XN XN XN XN XN XN XN GDC 37 XN XN XN XN XN XN XN XN XN XN XN XN XN XN XN XN X= APPLICABLE XN = APPLICABLE ON A NETWORK BASIS NOTE: IEEE-344-1971 was the original design requirements for seismic qualification. All replacement/new components must meet the requirements of IEEE-344-1975. See UFSAR section 3.10. TABLE 7.1-6 REV.10 - APRIL 1994

LSCS-UFSAR TABLE 7.1-7 PROCESS RADIATION MONITORING CODES AND STANDARDS AIR EJECTOR OFF- CARBON BED STACK MONITOR - PROCESS LIQUID REACTOR MAIN OFF-GAS VENT BUILDING VENT STREAMLINE GAS PIPE EXHAUST VAULT MONITOR SAMPLERS IEEE 279-1971 X X IEEE 308-1971 IEEE 323-1971 X X IEEE 338-1971 X X IEEE 344-1971 X X IEEE 379-1972 X X RG 1.21 X X RG 1.22 X X RG 1.29 X X RG 1.47 X X RG 1.53 X X GDC 13 X X X X X X X GDC 20 X X X GDC 21 X X GDC 22 X X GDC 23 X X GDC 24 X X GDC 29 X X GDC 64 X X X X NOTE: IEEE-344-1971 was the original design requirements for seismic qualification. All replacement/new component must meet the requirements of IEEE-344-1975. See UFSAR section 3.10. TABLE 7.1-7 REV.10 - APRIL 1994

LSCS-UFSAR TABLE 7.1-8 LEAK DETECTION SYSTEM CODES AND STANDARDS HIGH TEMPERATURE AND RECIRCULATION PUMP SAFETY/RELIEF VALVE LOW Rx WATER LEVEL HIGH DIFFERENTIAL DRYWELL FISSION TEMPERATURE HIGH PRESSURE HIGH FLOW SUMP FILL RATE* PRESSURE* LEAK PRESSURE FLOW* TEMPERATURE PRODUCT MONITOR* SYSTEMS MSL MSL MSL RCIC RWCU ADS AFFECTED RCIC RCIC RHR RHR RHR RWC U IEEE 279-1971 X X X X X IEEE 323-1971 X X X X X IEEE 338-1971 X X X X X IEEE 344-1971 X X X X X IEEE 379-1972 X X X X X RG 1.47 X X X X X RG 1.53 X X X X X RG 1.22 X X X X X RG 1.29 X X X X X RG 1.45 X X X GDC 13 X X X X X GDC 19 X X X X X GDC 20 X X X X X GDC 21 X X X X X GDC 22 X X X X X . GDC 23 X X X X X GDC 24 X X X X X GDC 29 X X X X X GDC 30 X X X X X X X X X GDC 33 X X X X X ** X GDC 34 X X X GDC 35 GDC 54 X X X X X . NOTE: IEEE-344-1971 was the original design requirements for seismic qualification. All replacement/new components must meet the requirements of IEEE-344-1975. See UFSAR section 3.10. These contribute to drywell leak detection.

• • Flow only.

TABLE 7.1-8 REV.10 - APRIL 1994

LSCS-UFSAR TABLE 7.1-9 REACTOR PROTECTION SYSTEM AND DEENERGIZE-TO-OPERATE SENSOR SUFFIX LETTERS AND DIVISION ALLOCATION* TOTAL NUMBER DIVISION IA DIVISION IB DIVISION IIA DIVISION IIB OF SENSORS Trip Logic A1 Trip Logic B1 Trip Logic A2 Trip Logic B2 4 A B C D 8 A, E B,F C, G D, H 16 A, E, J, N B, F, K, P C, G, L, R D, H, M, S Part of Trip Part of Trip Part of Trip Part of Trip System A System B System A System B This division does not apply to the six-channel APRM system, which must have a special four-group arrangement to allow for maintenance bypassing of a single channel in each protection system without violating the single-failure criteria (see Table 7.1-10). TABLE 7.1-9 REV. 14 - APRIL 2002

LSCS-UFSAR TABLE 7.1-10 (SHEET 1 OF 2) FOUR-DIVISION GROUPING OF THE NEUTRON MONITORING SYSTEM UTILIZING FOUR, SIX, OR EIGHT DRYWELL PENETRATIONS* DRYWELL PENETRATIONS Penetration E A B C G D F H designations, optional IRM E IRM A IRM B IRM C IRM G IRM D IRM F IRM H 8-penetration grouping APRM E APRM A APRM B APRM C LPRM A APRM D APRM LPRM B Penetration E A B C D F designations, optional IRM E IRM A IRM B IRM C and G IRM D and H IRM F 6-penetration grouping APRM E APRM F LPRM B APRM A APRM B APRM C APRM D LPRM A Penetration A B C D designations, standard IRM A and E IRM C and G IRM D and H 4-penetration grouping APRME IRM B AND F APRM F LPRM B APRM A and B APRM C and D LPRM A (SRM A) (SRM B) (SRM C) (SRM D) Wireway NA NB NC ND Neutron-monitoring channel E E A B C D F F APRM A and E B and F C and G D and H IRM OPRM E G** A B C D F H** RPS trip logic Al A2 A1 B1 A2 B2 B1 B2

• See the notes at the end of this table for an amplification of the tabulated information.
  • OPRM module G receives input from LPRM Group A, and OPRM module H receives input from LPRM Group B.

TABLE 7.1-10 REV. 13

LSCS-UFSAR TABLE 7.1-10 (SHEET 2 OF 2) NOTES

1. Penetrations across the top of the table for 4-, 6-, or 8-penetration groupings carry cables for neutron monitoring channels shown, and each channel serves RPS trip logic directly below it.

2. Horizontal zoning represents LPRM cable and amplifier distribution to APRM's from various penetrations, e.g., in the 4-penetration scheme, Penetration B carries cables for LPRM's going to APRM channels A and B (see Figure 7.1-2).

3. In the 8-penetration arrangement, Penetrations G and H carry only IRM's and spare LPRM cables.

4. Designations for penetrations and wireways are arbitrary and may be deviated from on any specific plant provided that an equivalent separation is maintained and adequate coordination is achieved between instrument supplier and balance-of-plant designer to avoid duplication or confusion.

TABLE 7.1-10 REV. 0 - APRIL 1984

LSCS-UFSAR TABLE 7.1-11 EMERGENCY CORE COOLING SYSTEM CORE STANDBY COOLING AND RCIC SENSOR SUFFIX LETTERS AND DIVISION ALLOCATION ENERGIZE-TO-OPERATE DIVISION I DIVISION II DIVISION III SENSOR SUFFIX LETTERS SENSOR SUFFIX LETTERS SENSOR SUFFIX LETTERS A, C B, D AC* B, D* Operate ECCS A Operate ECCS B directly and used for RCIC initiation through isolation devices Sensors A and C may utilize common process taps; Sensors B and D may utilize common process taps. TABLE 7.1-11 REV. 0 - APRIL 1984

LSCS-UFSAR TABLE 7.1-12 SYSTEM AND SUBSYSTEM SEPARATION DIVISION I DIVISION II DIVISION III Low-pressure core spray and RHR RHR "B" and RHR "C" High-pressure Spray "A" Automatic depressurization* Automatic depressurization* "A" "B" Outboard NSSSS valves* Inboard NSSSS valves Emergency equipment cooling water Emergency equipment cooling A water B RCIC The A and B circuits to each ADS valve inside the primary containment, are run in independent and separate rigid conduit. TABLE 7.1-12 REV. 0 - APRIL 1984

LSCS-UFSAR 7.2 Reactor Protection System 7.2.1 Design Bases 7.2.1.1 Safety Design Bases The reactor protection system is designed to meet the following requirements:

a. The reactor protection system shall initiate a reactor scram with precision and reliability to prevent or limit fuel damage following abnormal operational transients.

b. The reactor protection system shall initiate a scram with precision and reliability to prevent damage to the reactor coolant pressure boundary as a result of excessive internal pressure, that is, to prevent nuclear system pressure from exceeding the limit allowed by applicable industry codes.

c. To limit the uncontrolled release of radioactive materials from the fuel assembly or reactor coolant pressure boundary, the reactor protection system shall precisely and reliably initiate a reactor scram on gross failure of either of these barriers.

d. To detect conditions that threaten the fuel assembly or reactor coolant pressure boundary, reactor protection system inputs shall be derived from variables that are true, direct measures of operational conditions.

e. The reactor protection system shall respond correctly to the sensed variables over the expected range of magnitudes and rates of change.

f. A sufficient number of sensors shall be provided for monitoring essential variables that have spatial dependence.

g. The following bases assure that the reactor protection system is designed with sufficient reliability:

1. If failure of a control or regulating system causes a plant condition that requires a reactor scram but also prevents action by necessary reactor protection system channels, the remaining portions of the reactor protection system shall meet the requirements of a, b, and c preceding.

7.2-1 REV. 13

LSCS-UFSAR

2. Loss of one power supply shall neither cause nor prevent a reactor scram.

3. Once initiated, a reactor protection system action shall go to completion. Return to normal operation shall require deliberate operator action.

4. There shall be sufficient electrical and physical separation between redundant instrumentation and control equipment monitoring the same variable to prevent environmental factors, electrical transients, or physical events from impairing the ability of the system to respond correctly.

5. Earthquake ground motions as amplified by buildings and supporting structures shall not impair the ability of the reactor protection system to initiate a reactor scram.

6. No single failure within the reactor protection system shall prevent proper reactor protection system action, when required, to satisfy safety design bases a, b, and c.

7. No single intentional bypass, maintenance operation, calibration operation, or test to verify operational availability shall impair the ability of the reactor protection system to respond correctly.

8. The system shall be designed so that the required number of sensors for any monitored variable exceeding the scram setpoint will initiate an automatic scram.

h. The following bases reduce the probability that reactor protection system operational reliability and precision will be degraded by operator error:

1. Access to trip settings, component calibration controls, test points, and other terminal points shall be under the control of plant operations supervisory personnel.

2. Manual bypass of instrumentation and control equipment components shall be under the control of the control room operator. If the ability to trip some essential part of the system has been bypassed, this fact shall be continuously annunciated in the control room.

7.2-2 REV. 13

LSCS-UFSAR In addition to the above safety design requirements, the reactor protection system instrumentation and controls comply with the specific regulatory requirements shown in Tables 7.1-2 and 7.1-3. 7.2.1.2 Power Generation Design Bases The reactor protection system has one power generation objective. The setpoints, power sources, and controls and instrumentation are arranged in such a manner as to preclude spurious scrams. 7.2.2 System Description 7.2.2.1 General The reactor protection system includes the motor-generator power supplies, sensors, relays, bypass circuitry, and switches that cause rapid insertion of control rods (scram) to shut down the reactor. It also includes outputs to the process computer system and annunciators, although these latter two systems are not part of the reactor protection system. Trip signals are received from the neutron monitoring system; however, other portions of this system are treated in Sections 7.5, 7.6, and 7.7. The reactor protection system is classified as Safety Related, Seismic Category I, and Quality Group B (Electric Safety Class 1E), with the exception of the motor-generator power supplies which are non-Class 1E. Table 7.2-1 lists the limits for instruments that provide signals for the system. Figure 7.2-2 summarizes the reactor protection signals that cause a scram. 7.2.2.2 Power Sources The reactor protection system receives power from two high inertia a-c motor-generator sets (Figure 7.2-1). A flywheel provides high inertia sufficient to maintain voltage and frequency within 5% of rated values for at least 1 second following a total loss of power to the drive motor. Alternate power is available to either reactor protection system bus. The alternate power switch is interlocked to prevent simultaneous feeding of both buses from the same source. The switch also prevents paralleling of a motor-generator set with the alternate supply. The station batteries supply d-c power to the backup scram valve solenoids. An electrical protection assembly (EPA) consisting of Class 1E protective circuitry is installed between the reactor protection system and each of the power sources (two 7.2-3 REV. 19, APRIL 2012

LSCS-UFSAR reactor protection system motor-generator sets and one alternate voltage supply). The EPA provides redundant protection to the RPS and other systems which receive power from the RPS buses by acting to disconnect the RPS from the power source circuits. 7.2.2.3 Logic The basic logic arrangement of the reactor protection system is illustrated in Figure 7.2-1. The system is arranged as two separately powered trip systems. Each trip system has two automatic logics, as shown in Figure 7.2-3. Each logic receives input signals from at least one channel for each monitored variable. At least four channels for each monitored variable are required, one for each of its four automatic logics. Each trip system also includes one manual scram logic. Trip systems are designated by A or B; logics by A1, A2, B1 or B2, A, C, E, G, B, D, F, or H. During normal operation, all sensor and trip contacts essential to safety are closed; channels, logics, and actuators are energized. In contrast, however, trip contact bypass channels consist of normally open contact networks. Channel and logic relays are fast-response, high-reliability relays. Power relays for interrupting the scram pilot valve solenoids have high current-carrying capabilities and are highly reliable. All reactor protection system relays are selected so that the continuous load will not exceed 50% of the continuous duty rating. The system response time, from the opening of a sensor contact up to and including the opening of the trip actuator contacts, is less than 50 milliseconds. The time requirements for control rod movement are discussed in Subsection 4.6.1. Each logic provides inputs through two relay contacts into each of the actuator logics of one trip system, as shown in Figure 7.2-4. Thus, either of the two contacts associated with one trip system can produce a trip. The logic is a one-out-of-two arrangement for each trip system. To produce a scram, the systems must be tripped. The overall logic of the reactor protection system is termed "one-out-of-two taken twice." The functional arrangement of sensors and channels that constitute a single logic is shown in Drawing No. M-153, sheets 4 and 6. A channel sensor contact opens, its sensor relay deenergizes causing contacts in the logic to open. The opening of contacts in the logic deenergizes its actuators, which deenergizes the scram pilot valve solenoids associated with that actuator logic. However, the other scram pilot valve solenoid for each rod must also be deenergized before the rods will be scrammed. There are two scram pilot valves and two scram valves for each control rod, arranged as shown in Figure 7.2-1. Each scram pilot valve is solenoid operated, with the solenoids normally energized. Each control rod alternatively may have a 7.2-4 REV. 18, APRIL 2010

LSCS-UFSAR single scram pilot valve with dual solenoid operated pilot assemblies in place of two pilot scram valves. The scram pilot valve solenoids control the air supply to the scram valves for each control rod. With either scram pilot valve solenoid energized, air pressure holds the scram valves closed. The scram valves control the supply and discharge paths for control rod drive water. As shown in Figure 7.2-3, one of the scram pilot valve solenoids for each control rod is controlled by Actuator Logic A, the other scram pilot valve solenoid by Actuator Logic B. 7.2-4a REV. 18, APRIL 2010

LSCS-UFSAR When both actuator logics are tripped, air is vented from the scram valves and allows control rod drive water to act on the control rod drive piston. Thus, all control rods are scrammed. The water displaced by the movement of each rod piston is vented into a scram discharge volume. To restore the reactor protection system to normal operation following any single actuator logic trip or a scram, the actuators must be reset manually. The RPS reset switch is used to momentarily bypass the seal-in contacts of the final actuators of the reactor shutdown system. The reset is effected in conjunction with auxiliary relays. If a single channel is tripped, the reset is accomplished immediately upon operation of the reset switch. On the other hand, if a reactor scram situation is present, manual reset is prohibited for a 10-second period to permit the control rods to achieve their fully inserted position. After the 10-second delay, reset is possible only if the conditions that caused the scram have been cleared. The actuators are reset by operating switches in the control room. Figure 7.2-4 shows the functional arrangement of reset contacts for Actuator Logic A. There are two d-c solenoid-operated backup scram valves that provide a second means of controlling the air supply to the scram valves for all control rods. When the solenoid for each backup scram valve is energized, the backup scram valves vent the air supply for the scram valve. This action initiates insertion of any withdrawn control rods regardless of the action of the scram pilot valves. 7.2.2.4 Initiating Signals and Circuits The reactor protection system signals that cause a scram, as shown in Figure 7.2-2, are discussed in the following sections. 7.2.2.4.1 Neutron Monitoring System Trip Neutron monitoring system instrumentation is described in Sections 7.6 and 7.7 Figure 7.2-5 clarifies the relationship between neutron monitoring system channels, neutron monitoring system logics, and the reactor protection system logics. The neutron monitoring system channels are considered to be part of the neutron monitoring system; however, the neutron monitoring system logics are considered to be part of the reactor protection system. Each neutron monitoring system logic receives signals from one IRM channel, one APRM channel and one OPRM channel. The position of the mode switch determines which input signals will affect the output signal from the logic. 7.2-5 REV. 18, APRIL 2010

LSCS-UFSAR The neutron monitoring system logics are arranged so that failure of any one logic cannot prevent the initiation of a high neutron flux scram. As shown in Figure 7.2-5, there are eight neutron monitoring system logics associated with the reactor protection system. Each reactor protection system logic receives inputs from two neutron monitoring system logics. Removal of shorting links in each RPS trip logic places trip inputs from the associated APRM, IRM or SRM channels in a non-coincident trip mode. In this mode, a trip signal from any single neutron monitoring instrument channel causes a full reactor scram. For all normal plant conditions, the shorting links are installed to maintain the neutron monitoring inputs to RPS in a one out of two taken twice trip logic. During refueling operations, inadvertent criticality protection is provided by the neutron monitoring systems required to be operable in the refuel mode by the plant license, the refueling interlocks described in Section 7.7.13, neutron monitoring rod block interlocks described in Section 7.7.2.2.3, and the shutdown margin requirement specified in the plant license. Shutdown margin demonstrations requiring the withdrawal of multiple control rods in the refuel mode are performed with the reactor mode switch in startup as allowed by special test exception provisions of the plant license. Under this condition, refuel mode interlocks are bypassed and additional inadvertent criticality protection is required. Removal of the RPS shorting links provides this additional protection. Surveillance testing of the RPS non-coincident trip mode is performed prior to its use for inadvertent criticality protection. The neutron monitoring system logic, setpoints and their bases and bypasses for the system channels are discussed in Subsection 7.6.3. 7.2.2.4.2 Nuclear System High Pressure Excessively high pressure within the nuclear system threatens to rupture the reactor coolant pressure boundary. A nuclear system pressure increase during reactor operations compresses the steam voids and results in a positive reactivity insertion; this causes increased core heat generation that could lead to fuel failure and system overpressurization. A scram counteracts a pressure increase by quickly reducing core fission heat generation. Reactor pressure is measured at four physically separated locations. A pipe from each location is routed through the drywell and terminates in the secondary containment. One locally mounted, non-indicating pressure switch monitors the pressure in each pipe. Cables from these switches are routed to the control room. Each switch provides a high-pressure signal to one channel as shown in Drawing Nos. M-93 and M-139. The physical separation and the signal arrangement assure that no single physical event can prevent a scram caused by nuclear system high pressure. 7.2-6 REV. 14, APRIL 2002

LSCS-UFSAR The nuclear system high-pressure scram setting is chosen slightly above the reactor vessel maximum normal operation pressure to permit normal operation without spurious scram yet provide a wide margin to the maximum allowable nuclear system pressure. The location of the pressure measurement, as compared to the location of highest nuclear system pressure during transients, was also considered in the selection of the high-pressure scram setting. The nuclear system high-pressure scram works in conjunction with the pressure relief system to prevent nuclear system pressure from exceeding the maximum allowable pressure. The nuclear system high-pressure scram setting also protects the core from exceeding thermal hydraulic limits that result from pressure increases during transient events that can be expected to occur when the reactor is operating below rated power and flow. 7.2.2.4.3. Reactor Vessel Low Water Level Low water level in the reactor vessel indicates that the reactor is in danger of being inadequately cooled. Decreasing water level while the reactor is operating at power 7.2-6a REV. 14, APRIL 2002

LSCS-UFSAR decreases the reactor coolant inlet subcooling. The effect is the same as raising feedwater temperature. Should water level decrease too far, fuel damage could result as steam forms around fuel rods. A reactor scram protects the fuel by reducing the fission heat generation within the core. Reactor vessel low water level signals are initiated by an analog trip system consisting of four differential pressure transmitters and trip units. The transmitters sense the difference between the pressure due to a constant reference column of water and the pressure due to the actual water level in the vessel. Each transmitter sends an input signal to a trip unit in one of the four RPS channels. The level transmitters are arranged on four sets of taps as shown in drawings No. M-139, sheets 4 and 5. The four pairs of lines terminate outside the drywell and inside the containment; they are physically separated from each other and tap off the reactor vessel at widely separated points. Other systems sense pressure and level from these same pipes. The physical separation and signal arrangement assure that no single physical event can prevent a scram due to reactor vessel low water level. The reactor vessel low water level scram setting was selected to prevent fuel damage following abnormal operational transients caused by single equipment malfunctions or single operator errors that result in a decreasing reactor vessel water level. The scram setting is far enough below normal operational levels to avoid spurious scrams. The setting is high enough above the top of the active fuel to assure that enough water is available to account for evaporation loss and displacement of coolant following the most severe abnormal operational transient involving a level decrease. The selected scram setting was used in developing thermal-hydraulic limits. The limits set operational limits on the thermal power level for various coolant flow rates. 7.2.2.4.4. Turbine Stop Valve Closure Closure of the turbine stop valve with the reactor at power can result in a significant addition of positive reactivity to the core as the nuclear system pressure rise causes steam voids to collapse. The turbine stop valve closure scram initiates a scram earlier than either the neutron monitoring system or nuclear system high pressure. It is required to provide a satisfactory margin below core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity caused by increasing pressure by inserting negative reactivity with control rods. Although the nuclear system high-pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine stop valve closure scram provides additional margin to the nuclear system pressure limit. The turbine stop valve closure scram setting provides the earliest positive indication of turbine stop valve closure. Turbine stop valve closure inputs to the reactor protection system come from valve stem position switches mounted on the four turbine stop valves. 7.2-7 REV. 13

LSCS-UFSAR Each of the double-pole, single-throw switches opens before the valve is more than 10% closed to provide the earliest positive indication of closure. Either of the two channels associated with one stop valve can signal valve closure, as shown in Figure 7.2-6. The logic is arranged so that closure of three or more valves initiates a scram. The turbine control valve fast closure scram and turbine stop valve closure scram are automatically bypassed if the turbine first-stage pressure is less than 25% of its 100% core thermal power rated value. Closure of these valves below a low initial power level does not threaten the integrity of any radioactive material release barrier. Turbine control valve fast closure and turbine stop valve closure trip bypass is effected by four pressure switches associated with the turbine first stage. Any one channel in a bypass state produces a control room annunciation. The switches are arranged so that no single failure can prevent a turbine stop valve closure scram or turbine control valve fast closure scram. In addition, this bypass is automatically removed when the turbine first-stage pressure exceeds the setpoint corresponding to greater than or equal to 25% of rated core thermal power. 7.2.2.4.5 Turbine Control Valve Fast Closure With the reactor and turbine generator at power, fast closure of the turbine control valves can result in a significant addition of positive reactivity to the core as nuclear system pressure rises. The turbine control valve fast closure scram initiates a scram earlier than either the neutron monitoring system or nuclear system high pressure. It is required to provide a satisfactory margin to core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity resulting from increasing pressure by inserting negative reactivity with control rods. Although the nuclear system high-pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine control valve fast closure scram provides additional margin to the nuclear system pressure limit. The turbine control valve fast closure scram setting is selected to provide timely indication of control valve fast closure. Turbine control valve fast closure inputs to the reactor protection system come from oil line pressure switches on each of four fast-acting control valve hydraulic mechanisms. These hydraulic mechanisms are part of the turbine control, and they are used to effect fast closure of the turbine control valves. These pressure switches provide signals to the reactor protection system, as shown in Figure 7.2-1. If hydraulic oil line pressure is lost, a turbine control valve fast closure scram is initiated. Turbine control valve fast closure trip channel operating bypasses are described in Subsection 7.2.2.5. 7.2-8 REV. 13

LSCS-UFSAR 7.2.2.4.6 Main Steam Isolation Valve Closure The main steamline isolation valve closure can result in a significant addition of positive reactivity to the core as nuclear system pressure rises. The main steamline isolation scram setting is selected to give the earliest positive indication of isolation valve closure. Position switches mounted on the eight main steamline isolation valves signal main steamline isolation valve closure to the reactor protection system. Each of the double-pole, double throw switches is arranged to open before the valve is <13.7% closed (technical specification allowable value and an analytical limit of 15%) to provide the earliest positive indication of closure. Either of the two channels associated with one isolation valve can signal valve closure. To facilitate the description of the logic arrangement, the position-sensing channels for each valve are identified and assigned to reactor protection system logics as follows: Trip Valve Position-Sensing Channels Trip Logic Identification Channel Relays Assignment Main steamline A, 1B21-F022A A, B A1, B1 inboard valve (1) and (2) Main steamline A, 1B21-F028A A, B A1, B1 outboard valve (1) and (2) Main steamline B, 1B21-F022B E, D A1, B2 inboard valve (1) and (2) Main steamline B, 1B21-F028B E, D A1, B2 outboard valve (1) and (2) Main steamline C, 1B21-F022C C, F A2, B1 inboard valve (1) and (2) Main steamline C, 1B21-F028C C, F A2, B1 outboard valve (1) and (2) Main steamline D, 1B21-F022D G, H A2, B2 inboard valve (1) and (2) Main steamline D, 1B21-F028D G, H A2, B2 outboard valve (1) and (2) 7.2-9 REV. 15, APRIL 2004

LSCS-UFSAR Each logic thus receives signals from the valves associated with two steamlines (see Figure 7.2-7). The arrangement of signals within each logic requires closing of at least one valve in each of the steamlines associated with that logic to cause a trip of that logic. For example, closure of the inboard valve of steamline A and the outboard valve of steamline C causes a trip of logic B1. This in turn causes Trip System B to trip. No scram occurs because no trips occur in Trip System A. In no case does closure of two valves or isolation of two steamlines cause a scram due to valve closure. Closure of one valve in three or more steamlines causes a scram. The logic allows functional testing of main steamline isolation trip channels with one steamline isolated. Wiring for the position sensing channels from one position switch is physically separated in its own conduit. The wiring for position-sensing channels feeding the different trip logics of one trip system is also separated. At plant shutdown and during initial plant startup, a bypass is required for the main steamline isolation valve closure scram trip in order to properly reset the reactor protection system (RPS). This bypass has been designed to be in effect when the mode switch is in other than the RUN position. 7.2.2.4.7 Scram Discharge Volume High Water Level Water displaced by the control rod drive pistons during a scram goes to the scram discharge volume. If the scram discharge volume fills with water so that insufficient capacity remains for the water displaced during a scram, control rod movement is hindered during a scram. To prevent this situation, the reactor is scrammed when the water level in the discharge volume is high enough to verify that the volume is filling up, yet low enough to ensure that the remaining capacity in the volume can accommodate a scram. Four non-indicating level switches and four analog systems consisting of transmitters/trip units provide scram discharge volume high water level inputs to the reactor protection system. Each switch and trip unit provides an input to one channel (Drawing No. M-100, sheet 4 (Unit 1), and M-146, sheet 4 (Unit 2)). The switches and trip units are arranged so that no single event will prevent a reactor scram caused by scram discharge volume high water level. With the predetermined scram setting, a scram is initiated when sufficient capacity still remains in the tank to accommodate another scram. The scram discharge high water level trip bypass is controlled by the manual operation of two keylocked switches, a bypass switch, and the mode switch. The mode switch must be in the SHUTDOWN or REFUEL position. Four bypass channels emanate from the four banks of the RPS mode switch and are connected into the RPS logic. This bypass allows the operator to reset the reactor protection system scram relays so that the system is restored to operation, allowing the 7.2-10 REV. 13

LSCS-UFSAR operator to drain the scram discharge volume. Resetting the trip actuators opens the scram discharge volume vent and drain valves. An annunciator in the control room indicates the bypass condition. 7.2.2.4.8 Drywell High Pressure High pressure inside the drywell may indicate a break in the reactor coolant pressure boundary. It is prudent to scram the reactor in such a situation to minimize the possibility of fuel damage and to reduce energy transfer from the core to the coolant. The drywell high-pressure scram setting is selected to be as low as possible without inducing spurious scrams. Drywell pressure is monitored by four non-indicating pressure switches mounted on instrument racks outside the drywell in the secondary containment. Pipes that terminate in the secondary containment connect the switches with the drywell interior. The switches are physically separated, and electrically connected to the reactor protection system so that no single event will prevent a scram caused by drywell high pressure. Cables are routed from the switches to the control room. Each switch provides an input to one channel (Drawing Nos. M-93 and M-139). 7.2.2.4.10 CRD Low Charging Pressure CRD charging water pressure is normally maintained by a CRD pump which is backed by an accumulator. When the pump is tripped for any reason, pressure is maintained by the accumulator and a ball check valve in the charging line between the CRD pump and the accumulator. Loss of pressure through the check valve could potentially inhibit reactor scram whenever the accumulator pressure is not capable of supplying charging pressure to the CRDs. To prevent this situation, the CRD autoscram on low charging water pressure is provided for the situation when the pressure in the charging header drops below the accumulator piston seating pressure. Protection against inadvertent scrams due to pressure fluctuations is provided by a pre-set time delay. An alarm annunciator in the control room provides warning of an impending scram whenever the charging water pressure drops to a point somewhat above the scram setpoint. An automatic scram on low pressure in the CRD charging water header is provided by four pressure transmitters attached to four pressure taps on the charging water headers downstream of the CRD pumps. One transmitter is attached to each tap. Each pressure transmitter provides an input signal to a trip unit in one of the four RPS channels. The one-out-of-two-twice logic assures that no single failure can cause or prevent a scram. A scram signal results when the charge pressure is less than the piston seating pressure of the charging accumulator. The CRD Low Charging Pressure trip is active when the reactor mode switch is in the startup or refueling positions. When the reactor mode switch is in the run or 7.2-11 REV. 14, APRIL 2002

LSCS-UFSAR shutdown positions, the CRD charging header low pressure trip is bypassed. Four key-lock test switches, one in each of the bypass circuits, disable the bypass allowing the low pressure trip and associated RPS channel to be individually tested during power operation. 7.2.2.4.11 Manual Scram Push buttons are located in the control room to enable the operator to shut down the reactor by initiating a scram. There are four scram push buttons, one for each division logic (A1, A2, B1, and B2. To initiate a manual scram, at least two push buttons must be depressed. The manual scram logic is the same as the automatic scram logic. The manual scram push buttons are arranged in two groups of two switches. One group contains the A1 and B1 switches, and A2 and B2 are in the other group. The switches in each group are located close enough to permit one hand motion to initiate a scram. By operating the manual scram button for one logic at a time, then resetting that logic, each actuator logic can be tested for manual scram capability. 7.2.2.4.12 Mode Switch in SHUTDOWN The control room operator can scram the reactor by interrupting power to the reactor protection system by placing the mode switch in its shutdown position. When the mode switch is in SHUTDOWN, the reactor is shut down with all control rods inserted. This scram is not considered a protective function because it is not required to protect the fuel or nuclear system process barrier and it bears no relationship to minimizing the release of radioactive material from any barrier. The scram initiated by placing the mode switch in SHUTDOWN is automatically bypassed after a short delay. The bypass allows the control rod drive hydraulic system valve lineup to be restored to normal. An annunciator in the control room indicates the bypassed condition. 7.2.2.5 Scram Operating Bypasses A number of manual and automatic scram bypasses are provided to accommodate the varying protection requirements that depend on reactor conditions. All manual bypass switches are in the control room, under the direct control of the control room operator. The bypass status of trip system components is continuously indicated in the control room. 7.2.2.5.1 Neutron Monitoring System See 7.6.3. 7.2-12 REV. 13

LSCS-UFSAR 7.2.2.5.2 Turbine Stop Valve See 7.2.2.4.4. 7.2.2.5.3 Main Steam Isolation Valves See 7.2.2.4.6. 7.2.2.5.4 Scram Discharge Volume Level See 7.2.2.4.7. 7.2.2.5.5 CRD Low Charging Pressure See 7.2.2.4.10. 7.2.2.5.6 Mode Switch in Shutdown See 7.2.2.4.12. 7.2.2.6 Interlocks The scram discharge volume high water level trip bypass signal interlocks with the rod control management system to initiate a rod block. Reactor vessel low water level, reactor vessel pressure, turbine stop valve closure, and drywell high-pressure signals are shared with the primary containment and reactor vessel isolation system. The sensors feed relays in the reactor protection system whose contacts interlock with the primary containment and reactor vessel isolation system. 7.2.2.7 Redundancy and Diversity Instrument piping into the reactor vessel is routed through the drywell wall and terminates inside the secondary containment. Instruments mounted on instrument racks in the secondary containment sense reactor vessel pressure and water level information from this piping. Valve position switches are mounted on valves from which position information is required. The sensors for reactor protection system signals from equipment in the turbine building are mounted locally. The two motor-generator sets that supply power for the reactor protection system are located in an area where they can be serviced during reactor operation. Cables from sensors and power cables are routed to two reactor protection system cabinets in the control room. One cabinet is used for each of the two trip systems. The logics of each trip system are isolated in separate bays in each cabinet. Functional diversity is provided by monitoring independent reactor vessel variables. Pressure, water level, and neutron flux are all independent and are separate inputs 7.2-13 REV. 18, APRIL 2010

LSCS-UFSAR to the system. Also, main steamline isolation valve closure, turbine stop valve closure, and turbine control valve fast closure are anticipatory of a reactor vessel high pressure and are separate inputs to the system. 7.2.2.8 Actuated Devices The actuator logic opens when a trip signal is received and de-energizes the scram pilot valve solenoids. There are two pilot solenoids per control rod. Both solenoids must deenergize to open the inlet and outlet scram valves to allow drive water to scram a control rod. One solenoid receives its signal from Trip System A and the other from Trip System B. The failure of one control rod to scram will not prevent a complete shutdown. The individual control rods and their controls are not part of the reactor protection system. For further information on the scram valves and control rods, see Subsection 4.6. 7.2.2.9 Separation Four independent sensor channels monitor the various process variables listed in Subsection 7.2.2.4. The sensor devices are separated such that no single failure can prevent a scram. All protection system wiring outside the control system cabinets is run in rigid metal wireway. Physically separated cabinet bays are provided for the four scram logics. The mode switch, scram discharge volume high water level trip bypass switch, scram reset switch, and manual scram switches are all mounted on one control panel. Each device is mounted in a can and has a sufficient number of barrier devices to maintain adequate separation. Conduit is provided from the cans to the logic cabinets. The outputs from the logic cabinets to the scram valves are run in four wireways for Trip System A and four for Trip System B. The four wireways match the four scram groups shown in Figure 7.2-1. The groups are selected so that the failure of one group to scram will not prevent a reactor shutdown. Sensing elements have enclosures to withstand conditions that may result from a steamline or water line break long enough to perform satisfactorily. Section 3.11 provides the environmental specifications for components in various plant areas. To gain access to those calibration and trip setting controls, located outside the control room, operations personnel must remove a cover plate, access plug, or sealing device before any trip settings can be adjusted. Reactor protection system inputs to annunciators, recorders, and the computer are arranged so that no malfunction of the annunciating, recording, or computing 7.2-14 REV. 18, APRIL 2010

LSCS-UFSAR equipment can functionally disable the reactor protection system. Direct signals from reactor protection system sensors are not used as inputs to annunciating or data logging equipment. Relay contact isolation is provided between the primary signal and the information output. Additional information on separation criteria for safety and safety-related mechanical and electrical equipment is discussed in section 7.1.3. 7.2.2.10 Testability The reactor protection system can be tested during reactor operation by five separate tests. The first of these is the manual scram test. When the manual scram button for one trip channel is depressed, the actuators are deenergized, opening contacts in the actuator logics. After the first trip channel is reset, the second trip channel is tripped manually and so forth for the four manual scram buttons. The total test verifies the ability to deenergize all eight groups of scram pilot valve solenoids by using the manual scram push button switches. In addition to control room and computer printout indications, scram group indicator lights verify that the actuator contacts have opened. The second test includes calibration of the neutron monitoring system by means of simulated inputs from calibration signal units. Calibration and test controls for the neutron monitoring system are located in the control room. Their physical location places them under direct physical control of the control room operator. Subsection 7.6.3 describes the calibration procedure. The third test is the single rod scram test, which verifies capability of each rod to scram. It is accomplished by operating two toggle switches on the hydraulic control unit for the particular control rod device. Timing traces can be made for each rod scrammed. Prior to the test, a physics review must be conducted to assure that the rod pattern during scram testing will not create a rod of excessive reactivity worth. The fourth test involves applying a test signal to each reactor protection system channel in turn and observing that a logic trip results. This test also verifies the electrical independence of the channel circuitry. The test signals can be applied to the process type sensing instruments (pressure and differential pressure) through calibration taps. Calibration and test controls for pressure switches, level switches, and valve position switches are located in the turbine building and secondary containment. To gain access to the setting controls on each switch, a cover plate or sealing device must be removed. The control room operator is responsible for granting access to the setting controls. Only properly qualified plant personnel are granted access for the purpose of testing or calibration adjustments. 7.2-15 REV. 13

LSCS-UFSAR Separate from the calibration and test controls, four key-lock control switches in the Main Control Room allow testing of the CRD low charging pressure trip circuits and associated RPS channel during power operation. The CRD charging header low pressure trip is bypassed when the reactor mode switch is in run or shutdown positions. Each switch disables a bypass circuit, reinstating the low charging pressure trip signal and allowing the RPS channel to be tested. The fifth test consists of applying a test signal to each reactor protection system instrument channel in turn and observing that instrument or trip channel trip occurs without a logic trip. This test is the same as the fourth test described in the previous paragraph except that special test equipment is installed across the instrument or trip channel output contact in the RPS trip logic. This test equipment allows the trip function of this contact to be verified without tripping the associated logic circuit during the calibration or functional testing of the instrument channel. This test is only applied to the following reactor protection system channels: ! Neutron Monitoring System trip ! Nuclear System High Pressure ! Reactor Vessel Low Water Level ! Scram Discharge Volume High Water Level ! Drywell High Pressure ! CRD Low Charging Pressure ! Turbine Control Valve Fast Closure The process computer can be used to verify the correct operation of many sensors during plant startup and shutdown. Main steamline isolation valve position switches and turbine stop valve position switches can be checked in this manner. The verification provided by the process computer is not considered in the selection of test and calibration frequencies and is not required for plant safety. Reactor protection system response times of those functions with times assumed in the accident analysis were first verified during preoperational testing. During the preoperational test, elapsed time was measured from sensor trip to the deenergization of the scram actuators. 7.2.2.11 Environmental Considerations Electrical modules for the reactor protection system are located in the drywell, containment, and in the turbine building. The environmental requirements for these areas are listed in Section 3.11. 7.2-16 REV. 16, APRIL 2006

LSCS-UFSAR 7.2.2.12 Operational Considerations Operator Information Indicators Scram group indicators extinguish when an actuator logic opens. Operator Information Annunciators Each reactor protection system input is provided to the annunciator system through isolated relay contacts. Trip system trips also signal the annunciator system. Manual trips signal the annunciator system. When a reactor protection system sensor trips, an engraved annunciator window common to all the channels for that variable lights on the reactor control panel in the control room to indicate the out-of-limit variable. Each trip system lights an annunciator window to indicate which trip system has tripped. As an annunciator system input, a reactor protection system channel trip also sounds a buzzer or horn, which can be silenced by the operator. The annunciator window lights latch in until reset manually. Reset is not possible until the condition causing the trip has been cleared. The location of alarm windows permits the operator to quickly identify the cause of reactor protection system trips and to evaluate the threat to the fuel or reactor coolant pressure boundary. Operator Information Computer Alarms A computer printout identifies each tripped channel; however, the physical position of the reactor protection system relays may also be used to identify the individual sensor that tripped in a group of sensors monitoring the same variable. All reactor protection system trip events are logged using the sequence of events (SOE) points in the process computer. This permits analysis of an operational transient that occurs too rapidly for operator comprehension of events as they occur. Mode Switch A conveniently located, multiposition, keylock mode switch is provided to select the necessary scram functions for various plant conditions. The mode switch selects the appropriate sensors for scram functions and provides appropriate bypasses. The switch also interlocks such functions as control rod blocks and refueling equipment 7.2-17 REV. 16 APRIL 2006

LSCS-UFSAR restrictions, which are not considered here as part of the reactor protection system. The switch is designed to provide separation between the four trip channels. The mode switch positions and their related scram functions are as follows:

a. SHUTDOWN Initiates a reactor scram; bypasses main steamline isolation scram; bypasses CRD charging pressure scram.

b. REFUEL Selects neutron monitoring system scram for low neutron flux level operation; bypasses main steamline isolation scram; removes bypass and enables CRD low charging pressure scram.

c. STARTUP Selects neutron monitoring system scram for low neutron flux level operation; bypasses main steamline isolation scram; removes bypass and enables CRD low charging pressure scram.

d. RUN Selects neutron monitoring system scram for power range operation; bypasses CRD low charging pressure scram.

7.2.2.13 Design Basis Information IEEE Standard 279-l97l defines the requirements for design bases. Using the IEEE 279 format, the following nine paragraphs fulfill this requirement:

a. The generating station conditions which require protective action are identified in the technical specifications.

b. The generating station variables which require monitoring to provide protective actions are identified in the technical specifications.

c. The minimum number of sensors required to monitor safety-related variables are given in Tables 7.2-2 and 7.2-3.

Figure 7.2-1 and schematic diagram 1E-1-4215 give the locations of these sensors.

d. Prudent operational limits for each safety-related variable are shown in the technical specifications.

7.2-18 REV. 14, APRIL 2002

LSCS-UFSAR

e. The margin between operational limits and the level determining the onset of unsafe conditions is shown in the applicable setpoint calculation.

f. Levels requiring protective action are shown the Technical Specifications.

g. The environmental requirements of safety systems are given in Section 3.11 and in Subsection 3.1.2.1.4 and 7.3.6.

h. Malfunctions, accidents, and other unusual events which could cause damage to safety systems are discussed in Subsections 7.A.2.1 through 7.A.2.6.

i. For minimum performance requirements see the applicable setpoint calculation.

7.2.2.14 Final System Drawings The final system drawings for the reactor protection system are given as follows:

a. logic locations and electrical schematic diagrams,

b. logic diagrams in Drawing No. M-153, sheets 4 and 6, and Figures 7.2-3 and 7.2-4.

7.2.3 Analysis Presented below are analyses which demonstrate how the various general functional requirements and the specific safety requirements listed under the reactor protection system design bases (Section 7.2) are complied with. Chapter 15 supplements this analysis with a system level analysis for the worst case failures. .A presents the system conformance to IEEE criteria and other regulatory requirements. 7.2.3.1 Conformance to Design Basis Requirements Design Basis of Subsection 7.2.1.1 items a and b The reactor protection system is designed to provide timely protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the reactor coolant pressure boundary. Chapter 15.0 identifies and evaluates events that jeopardize the fuel barrier and reactor coolant pressure boundary. The 7.2-19 REV. 14, APRIL 2002

LSCS-UFSAR methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are sought and identified, are presented in that chapter. Design procedure has been to select tentative scram trip settings such that spurious scrams and operating inconveniences are avoided. It is then verified by analysis that the reactor fuel and nuclear system process barriers are protected. In all cases, the selected scram trip point is a specific value that prevents damage to the fuel or reactor coolant pressure boundary, taking into consideration previous operating experience. The scrams initiated by neutron monitoring system variables, nuclear system high pressure, turbine stop valve closure, turbine control valve fast closure, and reactor vessel low water level will prevent fuel damage following abnormal operational transients. Specifically, these scram functions initiate a scram in time to prevent the core from exceeding the thermal-hydraulic safety limit during abnormal operational transients. Chapter 15.0 identifies and evaluates the threats to fuel integrity posed by abnormal operational events. In no case does the core exceed the thermal-hydraulic safety limit. Design Basis of Subsection 7.2.1.1 item b The scram initiated by nuclear system high pressure, in conjunction with the pressure relief system, is sufficient to prevent damage to the reactor coolant pressure boundary as a result of internal pressure. The main steamline isolation valve closure scram provides a greater margin to the nuclear system pressure safety limit than does the high-pressure scram. For turbine-generator trips, the stop valve closure scram and turbine control valve fast closure scram provide a greater margin to the nuclear system pressure safety limit than does the high-pressure scram. Chapter 15.0 identifies and evaluates accidents and abnormal operational events that result in nuclear system pressure increases. In no case does pressure exceed the nuclear system safety limit. Design Basis of Subsection 7.2.1.1 item c The scram initiated by the reactor vessel low water level satisfactorily limits the radiological consequences of gross failure of the fuel or reactor coolant pressure boundary. Chapter 15.0 evaluates gross failures of the fuel and reactor coolant pressure boundary. In no case does the release of radioactive material to the environs result in exposures which exceed the guide values of applicable published regulations. 7.2-20 REV. 13

LSCS-UFSAR Design Basis of Subsection 7.2.1.1 items d, e, and f Neutron flux is the only essential variable of significant spatial dependence that provides inputs to the reactor protection system. The basis for the number and locations of neutron flux detectors is discussed in Subsection 7.6.3. The other requirements are fulfilled through the combination of logic arrangement, channel redundancy, wiring scheme, physical isolation, power supply redundancy, and component environmental capabilities. Design Basis of Subsection 7.2.1.1 item g (1-8) Sensors, channels, and logics of the reactor protection system are not used directly for automatic control of process systems. An isolated neutron monitoring system signal is used with the recirculation flow control system as described in Subsection 7.7.3.2. Therefore, failure in the controls and instrumentation of process systems cannot induce failure of any portion of the protection system. Failure of either reactor protection system power supply would result in the deenergization of one of the two scram valve pilot solenoids on each scram valve. Alternate power is available to the reactor protection system buses. A complete, sustained loss of electrical power to both power supplies results in a scram if the loss interval exceeds the ride-through capability of the power supplies. Design of the system to seismic safety class requirements assures the availability of reactor safe shutdown during earthquake ground motion. The use of an independent channel for each logic input allows the system to sustain any channel failure without preventing other sensors monitoring the same variable from initiating a scram. A single sensor or channel failure may cause a single trip system trip and actuate alarms that identify the trip. If the failures occur in different trip systems, the reactor will scram. Each control rod is controlled as an individual unit. A failure of the controls for one rod would not affect other rods. The backup scram valves provide a second method of venting the air pressure from the scram valves, even if either scram pilot valve solenoid for any control rod fails to deenergize when a scram is required. Any maintenance operation, calibration operation, or test will not prevent a scram. The resistance to spurious scrams contributes to plant safety because reduced cycling of the reactor through its operating modes decreases the probability of error or failure. When an essential monitored variable exceeds its scram trip point, it is sensed by at least two independent sensors in each trip system. Only one channel must trip, in each trip system, to initiate a scram. Thus, the arrangement of two channels per trip system assures that a scram will occur as a monitored variable exceeds its scram setting. 7.2-21 REV. 13

LSCS-UFSAR Design Basis of Subsection 7.2.1.1 item h Other Design Basis Requirements The reactor protection system is a one-out-of-two taken twice system. Theoretically, its reliability is slightly higher than a two-out-of-three system and slightly lower than a one-out-of-two system. However, because the differences are slight, they can, in a practical sense, be neglected. The dual trip system is advantageous because it can be tested thoroughly during reactor operation without causing a scram. This capability for a thorough testing program significantly increases reliability. The environment in which the instruments and equipment of the reactor protection system must operate was considered in setting the environmental specifications. The specifications for the instruments located in the containment or turbine building are based on the worst expected ambient conditions. The maximum and minimum environment is predicated on a mixture of outside and recirculated air concurrent with corresponding maximum or minimum equipment heat loss. The reactor protection system components that must function in the environment resulting from a reactor coolant pressure boundary break inside the drywell are the condensing chambers and the inboard main steamline isolation valve position switches. Special precautions are taken to ensure operability after the accident. The condensing chambers and all essential components of the control and electrical equipment are either similar to those that have successfully undergone qualification testing in connection with other projects or have undergone additional qualification testing under simulated environmental conditions. To ensure that the reactor protection system remains functional, the number of operable channels for the essential monitored variables is maintained at or above the minimums given in Tables 7.2-2 and 7.2-3. The minimums apply to any untripped trip system; a tripped trip system may have any number of inoperative channels. Because reactor protection requirements vary with the mode in which the reactor operates, the tables show different functional requirements for the RUN and STARTUP modes. These are the only modes where more than one control rod can be withdrawn from the fully inserted position. In case of a loss-of-coolant accident, reactor shutdown occurs immediately following the accident as process variables exceed their specified setpoint. Operator verification that shutdown has occurred may be made by observing one or more of the following indications:

a. control rod status indicating each rod fully inserted 7.2-22 REV. 18, APRIL 2010

LSCS-UFSAR

b. control rod scram solenoid pilot valve status indicating open valves,

c. neutron monitoring power range channels and recorders downscale,

d. annunciators for RPS variables and trip logic in the tripped state, and

e. process computer logging of trips and control rod position log.

Following generator load rejection, a number of events occur in the following chronological order:

a. The pressure in the EHC lines to the control valve fast closure solenoids drops, signalling the reactor protection system and initial pressure regulator to open the bypass valves to maintain reactor pressure.

b. The reactor protection system scrams the reactor concurrently upon receipt of the turbine control valve fast closure signal.

The reactor scram is averted if at the time of load rejection the unit load is less than a given value (25% of rated core thermal power).

c. The trip setting of the APRM channels is automatically reduced from 115.5% to 100.3% of neutron flux (based on Technical Specification Allowable Value for two recirculation loop operation) as recirculation flow is run back from 100% to 50% of rated flow (flow-referenced scram).

The trip settings discussed in Subsection 7.2.2.4 are not changed to accommodate abnormal operating conditions. Actions required during abnormal conditions are discussed in the Technical Specifications. Transients requiring activation of the reactor protection system are discussed in Chapter 15.0. The discussions there designate what systems and instrumentation are required to mitigate the consequences of these transients. 7.2.3.2 Specific Requirements Conformance Refer to 7.A.2. 7.2.3.3 Regulatory Guides This topic is discussed in Appendix B. 7.2-23 REV. 18, APRIL 2010

LSCS-UFSAR 7.2.3.4 Regulatory Requirements 10 CFR 50 Appendix A - General Design Criteria:

a. Criterion 13 - Each system input is monitored and annunciated.

b. Criterion 19 - Controls and instrumentation are provided in the control room.

c. Criterion 20 - The system constantly monitors the appropriate plant variables to maintain the fuel barrier and primary coolant pressure boundary and initiates a scram automatically when the variables exceed the established setpoints.

d. Criterion 21- The system is designed with four independent and separated input channels and four independent and separated output channels. No single failure or operator action can prevent a scram. The system can be tested during plant operation to ensure its availability.

e. Criterion 22 - The redundant portions of the system are separated such that no single failure or credible natural disaster can prevent a scram. Functional diversity is employed by measuring flux, pressure, and level in the reactor vessel, all dependent variables.

f. Criterion 23 - The system is fail-safe. A loss of electrical power or air supply does not prevent a scram. Postulated adverse environments will not prevent a scram.

g. Criterion 24 - The system has no control function. It is interlocked to control systems through isolation devices.

h. Criterion 29 - The system is highly reliable so that it will scram in the event of anticipated operational occurrences.

7.2-24 REV. 13

LSCS-UFSAR TABLE 7.2-1 SHEET 1 OF 2 REACTOR PROTECTION SYSTEM INSTRUMENT LIMITS TRIP ALLOWABLE ANALYTIC OR DESIGN-BASIS FUNCTIONAL UNIT SETPOINT VALUE DESIGN-BASIS ACCURACY CALIBRATION ALLOWANCE DEVICE NOTE 1 NOTE 2 LIMIT NOTE 1 NOTE 1 NOTE 1 RANGE (1) Intermediate Range Monitor DB 2.0% to Neutron Flux Upscale Full Scale (2) Average Power Range Monitor <25% N/A Neutron Flux Upscale (Not Run Mode) (2a) Average Power Range Monitor Note 1 N/A Fixed Neutron Flux Upscale (Run Mode) (3) Average Power Range Monitor Cycle PTAP or N/A Simulated Thermal Power OPL-3 Upscale Note 4 (4) Average Power Range Monitor Cycle PTAP or N/A Upscale (Run Mode) OPL-3 Note 4 (5) Reactor Vessel Pressure High Cycle PTAP or 200-1200 OPL-3 psi Note 4 (6) Reactor Vessel Water Level >1.2 in. 0-60 in. Low Level #3 Note 3 Note 3 (7) Main Steamline Isolation <15% closed Valve - Closure PTAP or OPL-3 Note 4 (8) Deleted (9) Drywell Pressure - High <2.0 psig 0.2-6.0 psi (10) Scram Discharge Volume Note 5 N/A Level - High Level XMIR/SW* 0.45 in. TABLE 7.2-1 REV. 18, APRIL 2010

LSCS-UFSAR TABLE 7.2-1 SHEET 2 OF 2 REACTOR PROTECTION SYSTEM INSTRUMENT LIMITS TRIP ALLOWABLE ANALYTIC OR DESIGN-BASIS FUNCTIONAL UNIT SETPOINT VALUE DESIGN-BASIS ACCURACY CALIBRATION ALLOWANCE DEVICE NOTE 1 NOTE 2 LIMIT NOTE 1 NOTE 1 NOTE 1 RANGE (11) Turbine Stop Valve Closure <10% closed N/A (12) Turbine Control Valve - Fast >400 psig N/A Closure. Trip Oil Pressure - Low (13) CRD Low Charging Header Note 1 500-1500 Pressure psig (14) CRD Low Charging Header Note 1 1-30 min. Pressure Delay Timer Notes:

1. For Trip Setpoints, Analytic or Design Basis Limit, Accuracy, Calibration, and Design-Basis Allowance, refer to the applicable calculation, listed in Appendix D of Technical Requirement Manual.

2. See Technical Specifications for Allowable Values.

3. All reactor water levels are referenced to instrument zero at 527.5. Vessel Zero is the inside bottom of the RPV at centerline.

4. Refers to the cycle Principal Transient Analysis Parameters for Siemens analysis or the OPL-3 for GE Analysis methods.

5. With respect to instrument zero at elevation 7656.

TABLE 7.2-1 REV. 18, APRIL 2010

LSCS-UFSAR TABLE 7.2-2 CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE OF RPS: STARTUP MODE This table shows the normal and minimum number of channels required for the functional performance of the reactor protection system in the startup mode. The "normal" column lists the normal number of channels per trip system. The "minimum" column lists the minimum number of channels per uptripped trip system required to maintain functional performance, assuming the other trip system is tripped. CHANNEL DESCRIPTION NORMAL MINIMUM

• Neutron monitoring system (APRM) 3 2 Neutron monitoring system (IRM) 4 3 Nuclear system high pressure 2 2 Containment high pressure 2 2 Reactor vessel low water level 2 2 Scram discharge volume high water level 2 2 Manual scram 2 2 Each main steamline isolation valve position 2/valve 2/valve Low CRD Charging Water Header Pressure 2 2 During testing of sensors, the channel should be tripped when the initial state of the sensor is not essential to the test.

TABLE 7.2-2 REV. 14 - APRIL 2002

LSCS-UFSAR TABLE 7.2-3 CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE OF RPS: RUN MODE This table shows the normal and minimum number of channels required for the functional performance of the reactor protection system in the run mode. The "normal " column lists the normal number of channels per trip system. The "minimum " column lists the minimum number of channels per untripped trip system required to maintain functional performance, assuming the other trip system is tripped. CHANNEL DESCRIPTION NORMAL MINIMUM* Neutron monitoring system (APRM) 3 2 Nuclear system high pressure 2 2 Containment high pressure 2 2 Reactor vessel low water level 2 2 Scram discharge volume high water level 2 2 Manual scram 2 2 Each main steamline isolation valve position 2/valve 2/valve Each turbine stop valve position 2/valve 2/valve Turbine control valve fast closure 2 2 Turbine first stage pressure (bypass channel) 2 2 Neutron Monitoring System (OPRM) 2 2 During testing of sensors, the channel should be tripped when the initial state of the sensor is not essential to the test. TABLE 7.2-3 REV. 13

LSCS-UFSAR 7.3 Engineered Safety Feature Systems 7.3.1 Emergency Core Cooling Systems Instrumentation and Control 7.3.1.1 Design Bases The emergency core cooling systems control and instrumentation shall be designed to meet the following safety design bases:

a. Automatically initiate and control the emergency core cooling systems to prevent fuel cladding temperatures from reaching 2200 !F.

b. Respond to a need for emergency core cooling regardless of the physical location of the malfunction or break that causes the need.

c. The following safety design bases are specified to limit dependence on operator judgment in times of stress:

1. The emergency core cooling systems shall respond automatically so that no action is required of plant operators within 10 minutes after a loss-of-coolant accident.

2. The performance of the emergency core cooling systems shall be indicated by control room instrumentation.

3. Facilities for manual control of the emergency core cooling systems shall be provided in the control room.

The controls and instrumentation for the emergency core cooling systems are designed to conform to the regulatory requirements shown on Tables 7.1-2, 7.1-5 and 7.1-6. 7.3.1.2 System Description The emergency core cooling system includes the following subsystems:

a. high-pressure core spray (HPCS) system,

b. automatic depressurization (ADS) system,

c. low-pressure core spray (LPCS) system, and 7.3-1 REV. 13

LSCS-UFSAR

d. low-pressure coolant injection (LPCI) mode of the residual heat removal (RHR) system.

The purpose of ECCS instrumentation and controls is to initiate appropriate responses from the system to ensure that the fuel is adequately cooled in the event of a design-basis accident. The cooling provided by the system restricts the release of radioactive materials from the fuel by preventing or limiting the extent of fuel damage following situations in which reactor coolant is lost from the nuclear system. The emergency core cooling systems instrumentation detects a need for core cooling systems operation, and the trip systems initiate the appropriate response. The ECCS piping arrangement around the reactor vessel is shown in Figure 7.3-1. Successful core cooling for a specified line break accident, as follows, is depicted in Figure 7.3-2, for small line breaks:

a. The depressurization phase is accomplished by HPCS, ADS A, or ADS B.

b. The low-pressure core cooling phase is accomplished by LPCS, an two RHR pumps, or HPCS.

Similarly, the large break model uses the LPCS, HPCS, or the three RHR pumps for successful core cooling. 7.3.1.2.1 High-Pressure Core Spray (HPCS) Instrumentation and Controls 7.3.1.2.1.1 Power Sources The instrumentation and control of the HPCS are powered by the 125-Vdc and 120-Vac Division 3 systems. The redundancy and separation of these systems are consistent with the redundancy and separation of the ECCS instrumentation and control. Both of these systems are described in detail in Chapter 8.0. 7.3.1.2.1.2 Equipment Design The control and instrumentation components for the high-pressure core spray (HPCS) system are located outside the primary containment. Pressure switches and level transmitters used for HPCS initiation are located on racks in the reactor building. Cables connect the sensors to control circuitry in the relay logic cabinet. The system is arranged to allow a full flow functional test during normal reactor power operation; however, the controls are arranged so the system can operate automatically regardless of the test being conducted. The piping and 7.3-2 REV. 13

LSCS-UFSAR instrumentation diagram is shown in Drawing Nos. M-95 and M-141. The high-pressure core spray system operates as an isolated system, independent of electrical connections to any other system except the normal a-c power supply. The HPCS system is designed to operate from normal offsite auxiliary power sources or from diesel generator 1B if offsite power is not available. 7.3.1.2.1.3 Initiating Circuits Reactor low water level indicates that reactor coolant is being lost and that the fuel cladding temperature may be increasing. Drywell high-pressure indicates that a breach of the reactor coolant pressure boundary has occurred inside the drywell. Reactor vessel low water level is monitored by an analog trip system consisting of four differential pressure transmitters and trip units. The transmitters measure the difference in water column heads between a static leg, which senses the constant head reference column created by a condensing chamber, and a variable leg, which senses actual water level changes in the vessel. Each transmitter sends an analog input signal to a trip unit. Instrumentation cables connect the transmitters to the trip units which are located in the relay logic cabinets. The logic is arranged in a one-out-of-two twice arrangement to assure that no single event can prevent HPCS initiation from reactor vessel low water level. The initiation logic for HPCS sensors is shown in Figure 7.3-4. Drywell pressure is monitored by four non-indicating pressure switches. Pipes that terminate outside the primary containment allow the switches to communicate with the drywell interior. Cables are routed from the switches to the relay logic cabinets. Each drywell high-pressure trip channel provides an input into the trip logic. The switches are electrically connected to a one-out-of-two twice circuit, so that no single channel can affect high drywell pressure initiation of the HPCS. The HPCS controls automatically start the HPCS diesel engine/generator set on receipt of a reactor vessel low water level signal or drywell high-pressure signal. The system reaches its design flow rate within 41 seconds. The controls then provides makeup water to the reactor vessel until the reactor high water level is reached, then the HPCS automatically stops flow by closing the injection valve. The controls are arranged to allow automatic or manual operation (see Subsection 7.3.1.2.1.4 for manual operation). The HPCS diesel generator provides power to the HPCS pump motor and the HPCS motor-operated valves if normal auxiliary power is lost. One AC operated pump suction valve is provided in the HPCS System. The valve lines up pump suction from the suppression pool. To position the valve a keylock 7.3-3 REV. 14, APRIL 2002

LSCS-UFSAR switch must be turned in the control room. Two level switches monitor the suppression pool high water level and either switch can provide an alarm in the control room to alert the operator. 7.3.1.2.1.4 Logic and Sequencing Either reactor vessel low water level or high drywell pressure automatically starts the HPCS. Two reactor vessel low water level trip settings are used to initiate the ECCS. The first low water level setting, which is the higher of the two, initiates the HPCS. The second low water level setting, which is lower, initiates the LPCI, LPCS, and ADS. This setting also closes the main steamline isolation valves (see Subsection 7.3.2). The HPCS controls and instrumentation limits are listed in Table 7.3-1. The reactor vessel low water level setting for HPCS initiation is selected high enough to prevent excessive fuel cladding temperature and fuel failure, but low enough to avoid spurious HPCS startups. The drywell high-pressure setting is selected to be as low as possible without inducing spurious HPCS startup. The HPCS control system logic can be reset if reactor water level has been restored even if the high drywell pressure condition persists. Following manual termination of pump operation HPCS will auto restart upon low reactor water level. However, auto restart is blocked on high drywell pressure unless drywell pressure decreases below the setpoint and again increases above the setpoint. A decrease in drywell pressure below trip level will remove all reset features and return HPCS logic to the original status. The HPCS pump is not stopped automatically by any reset. Pump stop requires operator action. 7.3.1.2.1.5 Bypasses and Interlocks A pump discharge bypass routes the pump discharge back to the suppression pool to prevent pump overheating at reduced HPCS pump flow. The bypass is controlled by an automatic motor-operated valve. At HPCS high flow, the bypass valve is closed; at low flow, the bypass valve is opened. A flow switch measures the flow in the HPCS pump discharge pipeline. During test operation, the HPCS pump discharge is routed to the suppression pool via a Motor-operated valve installed in the test line. The piping arrangement is shown in Drawing Nos. M-95 and M-141. On receipt of an HPCS initiation signal, the valve closes and will remain closed. 7.3-4 REV. 14, APRIL 2002

LSCS-UFSAR 7.3.1.2.1.6 Redundancy and Diversity The HPCS is actuated by redundant measurements of either reactor vessel low water level or drywell high-pressure. Both of these conditions will result from a design-basis loss-of-coolant accident. The HPCS system logic requires two independent water level measurements to concurrently indicate the high water level condition. When the high water level condition is reached following HPCS operation, these two signals are used to terminate further operation of the HPCS until such time as the low water level initiation setpoint is reached. Should this latter condition reoccur, the HPCS will be initiated to restore water level within the reactor. 7.3.1.2.1.7 Actuated Devices All automatic valves in the HPCS system are equipped with remote-manual test capability. The entire system can be manually operated from the control room. Motor-operated valves are provided with limit switches to turn off the motor when the full open or closed positions are reached. Torque switches also control valve motor forces while the valves are seating. Thermal overload devices are used to trip motor-operated valves and to provide alarms. The HPCS valves must provide design flow rate within 41 seconds from receipt of the initiation signal. The operating time is the time required for the valve to travel from the fully closed to the fully open position, or vice versa. An a-c motor-operated HPCS pump discharge valve is provided in the pump discharge pipeline. The valve opens on receipt of the HPCS initiation signal. The pump discharge valve closes automatically on receipt of a reactor high water level signal. 7.3.1.2.1.8 Separation General Separation within the emergency core cooling system is such that no single occurrence can prevent core cooling when required. Control and instrumentation equipment wiring is segregated into three separate divisions designated l, 2, and 3 (Figure 7.3-3). Similar separation requirements are also maintained for the control and motive power required. System separation is as follows: 7.3-5 REV. 13

LSCS-UFSAR Division 1 Division 2 Division 3 Low-pressure core RHR "B" and "C" High-pressure spray and RHR "A" core spray Automatic depres- Automatic depres-Surization "A" surization "B" Systems shown opposite each other are considered backup to each other. Control logic for all Division 1 systems is powered by 125-Vdc bus A and for Division 2 system by l25-Vdc bus B. HPCS logic is powered by l25-Vdc bus C. Specific HPCS is a Division 3 system (Figure 7.3-3). In order to maintain the required separation, HPCS logic relays, cabling, manual controls, and instrumentation are mounted so that separation from Divisions 1 and 2 is maintained. 7.3.1.2.1.9 Testability The high-pressure core spray instrumentation and control system is capable of being tested during normal unit operation to verify the operability of each system component. Testing of the initiation sensors which are located outside the drywell is accomplished by valving out the sensors one at a time and applying a test pressure source. This verifies the operability of the sensor, instrument channel contacts as well as the trip setpoint. Adequate control room indications are provided. High-pressure core spray high water level sensors may be tested in a similar manner. Testing for functional operability of the control logic relays can be accomplished by use of plug-in test jacks and switches in conjunction with single sensor tests. Availability of other control equipment is verified during manual testing of the system with the pump discharge returning to the suppression pool. While the plant is at power, water is not injected into the reactor vessel by the high-pressure core spray system during periodic testing. 7.3.1.2.1.10 Environmental Considerations The only HPCS control component located inside the drywell is the control mechanism for the testable check valve on the HPCS pump discharge line. The air operator is removed from check valve 1(2)E22-F005 and is replaced with a mechanism to pin the valve open for maintenance and testing. All other HPCS control and instrumentation equipment is located outside the primary containment and is selected to meet the environmental considerations. The testable feature and related control and instrumentation equipment have been eliminated from the Division 1, Division 2, and Division 3, ECCS testable check valves. 7.3-6 REV. 23, APRIL 2018

LSCS-UFSAR 7.3.1.2.1.11 Operational Considerations Under abnormal or accident conditions where the system is required, initiation and control are provided automatically for at least 10 minutes. At that time, operator action may be required. A detection system continuously confirms the integrity of the HPCS piping between the inside of the reactor vessel and the core shroud. A differential pressure switch measures the pressure difference between the top of the core support plate in a static channel and the inside of the core spray sparger pipe just outside the reactor vessel. If the HPCS sparger piping is sound, this pressure difference will be the small drop across the core resulting from interchannel leakage. If integrity is lost, this differential pressure will also include the steam separator pressure drop. Increasing differential pressure initiates an alarm in the control room. Pressure in the HPCS pump suction pipeline is monitored by a pressure indicator that is locally mounted to permit determination of suction head and pump performance. Numerous indications pertinent to the operation and condition of the HPCS system are available to the control room operator, as shown in Drawing Nos. M-95 and M-141. 7.3.1.2.2 Automatic Depressurization System (ADS) Instrumentation and Controls 7.3.1.2.2.1 Equipment Design Automatic relief valves are installed on the main steamlines inside the drywell. The valves can be actuated in three ways; they will relieve pressure by a pressure switch, or by mechanical actuation on high reactor pressure, or by actuation of an electric-pneumatic control system. The suppression pool provides a heat sink for steam relieved by these valves. Relief valve operation may be controlled manually from the main control room to hold the desired reactor pressure. The depressurization by automatic blowdown is intended to reduce nuclear system pressure during a loss-of-coolant accident. The automatic depressurization system (see Figure 7.3-5) consists of redundant pressure and water level trip channels arranged in separated logics that control separate solenoid-operated air pilots on each valve. These pilot valves control the pneumatic pressure applied to an air cylinder operator. The operator controls the safety/relief valve. An accumulator is included with the control equipment to store pneumatic energy for relief valve operation. For a description of the safety/relief valves and accumulators, refer to Section 5.2.2.4.2.1. Cables from the sensors lead to two separate relay logic cabinets where the redundant logics are formed. Station batteries power the electrical control circuitry. The power supplies for the redundant control channels are separated to limit the 7.3-7 REV. 15, APRIL 2004

LSCS-UFSAR effects of electrical failures. Electrical elements in the control system energize to cause the relief valves to open. 7.3.1.2.2.2 Initiating Circuits Two ADS trip systems are provided, ADS A and ADS B (see Figure 7.3-6). Division 1 sensors for low reactor water level and high drywell pressure initiate ADS A, and Division 2 sensors initiate ADS B. The high drywell pressure signal can be automatically bypassed as described in Section 7.3.1.2.2.3. The relays of one logic are mounted in a different cabinet than the relays of the other logic. The reactor vessel low water level setting for the ADS is selected to depressurize the reactor vessel in time to allow adequate cooling of the fuel by the LPCI or LPCS system following a loss-of-coolant accident in which the HPCS fails to perform its function adequately. The drywell high-pressure setting is selected as low as possible without inducing spurious initiation of the automatic depressurization system. This provides timely depressurization of the reactor vessel if the HPCS fails to start or fails after it successfully starts following a loss-of-coolant accident. The low-pressure pump discharge pressure setting used as a permissive for depressurization is selected to assure that at least one of the three LPCI pumps or the LPCS pump has received electrical power, started, and is capable of delivering water into the vessel. The setting is high enough to assure that the pump will deliver at near rated flow without being so low as to provide an erroneous signal that the pump is actually running. The low-pressure pump discharge pressure pump permissive is not required for emergency manual initiation of the system. The pressure and level transmitters/trip units used to initiate one ADS logic are separated from those used to initiate the other logic on the same ADS valve. Reactor vessel low water level is monitored by an analog trip system consisting of six differential pressure transmitters and trip units. The transmitters measure the difference in water column heads between a static leg, which senses the constant head reference column created by a condensing chamber, and a variable leg, which senses actual water level changes in the vessel. The transmitters send an analog input signal to the trip units. Drywell high-pressure is detected by four pressure switches, which are located in the secondary containment. The level instruments are piped so that an instrument pipeline break will not inadvertently initiate auto blowdown. The drywell high-pressure signals are bypassed after a time delay as discussed in Section 7.3.1.2.2.3. 7.3-8 REV. 14, APRIL 2002

LSCS-UFSAR An ADS initiation timer is used in each ADS logic. The time delay setting before actuation of the ADS is long enough that the HPCS has time to operate, yet not so long that the LPCI and LPCS systems are unable to cool the fuel adequately if the HPCS fails to start. An alarm in the control room is annunciated when either of the timers is timing. Resetting the ADS initiation signals recycles the timers. 7.3.1.2.2.3 Logic and Sequencing Three initiation signals are used for the ADS: reactor vessel low water level, drywell high-pressure, and confirmed reactor vessel low water level. Reactor vessel low water level indicates that the fuel is in danger of becoming uncovered. The second (lower) low water level initiates the ADS. Drywell high-pressure indicates a breach in the reactor coolant pressure boundary inside the drywell. An ADS high drywell pressure bypass timer is started after receipt of RPV level 1 signal. The RPV level 1 signal also initiates a alarm that the bypass logic has been activated. After the ADS high drywell pressure bypass timer time delay, relay contacts bypass the high drywell signal, effecting the bypass. The ADS initiation timer is now started and after runout the ADS solenoid is energized provided that at least one low pressure pump in that division is running. If the low water level signal clears, or the reset pushbutton is pressed, the timers are automatically reset. This logic will automate ADS initiation, if required, for events such as a break external to the drywell or a stuck open SRV. A manual inhibit switch is also provided in each division to allow the operator to inhibit the system without repeatedly pressing the reset button. This manual inhibit is annunciated in the main control room. Discharge pressure on any one of the three LPCI pumps or the LPCS pump is sufficient to give the permissive signal which permits automatic depressurization when the LPCI and LPCS systems are operable. The ADS instrument limits are listed in Table 7.3-1 After receipt of the initiation signals and after the delay provided by timers, each of the two solenoid pilot air valves are energized. This allows pneumatic pressure from the accumulator to act on the air cylinder operator. The air cylinder operator holds the relief valve open. Lights in the main control room indicate when a safety/relief valve is open or closed. The ADS A trip system actuates the "A" solenoid pilot valve on each ADS valve. Similarly, the ADS B trip system actuates the "B" solenoid pilot valve on each ADS valve. Actuation of either solenoid-pilot valve causes the ADS valve to open to provide depressurization. Manual reset circuits are provided for the ADS initiation signal and drywell high-pressure signals. Manually resetting the initiation signal recycles the delay timers. One control switch is available in the control room for each safety/relief valve associated with the ADS. These manual switches backup the automatic 7.3-9 REV. 14, APRIL 2002

LSCS-UFSAR depressurization function by activating a separate solenoid control valve on the safety/relief valves. The switch is a two-position type OPEN-AUTO. The OPEN position is for manual safety/relief valve operation. Manual opening of the relief valves provides a controlled nuclear system cooldown under conditions where the normal heat sink is not available. Valve numbers B21-F013 H, K, and P can be operated from the remote shutdown panel. ADS valves can be operated from the individual ADS logic relay panels. 7.3.1.2.2.4 Bypasses and Interlocks It is possible for the operator to inhibit the ADS system with the manual inhibit switch. The operator would make this decision based on an assessment of other plant conditions. ADS is interlocked with the LPCS and RHR by means of pressure switches located on the discharge of these pumps. These are the "AC interlocks". Although the AC interlocks are common to both automatic ADS initiation circuits, the independence of the automatic initiation trip circuits is not compromised because each of the logics is duplicated (ADS A and ADS B). For a failure of the ADS to occur, the AC interlocks for both trip circuits would have to fail. At least one of the three LPCI pumps or the LPCS pump must be capable of delivering water into the vessel for automatic ADS initiation to occur. The AC interlocks are not associated with the manual ADS initiation circuits. 7.3.1.2.2.5 Redundancy/Diversity The ADS is initiated by high drywell pressure and low reactor vessel water level. The high drywell pressure signal can be automatically bypassed as described in Section 7.3.1.2.2.3. The initiating circuits for each of these parameters are redundant as verified by the circuit description of this section. Instrument limits are listed in Table 7.3-1 according to system functions 7.3.1.2.2.6 Actuated Devices All relief valves in the ADS are actuated by four methods:

a. automatic action resulting from the actuation of logic chains in either Division 1 or Division 2 trip system

b. manual action by the operator,

c. pressure switch contacts closing as a result of high reactor pressure, and 7.3-10 REV. 14, APRIL 2002

LSCS-UFSAR

d. mechanical actuation as a result of high reactor pressure (higher than pressure in item c).

ADS is a Division 1 (ADS A) and Division 2 (ADS B) system, except that only one set of relief valves is supplied. Each relief valve can be actuated by either of two solenoid pilot valves supplying air to the relief valve air piston operators. One of the solenoid pilot valves is operated by trip system A and the other by trip system B. Logic relays, manual controls, and instrumentation are mounted so that Division 1 and Division 2 separation is maintained. Separation from Division 3 is likewise maintained. 7.3.1.2.2.7 Testability ADS has two complete trip systems, one in Division 1 and one in Division 2. Each trip system has two channels, both of which must operate to initiate ADS. One channel contains a timer to delay ADS to give HPCS an opportunity to start. Four test jacks are provided, one for each channel. To prevent spurious actuation of ADS during testing, only one channel is actuated at a time. An alarm is provided if a test plug is inserted in both channels in a division at the same time. Operation of the test plug switch and the permissive contacts closes one of the two series relay contacts in the valve solenoid circuit. This causes a light to extingush indicating proper channel operation. Continuity of the solenoid electrical circuit is demonstrated by a set of indicating lamps which are "on" when solenoid continuity exists. Testing of the other channel is similar. Annunciation is provided in the control room whenever a test plug is inserted in a jack to indicate to the operator that ADS is in a test status. Testing of ADS does not interfere with automatic operation if it is required by an initiation signal. 7.3.1.2.2.8 Environmental Considerations The signal cables, solenoid valves, and safety/relief valve operators are the only control and instrumentation equipment for the ADS located inside the drywell. These items will operate in the most severe environment resulting from a design-basis loss-of-coolant accident (see Table 3.11-l). Gamma and neutron radiation is also considered in the selection of these items. Equipment located outside the drywell will also operate in normal and accident environments. 7.3.1.2.2.9 Operational Considerations The instrumentation and controls of the ADS are not required for normal plant operations. When automatic depressurization is required, it is initiated automatically by the circuits described in this section. No operator action is required for at least 10 minutes following initiation of the system. 7.3-11 REV. 13

LSCS-UFSAR At LSCS Unit 1, an electromechanical lift indicating assembly is directly mounted atop the SRV. It has its own housing which mechanically mates to the valve bonnet. A reverse-spring-loaded actuator rod rides the end of the valve spindle rod to directly transmit valve motion relative to the valve seating surface. Valve position (fully open, intermediate or fully closed) is sensed by a spindle mounted, positive acting reed-switch arrangement. Electrical outputs from the reed-switches are fed to the control room to remotely indicate SRV position there. Event annunciation is also provided in the control room. Environmental and seismic qualification of the position sensor reed-switch arrangement was completed in October, 1985. This sensor is qualified to IEEE 323-1974 and IEEE 344-1975 standards. A new generation position indication system, which is an LVDT incorporated into a setpoint verification assembly, is installed on LSCS Unit 2 and were qualified in March, 1985. A confirmatory indication of SRV popping or long trend leakage is provided via temperature elements mounted in thermowells on each of the SRV blowdown pipes to the suppression pool. These indications are for back-up confirmation of the direct indicating SRV position read-outs. The temperature element is connected to a multipoint recorder in the control room to provide a means of detecting safety/relief valve leakage during plant operation. When the temperature in any safety/relief valve discharge pipeline exceeds a preset value, an alarm is sounded in the control room. The alarm setting is high enough above normal rated power drywell ambient temperatures to avoid spurious alarms, yet low enough to give early indication of safety/relief valve leakage. Drawing Nos. M-93 (sheets 3 through 5), M-139 (sheets 3 through 5), M-55 (sheet 7), and M-116 (sheet 7) show other ADS alarms. 7.3.1.2.2.10 Low-Low Setpoint Relief Logic In order to reduce as far as practicable the number of relief valves that reopen following a reactor isolation event, seven safety relief valves are provided with lower opening and closing setpoints. These setpoints override the normal setpoints following the initial opening of the relief valves and act to hold these valves open longer, thus preventing more than a single valve from reopening subsequently. This system logic is referred to as the low-low setpoint relief logic and functions to minimize the containment design load. This logic is armed when two or more valves are signaled to open from their normal relief pressure switches. At this time, the low-low set logic automatically seals itself into control of the seven selected valves and actuates the annunciator. This logic remains sealed in until manually reset by the operator. The schematic diagrams for the automatic depressurization system are shown in Drawings 1E-1-4201AA through AR and 1E-2-4201AA through 7.3-12 REV. 13

LSCS-UFSAR AR and contain logic for low-low set. This logic has been added as a product improvement to improve load margins and is not required to accommodate containment loads as defined by the NRC in NUREG-0487. The two lowest low-low set valves are the same valves used for the lowest SRV pressure group. Since the valves will already have opened from their original pressure relief signals, the low-low set logic acts to hold them open past their normal reclose point until the pressure decreases to a predetermined "low-low" setpoint, likewise with the remaining five low-low set valves after they have first been opened at their original setpoints. Thus these valves remain open longer than the other safety/relief valves. This extended relief capacity assures that no more than one valve will reopen a second time. Also, the sealed-in logic provides the first two low-low set valves ("low" and "medium") with new reopening setpoints which are lower than their original S/R setpoints. The "medium" low-low set valve acts as a backup for the "low" low-low set valve, should it mechanically fail. The low-low set logic is designed with redundancy and single failure criteria, i.e., no single electrical failure will: (1) prevent any low-low set valve from opening, (2) cause inadvertent seal-in of low-low set logic, or (3) cause more than one valve to open inadvertently or stick open. The seven valves associated with low-low set are arranged in three independent secondary setpoint groups or ranges (low, medium, high). The "low" and "medium" pressure ranges consist of one valve each, having both "reopen" and "reclose" setpoints independently and uniquely adjustable. These are set considerably lower than their normal SRV setpoints. The remaining five valves are individually controlled by new pressure switches which have an independently adjustable "reclose" setpoint. The normal SRV opening setpoints are retained for this valve group though reclose is extended in the low-low set operating mode. The pressure switches are arranged in two divisions for each low-low set valve. The single-failure criterion is thus met for this function. 7.3.1.2.2.11 Low-Low Setpoint Relief Logic Testability The SRV system has two low-low setpoint logics, one in Division 1 and one in Division 2. Either one can perform the low-low set function. Each valve has its own set of pressure switches. A keylock switch, which has a "Normal" and a "Test" position, is provided for each division. The key is removable only in the "Normal" position. When the key is inserted and switched to "test", an annunciator will alert the operator of the test status of that division. In the test mode, all of the valves remain responsive to the high reactor pressure signals should they occur. Indicator lights are switched in series with the solenoid coils on the low-low set valve to facilitate logic testing without actuating the valves from the division under test. The annunciator will not clear until the key is returned to the "Normal" position. 7.3-13 REV. 14, APRIL 2002

LSCS-UFSAR 7.3.1.2.3 Low-Pressure Core Spray (LPCS) Instrumentation and Controls 7.3.1.2.3.1 Equipment Design The low-pressure core spray (LPCS) system supplies sufficient cooling water to the reactor vessel to cool the core adequately following a design-basis loss-of-coolant accident. The LPCS includes one a-c pump, appropriate valves, and piping to route water from the suppression pool to the reactor vessel (see Drawing No. M-94 and M-140). Sensors and valve closing mechanisms for the LPCS system are located outside the primary containment. Cables from the sensors are routed to relay logic cabinets where the control circuitry is assembled. The LPCS pump and automatic valves are powered from an a-c bus that is capable of receiving standby power. Control power for the LPCS comes from a station battery. Control and motive power for the LPCS is from the same source as for LPCI Loop A. 7.3.1.2.3.2 Initiating Circuits Two reactor vessel low water level transmitters/trip units and two drywell high-pressure switches are electrically connected in a one-out-of-two twice arrangement so that no single event can prevent initiation of LPCS. Reactor vessel low water level is monitored by an analog trip system consisting of two differential pressure transmitters and trip units. The transmitters measure the difference in water column heads between a static leg, which senses the constant head reference column created by a condensing chamber, and a variable leg, which senses actual water level changes in the vessel. The transmitters send an analog input signal to the trip units which are located in the relay logic cabinets. Drywell pressure is monitored by two nonindicating pressure switches mounted on instrument racks outside the primary containment. Pipes that terminate outside the primary containment allow the switches to communicate with the drywell interior. Cables are routed from the switches to the relay logic cabinets. Each drywell high-pressure trip channel provides an input into the initiation logic shown in Figure 7.3-6. Instrument limits are listed in Table 7.3-1 according to system functions. 7.3.1.2.3.3 Logic and Sequencing The LPCS initiation logic is depicted in Figure 7.3-6 in a one-out-of-two twice network using level and pressure sensors. The initiation signal will be generated when: 7.3-14 REV. 14, APRIL 2002

LSCS-UFSAR

a. both level sensors are tripped,

b. both pressure sensors are tripped, or

c. either of two other combinations of one level sensor and one pressure sensor is tripped.

Once an initiation signal is received by the LPCS control circuitry, the signal is sealed in until manually reset. 7.3.1.2.3.4 Bypasses and Interlocks A minimum flow bypass pipeline is provided to protect the main system pump from overheating at low flow rates. The pump routes water from the pump discharge to the suppression pool. A motor-operated valve controls the flow through the bypass line. Low flow in the pump discharge line automatically opens the bypass valve if the pump is running. The valve automatically closes when the pump discharge is above the low flow setting. Flow sensing is derived from a flow switch that senses the pressure differential across a flow element in the pump discharge line. Drawing Nos. M-94 and M-140 show the location of the flow switch. Two pressure switches are installed in the pump discharge pipeline upstream of the pump discharge check valve. This pressure signal is used in the automatic depressurization system to indicate that the LPCS pump is running. 7.3.1.2.3.5 Redundancy and Diversity The LPCS is actuated by either reactor vessel low water level and/or drywell high-pressure. Both of these conditions will result from a design-basis loss-of-coolant accident. As described in Subsection 7.3.1.2.3.3, if one low level instrument channel fails, the high drywell pressure instrument channels will initiate LPCS or a combination of low level and drywell pressure. LPCS is a single pump system but is backed up by LPCI A within ECCS Division l. Division 1 systems (LPCS, LPCI A) and Division 2 systems (LPCI B, LPCI C) are provided further backup by the Division 3 HPCS. 7.3.1.2.3.6 Actuated Devices The LPCS pump can be controlled by a control room remote switch or by the automatic control system. Motor-operated valves are provided with limit switches to turn off the motor when the full open or full close positions are reached. Torque switches are also provided to control valve motor forces when valves are closing. Thermal overload devices are 7.3-15 REV. 13

LSCS-UFSAR used to trip motor-operated valves and to provide alarms. All motor-operated valves have limit switches that provide control room indication of valve position. Each automatic valve can be operated from the control room. The LPCS system pump suction valve to the suppression pool is normally open. To position the valve, a keylock switch must be turned in the control room. On receipt of an LPCS initiation signal, the LPCS test line valve is signaled to close (it is normally closed during operation) to ensure that the main system pump discharge is correctly routed. The LPCS injection valve opens upon receipt of an automatic injection signal if reactor pressure is below the low pressure ECCS interlock setpoint. This reactor low pressure interlock is provided by three pressure switches arranged in a one-out-of-two plus one-out-of-one logic arrangement for the LPCS. The injection valve may be opened manually (by remote manual switch) when the pressure between the LPCS injection valve and the LPCS check valve and Reactor pressure drops below the same setpoint. Control logic is provided to allow throttling of the LPCS injection flow for long-term cooling purposes after an accident. 7.3.1.2.3.7 Separation LPCS is a Division 1 system. In order to maintain the required separation, LPCS logic relays, manual controls, cabling and instrumentation are mounted so that separation from Divisions 2 and 3 is maintained. 7.3.1.2.3.8 Testability The LPCS is capable of being tested during normal operation. Pressure and low water level initiation sensors are individually valved out of service and subjected to a test pressure. This verifies the operability of the sensor, instrument channel contacts as well as the trip setpoint. Other control equipment is functionally tested during manual testing of each loop. Adequate indications in the form of panel lamps, annunciators, and printed computer output are provided in the control room. 7.3.1.2.3.9 Environmental Considerations The only control component pertinent to LPCS system operation that is located inside the primary containment is the control mechanism for the air-operated check valve on the LPCS injection line. The air operator is removed from check valve 1(2)E21-F006 and is replaced with a mechanism to pin the valve open for maintenance and testing. Other equipment, located outside the primary containment, is selected in consideration of the normal and accident environments in which it must operate. 7.3-16 REV. 23, APRIL 2018

LSCS-UFSAR 7.3.1.2.3.10 Operational Considerations When the LPCS is required for abnormal and accident conditions, it is initiated automatically, and no operator action is required. Sufficient temperature, flow, pressure, and valve position indications are available in the control room for the operator to accurately assess LPCS system operation. Valves have indications of full open and full closed positions. The pump has indications for pump running and pump stopped. Alarm and indication devices are shown in Drawing No. M-94 and M-140. 7.3.1.2.4 Low-Pressure Coolant Injection (LPCI) Instrumentation and Controls 7.3.1.2.4.1 Equipment Design Low-pressure coolant injection (LPCI) is an operating mode of the residual heat removal (RHR) system. The RHR system and its operating modes are discussed in Chapter 6.0. Because the LPCI system is designed to provide water to the reactor vessel following the design-basis loss-of-coolant accident, the controls and instrumentation for it are discussed here. Drawing Nos. M-96 and M-142 show the entire RHR system, including the equipment used for LPCI operation. Control and instrumentation for the following equipment is essential:

a. three RHR main system pumps,

b. pump suction valves,

c. LPCI injection valves,

d. vessel level transmitters/trip units

e. drywell pressure switches, and

f. vessel pressure switches.

The instrumentation to operate LPCI also positions appropriate valves in the RHR system. This ensures that the water pumped from the suppression pool by the main system pumps is routed directly to the reactor. These interlocking features are described in this subsection. LPCI operation uses three pump loops, each loop with its own separate vessel injection nozzle. Drawing Nos. M-96 and M-142 show the locations of instruments, 7.3-17 REV. 13

LSCS-UFSAR control equipment, and LPCI components. Components pertinent to LPCI operation are located outside the primary containment. Power for the LPCI system pumps is supplied from a-c buses that can receive standby a-c power. Two pumps are powered from one bus and the third pump from the other bus, which also powers the LPCS. Motive power for the automatic valves comes from the bus that powers the pumps for that loop. Control power for the LPCI components comes from the d-c buses. Trip channels for LPCI A are shown in Figure 7.3-6. Trip channels for LPCI B and LPCI C are shown in Figure 7.3-4. LPCI is arranged for automatic and remote-manual operation from the control room. 7.3.1.2.4.2 Initiating Circuits LPCI A LPCI A is initiated from the LPCS logic circuits, described in Subsection 7.3.1.2.3.2. LPCI B and C Reactor vessel low water level is monitored by two level transmitters mounted on instrument racks outside the primary containment that measure the difference in water column heads between a static leg, which senses the constant head reference column created by a condensing chamber, and a variable leg, which senses actual water level changes in the vessel. Each transmitter sends an input signal to an analog trip unit located in the relay logic cabinet. Instrumentation cables connect the level transmitters to the trip units. Drywell pressure is monitored by two nonindicating pressure switches mounted on instrument racks outside the primary containment. Pipes that terminate outside the primary containment allow the switches to communicate with the drywell interior. Cables are routed from the switches to the relay logic cabinets. Each drywell high-pressure trip channel provides an input into the initiation logic shown in Figure 7.3-

4. The two level analog trip units and two pressure switches are electrically connected in a one-out-of-two twice arrangement so that no single event can prevent initiation of LPCI B and C.

Drawing Nos. M-96 and M-142 can be used to determine the schematic location of sensors. Instrument characteristics and limits are given in Table 7.3-1. 7.3.1.2.4.3 Logic and Sequencing The overall LPCI operating sequence following the receipt of an initiation signal is as follows: 7.3-18 REV. 14, April 2002

LSCS-UFSAR

a. The valves in the suction paths from the suppression pool are kept open and require no automatic action to line up suction.

b. If normal auxiliary power is available, the three LPCI system pumps start immediately, taking suction from the suppression pool. In the event the normal auxiliary power is lost, standby power sources become available, and one of the LPCI system pumps on one of the two buses starts immediately. The other pump on each bus starts after a 5-second delay to limit the loading of the power sources.

c. Valves used in other RHR modes are automatically positioned so the water pumped from the suppression pool is routed correctly.

d. When nuclear system pressure has dropped to a value at which the LPCI system pumps are capable of injecting water into the vessel, the LPCI injection valves automatically open.

e. The LPCI loops then deliver water to the reactor vessel until vessel water level is adequate to provide core cooling.

After an initiation signal is received by the LPCI control circuitry, the signal is sealed in until manually reset. 7.3.1.2.4.4 Bypasses and Interlocks To protect the main system pumps from overheating at low flow rates, a minimum flow bypass pipeline is provided that routes water from the pump discharge to the suppression pool. A motor-operated valve controls the condition of each bypass pipeline. The minimum flow bypass valve automatically opens on sensing low flow in the discharge lines from each pump, if the pump is running. The valve automatically closes when the flow from the associated pump is above the low flow setting. Flow indications are derived from flow switches that sense the pressure differential across a flow element in the pump discharge lines. Drawing Nos. M-96 and M-142 show the location of the flow switches. One switch is used for each pump. The valves that divert water for containment cooling cannot be opened by manual action (except for testing during normal operation) unless two conditions exist: the accident initiation and containment pressure signals must be present, indicating the possible need for containment cooling, and the LPCI respective injection valves must be shut. 7.3-19 REV. 13

LSCS-UFSAR Two pressure switches are installed in each pump discharge pipeline to verify that pumps are operating following an initiation signal. The pressure signal is used in the automatic depressurization system to verify availability of low-pressure core cooling. 7.3.1.2.4.5 Redundancy and Diversity The LPCI is actuated by either reactor vessel low water level or drywell high-pressure. Both of these conditions will result from a design-basis loss-of-coolant accident. As described in Subsection 7.3.1.2.3.2, if one low level instrument channel fails, the high drywell pressure or a combination of low level and drywell pressure instrument channels will initiate LPCI. LPCI A initiation logic is common to the LPCS and is separated from the initiation logic for LPCI B and LPCI C. Each initiation logic uses the same one-out-of-two twice form; however, one trip system uses only Division 1 sensors (LPCI A), and the other trip system uses only Division 2 sensors (LPCI B, LPCI C). Each trip system consists of two level switches and two drywell high-pressure instrument channels connected into a one-out-of-two twice configuration. 7.3.1.2.4.6 Actuated Devices LPCI system pumps start immediately if normal auxiliary power is available or are delayed as described in Subsection 7.3.1.2.4.3. The time delays are provided by timers (see Table 8.3-1). The delay times for the pumps to start when normal a-c power is not available include time for the start signal to develop after the actual reactor vessel low water level or drywell high-pressure occurs, time for the standby power to become available, and a sequencing delay to prevent overloading the source of standby power. The total delay times from the time of the accident to the start of the main system pumps are: Pump A, 18 seconds; Pump B, 18 seconds; and Pump C, 13 seconds. If normal power is available, there is no delay time to all three pump motors. The operator can also control the pumps manually from the main control room. The main system pump motors are provided with overload protection. The overload relays maintain power on the motor as long as possible without harming the motor or jeopardizing the emergency power system. All automatic valves used in the LPCI function are equipped with remote/manual test capability. The entire system can be operated from the control room. Motor-operated valves have limit switches to turn off the motor when the full open or full closed positions are reached. Torque switches are also provided to control valve motor forces when valves are closing. Thermal overload devices are used to trip motor-operated valves and to provide alarms. Valves that also have primary 7.3-20 REV. 14, APRIL 2002

LSCS-UFSAR containment and reactor vessel isolation requirements are described in Subsection 7.3.2. The LPCI system pump suction valves from the suppression pool are normally open. To reposition the valves, a keylock switch must be turned in the control room. On receipt of an LPCI initiation signal, certain RHR system valves (for example RHR test line valves) are signaled to close (although they are normally closed) to assure that the LPCI system pump discharge is correctly routed. Valves that, if not closed, would permit the main system pumps to take suction from the reactor recirculation loops, a lineup used during normal shutdown cooling system operation will close on a shutdown cooling isolation signal (Section 7.3.2). The RHR pump suction from the suppression pool must be manually realigned for LPCI operation if the system is operating in the shutdown cooling mode. Each LPCI injection valve opens upon receipt of an automatic injection signal if reactor pressure is below the low-pressure ECCS interlock setpoint. This reactor low-pressure interlock is provided by three pressure switches arranged in a one-out-of-two plus one-out-of-one logic arrangement for each LPCI loop. The respective injection valve may be opened manually (by remote manual switch) when the pressure between the LPCI injection valve and its check valve and Reactor pressure drops below the same setpoint. The control circuitry cancels the LPCI open signal to the heat exchanger bypass valves after these valves reach the full open position. The signal cancellation allows the operator to control the flow through the heat exchangers for other postaccident purposes. Cancelling the open signal does not cause the bypass valves to close. 7.3.1.2.4.7 Separation LPCI is a Division 1 (RHR A) and Division 2 (RHR B and C) system. In order to maintain the required separation LPCI logic relays, manual controls, cabling, and instrumentation are mounted so that Divisions 1 and 2 separation is maintained. Separation from Division 3 is likewise maintained. 7.3.1.2.4.8 Testability The LPCI is capable of being tested during normal operation. Pressure and low water level initiation sensors are individually valved out of service and subjected to a test pressure. This verifies the operability of the sensor, instrument channel contacts as well as the trip setpoint. Other control equipment is functionally tested during manual testing of each loop. Adequate indications in the form of panel lamps and annunciators are provided in the control room. 7.3-21 REV. 14, APRIL 2002

LSCS-UFSAR 7.3.1.2.4.9 Environmental Considerations The only control components pertinent to LPCI operation that are inside the drywell are those controlling the air-operated test feature on check valves in the injection lines. These air operators are removed from check valves 1(2)E12-F041A/B/C and are replaced with mechanisms to pin the valves open for maintenance and testing. Other equipment, located outside the primary containment, is selected in consideration of the normal and accident environments in which it must operate. 7.3-21a REV. 23, APRIL 2018

LSCS-UFSAR 7.3.1.2.4.10 Operational Considerations The pumps, valves, piping, etc., used for the LPCI are used for other modes of the RHR. Initiation of the LPCI mode is automatic, and no operator action is required for at least 10 minutes. The operator may control the RHR manually after initiation to use its capabilities in the other modes of the RHR if the core is being cooled by other emergency core cooling systems. Sufficient temperature, flow, pressure, and valve position indications are available in the control room for the operator to accurately assess LPCI operation. Valves have indications of full open and full closed positions. Pumps have indications for pump running and pump stopped. Alarm and indications devices are shown in Drawing Nos. M-96 and M-142. 7.3-22 REV. 13

LSCS-UFSAR 7.3.1.2.5 Low-Pressure Systems Interlocks The low-pressure systems which interface with the reactor coolant pressure boundary and the instrumentation which protects them from overpressurization are as follows: Parameter RHR System Type Valve Function Sensed Reactor Recirculation MO E12-F009 pressure Prevents valve from opening Suction Reactor until reactor pressure is low MO E12-F008 pressure Reactor Prevents backflow Recirculation Check E12-F050 pressure Discharge Reactor Prevents valve from opening MO E12-F053 pressure until reactor pressure is low Vessel Check E12-F041 Reactor Prevents backflow discharge pressure Reactor Maintains valve closed until MO E12-F042 pressure reactor pressure is low Reactor Prevents backflow Head spray Check E12-F019 pressure Reactor Prevents valve opening until MO E12-F023 pressure pressure is low Reactor Prevents backflow LPCS system Check E21-F006 pressure spray Reactor Maintains valve closed until sparger MO E21-F005 pressure reactor pressure is low At least two valves are provided in series in each of these lines. The recirculation suction valves have independent and diverse interlocks to prevent the valves from being opened when the primary system pressure is above the subsystem design pressure. These valves also receive a signal to close when reactor pressure is above system pressure. The RHR system head spray motor-operated valve and RHR system recirculation discharge valves, 1(2)E12-F053, are interlocked to prevent valve opening whenever the primary pressure is above the subsystem design pressure and automatically closes whenever the primary system pressure exceeds the subsystem design pressure 7.3-23 REV. 14, APRIL 2002

LSCS-UFSAR Valve 1(2)E12 -F053A must operate for long-term cooling and has a shutdown cooling return check valve E12-F050 downstream. There is a relief valve E12-F025 that will handle the leakage of the closed check valve. The RHR system vessel discharge valve E12-F042 must operate for short-term cooling. This valve opens on low reactor pressure and must start opening above system design pressure to fulfill the flooding function. This valve is the fastest opening valve available and has a remote LPCI injection check valve downstream. The LPCS system sparger valve E2l-F005 must operate for core flooding. This valve opens on low reactor pressure and must start opening above system design pressure to fulfill the flooding function. This valve is the fastest opening valve available and has a LPCS injection check valve downstream. Position indication is provided in the control room for the motor operated valves. 7.3.1.2.6 Design-Basis Information IEEE Standard 279-1971 defines the requirements for design basis. Using the IEEE-279 format, the following subsections fulfill this requirement: Conditions The generating station conditions which require protective action for PCRVICS and ECCS are identified in the technical specifications. Variables The generating station variables which require monitoring to provide protective actions are identified in the technical specifications. Number of Sensors and Location Minimum number of sensors and schematic locations required to monitor safety-related variables are identified in Tables 7.3-6 through 7.3-11 for minimum number and Figures 7.3-3, 7.3-6, 7.3-8, 7.3-9, and Drawing No. M-153, sheets 1 and 6. Operational Limits Prudent operational limits for each safety-related variable are shown in the technical specifications. Margin Between Operational Limits The margin between operational limits and the level determining the onset of unsafe conditions is given in the technical specifications. 7.3-24 REV. 14, APRIL 2002

LSCS-UFSAR Levels Requiring Protective Action Levels requiring protective action are stated in the technical specifications. Range of Energy Supply and Environmental Conditions of Safety Systems See Subsections 3.1.2.1.4 and 7.3.6. Malfunctions, Accidents, and Other Unusual Events Which Could Cause Damage to Safety Systems See Subsection 7.3.1.3.2. Minimum Performance Requirements See Tables 7.3-1, 7.3-2, and 7.3-3. 7.3.1.2.7 Final System Drawings The final system drawings for the ECCS are shown on electrical schematics and the following referenced figures and drawings: RHR/LPCI F6.3-8, M-96, M-142 HPCS F7.3-4, M-95, M-141 LPCS F7.3-6, M-94, M-140 ADS F7.3-6, M-55, M-93, M-116, M-139 7.3.1.3 Analysis 7.3.1.3.1 General Functional Requirement Conformance Chapters 6.0 and 15.0 contain evaluations of individual and combined capabilities of the emergency cooling systems. For the entire range of nuclear process system break sizes, the cooling systems prevent fuel cladding temperatures from exceeding 2200!F since the capabilities of the individual emergency core cooling loops overlap. Instrumentation for the emergency core cooling systems must respond to the potential inadequacy of core cooling regardless of the location of a breach in the reactor coolant pressure boundary. Such a breach inside or outside the containment is sensed by reactor low water level. The reactor vessel low water level signal is the 7.3-25 REV. 14, APRIL 2002

LSCS-UFSAR only emergency core cooling system initiating function that is completely independent of breach location. Consequently, it can actuate HPCS, LPCS, and LPCI. The other major initiating function, drywell high-pressure, is provided because pressurization of the drywell will result from any significant nuclear system breach anywhere inside the drywell. Initiation of the automatic depressurization system, employs both reactor vessel low water level and drywell high pressure. The high drywell pressure will be bypassed after a time delay to automatically initiate ADS for events such as a breach outside the drywell. An evaluation of emergency core cooling systems controls shows that no operator action is required to initiate the correct responses of the emergency core cooling systems. However, the control room operator can manually initiate every essential operation of the emergency core cooling systems. Alarms and indications in the control room allow the operator to interpret any situation that requires the emergency core cooling system and verify the responses of each system. This arrangement essentially eliminates safety dependence on operator judgment, and design of the emergency core cooling systems control equipment has appropriately limited response. The general control room panel arrangement is shown in Figure 7.3-12. The redundance of the control equipment for the emergency core cooling systems is consistent with the redundancy of the cooling systems themselves. The arrangement of the initiating signals for the emergency core cooling systems, as shown in Figures 7.3-4 and 7.3-6 is also consistent with the arrangement of the systems themselves. Each system, including its initiating sensors, is separated from the other systems within the network of emergency core cooling systems. No failure of a single initiating trip channel can prevent the start of the cooling systems or inadvertently initiate these same systems. An evaluation of the control schemes for each emergency core cooling system component shows that no single control failure can prevent the combined cooling systems from providing the core with adequate cooling. In performing this evaluation the redundancy of components and cooling systems was considered. The minimum number of trip channels required to maintain functional performance is given in Tables 7.3-7, 7.3-8, 7.3-9, and 7.3-10. Determinations of these minimums considered the use and redundancy of sensors in control circuitry and the relative reliability of the controlled equipment in any individual cooling system. 7.3-26 REV. 13

LSCS-UFSAR Because the control arrangement used for the automatic depressurization system is designed to avoid spurious actuation, the information in Table 7.3-8 is worth special consideration. The ADS relief valves are controlled by two trip systems. The conditions indicated by the table result in both trip systems always remaining capable of initiating automatic depressurization. If an inoperable sensor is in the tripped state or if a synthetic trip signal is inserted in the control circuitry, automatic depressurization can be initiated when the other initiating signals are received. The prohibition against simultaneously inoperative reactor vessel low water level and drywell high-pressure trip channels in any one trip logic is necessary to prevent situations where a trip logic is continuously in the tripped condition. The trip channel conditions indicated in Table 7.3-8 avoid these undesirable situations. The conditions represented by Tables 7.3-7, 7.3-8, 7.3-9, and 7.3-10 are a result of a functional analysis of each individual emergency core cooling system. Because of the redundant methods of supplying cooling water to the fuel in a loss-of-coolant accident situation and because fuel cooling must be assured in such a situation, the minimum trip channel conditions in the referenced tables exceed those required operationally to assure core cooling capability. The only protection devices that can interrupt planned emergency core cooling system operation are those that must act to prevent complete failure of the component or system. In no case can the action of a protective device prevent other redundant cooling systems from providing adequate cooling to the core. The locations of controls that adjust or interrupt operation of emergency core cooling systems components have been specified. Controls are located in the control room and are under supervision of the control room operator. The environmental capabilities of instrumentation for the emergency core cooling systems are discussed in the descriptions of the individual systems. Components that are located inside the drywell and are essential to emergency cooling system performance are designed to operate in the drywell environment resulting from a loss-of-coolant accident. Essential instruments located outside the drywell are also qualified for the environment in which they must perform their essential function. Special consideration has been given to the performance of reactor vessel water level sensors, pressure sensors, and condensing chambers during rapid depressurization of the nuclear system. This consideration is discussed in Section 7.5. 7.3-27 REV. 13

LSCS-UFSAR Capability for emergency core cooling following the accident may be verified by observing the following indications:

a. annunciators for HPCS, LPCS, RHR, and ADS sensor initiation logic trips,

b. flow and pressure indications for each emergency core cooling system,

c. isolation valve position lights indicating open valves,

d. injection valve position lights indicating either open or closed valves,

e. ADS valve initiation circuit status by open/closed valve position indicator lamps,

f. ADS valve position may be inferred from reactor pressure indications,

g. process computer logging of trips in the emergency core cooling network, and

h. ADS valve discharge pipe temperature monitors and alarm.

Access to safety equipment areas (rooms) is controlled by the industrial security door access control system, which utilizes card-reader entry and complete logging of access by individual name, authorization code, and time. Access to switches and valves which could be used to disable safety equipment is restricted administratively. Switches are keylocked and keys are administratively controlled. The valves which are locally controllable are within safety equipment areas. Valves which are controlled in the control room have status lights and will cause an annunciation if they are placed in a condition that would disable safety equipment. "Emergency valves" for the NSSS equipment are located in the control room. Each safety system has manual system level initiation capability by operating manual switches mounted on the control room benchboards. The operator has direct, ready access to the switches. The switches require two distinct operator actions to initiate action (turning the collar and depressing the pushbutton). A failure mode and effects analysis is provided and discussed in Section 6.3. 7.3-28 REV. 13

LSCS-UFSAR 7.3.1.3.2 Specific Requirements Conformance 7.3.1.3.2.1 Regulatory Guides This topic is discussed in Appendix B. 7.3.1.3.2.2 10 CFR 50 Appendix A

a. Criterion No. 13 Conformance to this requirement is shown in Subsections 7.3.1.2.1, 7.3.1.2.2, 7.3.1.2.3, and 7.3.1.2.4.

b. Criteria 17 and 18 Power supply ECCS loads are rigorously divided into Division 1, Division 2, and Division 3. The independence of these circuits prevents compromise and enhances inspection of safety-related power supply systems.

c. Criteria 9 through 24, 29, 35, and 37 Conformance to these criteria are shown in Subsections 7.3.1.2.1, 7.3.1.2.2, 7.3.1.2.3, and 7.3.1.2.4.

7.3.1.3.2.3 IEEE Criteria Compliance of the emergency core cooling system with IEEE criteria is presented in 7.A.3.1. 7.3.2 Primary Containment and Reactor Vessel Isolation Control Instrumentation and Control 7.3.2.1 Design Bases The following safety design bases have been implemented in the primary containment and reactor vessel isolation control system:

a. To limit the release of radioactive materials to the environs, the primary containment and reactor vessel isolation control system shall, with precision and reliability, initiate timely isolation of penetrations through the primary containment whenever the values of monitored variables exceed preselected operational limits.

7.3-29 REV. 14, APRIL 2002

LSCS-UFSAR

b. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design basis a, the primary containment and reactor vessel isolation control system shall respond correctly to the sensed variables over the expected design range of magnitudes and rates of change.

c. To provide assurance that important variables are monitored to fulfill safety design basis a, a sufficient number of sensors shall be provided for monitoring essential variables.

d. To provide assurance that conditions indicative of a failure of the reactor coolant pressure boundary are detected to fulfill safety design basis a, primary containment and reactor vessel isolation control system inputs shall be derived from variables that are true, direct measures of operational conditions.

e. The time required to close the main steamline isolation valves shall be short so as to minimize the loss of coolant from a steamline break.

f. The time required to close the main steam valves shall not be so short that inadvertent isolation of steamlines causes a transient more severe than that resulting from closure of the turbine stop valves coincident with failure of the turbine bypass system.

This ensures that the main steam isolation valve closure speed is compatible with the ability of the reactor protection system to protect the fuel assembly and reactor coolant pressure boundary.

g. To provide assurance that the closure of automatic isolation valves is initiated when required to fulfill safety design basis a, the following safety design bases are specified for the systems controlling automatic isolation valves:

1. No single failure, maintenance operation, calibration operation, or test to verify operational availability shall impair the functional ability of the isolation control system.

2. The system shall be designed so that the required number of sensors for any monitored variable exceeding the isolation setpoint will initiate automatic isolation.

3. Where a plant condition that requires isolation can be brought on by a failure or malfunction of a control or regulating system, and the same failure or malfunction 7.3-30 REV. 13

LSCS-UFSAR prevents action by one or more isolation control system channels designed to provide protection against the unsafe condition, the remaining portions of the isolation control system shall meet the requirements of safety design bases a, b, c, and g.l.

4. The power supplies for the primary containment and reactor vessel isolation control system shall be arranged so that loss of one supply cannot prevent automatic isolation when required.

5. The system shall be designed so that, once initiated, automatic isolation action goes to completion. Return to normal operation after isolation action shall require deliberate operator action.

6. There shall be sufficient electrical and physical separation of wiring and piping between trip channels monitoring the same essential variable to prevent environmental factors, electrical faults, and physical events from impairing the ability of the system to respond correctly.

7. Earthquake ground motions shall not impair the ability of the primary containment and reactor vessel isolation control system to initiate automatic isolation.

h. The following safety design basis is specified to assure that the isolation of main steamlines is accomplished:

1. The isolation valves in each of the main steamlines shall not rely on electrical power to achieve closure.

i. To reduce the probability that the operational reliability of the primary containment and reactor vessel isolation control system will be degraded by operator error, the following safety design bases are specified for automatic isolation valves:

1. Access to all trip settings, component calibration controls, test points, and other terminal points for equipment associated with essential monitored variables shall be under the control of plant operations supervisory personnel.

2. The means for bypassing trip channels, trip logics, or system components shall be under the control of the 7.3-31 REV. 13

LSCS-UFSAR control room operator. If the ability to trip some essential part of the system has been bypassed, this fact shall be continuously indicated in the control room.

j. To provide the operator with a means to take action that is independent of the automatic isolation functions in the event of a failure of the reactor coolant pressure boundary, it shall be possible for the operator to manually initiate isolation of the primary containment and reactor vessel from the control room.

k. The following bases are specified to provide the operator with the means to assess the condition of the primary containment and reactor vessel isolation control system and to identify conditions indicative of a gross failure of the reactor coolant pressure boundary:

1. The primary containment and reactor vessel isolation control system shall be designed to provide the operator with information pertinent to the status of the system.

2. Means shall be provided for prompt identification of trip channel and trip system responses.

l. It shall be possible to check the operational availability of each trip channel and trip logic during reactor operation.

The specific safety requirements met by the primary containment and reactor vessel isolation control system instrumentation and controls are shown in Tables 7.1-2 and 7.1-4. 7.3.2.2 System Description The primary containment and reactor vessel isolation control system includes the sensors, channels, switches, and remotely activated valve closing mechanisms associated with the valves, which, when closed, effect isolation of the primary containment, reactor vessel, or both. The purpose of the system is to prevent the release of significant amounts of radioactive materials from the fuel and reactor coolant pressure boundary by automatically isolating the appropriate pipelines that penetrate the primary containment. The power generation objective of this system is to avoid spurious closure of particular isolation valves as a result of single failure. 7.3.2.2.1 Power Sources 7.3-32 REV. 13

LSCS-UFSAR Power for the channels and logics of the isolation control system, except Group 4 and 2 Group (VP and WR), is supplied from the two electrical buses that supply the reactor protection system trip systems. Power for the channels of the isolation control system for Group 2 and Group 4 is supplied from the two electrical buses that supply the reactor protection system trip systems. Power for the isolation logic of the isolation control system for Group 2 (VP and WR) and Group 4 is supplied from two independent safety related 125 VDC buses. Each RPS bus has its own motor-generator set and can receive alternate power from the preferred power source. Each bus can be supplied from only one of its power sources at any given time. Motor-operated isolation valves receive power from emergency buses. Power for the operation of two valves in a line is supplied from separate or different sources. Table 8.1-1 lists the power supply for each isolation valve, and discussions of these power supplies are given in Section 8.1 and 8.3. 7.3.2.2.2 Equipment Design Pipelines that penetrate the primary containment and directly communicate with the reactor vessel generally have two isolation valves, one inside the primary containment and one outside the primary containment. These automatic isolation valves are considered essential for protection against the gross release of radioactive material in the event of a breach in the reactor coolant pressure boundary. Power cables run in raceways from the electrical source to each motor-operated isolation valve. Solenoid valve power goes from its source to the control devices for the valve. The main steamline isolation valve controls include pneumatic piping and an accumulator for those valves that use air as the emergency motive power source. Pressure, temperature, and water level sensors are mounted on instrument racks in the secondary containment. Turbine stop valve position switch, control valve fast closure trip devices, and condenser vacuum switches are located in the turbine building on turbine equipment. Valve position switches are mounted on motor and air-operated valves. Switches are encased to protect them from environmental conditions. Cables from each sensor are routed in conduits and cable trays to the control room. All signals transmitted to the control room are electrical; no pipe from the nuclear system penetrates the control room. The sensor cables and power supply cables are routed to cabinets in the control or electrical equipment rooms, where the logic arrangements of the system are formed. The vent and purge valve solenoid valves are powered from the MCC from which the original limitorques were powered. 7.3.2.2.3 Initiating Circuits During normal plant operation, the isolation control system sensors and trip controls that are essential to safety are energized. When abnormal conditions are 7.3-33 REV. 13

LSCS-UFSAR sensed, trip channel sensor contacts open causing contacts in the trip logic to open and thereby initiating isolation. Loss of both power supplies also initiates isolation. Loss of instrument air pressure will not prevent the closure of the vent and purge valves if a closure signal occurs. For the main steamline isolation valve control, four channels are provided for each measured variable. One channel of each variable is connected to a particular logic in order to maintain channel independence and separation. One output of the inboard logic actuator is used to control one solenoid of the inboard and outboard valves of all four main steamlines, and one output of the outboard logic actuator is used to control the other solenoid of both inboard and outboard valves for all four main steamlines. Each main steamline isolation valve is fitted with two control solenoids. For each valve to close automatically, both of its solenoids must be deenergized. Each solenoid receives inputs from two logics, and a signal from either can cause deenergization of the solenoid. The main steamline drain valves and reactor water sample valves also operate in pairs. The inboard valves close if both the MSIV inboard isolation logics are tripped. The inboard valves close if two of the main steamline isolation logics are tripped, and the outboard valves close if the other two logics are tripped. The reactor water cleanup system, residual heat removal system, and reactor water sample isolation valves are each controlled by two logic circuits, one for the inboard valve and a second for the outboard valve. The control system for the automatic isolation valves is designed to provide closure of valves in time to minimize the loss of coolant from the reactor and prevent the release of radioactive material from the containment. A secondary design function is to prevent uncovering the fuel as a result of a break in those pipelines that the valve isolates and thereby restrict the release of radioactive material to levels below the guidelines of published regulations. Sensors providing inputs to the primary containment and reactor vessel isolation control system are not used for the automatic control of the process system, thereby achieving separation of the protection and process systems. Channels are physically and electrically separated to reduce the probability that a single physical event will prevent isolation. Redundant channels for one monitored variable provide inputs to different isolation trip systems. Table 7.3-2 lists instrument characteristics. The isolation instrument limits of the primary containment, secondary containment, and reactor vessel isolation control system are listed in Table 7.3-2. The safety design bases of these isolation signals are discussed in the following paragraphs. 7.3-34 REV. 14, APRIL 2002

LSCS-UFSAR 7.3.2.2.3.1 Reactor Vessel Low Water Level A low water level in the reactor vessel could indicate that reactor coolant is being lost through a breach in the reactor coolant pressure boundary and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes. Reactor vessel low water level initiates closure of various valves. The closure of these valves is intended to isolate a breach in any of the pipelines in which the valves are contained, conserve reactor coolant by closing off process lines, or prevent the escape of radioactive materials from the primary containment through process lines that communicate with the primary containment interior. Three reactor vessel low water level isolation trip settings are used to complete the isolation of the containment and the reactor vessel. The first, and highest, (level 3) reactor vessel low water level isolation trip setting initiates closure of RHR isolation valves; the second reactor vessel low water level (level 2) initiates closure of valves in major process pipelines except the main steam, main steam drains and drywell instrument air lines. The main steam lines are left open to allow the removal of heat from the reactor core to the main condenser. The third, and lowest (level 1) reactor vessel low water level, completes the isolation of the containment and pressure vessel by initiating closure of the main steam isolation valves, main steam line drain valves, and drywell instrument air valves. The first low water level setting (which is the RPS low water level scram setting) was selected to initiate isolation at the earliest indication of a possible breach in the reactor coolant pressure boundary, yet far enough below normal operational levels to avoid spurious isolation. Isolation of the following pipelines is initiated when reactor vessel low water level falls to this first setting:

a. RHR reactor shutdown cooling supply,

b. RHR reactor head spray, and

c. RHR shutdown cooling discharge to radwaste.

The second (and lower) of the reactor vessel low water level isolation settings (the same water level setting at which the HPCS and RCIC systems are placed in operation) was selected low enough to allow the removal of heat from the reactor for a predetermined time following the scram and high enough to complete isolation in time for the operation of emergency core cooling systems in the event of a large break in the reactor coolant pressure boundary. Isolation of the following pipelines is initiated when the reactor vessel water level falls to this second setting:

a. reactor water sample line,

b. reactor water cleanup, 7.3-35 REV. 13

LSCS-UFSAR

c. drywell floor and equipment drains,

d. containment monitoring,

e. primary containment purge,

f. reactor building closed cooling water system,

g. primary containment chilled water, and

h. recirculation flow control valve hydraulic lines.

The third, and lowest (level 1) low reactor vessel low water level setting was selected to complete isolation of the containment and pressure vessel and to minimize the number of reactor vessel isolations. Isolation of the following pipelines is initiated when the reactor vessel water falls to this third setting:

a. All four main steamlines,

b. Main steam drain lines, and

c. Drywell instrument air.

Reactor vessel low water level signals are initiated from eight differential pressure measuring instrument channels. They sense the difference between the pressure caused by a constant reference leg of water and the pressure caused by the actual water level in the vessel. There are three distinct groups of instrument channels. One group is used to indicate that water level has dropped to the first (higher) low water level isolation setting. The remaining second and third group indicate that water level has dropped to the second (lower) and third (lowest) low water level isolation setting. Four pairs of instrument sensing lines, attached to taps above and below the water level on the reactor vessel, are required for the differential pressure measurement and terminate outside the drywell and inside the containment. They are physically separated from each other and tap off the reactor vessel at widely separated points. This arrangement assures that no single physical event can prevent isolation if it is required. 7.3.2.2.3.3 Main Steamline Space High Temperature and Differential Temperature High temperature in the space in which the main steamlines are located outside of the primary containment could indicate a breach in a main steamline. Such a breach may also be indicated by high differential temperature between the outlet and inlet ventilation air for this steamline space. The automatic closure of various valves prevents the excessive loss of reactor coolant and the release of significant 7.3-36 REV. 13

LSCS-UFSAR amount of radioactive material from the reactor coolant pressure boundary. When high differential temperatures occur in the main steamline space, the following pipelines are isolated:

a. all four main steamlines, and

b. the main steamline drain.

The main steamline space high differential temperature trip is set to provide early indication of a steamline break. These trips are bypassed upon start-up of the reactor building ventilation system. (See Subsection 7.6.2.2.3) Ambient high temperature in the vicinity of the main steamlines is detected by dual element thermocouples located in the tunnel. These temperature sensors provide temperature indication and alarm functions only. They do not initiate an isolation signal (See Subsection 7.6.2.2.3). Dual element thermocouples are also located at the inlet to the steam tunnel and at the outlet to the steam tunnel. These thermocouples measure the temperature difference through the steam tunnel. The temperature elements are located or shielded so that they are sensitive to air temperature and not the radiated heat from hot equipment. The main steamline space temperature detection system is designed to detect leaks of from 1% to 10% of rated steam flow. 7.3.2.2.3.4 Main Steamline High Flow Main steamline high flow could indicate a break in a main steamline. Automatic closure of various valves prevents excessive loss of reactor coolant and release of significant amounts of radioactive material from the reactor coolant pressure boundary. On detection of main steamline high flow, the following pipelines are isolated:

a. all four main steamlines, and

b. the main steamline drain.

The main steamline high flow trip setting was selected high enough to permit isolation of one main steamline for test at reduced power without causing an automatic isolation of the other steamlines, yet low enough to permit early detection of a steamline break. High flow in each main steamline is sensed by four differential pressure switches that sense the pressure difference across the flow element in that line. 7.3-37 REV. 14, APRIL 2002

LSCS-UFSAR 7.3.2.2.3.5 Low Steam Pressure at Turbine Inlet Low steam pressure at the turbine inlet, while the reactor is operating, could indicate a malfunction of the nuclear system pressure regulator in which the turbine control valves or turbine bypass valves become fully open causing rapid depressurization of the nuclear system. From part-load operating conditions, the rate of decrease of nuclear system saturation temperature could exceed the allowable rate of change of vessel temperature could exceed the allowable rate of change of vessel temperature. A rapid depressurization of the reactor vessel while the reactor is near full power could result in undesirable differential pressures across the channels around some fuel bundles of sufficient magnitude to cause mechanical deformation of channel walls. The occurence of such depressurizations without adequate preventive action could require thorough vessel analysis or core inspection prior to returning the reactor to power operation. To avoid these time-consuming requirements following a rapid depressurization, the steam pressure is monitored at the turbine inlet. Pressure falling below a preselected value with the reactor in the RUN mode initiates isolation of the following pipelines:

a. all four main steamlines, and

b. the main steam drain line.

The low steam pressure isolation setting was selected far enough below normal turbine inlet pressures to avoid spurious isolation, yet high enough to provide timely detection of a pressure regulator malfunction. Although this isolation function is not required to satisfy any of the safety design bases for this system, the discussion is included to complete the listing of isolation functions. Main steamline low pressure is sensed by four pressure switches that sense pressure downstream of the outboard main steamline isolation valves. The sensing point is located as close as possible to the turbine stop valves. 7.3.2.2.3.6 Drywell High Pressure High pressure in the drywell could indicate a breach of the reactor coolant pressure boundary inside the drywell. The automatic closure of various valves prevents the release of significant amounts of radioactive material from the containment. On detection of high drywell pressure, the following pipelines are isolated:

a. drywell drains (discharge to radwaste),

b. primary containment vent and purge dampers,

c. drywell instrument nitorgen, 7.3-38 REV. 13

LSCS-UFSAR

d. containment monitoring (non-post-accident portions),

e. RHR shutdown cooling discharge to radwaste,

f. recirculation FCV hydraulic lines, and

g. TIP withdrawal line.

The drywell high-pressure isolation setting was selected to be as low as possible without inducing spurious isolation trips. Drywell pressure is monitored by four non-indicating pressure switches that are mounted on instrument racks outside the primary containment. Instrument sensing lines that terminate in the reactor building connect the switches with the drywell interior. 7.3.2.2.3.7 Reactor Building Ventilation Exhaust Plenum Monitor Subsystem The system initiates control signals in the event the radiation level exceeds a predetermined level to isolate the reactor building vent system, to initiate the standby gas treatment system, and to close primary containment purge and vent valves. A more detailed discussion of the system is presented in Subsection 7.6.1.2. 7.3.2.2.3.8 Reactor Water Cleanup System High Differential Flow High differential flow in the reactor water cleanup system could indicate a breach of the nuclear system process barrier in the cleanup system. The cleanup system inlet flow is compared with the outlet flow. Higher flow from the vessel initiates isolation of the reactor water cleanup system. 7.3.2.2.3.9 Reactor Water Cleanup System Equipment Area High Temperature and Differential Temperature High temperature in the area of the reactor water cleanup system equipment could indicate a breach in the reactor coolant pressure boundary in the cleanup system. High equipment area temperature and high differential temperature in the area ventilation system initiates isolation of the reactor water cleanup system. 7.3.2.2.3.10 Deleted 7.3.2.2.3.11 Main Steamline Leak Detection Description The main steamlines are constantly monitored for leaks by the leak detection system (Figure 7.3-7 and Drawing Nos. M-155 and M-157). Steamline leaks will cause changes in at least one of the following monitored operating parameters: 7.3-39 REV. 13

LSCS-UFSAR sensed differential temperature, flow rate, or low water level in the reactor vessel. If a leak is detected, the detection system responds by triggering an annunciator and initiating a steamline isolation trip logic signal. Additional discussion is presented in Subsection 7.6.2.2.3. 7.3.2.2.3.12 Turbine Condenser Vacuum Trip In addition to the present turbine stop valve trip on low condenser vacuum instrumentation, which is a standard component of the turbine system, a main steamline isolation valve trip in the low condenser vacuum instrumentation system will be provided and will meet the safety design basis of the nuclear steam supply shutoff and primary containment isolation systems. The main turbine condenser low vacuum would indicate a leak in the condenser. Initiation of the automatic closure of various Class A valves will prevent the excess loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. Upon detection of turbine condenser low vacuum, the following lines are isolated:

a. all four main steamlines, and

b. the main steamline drain.

The turbine condenser low vacuum trip setting was selected far enough above the normal operating vacuum to avoid spurious isolation, yet low enough to provide an isolation signal prior to the rupture of the condenser and subsequent loss of reactor coolant and release of radioactive material. 7.3.2.2.3.13 Residual Heat Removal System High Flow High flow in the RHR system could indicate a breach of the nuclear process barrier in the RHR system. High flow from the vessel initiates isolation of the RHR system. 7.3.2.2.4 Logic The basic logic arrangement is one in which an automatic isolation valve is controlled by two trip systems. Each trip system has two trip logics, each of which receives input signals from at least one trip channel for each monitored variable. Thus, two trip channels are required for each essential monitored variable to provide independent inputs to the trip logics of one trip system. A total of four trip channels for each essential monitored variable is required for the trip logics of both trip systems. 7.3-40 REV. 13

LSCS-UFSAR The trip actuators associated with one trip logic provide inputs into each of the trip actuator logics for that trip system. Thus, either of the two automatic trip logics associated with one trip system can produce a trip. The logic is a one-out-of-two arrangement. To initiate valve closure the trip actuator logics of both trip systems must be tripped. The overall logic of the system could thus be termed one-out-of-two taken twice. This type of logic is used to control the main steamline isolation valves (MSIV). The four logic strings for this control are shown in Figure 7.3-9. The variables that initiate automatic closure of the MSIV's are:

a. low low low (level 1) reactor water level,

b. high main steamline flow,

c. high main steamline tunnel temperature,

d. high main steamline tunnel differential temperature,

e. low turbine throttle pressure in RUN mode,

f. main condenser low vacuum (bypassable when not in RUN mode and main turbine stop valves closed).

The logic actuator outputs used to control the main steamline drain valves and reactor water sample valves could be termed two-out-of-two, applied to each valve. The logic strings for this control are shown in Figure 7.3-10. Other isolation valves are controlled by drywell high-pressure and reactor low water level signals. In this arrangement, two drywell pressure sensors are combined with two water level sensors to form a "hybrid" one-out-of-two twice network. These same drywell pressure and water level logics are used with process radiation monitor upscale and inoperative signals to produce other isolation actions, including initiation of the standby gas treatment system. The reactor water cleanup isolation valves are controlled by two logics, using high flow, high area temperature, high area differential temperature, and low water level signals. The trip signals to initiate an isolation from the main steam tunnel differential temperature sensors are bypassed upon start-up of the reactor building ventilation system. 7.3-41 REV. 13

LSCS-UFSAR 7.3.2.2.5 Bypasses and Interlocks An automatic bypass of the main steamline low-pressure signal is effected in the startup mode of operation (see Subsection 7.3.2.2.3.). Interlocks are provided from position switches on the drywell drain sumps to the radwaste system to turn off the drywell drain sump pumps if the isolation valves close. 7.3.2.2.6 Redundancy and Diversity The variables which initiate isolation are listed in Subsection 7.3.2.2.3. Also listed there are the number of initiating sensors and channels for the isolation valves. 7.3.2.2.7 Actuated Devices Subsection 6.2.4.2 itemizes the type of closing device provided for each isolation valve. To prevent the reactor vessel water level from falling below the top of the active fuel as a result of a pipeline break, the valve closing mechanisms are designed to meet the minimum closing rates also specified in Subsection 6.2.4.2. The vent and purge isolation valves are spring closing, pneumatic, piston-operated butterfly valves. Loss of instrument air will not prevent the closure of the vent and purge valves if a closure signal occurs. This is a fail safe design. The control arrangement is shown in Figure 7.3-13. Closure of the valve is less than 10 seconds. Each valve is controlled by one 3-way ASCO direct acting solenoid valve, powered by AC. The main steamline isolation valves are spring-closing, pneumatic, piston-operated valves. They close on loss of pneumatic pressure to the valve operator. This is a fail-safe design. The control arrangement is shown in Figure 7.3-11. Closure time for the valves is adjustable between 3 and 10 seconds. Closure of each MSIV is piloted by two three-way, direct-acting, solenoid-operated pilot valves, both powered by a-c. In addition, there is one three-way solenoid valve which is provided for slow stroke testing. An accumulator located close to each isolation valve provides pneumatic pressure for valve closing in the event of failure of the normal air supply system. The sensor trip channel and trip logic relays for the instrumentation used in the systems described are high reliability relays. The relays are selected so that the continuous load will not exceed 50% of the continuous duty rating. Table 7.3-6 lists the minimum numbers of trip channels needed to ensure that the isolation control system retains its functional capabilities. 7.3.2.2.8 Separation Sensor devices are separated physically such that no single failure (open, closure, or short) can prevent the safety action. By the use of conduit and separated cable trays the same criterion is met from the sensors to the logic cabinets in the control 7.3-42 REV. 13

LSCS-UFSAR room. The logic cabinets are so arranged that redundant equipment and wiring are not present in the same bay of a cabinet. Redundant equipment and wiring may be present in control room bench boards, for separation is achieved by surrounding redundant wire and equipment in metal encasements (a bay is defined by adequate fire barriers). From the logic cabinets to the isolation valves, separated cable trays or conduit are employed to complete adherence to the single-failure criterion. 7.3.2.2.9 Testability The main steamline isolation valve instrumentation is capable of complete testing during power operation. The isolation signals include low reactor water level, high main steamline flow, high main steamline tunnel temperature, low condenser vacuum, and low turbine pressure. The water level, turbine pressure, and steamline flow sensors are pressure or differential pressure type sensors which may be valved out of service one at a time and functionally tested using a test pressure source. The radiation measuring amplifier is provided with a test switch and internal test source by which trip availability may be verified. Functional operability of the temperature switches may be verified by applying a heat source to the locally mounted temperature sensing elements. Control room indications include annunciation, panel lights, and computer printout. The condition of each sensor is indicated by at least one of these methods in addition to annunciators common to sensors of one variable. In addition, the functional availability of each isolation valve may be confirmed by completely or partially closing each valve individually at reduced power using test switches located in the control room. The cleanup system isolation signals include low reactor water level, high equipment area ambient temperature and differential temperature, high differential flow, high temperature downstream of the nonregenerative heat exchanger, and standby liquid control system actuation. The water level sensor is of the differential pressure type and can be periodically tested by valving each sensor out of service and applying a test pressure. The temperature switches may be functionally tested by removing from service and applying a heat source to the temperature-sensing elements. The differential flow switches may be tested by applying a test input. The various trip actuations are annunciated in the control room. Also, valve indicator lights in the control room provide indication of cleanup isolation valve position. 7.3.2.2.10 Environmental Considerations The physical and electrical arrangement of the primary containment and reactor vessel isolation control system was selected so that no single physical event will prevent achievement of isolation functions. Motor operators for valves inside the drywell are of the totally enclosed type; those outside the containment have 7.3-43 REV. 13

LSCS-UFSAR weatherproof enclosures. Solenoid valves, whether used for direct valve isolation or as air pilots, are provided with watertight enclosures. All cables and operators are capable of operation in the most unfavorable ambient conditions anticipated. Temperature, pressure, humidity, and radiation are considered in the selection of equipment for the system. Cables used in high-radiation areas have radiation-resistant insulation. Shielded cables are used where necessary to eliminate interference from magnetic fields. Special consideration has been given to isolation requirements during a loss-of-coolant accident inside the drywell. Components of the primary containment and reactor vessel isolation control system that are located inside the drywell and that must operate during a loss-of-coolant accident are the cables, control mechanisms, and valve operators of isolation valves inside the drywell. These isolation components are required to be functional in a loss-of-coolant accident environment. Electrical cables are selected with insulation designed for this service. Closing mechanisms and valve operators are considered satisfactory for use in the isolation control system only after completion of environmental testing under loss-of-coolant accident conditions or submission of evidence from the manufacturer describing the results of suitable prior tests. 7.3.2.2.11 Operational Considerations The primary containment and reactor vessel isolation control system is not required for normal operation. This system is initiated automatically when one of the monitored variables exceeds preset limits. No operator action is required for at least 10 minutes. All automatic isolation valves can be closed by manipulating switches in the main control room, thus providing the operator with control which is independent of the automatic isolation functions. In general, once isolation is initiated, the valve continues to close, even if the condition that caused isolation is restored to normal. The operator must manually operate (from the main control room) those pushbuttons which reset the isolation logic and also the switches and/or pushbuttons for individual valves that have been automatically closed in order to reopen them. With the exception of drywell equipment drain sump outlet and the return line valves and the drywell equipment drain sump outlet valves which are provided with manual override of their isolation logic (to enable taking reactor coolant sample with the high radiation sample system under post-accident conditions), the operator cannot reopen any valves until the conditions that initiated isolation have cleared. A trip of an isolation control system channel is annunciated in the main control room so that the operator is immediately informed of the condition. The response of 7.3-44 REV. 13

LSCS-UFSAR isolation valves is indicated by OPEN/CLOSED lights. All motor-operated and air-operated isolation valves have OPEN/CLOSED lights. Inputs to annunciators, indicators, and the process computer are arranged so that no malfunction of the annunciating, indicating, or computing equipment can functionally disable the system. Direct signals from the isolation control system sensors are not used as inputs to annunciating or data logging equipment. Isolation is provided between the primary signal and the information output. 7.3.2.2.12 Design Basis Information See Subsection 7.3.1.2.6. 7.3.2.2.13 Final System Drawings The final system drawings for the PCRIVCS are shown in electrical schematics. 7.3.2.3 Analysis 7.3.2.3.1 General Functional Requirement Conformance The primary containment and reactor vessel isolation control instrumentation and control system is analyzed in this subsection. This system is described in Subsection 7.3.2, and that description is used as the basis for this analysis. The safety design bases and specific regulatory requirements of this system are also stated in Subsection 7.3.2. This analysis shows conformance to the requirements given in that subsection. The primary containment and reactor vessel isolation control instrumentation and control systems, in conjunction with other safety systems, are designed to provide timely protection against the onset and consequences of the gross release of radioactive materials from fuel and reactor coolant pressure boundaries. Chapter 15.0 identifies and evaluates postulated events that can result in gross failure of fuel and reactor coolant pressure boundaries. The consequences of such gross failures are described and evaluated. Chapter 15.0 also evaluates a gross breach in a main steamline outside the containment during operation at rated power. The evaluation shows that the main steamlines are automatically isolated in time to prevent the loss of coolant from being great enough to allow uncovering of the core. These results are true even if the longest closing time of the valve is assumed. The shortest possible main steamline valve closure time is 3 seconds. The transient resulting from a simultaneous closure of all main steam isolation valves in 3 seconds during reactor operation at rated power is discussed in Chapter 15.0. 7.3-45 REV. 14, APRIL 2002

LSCS-UFSAR 7.3.2.3.2 Specific Requirements Conformance 7.3.2.3.2.1 IEEE Criteria Refer to 7.A.3.2. 7.3.2.3.2.2 Conformance to 10 CFR 50 Appendix A

a. Criterion 13 - The integrity of the reactor core and the reactor coolant pressure boundary is assured by monitoring the appropriate plant variables and closing various isolation valves.

b. Criterion 19 - Controls and instrumentation are provided in the control room.

c. Criterion 20 - Protection System Functions. The primary containment and reactor vessel isolation control system automatically isolates the appropriate process lines. No operator action is required to effect an isolation.

d. Criterion 21 - Protection System Reliability and Testability. The high reliability relay and switch devices are arranged in two redundant divisions and maintained separately. Complete testing is covered in the discussion on conformance to Regulatory Guides given in Appendix B.

e. Criterion 22 - Protection System Independence. Two redundant divisions are physically arranged so that no single failure can prevent an isolation. Functional diversity of sensed variables is utilized.

f. Criterion 23 - Protection System Failure Mode. The system logic and actuator signals are failsafe. The motor-operated valves will fail as is on loss of power.

g. Criterion 24 - Separation of Protection and Control Systems.

The system has no control functions. The equipment is physically separated from the control system equipment to the extent that no single failure in the control system can prevent isolation.

h. Criterion 29 - Protection Against Anticipated Operational Occurrences. No anticipated operational occurrence will prevent an isolation.

7.3-46 REV. 13

LSCS-UFSAR

i. Criterion 34 - Isolation signals are provided for the shutdown cooling subsystem of the RHR System.

7.3.2.3.2.3 Regulatory Guide Conformance This topic is discussed in Appendix B. 7.3.3 Core Standby Cooling System (CSCS)/Equipment Cooling Water System (ECWS) Instrumentation and Controls 7.3.3.1 Safety Design Bases The CSCS/ECWS instrumentation and controls function to:

a. Provide adequate cooling water flow to the RHR heat exchangers, diesel-generator coolers, CSCS area cooling coils, RHR pump seal coolers, and LPCS pump motor cooling coils.

b. Provide for containment flooding for postaccident recovery and emergency makeup water for fuel pool cooling.

c. Detect leakage of radioactivity by means of radiation monitors installed immediately downstream of cooled components containing radioactive fluids.

7.3.3.2 Power Generation Design Bases Since containment and core residual heat removal is not required during power generation, the system has no power generation design bases except to be available for operational testing without effect on plant operation. 7.3.3.3 System Description 7.3.3.3.1 Instrumentation and Controls The instrumentation and controls for the CSCS equipment cooling water system sense individual pump discharge pressures, strainer differential pressures, some subsystem flows, and all subsystem discharge temperatures except the LPCS Motor Cooler discharge temperature. The RHR heat exchanger parameters are present in the control room to aid the operator in evaluating heat exchanger operation. In addition, the radiation level of the return flow to the lake from the RHR heat exchanger is also monitored. 7.3-47 REV. 16, APRIL 2006

LSCS-UFSAR Alarms of system malfunctions are also provided. The instrumentation and annunciation do not perform a safety function. The control functions are both safety-related and nonsafety-related. Power supply for all safety-related instrumentation is from Class 1E supplies. Power for control is provided by the same essential bus as the systems being controlled for safety-related functions. 7.3.3.3.2 Equipment Design and Logic Each pump can be started and stopped manually from the main control room during normal operation. The diesel-generator cooling water pumps are started automatically by diesel-generator start signals and continue to operate until the initiation signal is reset, when they can be turned off by a hand switch. The Division 1 diesel-generator cooling water pump is also started automatically by starting the LPCS pump in either Unit 1 or Unit 2. An alarm is activated on automatic trip of these pumps. Logic The piping and instrumentation diagrams for the ECCS equipment cooling water system are illustrated in Drawing Nos. M-87 and M-134. Control redundancy is not required due to the fact that the services of each subsystem are redundant and independent from one another. Control circuits are divided into three divisions which are physically separate and powered from separate buses. 7.3.3.3.3 Environmental Considerations The local instrumentation is designed to maintain a pressure boundary in the normal and accident environments in which it must operate. The remote controls are designed to remain functional during abnormal conditions. 7.3.3.3.4 Final System Drawings The final system drawings for the CSCS/ECWS are shown in electrical schematics and Drawing Nos. M-87 and M-134. 7.3.4 Main Control Room and Auxiliary Electric Equipment (AEE) Room Heating, Ventilating, and Air/Conditioning Systems Instrumentation and Controls 7.3-48 REV. 14, APRIL 2002

LSCS-UFSAR 7.3.4.1 Safety Design Bases

a. The system detects the presence of noxious gases in the minimum outside air intakes (ammonia, smoke), the Control Room main return ducts (smoke), and the AEE room main return ducts (smoke).

b. The system controls are interlocked with the radiation monitoring system and intake air smoke detectors to isolate the normal outside makeup air to the control and AEE rooms and automatically route the outside makeup air for the HVAC system through one of the emergency filter trains to maintain control room and AEE room habitability. Ammonia Detectors provide alarm only, no isolation occurs.)

c. The system operates in conjunction with ionization detection of combustion products in the control room and AEE room air return ducts and ammonia detectors in the minimum outside air intakes.

d. The system is capable of manual purging of the control room with 100% outside air.

e. Manual routing of the outside air return air mixture from the control room and AEE room through recirculation filters is required within four hours of a LOCA to ensure postaccident dose rates comply with GDC19.

f. No single failure, maintenance, calibration, or test operation prevents the functioning of the control room and AEE room HVAC system controls and instrumentation.

g. Any installed means of manual interruption of availability of the control room and AEE room HVAC systems are under control of the operator or other supervisory personnel.

h. Loss of offsite electric power does not affect the normal functioning of controls and instrumentation.

i. The physical events accompanying a loss-of-coolant or fuel-handling accident do not prevent correct functioning of the controls and instrumentation.

7.3-49 REV. 14, APRIL 2002

LSCS-UFSAR

j. Seismic motions resulting from earthquake ground motion, missile, wind, and flood do not impair the operation of the controls and instrumentation.

k. The requirements of IEEE 279, 323, and 344 are met by the control room HVAC system instrumentation and controls.

Additionally, General Design Criteria 13, 19, 20 through 24, and 29 of 10 CFR 50, Appendix A, have been implemented in the design of this control system. 7.3.4.2 Power-Generation Design Bases

a. Control the temperature inside the control room and AEER between 65 °F and 85 °F and maintain the control room and AEER at approximately 1/8-inch water positive pressure with respect to the surrounding potentially contaminated areas.

b. Indicate temperatures and status of operating equipment, i.e.,

supply and return air fans, refrigeration unit, etc., on the main control board for the control room HVAC and on the auxiliary control panel for the AEE room HVAC.

c. Annunciate on the main control board any operating transients that require operators' attention. This includies high temperature, loss of airflow from supply and return air fans, loss of refrigeration unit, high pressure drop across the supply air filters.

d. Provide capability in the main control room to control and operate various components of the control room HVAC system manually from the main control room, and in the auxiliary building to control and operate various components of the AEE room HVAC system manually.

7.3.4.3 System Description The controls and instrumentation for HVAC systems function to ensure the habitability under all station operating conditions as described in Section 6.4 and Subsection 9.4.1. 7.3-50 REV. 14, APRIL 2002

LSCS-UFSAR 7.3.4.3.1 Power Supply The control room and AEE room HVAC systems are comprised of redundant supply air fans, return air fans, electric heating coils (not safety-related), refrigeration units, recirculation filters, and an emergency makeup air filter train consisting of electric heating coil, fan, and filters. Power supply for the various redundant components of each HVAC system is from separate essential a-c buses, which can receive standby a-c power. Control power for isolation dampers, controls, and instrumentation comes from the bus that powers the corresponding equipment train. 7.3.4.3.2 Initiating Circuits, Logic, and Sequencing Various components of each redundant control room and AEE room HVAC system are initiated as described below:

a. The supply and return fans for the control room HVAC system are initiated manually by handswitches provided on the main control board. The supply and return fans for the AEE room HVAC system are initiated manually by handswitches provided on an auxiliary panel outside each AEE room.

b. The refrigeration unit condenser fans are provided with a control switch in the main control room for the control room HVAC system, and a control switch on an auxiliary panel outside the AEE room for its corresponding HVAC system.

While in the automatic mode, the refrigeration unit operates continuously with a built-in unloading system which is initiated by refrigerant suction pressure.

c. On any equipment malfunction alarm on the main control board, the redundant HVAC system is initiated manually.

d. The process radiation system detects high radiation signals from detectors which monitor air going to each of the two minimum outside air intakes and initiates the following simultaneous actions:

1. alarms the radiation levels for either intake in the main control room,

2. closes the normal path of makeup air supply to the control room and AEE room HVAC system, and 7.3-51 REV. 13

LSCS-UFSAR

3. initiates control action to cause outside air to be routed through an emergency makeup filter train.

e. When combustion products are detected in the minimum outside air intakes, the response is similar to the high radiation condition above. When combustion products are detected in the control room or the AEE room return air ducts by the ionization smoke detectors, an alarm is annunciated in the main control room, and the corresponding system supply air is routed through the normally bypassed recirculation filters. In addition, if the quality of outside air is proper, the operator can remote manually operate handswitches on the main control board for the control room HVAC and a control switch on an auxiliary panel outside the AEE room for the corresponding HVAC system to place the recirculation filter on line, to open the maximum outside air intake dampers, fully open the exhaust damper, and close the recirculation air damper for purging the control room and AEE room air.

f. During normal station operating conditions, the ammonia detection system detects ammonia in either of two minimum outside air intakes and activates an alarm on the main control board.

7.3.4.3.3 Bypasses and Interlocks All of the isolation dampers in each control room and AEE room HVAC system equipment train are interlocked with the operation of the corresponding supply air and return air fans. Operation of any one of these fans opens all the corresponding isolation dampers. The supply air and return air fans are operated manually by handswitches. The refrigeration machine start circuit is interlocked with the operation of the supply air fan. The operation of the refrigeration machine is further interlocked with safety protection cutouts such as low pressure and high pressure cutouts in the refrigerant circuit and an oil-failure switch in the compressor lubrication circuit. To guard against overheating, the electric heating coils are interlocked with supply air fan operation and a thermal cutout switch. Zone mixing dampers are controlled by temperature controllers in each zone. The refrigeration machines run continuously in conjunction with refrigerant suction pressure initiated unloading and the hot gas bypass system. The electric heating coils are controlled by thermostats placed in each area served by the control room and AEE room HVAC systems. 7.3-52 REV. 14, APRIL 2002

LSCS-UFSAR The operation of the emergency makeup air filter train is interlocked with the process radiation and ionization products of combustion monitors in the minimum outside air intakes. All of the isolation dampers in the outside air intakes and the emergency makeup air filter train are appropriately interlocked to serve the required function. The electric heating coil for humidity control in the emergency makeup air filter train is interlocked with the corresponding emergency makeup air fan. 7.3.4.3.4 Redundancy/Diversity Instrumentation and controls for each redundant control room and AEE room HVAC system are completely independent of each other. 7.3.4.3.5 Actuated Devices The normal and emergency operation of each control room and AEE room HVAC system involves the following actuated devices:

a. supply air fan,

b. return air fan,

c. electric duct heating coils (normal only),

d. refrigeration unit,

e. emergency makeup air electric heating coil,

f. emergency makeup air fan,

g. corresponding isolation and control dampers , and

h. recirculating filters.

7.3.4.3.6 Separation The channels and logic circuits are physically and electrically separated to preclude the possibility that a single event will prevent operation of the control room and AEE room HVAC system. Electrical cables for instrumentation and control on each control room and AEE room HVAC system are routed separately. 7.3-53 REV. 13

LSCS-UFSAR 7.3.4.3.7 Testability Control and logic circuitry used for the control room and AEE room HVAC system can be checked individually by applying test or calibration signals to the sensors and observing responses. Operation of each component of each redundant HVAC system is periodically rotated to permit online checking and testing of the performance of the total system. The automatic control circuitry for the emergency equipment is designed realign the appropriate automatic dampers to their emergency positions in response to an initiation signal. 7.3.4.3.8 Environmental Considerations Temperature, pressure, humidity, and radiation dosage are considered in the selection of various equipment, instrumentation, and controls for the control room and AEE room HVAC system. These are described in detail in Section 3.11 and Subsection 9.4.1. 7.3.4.3.9 Operational Considerations The control room and AEE room HVAC system is required during normal and abnormal station operating conditions. The automatic circuitry is designed to start the emergency equipment if the signal for its initiation is received as described in this section. 7.3.4.3.10 Operating Bypasses The control room and AEE room HVAC systems have no automatic operating bypasses. Manual bypasses are indicated in the control room via the ESF status indication panel as described in Section 7.8. Manual bypasses consist of a "racking-out" fan breaker, opening starter feeder breakers at damper motor control centers, shutting isolation valves to instruments and sensors which actuate the subsystem and other operations meeting the three conditions given in Regulatory Guide 1.45. 7.3.4.3.11 Outdoor Air Intake Radiation Protection Portion of the Control Room and Auxiliary Electric Equipment Room HVAC Systems

a. The generating station condition which requires protective action is high levels of radioactivity which may be present and the subsequent initiation and use of the control room and AEE room emergency makeup filter equipment, recirculation filters, and the selection of the proper air intake to minimize exposure.

7.3-54 REV. 14, APRIL 2002

LSCS-UFSAR

b. The recirculation filters for the Control Room and AEER must be manually placed on line within four hours of any control room high radiation alarms.

c. The generating station variable which requires monitoring to provide action is the outdoor air activity levels near the intake louvers.

d. A minimum of two trip systems per intake are required. The radioactivity levels are to be sensed by monitors upstream of intake isolation dampers, where the air enters the intake louvers.

e. The maximum radiation monitor time constant, for a one decade increase above the setpoint, is about 5 seconds. The time constant ensures that short duration changes in the count rate will not cause a response of the detector, thus preventing false trip actuations due to background noise. The radiation monitor time constant decreases exponentially with increasing radiation levels.

7.3.4.3.12 This Subsection has been deleted. 7.3.4.3.13 Ionization Detection Portion of Control Room and Auxiliary Electric Equipment Room HVAC Systems

a. The generating station condition which requires protective action is the presence of products of combustion in areas served by the control room and AEE room HVAC systems.

b. The generating station variable which requires monitoring to provide action is the product of combustion.

c. Duct-mounted ionization detectors are located in each minimum outside air intake duct and main return air duct.

d. The ionization detectors meet the requirements of NFPA 72E-1974 and are UL Listed. Expections to the standard are identified and justified.

7.3-55 REV. 14, APRIL 2002

LSCS-UFSAR

e. The installation and operation of the detectors meet the requirements of NFPA 90A-1975, Standard for the Installation of Air Conditioning and Ventilating Systems, with some exceptions. Exceptions to the standard are identified and justified.

f. Testing of the ionization detectors is performed periodically in accordance with the Fire Protection Program, station procedures and Technical Specification requirements, as applicable.

7.3-55a REV. 14, APRIL 2002

LSCS-UFSAR

g. The range of transient and steady-state electrical energy supply conditions throughout which the system must perform is described in Subsection 8.3.1. The range of environmental conditions to which the ionization detectors are subjected is the same as the main control room.

7.3.4.3.14 Outdoor Air Intake Ammonia Protection Portion of Control Room and the Auxiliary Electric Equipment Room HVAC Systems

a. The detection of ammonia at the generating station is provided for the postulated occurrence in which ammonia is dispersed in the air outside the plant in sufficient concentration to affect operator action such that isolation of the ventilation air intakes is required.

b. Outdoor air ammonia concentration is monitored and high ammonia concentrations are annunciated in the control room.

c. The minimum number of sensors required to monitor outdoor air ammonia concentration is two ammonia sensors for each of two air intakes. The ammonia is sensed upstream of intake isolation dampers, where air enters the building.

d. The operational range of the ammonia detection system is from 0 to 75 ppm.

e. The normal operation ammonia concentration is expected to be 0 ppm.

f. The ammonia detectors initiate a control room alarm if ammonia levels are detected in excess of the factory fixed alarm setpoint of approximately 12.5 ppm.

g. The ammonia detectors are not required to be seismically qualified or safety-related because the function performed is not safety related. The instruments are high grade commercial products that provide detection of ammonia within the range of less than or equal to 75 ppm and operate in the range of environmental conditions where they are mounted.

7.3-56 REV. 14, APRIL 2002

LSCS-UFSAR 7.3.4.3.15 Final System Drawings The final system drawings for the main control room and AEE room HVAC systems are shown in electrical schematics and Drawing Nos. M-1443, M-1468, and M-3443. 7.3.4.4 Analysis The control room and AEE room HVAC system analysis is presented in Subsection 9.4.1. The instrumentation and controls are described in Sections 6.4 and 9.4. The control room and AEE room HVAC systems are redundant systems, consisting of two equipment trains, the essential portions of which meet the requirements of IEEE 279-1971, Criteria for Nuclear Power Plant Protection Systems. Specific conformance of the instrumentation and control to IEEE 279-1971 is presented in Attachment 7.A. 7.3.5 Combustible Gas Control System Instrumentation and Controls 7.3.5.1 Safety Design Bases The hydrogen recombining function of the hydrogen recombiners is abandoned in place. The valves that provide RHR cooling water to the hydrogen recombiners are also abandoned in place in the closed position. The blower and associated piping are not abandoned and remain operational to maintain the drywell mixing function. The design basis information for the hydrogen recombination function remains for historical reference.

a. The combustible gas control system has the capability for monitoring and measuring the hydrogen concentration in the drywell and suppression chamber, mixing the atmosphere of both drywell and suppression chamber and controlling combustible gas concentrations in the primary containment without reliance on purging and without the release of radioactive material to the environment.

b. The primary systems for combustible gas control, including measuring and sampling, meet the design, quality assurance, redundancy, energy source, and instrumentation requirements for an engineered safety feature system. They will not introduce safety problems affecting containment integrity.

c. One recombiner package is provided per unit. Each recombiner has the capability of cross connection to the other unit in order to provide 100% redundancy. The units are located outside of 7.3-57 REV. 17, APRIL 2008

LSCS-UFSAR the primary containment in an accessible area during normal operation. They can be tested and/or inspected during normal plant operation or during shutdown conditions.

d. Combustible gas control system components are protected from postulated missiles and pipe whip as required to assure proper operation. The system is single failureproof for all active components.

e. The combustible gas control system will be activated after a LOCA in time to assure that the hydrogen concentration does not exceed 4 volume percent of hydrogen in either the drywell or wetwell atmospheres. In addition, the LSCS containment is nitrogen inerted to an oxygen concentration of 4% by volume.

This is below the combustible limit of oxygen in hydrogen but still provides enough oxygen to react with all the hydrogen that would be produced by the metal water reaction.

f. The combustible gas control systems are designed so that all components are Seismic Category I. The units are capable of cross-connection to provide redundancy and of withstanding the temperature and pressure transients resulting from a LOCA.

All components subjected to containment atmosphere can withstand the humidity and radiation conditions in the containment following a LOCA.

g. The recombiner units are remotely operated from the main control room and the local control panel in the aux. electric equipment room. There are no local operating adjustments that need to be made on a unit operating in a post-LOCA environment. Therefore, no biological shielding is required.

h. As a backup to the combustible gas control system, capability is provided to control gas concentrations by purging the containment vent and purge system and containment atmosphere cleanup system.

7.3.5.2 System Description The hydrogen recombining function of the hydrogen recombiners is abandoned in place. The valves that provide RHR cooling water to the hydrogen recombiners are also abandoned in place in the closed position. The blower and associated piping are not abandoned and remain operational to maintain the drywell mixing function. The design basis information for the hydrogen recombination function remains for historical reference. 7.3-58 REV. 17, APRIL 2008

LSCS-UFSAR This system is described in Subsection 6.2.5. The containment atmospheric monitoring system is discussed in Subsection 7.5.2. The combustible gas control (recombiner) system instrumentation and controls are described in the following subsections. 7.3-58a REV. 17, APRIL 2008

LSCS-UFSAR 7.3.5.2.1 Power Sources The independent instrument and control subsystems use 120-Vac from electrical Division 2 of Unit 1 for System "A" and 120-Vac from Division 2 of Unit 2 for System "B". System "A" 480-Vac is from Unit 1 Division 2 and System "B" 480-Vac is from Unit 2 Division 2. The containment isolation valves located in Unit 1 that allow System "B" to take suction from and discharge to Unit 1 containment are powered from Unit 1 Division 1. The containment isolation valves located in Unit 2 that allow System "A" to take suction from and discharge to Unit 2 containment are powered from Unit 2 Division 1. This arrangement is used to prevent the loss of a unit's Division 2 bus from preventing the opposite unit's combustible gas control system from being cross connected to the affected unit. 7.3.5.2.2 Initiating Circuits Since the use of this system will only be needed in the unlikely event of a LOCA where the hydrogen level in the drywell/containment approaches the established limits of concentration, there are no automatic initiating circuits in this system. The system is manually initiated by operating personnel in the control room and the aux. electric equipment room. 7.3.5.2.3 Logic and Sequencing Interlocks are provided in the control circuitry which compel the control room operator to start the system in proper sequence. The recombiner heaters are temperature controlled and monitored from the local control panel in AEER. Overtemperature trips are provided to shut off power to the heaters on high temperature. Low process gas flow is annunciated on the local control panel. 7.3.5.2.4 Redundancy and Diversity Instrumentation and control for each redundant/combustible gas control system are completely independent of each other. 7.3.5.2.5 Actuated Devices All control valves, blowers, and heaters are initiated by manually operated control switches on the control room panels or the local control panel in the AEER. The valves are equipped with position limit switches, and the valve position is indicated on the respective control room panels by lights. The heater and blower operating status is also indicated by lights on the control room panels and the local control panel. 7.3-59 REV. 13

LSCS-UFSAR 7.3.5.2.6 Separation The combustible gas control system is segregated into two independent systems. 7.3.5.2.7 Testability The combustible gas recombiner instrumentation and control system can be tested during normal plant operation to verify the operability of the system. The control valves can be operated from the control room or local control panel to check operation. The blowers and heaters can be operated from the control room or local control panel. The flow control loops can be checked for operation and control with the blower running. The recombiner heaters can be turned on from the control room or local control panel to check operation. Since this is a manually initiated system from the control room and the AEER, each redundant system is manually checked for system operability. Indication by lights provides information for operational check of the valves. The blower operation is checked by lights and flow instrumentation. 7.3.5.2.8 Environmental Considerations The combustible gas recombiner system is located outside of the drywell/containment and will only be needed in the unlikely event of a LOCA where the established hydrogen level in the drywell/containment approaches the established upper limits of concentration. Components are qualified for the expected most severe environmental conditions at this location. 7.3.5.2.9 Operational Considerations The combustible gas recombiner system is not required for normal plant operation. After a LOCA, several other subsystems will first be started at different intervals. This system is initiated manually from the control room and the local control panel in the AEER. The recombiner is manually energized and after a period of about 1-1/2 hours the recombiner will be up to operating temperature. Each hydrogen recombiner package unit is skid mounted and is an integral package. The recombiner units are remotely started from independent control room panels and local control panels which are physically and electrically separated. 7.3.5.2.10 Operating Bypasses The combustible gas control system has no automatic operating bypasses. Manual bypasses are indicated in the control room via the ESF status indication panel as described in Section 7.8. Manual bypasses consist of "racking-out" fan breakers, opening starter feeder breakers at valve motor control centers, shutting isolation valves to instruments and sensors which control the subsystem, and other operations meeting the three conditions given in Regulatory Guide 1.47. 7.3-60 REV. 13

LSCS-UFSAR 7.3.5.2.11 Final System Drawings The final system drawings for the Combustible Gas Control System are shown in electrical schematics and Drawing No. M-130. 7.3.6 Standby Power System Instrumentation and Controls 7.3.6.1 Design Basis Refer to Subsection 8.1.2 of this USFAR and to Table 1, "Design Basis Events" of IEEE 308-1971. 7.3.6.2 Description The standby a-c power system provides a self-contained source of electrical power which is not dependent on auxiliary transformer sources of supply and which is capable of supplying sufficient power for those electrical loads which are required for the simultaneous safe shutdown of both units, including the load in one unit which is required to combat a loss-of-coolant accident. The standby a-c power system produces a-c power at a voltage and frequency compatible with normal bus requirements. The standby diesel generators are applied to the various plant buses so that the loss of any one of the diesel generators will not prevent the safe shutdown of either unit. The total system satisfies single-failure criteria. In the event that both sources of auxiliary power (system and unit auxiliary transformers) are lost for either one or both units, the auxiliaries essential to safe shutdown will be supplied by the corresponding diesel-driven generators. One diesel generator is permanently assigned to each of the three engineered safety features electrical system 4160-volt buses for each unit. Each diesel-generator system is housed in a separate room, which is provided with an independent source of ventilation air. The design of the rooms prevents the possibility that missiles, explosion, or fire from one diesel generator might affect its redundant counterpart. Each diesel generator is designed and installed to provide a reliable source of redundant onsite-generated auxiliary power. It is capable of supplying the engineered safety features loads assigned to the engineered safety features electrical system bus which it feeds. Each diesel generator with its associated auxiliaries is designed to meet the station Safety Class 1 design criteria. 7.3-61 REV. 14, APRIL 2002

LSCS-UFSAR The diesel generators are so applied to their respective buses that the loss of one diesel generator cannot affect both of any two redundant buses as described in Subsection 8.3.1.1.2. Safe shutdown capability will therefore not be affected by such a diesel generator failure. For each diesel engine, the fuel oil system, air starting system, and generator output and excitation systems are equipped with instrumentation to monitor all important parameters and to annunciate abnormal conditions. This instrumentation is described in the following. Following a manual start (by control switch), the following protective devices are in service during operation of the diesel generator, and their operation automatically shuts down the diesel generator when an out of tolerance condition exists:

a. mechanical:

overspeed, low lube-oil pressure (with time delay), high jacket water temperature, and overcrank (with time delay).

b. electrical:

reverse power relay, generator differential current relays, generator phase overcurrent relays, and loss of excitation. DG-0, 1A, and 2A only: generator under frequency, generator neutral ground. Following an automatic start (by safety injection signal), the protective devices listed below are in service during emergency operation of the diesel generator. Their operation will automatically shut down the diesel generator when an out of tolerance condition exists. 7.3-62 REV. 14, APRIL 2002

LSCS-UFSAR

a. mechanical:

overspeed.

b. electrical:

generator differential relays. When out of service, the diesel engine temperature is maintained by a thermostatically controlled heater. The following alarms are provided:

a. local (at diesel-generator location):

high crankcase pressure, lube oil low pressure, failure to start, lube oil high temperature, jacket water high temperature, and engine overspeed. D/G-0, 1A, and 2A only: fuel oil filter high differential pressure, generator overcurrent, lube oil filter restricted, engine generator trouble, lockout, engine generator trouble, low engine temperature, generator neutral ground, reverse power, underfrequency, undervoltage, 7.3-63 REV. 13

LSCS-UFSAR stator temperature high, generator loss of field, low circulating oil pressure,* and low soak back oil pressure*. D/G-1B and 2B only: starting air low pressure, engine low water level, engine tripped, low water temperature, high stator temperature, low oil temperature, low water pressure, battery charger failure, and d-c trouble. Note: When the DG is shutdown, the low lube oil pressure alarm will annunciate on low circulating or soak back oil pressure.

b. main control room alarms:

diesel-generator trouble, diesel-generator main feed breaker trip,

• Alarm is only functional when the diesel is shutdown.

generator overload, and diesel oil storage tank level low. D/G-0, 1A, and 2A only: loss of d-c to engine panel, generator current-differential trip, failure to start, 7.3-64 REV. 13

LSCS-UFSAR exciter discharge trip, unit manual setup, air compressor breaker auto-trip, engine oil circulating pump auto-trip, not ready for auto-start, and voltage regulator selector switch in manual. D/G-1B and 2B only: generator ground, lockout trip, engine overspeed, engine running, engine trip, and HPCS system not ready for auto-start, HPCS protective relay power failure. The following manual controls are provided:

a. local:

diesel engine generator "START" and "STOP" pushbuttons, diesel engine generator "EMERGENCY STOP" and "RESET" pushbuttons, maintenance "CUT-OUT" switch (prevents starting of diesel while out of service for maintenance), governor control switch, generator voltage adjuster control switch, and auto-manual transfer switch (DG-0, 1A, and 2A only). 7.3-65 REV. 13

LSCS-UFSAR

b. main control room:

diesel engine generator "START/STOP" control switch, engine governor control switch, and generator voltage adjuster control switch, and diesel engine generator "REMOTE-LOCAL" control (DG1B and 2B). The following instrumentation is provided:

a. local (at diesel-generator location):

generator wattmeter, generator varmeter, generator frequency meter, elapsed time meter, generator ammeter (with phase selector switch), generator watt-hour meter, engine starting air pressure gauge, engine lube oil pressure gauge, engine fuel oil pressure gauge, soakback lube oil pressure gauge, engine exhaust temperature, generator voltmeter (with phase selector switch), stator temperature monitor, fuel day tank level, engine tachometer, 7.3-66 REV. 13

LSCS-UFSAR lube oil temperature, cooling water temperature, crankcase pressure lube oil filter differential pressure, cooling water pressure, fuel temperature, and scavenging air pressure. D/G-0, 1A, and 2A only: fuel strainer differential pressure, and fuel filter differential pressure. D/G-1B and 2B only: exciter field voltmeter, exciter field ammeter, synchronizing lights, scope and voltmeters, water jacket pressure and motor driven fuel oil pump filter inlet pressure

b. main control board:

generator voltmeter (with phase selector switch), generator wattmeter, generator varmeter, generator ammeter, generator frequency meter, generator synchroscope (with "incoming" and "running" voltmeters), 7.3-67 REV. 14, APRIL 2002

LSCS-UFSAR generator synchronizing lights, and 4-KV ESF bus voltmeter. The following relays are provided: over and under voltage relay (27.59DG) (DG-0, 1A, and 2A only), reverse power relay (32DG), under frequency relay (81) plus auxiliary relay (DG-0, 1A, and 2A only), diesel-generator differential relay (87), lockout relay (86), loss of field relay (40DG), overcurrent with voltage restraint relays (51V), overcurrent relay (51), and diesel-generator neutral overvoltage relay (59DG). 7.3.6.3 Analysis The general functional requirements for the standby power systems instrumentation and controls are discussed in Chapter 8.0. The following descriptive analyses are also provided:

a. Compliance with NRC General Design Criterion 17, "Electric Power Systems", is described in Subsections 3.1.2.2.8 and 8.3.1.2.

b. Compliance with NRC General Design Criterion 18, "Inspection and Testing of Electric Power Systems", is described in Subsections 3.1.2.2.9 and 8.3.1.2.

c. Conformance with applicable regulatory guides is described in Appendix B.

7.3-68 REV. 14, APRIL 2002

LSCS-UFSAR A planned quality assurance program covering design, fabrication, testing, purchase, shipment, installation, and storage of equipment for safety-related systems is described in Chapter 17.0. 7.3.7 Reactor Building Ventilation and Pressure Control System 7.3.7.1 Design Bases

a. The ventilation pressure control functions to hold the ECCS equipment sections of the reactor building at a negative pressure differential of 1/4-inch water gauge during all normal operating conditions.

b. The design leak rate from atmosphere to the reactor building is 100% of the reactor building volume per day at 1/4-inch water presssure differential.

c. If radioactivity is detected in the exhaust gas from the reactor building, the control system isolates the building and starts and directs the ventilation exhaust to the standby gas treatment system.

7.3.7.2 Description This system is discussed in Section 9.4. 7.3.7.3 Analysis The safety analysis of this system and the associated instrumentation and controls is presented in Section 9.4. 7.3.8 Standby Gas Treatment System Instrumentation and Controls 7.3.8.1 Design Bases The standby gas treatment system instrumentation and controls are designed to meet the following safety design bases:

a. The standby gas treatment system instrumentation and controls start the standby gas treatment system to maintain the reactor building at negative pressure to assure infiltration and to filter the radioactive particulates and iodine from the influents in the case of a loss-of-coolant accident or fuel-handling accident.

7.3-69 REV. 13

LSCS-UFSAR

b. The standby gas treatment system responds automatically so that no action is required of station operators following a loss-of-coolant or fuel-handling accident.

c. The responses of the standby gas treatment system are indicated on the main control board.

d. Facilities for the manual control of the standby gas treatment system are provided in the control room.

e. No single failure, maintenance, calibration, or test operation prevents operation of the standby gas treatment system.

f. The standby gas treatment system flow can be manually adjusted at the local control panel located adjacent to the SGTS train.

g. Loss of offsite electric power and instrument air does not affect the normal functioning of the SGTS.

h. The physical events accompanying a loss-of-coolant or fuel-handling accident do not prevent correct functioning of the instrumentation and controls.

i. Seismic motion resulting from earthquake ground motion, missile, wind, and flood does not impair the operation of the instrumentation and controls.

j. To assure availability of the standby gas treatment system, it is possible to test the response of the instrumentation and controls.

k. The requirements of IEEE 279, 308, 323, 338, and 344 are met by the standby gas treatment system instrumentation and controls. In addition, General Design Criteria 13, 19, 20 through 24, and 29 of 10 CFR 50, Appendix A have been implemented in the design of this control system.

7.3.8.2 System Description The instrumentation and controls of the standby gas treatment system (SGTS) are designed so that the SGTS functions to maintain the reactor building at a negative pressure with respect to the outdoors on an SGTS initiation signal in order to preclude leakage of radioactive particulates and gases directly to the outdoors, and to reduce radioactive particulates and gaseous concentration in the exhaust air from the reactor building before the air is exhausted to the outdoors. 7.3-70 REV. 13

LSCS-UFSAR The standby gas treatment system is described in detail in Subsection 6.5.1 and shown schematically in Drawing No. M-89. 7.3.8.2.1 Power Sources Each SGTS equipment train has an SGTS fan, cooling fan, electric heating coil, and associated motor-operated isolation valves. Power supply for the various components of each SGTS equipment train is from separate essential a-c buses that can receive standby a-c power. Control power for isolation valves and controls comes from the bus that powers the corresponding equipment train. The isolation dampers in the reactor building ventilation system supply and exhaust duct headers are operated by air cylinders, with instrument air controlled by solenoid valves for each isolation valve. Each isolation damper is provided with spring-loaded closure upon failure of the instrument air supply. Each electric solenoid valve initiating the closure of each redundant isolation damper in the reactor building supply and exhaust ducts is powered from an independent essential power bus. 7.3.8.2.2 Initiating Circuits, Logic, and Sequencing The system is automatically started in response to any one of the following signals:

a. high pressure in the drywell of either Unit 1 or Unit 2 (refer to Subsection 7.3.2 for details),

b. low water level in the reactor vessel of either Unit 1 or Unit 2 (refer to Subsection 7.3.2 for details),

c. high radiation in the fuel pool vent plenum of either Unit 1 or Unit 2 (refer to Subsection 7.6.2.2), or

d. high radiation in the reactor building ventilation exhaust plenum (refer to Subsection 7.6.2.2 for details).

If any one of the above signals is received, redundant relay circuitry automatically causes the following actions simultaneously:

a. initiation of reactor building isolation,

b. shutdown of reactor building ventilation system,

c. opening of proper standby gas treatment system isolation valves, and 7.3-71 REV. 13

LSCS-UFSAR

d. startup of both standby gas treatment system equipment trains, causing annunciation of an alarm on the main control board.

The SGTS can also be operated manually from the main control board. When the trains have begun operating, the audible and visual alarms on the main control board warn the operator to shut down one of the trains. Separate handswitches located on the main control board for each of the equipment trains permit manual shutdown of one of the trains within 30 seconds. The isolation dampers in the reactor building ventilation system supply and exhaust ducts are air operated to open and spring return to close. These dampers are specified and tested to ensure maximum 10-second closure time and are operated by air cylinders, with instrument air controlled by an air solenoid valve for each isolation valve. Since the dampers fail closed, air supply is not safety related. On loss of control power or control air, the dampers close, after which a manual reset switch must be activated before they can be opened again. Isolation valves in the standby gas treatment system fail in place on loss of electric power. All controls and instrumentation essential to the operation of the standby gas treatment system are designed to meet IEEE 279 criteria. The instrumentation is independently connected to logic trains that initiate independent and separate signals for system operation to prevent connecting redundant instrumentation trains to a common point. 7.3.8.2.3 Bypasses and Interlocks All the motorized isolation valves pertinent to an SGTS equipment train are interlocked with the operation of the SGTS fan through a relay circuit. The SGTS cooling fan is interlocked not to operate when the SGTS fan is in operation. To protect against overheating, the electric heating coil for relative humidity control is interlocked with the SGTS fan operation. Air flow through each SGTS is controlled automatically with a corresponding modulating valve, and flow is indicated on the main control board. On stopping of the SGTS fan, the SGTS cooling fan is automatically started and the proper isolation valves opened to dissipate the decay heat from the charcoal adsorber. Manual charcoal deluge valves are operated locally. The normally closed manual isolation valves upstream of the solenoid deluge valve, in all cases, require local actions to initiate water flow. The deluge system will spray the adsorber compartment and thereby precluding the chance of an adsorber fire. 7.3-72 REV. 14, APRIL 2002

LSCS-UFSAR 7.3.8.2.4 Redundancy and Diversity Each standby gas treatment unit is automatically initiated by two independent trip logics. To initiate a standby gas treatment unit, both trip logics must be tripped. Instrumentation for each filter train with the system is completely independent of the other. 7.3.8.2.5 Actuated Devices Initiation of the SGTS includes starting of the SGTS fan, energizing the electric heating, and opening the valves on the inlet and outlet sides of the SGTS equipment train. 7.3.8.2.6 Separation The channels and logic circuits are physically and electrically separated to preclude the possibility that a single event can prevent operation of the SGTS. Electrical cables for instrumentation and control on each SGTS equipment train are routed separately. 7.3.8.2.7 Testability Control and logic circuitry used in the controls for the standby gas treatment system can be checked individually by applying test or calibration signals to the sensors and observing trip or control responses. Operation of the isolation valves and fans from manual switches verifies the ability of breakers and damper mechanisms to operate. The automatic control circuitry is designed to restore the standby gas treatment system to normal operation if a fuel-handling or loss-of-coolant accident occurs during a test. 7.3.8.2.8 Environmental Considerations Temperature, pressure, humidity, and radiation dosage are considered in the selection of the various equipment, instrumentation, and controls for the standby gas treatment system. These are described in Section 3.11 and Subsection 6.5.1. 7.3.8.2.9 Operational Considerations During normal plant operations, the standby gas treatment system is operated only in the test mode. The automatic circuitry is designed to restore the standby gas treatment system to normal operation if a signal for initiation of the SGTS is received as described previously in this subsection. 7.3-73 REV. 13

LSCS-UFSAR Each standby gas treatment equipment train is instrumented with local pressure drop indicators measuring differentials across filter banks. Local temperature indicators are provided as shown in Drawing No. M-89. A flow control valve on the inlet to each equipment train limits the airflow rate through the train to design value to permit high filtration efficiencies. This valve is responsive to a flow element and transmitter upstream of the valve. 7.3.8.2.10 Operating Bypasses The standby gas treatment system has no automatic operating bypasses. Manual bypasses are indicated in the control room via the ESF status indication panel as described in Section 7.8. Manual bypasses consist of "racking-out" fan breakers, opening starter feeder breakers at valve motor control centers, shutting isolation valves to instruments and sensors which control the subsystem and other operations meeting the three conditions given in Regulatory Guide 1.47. 7.3.8.2.11 Final System Drawings The final system drawings for the SGTS are shown in electrical schematics and Drawing No. M-89. 7.3.8.3 Analysis The standby gas treatment control system is designed to initiate action that provides timely protection against the consequences of the release of radioactive materials inside the secondary containment following any accident. Chapter 15.0 identifies and evaluates postulated events that can result in the release of fission products due to an accident. The consequences of such an accident are described and evaluated. Because essential variables are monitored by channels arranged for physical and electrical independence, and because a dual trip system arrangement is used to initiate the standby gas treatment system, no single failure, maintenance operation, calibration operation, or test can prevent the system from operating when required. The sensor circuitry and logics used in the standby gas treatment control system are not used in the control of any process system. Malfunction and failures in the controls of process systems thus have no direct effect on the standby gas treatment control system. The various motive power supplies used for the standby gas treatment system logic circuitry and controls provide assurance that the required initiation can be effected in spite of loss of electric power or loss of instrument air. In no case does the loss of 7.3-74 REV. 14, APRIL 2002

LSCS-UFSAR a single power supply prevent initiation of the standby gas treatment system when it is required. All instruments, isolation valves, closing mechanisms, and cables of the standby gas treatment system can operate under the worst environmental conditions associated with postaccident operation. All active components of the SGTS instrumentation and controls can be tested and calibrated during plant operation. All sensors and associated equipment are designed to meet Seismic Category I requirements and are protected from fire, explosion, missiles, lightning, wind, and flood to preclude functional degradation of the system performance. Reactor building ventilation supply and exhaust air duct isolation valves are designed to fail closed, with a closure time not greater than 10 seconds. Inputs to annunciators and indicators are arranged so that no malfunction of the annunciating and indicating devices can functionally disable the system. Direct signals from the standby gas treatment control system sensors are not used as inputs to annunciating or data-logging equipment. Isolation is provided between the primary signal and the information output. All controls for interrupting any part of the system operation are located in the main control room or at a control station which is accessible if conditions may require use of the standby gas treatment system. Any locally located controls have locks to prevent unauthorized operation. All instrumentation and controls essential to the operation of the standby gas treatment system meet IEEE 279 criteria. 7.3.9 RHR/Containment Spray Cooling System Instrumentation and Controls 7.3.9.1 System Description The containment spray cooling system is an operating mode of the residual heat removal system. It is designed to provide the capability of condensing steam in the suppression pool air volume and/or the drywell atmosphere and removing heat from the suppression pool water volume. The system is manually initiated when necessary. The RHR system is shown in P&ID Drawing Nos. M-96 and M-142. 7.3.9.1.1 Power Sources Power for the RHR system pumps is supplied from two a-c buses that can receive standby a-c power. Motive and control power for the two loops of containment spray 7.3-75 REV. 13

LSCS-UFSAR cooling instrumentation and control equipment are the same as that used for LPCI A and LPCI B loops. 7.3.9.1.2 Equipment Design Control and instrumentation for the following equipment is required for this mode of operation:

a. two RHR main system pumps,

b. pump suction valves, and

c. containment spray discharge valves.

Sensors needed for operation of the equipment are drywell pressure switches. The instrumentation for containment spray cooling operation assures that water will be routed from the suppression pool to the containment spray system for use in the drywell and/or wetwell air volumes. Containment spray operation uses two pump loops, each loop with its own separate discharge valve. All components pertinent to containment spray cooling operation are located outside of the drywell. The system can be operated such that the spray can be directed to the drywell and/or the wetwell air volume. The containment spray cooling system is manually initiated from the main control room when a LOCA signal exists such that drywell pressure is above the setpoint and the injection valve is fully closed thus allowing the operator to act. 7.3.9.1.3 Initiating Circuits Containment Spray A Drywell pressure (permissive for manual initiation) is monitored by two absolute pressure switches mounted in instrument racks outside the primary containment. Cables from these switches are routed to the control room relay logic cabinets. The two drywell pressure switches are electrically connected so that no single sensor failure can prevent initiation of containment spray A. Containment Spray B Initiation of containment spray B is identical to that of "A". 7.3-76 REV. 13

LSCS-UFSAR 7.3.9.1.4 Logic and Sequencing The operating sequence of containment spray following receipt of the necessary initiating signals is as follows:

a. The LPCI system pumps continue to operate.

b. Valves in other RHR modes are manually positioned or remain as positioned during LPCI.

c. The RHR service water pumps are started manually.

d. RHR service water discharge valves to the RHR heat exchanger are opened manually.

The containment spray system will continue to operate until the operator closes containment spray injection valves. The operator can then initiate another mode of RHR. 7.3.9.1.5 Bypasses and Interlocks No bypasses are provided for the containment spray system. 7.3.9.1.6 Redundancy and Diversity Redundancy is provided for the containment spray function by two separated divisional loops. Redundancy and diversity of initiation permissive sensors is described in Subsection 7.3.9.1.3. 7.3.9.1.7 Actuated Devices The RHR A and RHR B loops are used for containment spray. Therefore, the pump and valves are the same for LPCI and containment spray function except that each has its own discharge valve. See Subsection 7.3.1.2.4.6 for specific information. 7.3.9.1.8 Electrical Separation Containment spray is a Division 1 (RHR A) and a Division 2 (RHR B) system. Manual controls, logic circuits, cabling, and instrumentation for containment spray are mounted so that Division 1 and Division 2 separation is maintained. 7.3.9.1.9 Testability The containment spray system is capable of being tested up to the last discharge valve during normal operation. Other control equipment is functionally tested during manual testing of each loop. Adequate indication in the form of panel lamps and annunciators are provided in the control room. 7.3-77 REV. 13

LSCS-UFSAR Testing for functional operability of the control logic relays can be accomplished by use of plug-in test jacks and switches in conjunction with single sensor tests. 7.3.9.1.10 Environmental Considerations Refer to Section 3.11. 7.3.9.1.11 Operational Considerations 7.3.9.1.11.1 General Information Containment spray is a mode of the RHR and is not required during normal operation. 7.3.9.1.11.2 Reactor Operator Information Sufficient temperature, flow, pressure, and valve position indications are available in the control room for the operator to accurately assess containment spray operation. Alarms and indications are shown in Drawing Nos. M-96 and M-142. 7.3.9.1.11.3 Setpoints The suppression pool containment spray cooling system is manually operated. 7.3.9.2. Analysis 7.3.9.2.1 General Functional Requirement Conformance When the RHR system is in the containment spray cooling mode, the pumps take suction from the suppression pool, pass it through the RHR heat exchangers, and either return it to the suppression pool or inject it into the wetwell atmosphere. The hydrogen recombining function of the hydrogen recombiners is abandoned in place. The valves that provide RHR cooling water to the hydrogen recombiners are also abandoned in place in the closed position. The following information for this function remains for historical reference. In the event the hydrogen recombiners are required to limit hydrogen concentration in the drywell, the RHR system provides water to the water-spray cooler in the recombiner to cool hot gases and condense the water vapor exiting the recombiner reaction chamber. The interface between the hydrogen recombiners and RHR system is described in subsection 6.2.5. Initiation of the containment spray mode of the RHR system is described in Subsection 7.3.9.1.3. 7.3.9.2.2 Conformance to Industry Codes and Standards Refer to 7.A.3.4. 7.3-78 REV. 17, APRIL 2008

LSCS-UFSAR TABLE 7.3-1 (SHEET 1 OF 2) ECCS INSTRUMENTATION LIMITS DESIGN-FUNCTIONAL UNIT TRIP ALLOWABLE ANALYTIC OR ACCURACY CALIBRATION BASIS DEVICE Note 1 SETPOINT VALUE DESIGN-BASIS Note 2 Note 2 ALLOWABLE RANGE Note 2 Note 3 LIMIT Note 2 (1) Reactor Water Level >-97.9 -150/0/+60 in.

          -Low, Level #2                                   Note 4                                              Note 4 (2)  Drywell Pressure - High                             <2.0 psig                                           0.2-6.0 psi (3)    Reactor Water Level                                Note 2                                              0-60 in.
           -High, Level 8                                 Note 4                                               Note 4 Note 4 (4) HPCS Discharge Pressure -

High (Bypass) 20-180 psig (5) HPCS System Flow Rate - Note 2 Note 2 Low (Bypass) (6) Drywell Pressure - High <2.0 psig 0.2-6.0 psi (7) Reactor Water Level >-161.5 in. -150/0/160 in.

          -Low, Level #1                                  Note 4                                               Note 4 (8)         ADS Timer                                  <120 seconds                                         40-120 sec.

(9) Reactor Water Level - Low, Note 2 0-60 in. Level 3 (confirmatory) Note 4 Note 4 Note 4 (10) ADS Drywell Pressure Note 2 Bypasss Timer 1-30 min. (11) LPCS Pump Discharge > 125 psig 10-340 psig TABLE 7.3-1 REV. 16, APRIL 2006

LSCS-UFSAR TABLE 7.3-1 (SHEET 2 OF 2) ECCS INSTRUMENTATION LIMITS DESIGN-FUNCTIONAL UNIT TRIP ALLOWABLE ANALYTIC OR ACCURACY CALIBRATION BASIS DEVICE Note 1 SETPOINT VALUE DESIGN-BASIS Note 2 Note 2 ALLOWABLE RANGE Note 2 Note 3 LIMIT Note 2 (12) RHR (I.PCI Mode) Pump >100 psig 10-20 psig Discharge Pressure -High (Permissive) (13) Reactor Vessel Water Level >-161.5 in. -150/0/160 Note 4 in. Note 4 (14) Reactor Low Pressure >450 psig 0-1200 psig Interlock, Injection Valve <550 psig (15) Drywell Pressure - High <2.0 psig 0.2-6.0 psi (16) LPCS Pump Discharge Note 2 Note 2 Flow - Low (Bypass) (17) Drywell Pressure - High <2.0 psig 0.2-6.0 psi (18) Reactor Vessel Water Level >-161.5 in. -150/0/160

             -Low, Level #1                                                    Note 4                                                                     in.

Note 4 (19) Reactor Low Pressure >450 psig Interlock <550 psig 0-1200 psig (20) LPCI Pump A and B Start Note 2 1.5-15 sec.

          -Time Delay Relays (1/Pump)

(21) LPCI Pump Discharge Note 2 Note 2 Flow- Low (Bypass) (1/Pump) Notes:

1. The differential pressure sensors (level switches and P transmitters) are designed for one side pressurization capability of up to 2000 psig without damage to diaphragms.

2. For Trip Setpoints, Analytic or Design Basis Limit, Accuracy, Calibration, and Design-Basis Allowance, refer to the applicable calculation, listed in Appendix D of Technical Requirements Manual.

3. See Technical Specifications for Allowable Values.

4. All reactor water levels are referenced to instrument zero at 527.6. Vessel Zero is the inside bottom of the RPV at centerline.

TABLE 7.3-1 REV. 16, APRIL 2006

LSCS - UFSAR TABLE 7.3-2 (SHEET 1 OF 3) PRIMARY CONTAINMENT, SECONDARY CONTAINMENT AND REACTOR VESSEL ISOLATION ACTUATION INSTRUMENT UNITS FUNCTIONAL UNIT TRIP SETPOINT ALLOWABLE ANALYTIC OR ACCURACY CALIBRATION DESIGN-BASIS DEVICE Note 1 Note 2 VALUE DESIGN-BASIS Not e 2 Note 2 ALLOWABLE RANGE Note 3 LIMIT Note 2 Reactor Core Isolation Cooling (1) RCIC Steamline Flow - High <300% 300/0/+300 in. (< 191 in. wtr.) (1a) RCIC Steam Line Flow - Timer Note 2 Note 2 (2) RCIC Steam Supply Pressure -Low DB 10-240 psig (3) RCIC Pipe Routing Area Note 5 50-350°F Temperature - High (4) RCIC Pipe Routing Area !Temperature - Note 5 0-150°F High (5) RCIC Turbine Exhaust DB 05-80 psig Diaphragm Pressure - High (6) RCIC Equipment Room /Note 5 50-350°F Temperature - High (7) RCIC Equipment /Note 5 0-150°F

    !Temperature - High (7a) Drywell Pressure - High                                                    <2.0 psig                                           0.2 - 6 psig Shutdown Cooling Isolation (8)  Reactor Vessel Water                                                        <7.5 in                                              0-60 in.

Level - Low, Level #3 Note 4 Note 4 TABLE 7.3-2 REV. 16, APRIL 2006

LSCS - UFSAR TABLE 7.3-2 (SHEET 2 OF 3) FUNCTIONAL UNIT TRIP SETPOINT ALLOWABLE ANALYTIC OR ACCURACY CALIBRATION DESIGN-BASIS DEVICE Note 1 Note 2 VALUE DESIGN-BASIS Note 2 Note 2 ALLOWABLE RANGE Note 3 LIMIT Note 2 (9) Reactor Steam Dome Loop A <161 psig 10.0-240 psig Pressure - High Loop B <161 psig 0-500 psig Reactor Water Cleanup System (10) !Flow - High <104.5 gpm 1-100 gpm (10a) Differential Flow - Timer Note 2 (11) Pump and Valve Area Temperature -High Note 5 50-350°F (12) Pump Area Ventilation Temp. !T-High Note 5 0-150°F (12a) Hx Equipment Area Temperature - High 50-350°F (12b) Hx Equipment Area !T - High 0-150°F (12c) Holdup Pipe Area Temperature - High 50-350°F (12d) Holdup Pipe Area !T - High 0-150°F (12e) F/D Valve Area Temperature - High 50-350°F (12f) F/D Valve Area !T - High 0-150°F (12g) Flow - High

                                                                                 >-70 in.                                       -150/0/+60 in.

(13) Reactor Vessel Water Level - Low, Level #2 Note 4 Note 4 Residual Heat Removal (14) RHR Flow - High <201 in. wtr. -10/0/+15 psid. TABLE 7.3-2 REV. 16, APRIL 2006

LSCS - UFSAR TABLE 7.3-2 (SHEET 3 OF 3) FUNCTIONAL UNIT TRIP SETPOINT ALLOWABLE ANALYTIC OR ACCURACY CALIBRATION DESIGN-BASIS DEVICE VALUE DESIGN-BASIS ALLOWABLE RANGE Note 1 Note 2 LIMIT Note 2 Note 2 Note 3 Note 2 Primary Containment

                                                                                                          >7.5 in.                                                                          0-60 in.

(15) Reactor Vessel Water Level Note 4 Note 4 Low, Level #3

                                                                                                          >-70 in.                                                                       -150/0/60 in.

(16) Reactor Vessel Water Level Low, Level #2 Note 4 Note 4

                                                                                                         >-149 in.                                                                       -150/0/60 in.

(17) Reactor Vessel Water Level Note 4 Note 4 Low, Level #1 (18) Drywell Pressure - High <2.0 psig 0.2-6.0 psi (19) Main Steamline Pressure - Low >820 psig Note 2 (20) Main Steamline Flow - High <123 psid ** (21) Deleted (22) Main Steamline !Temperature - High Note 5 0.0-150°F (23) Condenser Vacuum - Low 0.8-29.2 in. Hg (23a) Reactor Building Ventilation Note 2 0.01-100 mR/hr Exhaust Radiation - High (23b) Secondary Containment (24) Reactor Building Exhaust Rad - High 0.01-100 mR/hr (25) Drywell Pressure - High <2.0 psig 0.2-6.0 psi

                                                                                                          >-70 in.                                                                      -150 to 60 in.

(26) Reactor Vessel Water Level Low, Level #2 Note 4 Note 4 (27) Fuel Pool Vent Exhaust Rad - High Note 2 0.01-100 Mr/hr Notes:

1. The differential pressure sensors (level switches and P transmitters) are designed for one side pressurization capability of up to 2000 psig without damage to diaphragms.

2. For Trip Setpoints, Analytic or Design - Basis Limit, Accuracy, Calibration, and Design-Basis Allowance, refer to the applicable calculation, listed in Appendix D of Technical Requirements Manual (TRM).

3. See Technical Specifications or TRM, as applicable for Allowable Values.

4. All reactor water levels are referenced to instrument zero at 527.6. Vessel Zero is the inside bottom of the RPV at centerline

5. During preoperational testing, the trip setpoints were set at 40°F above space ambient temperature. Final setpoints were established based upon operational data after calibration of detectors and module TABLE 7.3-2 REV. 23, APRIL 2018

LSCS - UFSAR TABLE 7.3-3 PROCESS RADIATION MONITORING SYSTEMS CHARACTERISTICS INSTRUMEN T SCALE CHANNEL MONITORING (DECADE TRIP PER DOWNSCAL EXPECTED SUBSYSTEM INSTRUMENT RANGE* LOG): UPSCALE E SENSITIVITY Main Steamline 1 to 106 mR/h 6 2 1 See Table 11.5-2 Air ejector off-gas (pretreat) 1 to 106 mR/h 6 1 1 (posttreat) 0.01 to 106 counts/sec** 5 3 1 Process liquid 10 to 106 counts/min** 5 1 1 Carbon bed vault 1.0 to 106 mR/h 6 1 1 Secondary Containment (Rx 0.01 to 100 mR/h 4 1 1 Bldg Exhaust Plenum) Secondary Containment 0.01 to 100 mR/h 4 1 1 (Refuel Exhaust) Range or measurements depends on items such as source geometry, background radiation, shielding, energy levels, and method of sampling.

• • Readout depends on the pulse height discriminator setting.

TABLE 7.3-3 REV. 0 - APRIL 1984

This page intentionally left blank. TABLE 7.3-4

LSCS - UFSAR TABLE 7.3-5 SHEET 1 OF 2 CONTROL ROD BLOCK INSTRUMENTATION LIMITS FUNCTIONAL UNIT TRIP ALLOWABLE VALUE ANALYTIC OR ACCURACY CALIBRATION DESIGN-BASIS DEVICE SETPOINT Note 2 DESIGN-BASIS Note 1 Note 1 ALLOWANCE RANGE Note 1 LIMIT Note 1 Average Power Range Monitor (1) Neutron Flux - Upscale DB NA (flow referenced) (2) Neutron Flux - Downscale DB NA (3) Neutron Flux - Upscale DB NA (Not Run Mode) Rod Block Monitor (4) Upscale <114% NA (5) Downscale DB NA Source Range Monitors (6) Upscale DB 10-1-106 cps (7) Downscale DB Intermediate Range Monitor (8) Upscale DB 2% to (9) Downscale DB Full Scale (10) Rod Worth Minimizer N/A N/A (11) Scram Discharge Volume N/A Water Level - High TABLE 7.3-5 REV. 16, APRIL 2006

LSCS - UFSAR TABLE 7.3-5 SHEET 2 OF 2 CONTROL ROD BLOCK INSTRUMENTATION LIMITS TRIP ALLOWABLE VALUE ANALYTIC OR ACCURACY CALIBRATION DESIGN-BASIS DEVICE FUNCTIONAL UNIT SETPOINT Note 2 DESIGN-BASIS Note 1 Note 1 ALLOWANCE RANGE Note 1 LIMIT Note 1 (12) Recirculation Flow Unit - 0-100% Upscale (13) Recirculation Flow Unit - 0-100% Comparator Notes:

1. For Trip Setpoints, Accuracy, Calibration, and Design-Basis Allowance, refer to the applicable calculation, listed in Appendix D of Technical Requirements Manual (TRM).

2. See Technical Specifications or TRM, as applicable for Allowable Values.

3. Deleted TABLE 7.3-5 REV. 16, APRIL 2006

LSCS - UFSAR TABLE 7.3-6 TRIP CHANNEL REQUIRED FOR PRIMARY CONTAINMENT AND REACTOR VESSEL ISOLATION CONTROL SYSTEM* TRIP CHANNEL DESCRIPTION NORMAL MINIMUM Reactor vessel low water level (first 2 2 setting) Reactor vessel low water level (second) 2 2 setting) Reactor vessel low water level (third 2 2 setting) Main steamline space high temperature 2 temp 2 temp 2 differential temp 2 differential temp Main steamline high flow 8 8 Main steamline low pressure 2 2 Drywell high pressure 2 2 Reactor building ventilation exhaust 2 2 high radiation Fuel pool ventilation exhaust high radiation 2 2 Main condenser low vacuum 2 2 This table shows the normal and minimum number of trip channels required for the functional performance of the containment and reactor vessel isolation control system. The "normal" column lists the normal number of trip channels per trip system. The "minimum" column lists the minimum number of trip channels per untripped trip system required to maintain functional performance.

• • For operational specifics, see the Technical Specifications.

TABLE 7.3-6 REV. 14, APRIL 2002

LSCS - UFSAR TABLE 7.3-7 TRIP CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE OF HPCS SYSTEM (This table shows in the right-hand column the minimum number of operable trip channels required to maintain functional performance of the HPCS system.) MINIMUM COMPONENT TRIP CHANNEL INSTRUMENT CHANNELS OPERABLE AFFECTED PROVIDED* CHANNELS** HPCS system Reactor vessel low Differential 4/trip system 2/untripped initiation water level - level 2 Pressure parallel pair Transmitter HPCS system Drywell high Pressure switch 4/trip system 2/untripped initiation pressure parallel pair1

• For operational specifics, see Technical Specifications.
  • The Minimum Operable Channels column lists the minimum number of trip channels per untripped trip system required to maintain functional performance.

TABLE 7.3-7 REV. 15, APRIL 2004

LSCS - UFSAR TABLE 7.3-8 TRIP CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE OF AUTOMATIC DEPRESSURIZATION SYSTEM (This table shows in the right-hand column the minimum number of trip channels required to maintain functional performance of the automatic depressurization system.) INITIATING FUNCTION INSTRUMENT CHANNELS MINIMUM PROVIDED 1 CHANNELS 1, 2 Reactor Vessel Low Water Differential 2/Trip System 2/Trip System Level - level 1 Pressure Transmitter Reactor Vessel Low Water Differential 1/Trip System 1/Trip System Level - Level 3 Pressure Transmitter Drywell High Pressure Pressure Switch 2/Trip System 2/Trip System LPCI/LPCS Permissive Pressure Switch 4/Trip System 4/Trip System Time Delay (Initiation) Timer 1/Trip System l/Trip System Time Delay (Hi Drywell Timer 2/Trip System 2/Trip System Pressure Bypass) 1 For operational specifics, see the Technical Specifications. 2 The Minimum Channels column lists the minimum number of trip channels per untripped trip system required to maintain functional performance. TABLE 7.3-8 REV. 14 - APRIL 2002

LSCS - UFSAR TABLE 7.3-9 TRIP CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE OF LPCI "B" AND "C" (This table shows in the right-hand column the minimum number of trip channels required to maintain functional performance of the LPCI function for the B and C loops). COMPONENT TRIP CHANNEL INSTRUMENT CHANNELS MINIMUM AFFECTED PROVIDED1 CHANNELS1, 2 LPCI initiation (B Reactor vessel Differential 2/trip 2/untripped and C loops) low water level Pressure system parallel pair Transmitter LPCI initiation (B Drywell high Pressure switch 2/trip 2/untripped and C loops) pressure system parallel pair Minimum flow LPCI pumps Flow switch 1/pump 1/pump bypass valves (B discharge low and C loops) flow LPCI injection Valve pressure Injection line 1/valve 1/valve valves (B and C interlock pressure switch loops) LPCI injection RPV low Reactor pressure 2/valve 1/valve valves (B and C pressure switch loops) interlock 1 For operational specifics, see the Technical Specifications. 2 The Minimum Channels column lists the minimum number of trip channels per untripped trip system required to maintain functional performance. TABLE 7.3-9 REV. 14 - APRIL 2002

LSCS - UFSAR TABLE 7.3-10 TRIP CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE OF LPCS SYSTEM AND LPCI "A" (This table shows in the right-hand column the minimum number of trip channels required to maintain functional performance of the LPCS system and LPCI "A".) COMPONENT TRIP CHANNEL INSTRUMENT CHANNELS MINIMUM AFFECTED PROVIDED 1 CHANNELS 1 LPCS and LPCI Reactor vessel Differential 2/trip system 2/untripped A water level Pressure parallel pair initiation Transmitter LPCS and LPCI Drywell high Pressure 2/trip system 2/untripped A pressure switch parallel pair initiation Minimum flow LPCS/LPCI A Flow switch 1 pump 1 pump bypass pumps discharge valve(LPCS low flow and LPCI A) LPCS injection Valve pressure Injection line 1/valve 1/valve valve interlock pressure switch LPCS/LPCI A RPV low Reactor pressure 2/valve 1/valve injection pressure switch valve interlock LPCI A injection Valve pressure Injection line 1/valve 1/valve valve interlock pressure switch 1 For operational specifics, see the Technical Specifications. 2 The Minimum Channels column lists the minimum number of trip channels per untripped trip system required to maintain functional performance. TABLE 7.3-10 REV. 14 - APRIL 2002

LSCS - UFSAR TABLE 7.3-11 INSTRUMENT SPECIFICATIONS FOR PRIMARY CONTAINMENT AND REACTOR VESSEL ISOLATION CONTROL SYSTEM MONITORING INSTRUME INSTRUMEN TRIPS CHANNEL SUBSYSTEM NT RANGE T SCALE PER DOWNSCA (DECADE UPSCAL LE LOG) E Secondary Containment 0.01 to 100 4 1 1 (Rx Bldg Exhaust mR/h Plenum) Secondary Containment 0.01 to 100 4 1 1 (Refuel Exhaust) mR/h TABLE 7.3-11 REV. 13

LSCS-UFSAR 7.4 Systems Required for Safe Shutdown 7.4.1 Reactor Core Isolation Cooling System Instrumentation and Controls 7.4.1.1 Design Bases The RCIC system is not a safety system, hence it has no safety design bases. RCIC is considered a safe shutdown system rather than an emergency core cooling system. RCIC instrumentation and controls are designed to meet the requirements listed in Table 7.1-2 with exceptions as described in Attachment 7.A.4.1. The RCIC system functional design bases are as follows:

a. The system is capable of maintaining sufficient coolant in the reactor vessel in case of an isolation with a loss of main feedwater flow.

b. Provisions are made for automatic and remote manual operation of the system.

c. Components of the RCIC system are designed to satisfy Seismic Category I design requirements.

d. To provide a high degree of assurance that the system shall operate when necessary, the power supply for the system is from immediately available energy sources of high reliability.

e. To provide a high degree of assurance that the system shall operate when necessary, provision is made that periodic testing can be performed during unit operation.

7.4.1.2 System Description The reactor core isolation cooling system consists of a turbine, pump, piping, valves, accessories, and instrumentation designed to add water inventory to the reactor vessel thus assuring continuity of core cooling. Reactor vessel water is maintained or supplemented by the RCIC during the following conditions:

a. Should the reactor vessel be isolated and yet maintained in the hot standby condition.

b. Should the reactor vessel by isolated and accompanied by a loss of normal coolant flow from the reactor feedwater system.

7.4-1 REV. 13

LSCS-UFSAR

c. Should a complete plant shutdown under conditions of loss of normal feedwater system be started before the reactor is depressurized to a level where the reactor shutdown cooling mode of the RHR system can be placed into operation.

Electrical modules for the RCIC system are classified as Safety Class 2 and Seismic Category I. 7.4.1.2.1 Power Sources RCIC logic are powered from Division 1 and Division 2 125-Vdc. All valves are powered from 250-Vdc Bus 121/221Y, except the following: Inboard isolation valves E51-F063 and E51-F076 are powered from 480-Vac MCC Bus 136Y-2/236Y-2 and outboard isolation valve E51-F008 is powered from 480-Vac MCC, Bus 135X-1/235X-1. 7.4.1.2.2 Equipment Design When actuated, the RCIC system pumps water from either the condensate storage tank or the suppression pool to the reactor vessel. The RCIC system includes one turbine-driven pump, one barometric condenser with a d-c vacuum pump, one vacuum d-c condensate pump, automatic valves, control devices for this equipment, sensors, and logic circuitry. The arrangement of equipment and control devices is shown in Drawing Nos. M-101 and M-147. Pressure switches and level transmitters used in the RCIC system are located on instrument panels outside the drywell. The only operating components of the RCIC system that are located inside the drywell are one of the steamline isolation valves, the steamline warmup line isolation valve, and one of the two testable check valves on the pump discharge line. The inboard and outboard isolation valves are common to both the steamline feeding the RHR heat exchanger line and the steamline feeding the RCIC turbine. The rest of the RCIC system control and instrumentation components are located in the reactor building. Cables connect the sensors to control circuitry in the main control room. Although the system is arranged to allow a full flow functional test of the system during normal reactor power operation, the test controls are arranged so that the system can operate automatically to fulfill its safety function regardless of the test being conducted. 7.4-2 REV. 14, APRIL 2002

LSCS-UFSAR 7.4.1.2.3 Initiating Circuits Reactor vessel low water level is monitored by an analog trip system consisting of four differential pressure transmitters and trip units. The transmitters measure the difference in water column heads between a static leg, which senses the constant head reference column created by a condensing chamber, and a variable leg, which senses actual water level changes in the vessel. The transmitters send an analog input signal to the trip units which are located in the relay logic cabinets. The pipelines for the transmitters are physically separated from each other and tap off the reactor vessel at widely separated points. The RCIC system is initiated only by low water level in a one-out-of-two twice logic. The RCIC system is initiated automatically following a short time delay (not to exceed 3.0 seconds) after the receipt of a reactor vessel low water level signal and produces the design flow rate within 30 seconds. The controls then function to provide design makeup water flow to the reactor vessel until the amount of water delivered to the reactor vessel is adequate to restore vessel level, at which time the RCIC system automatically shuts down. The controls are arranged to allow remote-manual startup, operation, and shutdown. The RCIC turbine governor limits the turbine speed and adjusts the turbine steam control valve so that design pump discharge flow rate is obtained. The flow signal used for automatic control of the turbine is derived from a differential pressure measurement across a flow element in the RCIC system pump discharge line. 7.4.1.2.3.1 Shutdown Initiation The turbine is automatically shut down by closing the turbine trip and throttle valve if any of the following conditions are detected:

a. turbine overspeed,

b. high turbine exhaust pressure,

c. RCIC isolation signal from logic "A" or "B",

d. low pump suction pressure, and

e. manual trip actuated by the operator.

Turbine overspeed indicates a malfunction of the turbine control mechanism. High turbine exhaust pressure indicates a condition that threatens the physical integrity of the exhaust line. Low pump suction pressure warns that cavitation and lack of cooling can cause damage to the pump which could place it out of service. A turbine 7.4-3 REV. 13

LSCS-UFSAR trip is initiated for these conditions so that if the causes of the abnormal conditions can be found and corrected, the system can be quickly restored to service. The trip settings are selected far enough from normal values so that a spurious turbine trip is unlikely, but not so far that damage occurs before the turbine is shut down. Turbine overspeed is detected by a standard turbine overspeed mechanical device. Two pressure switches are used to detect high turbine exhaust pressure; either switch can initiate turbine shutdown. One pressure switch is used to detect low RCIC system pump suction pressure. High water level in the reactor vessel indicates that the RCIC system has performed satisfactorily in providing makeup water to the reactor vessel. Further increase in level could result in RCIC system turbine damage caused by gross carry-over of moisture. To prevent this, a high water level trip is used to initiate closure of steam supply valve, to shut off the steam to the turbine, and to halt RCIC operation. The system will automatically reinitiate if the water level decreases to the reactor low water level trip setpoint. Two level transmitters/trip units that sense differential pressure are arranged to require that both instrument channels must trip to initiate a turbine shutdown. 7.4.1.2.4 Bypasses and Interlocks To prevent the turbine pump from being damaged by overheating at reduced RCIC pump discharge flow, a pump discharge bypass is provided to route the water discharged from the pump back to the suppression pool. The bypass is controlled by an automatic, d-c motor-operated valve. At RCIC high flow, this valve is closed; conversely, at low flow, the valve is opened. A flow switch that measures the pressure difference across a flow element in the RCIC pump discharge pipeline provides the signals. To prevent the RCIC steam supply pipeline from filling up with water and cooling excessively, a condensate drain pot, steamline drain, and appropriate valves are provided in a drain pipeline arrangement just upstream of the turbine supply valve. The controls position valves so that during normal operation, steamline drainage is routed to the main condenser. Upon receipt of an RCIC initiation signal, the drainage path is isolated. The water level in the steamline drain condensate pot is controlled by a level switch and a direct acting solenoid valve which energizes to allow condensate to flow out of the drain pot. There are two test modes of operation. During Test Mode 1, the RCIC pump takes suction from the condensate storage tank and the RCIC pump discharge is routed to the condensate storage tank. Two d-c motor-operated valves are installed in the pump discharge to condensate storage tank pipeline. The piping arrangement is shown in Drawing Nos. M-101-2 and M-147-2. Upon receipt of an RCIC initiation signal, the valves close and remain closed. The pump suction and discharge to condensate storage tank valves are interlocked closed if the suppression pool 7.4-4 REV. 13

LSCS-UFSAR suction valve is fully open. The suppression pool suction valve auto-opens on a low level signal in the CST. Numerous indications pertinent to the operation and condition of the RCIC are available to the control room operator. Drawing Nos. M-101 and M-147 show the various indications provided. During Test Mode 2, the RCIC pump takes suction from the suppression pool and the RCIC pump discharge is routed to the suppression pool. One d-c motor-operated valve and two manual gate valves are installed in the pump discharge to the suppression pool. The piping arrangement is shown in drawings M-101-2 and M-147-2. 7.4.1.2.5 Redundancy The RCIC is actuated by reactor low water level. Four level sensors in a one-out-of-two twice circuit supply this signal. 7.4.1.2.6 Actuated Devices All automatic valves in the RCIC are equipped with remote-manual test capability, so that the entire system can be operated from the control room. All required components of the RCIC controls operate independently of a-c power. To assure that the RCIC can be brought to design flow rate within 30 seconds from the receipt of the initiation signal, the following maximum operating times for essential RCIC valves are provided by the valve operation mechanisms: RCIC turbine steam supply valve 15 seconds RCIC pump discharge valves 15 seconds RCIC pump minimum flow bypass valve 7 seconds The operating time is the time required for the valve to travel from the fully closed to the fully open position, or vice versa. The two RCIC steam supply line isolation valves are normally open and they are intended to isolate the RCIC steamline in the event of a break in that line. A normally closed d-c motor-operated valve is located in the turbine steam supply pipeline just upstream of the turbine stop valve. Upon receipt of an RCIC initiation signal this valve opens and remains open until closed by operator action from the control room. Two normally open isolation valves provided in the steam supply line to the turbine are controlled by a-c motors. These valves are normally open. The valves automatically close upon receipt of an RCIC isolation signal. The steamline warmup line isolation valve is also controlled by an a-c motor and will close automatically upon receipt of an RCIC isolation signal. 7.4-5 REV. 13

LSCS-UFSAR The instrumentation for isolation consists of the following: Outboard RCIC Turbine Isolation Valve

a. differential temperature switches-RHR (Unit 2) and RCIC equipment area ventilation air inlet and outlet high temperature;

b. ambient temperature switches-RHR (Unit 2) and RCIC equipment area high temperature;

c. differential temperature switch-RCIC pipe routing area ventilation air inlet and outlet high temperature;

d. ambient temperature switch-RCIC pipe routing area high temperature;

e. differential pressure switches-RCIC or RHR/RCIC steamline high flow;

f. two pressure switches-RCIC turbine exhaust diaphragm high pressure, both switches must activate to isolate;

g. pressure switch-RCIC steam supply pressure low; and

h. manual isolation if the system has been initiated.

Inboard Valve Isolation Valve

a. A similar set of instrumentation causes the inboard valve to isolate except for the manual isolation feature.

Two pump suction valves are provided in the RCIC system. One valve lines up pump suction from the condensate storage tank, the other one from the suppression pool. The condensate storage tank is the preferred source. Both valves are operated by d-c motors. Upon receipt of an RCIC initiation signal, the condensate storage tank suction valve automatically opens. When the water level in the condensate storage tank falls below a predetermined level, suction is automatically switched over to the suppression pool. Low water level signal causes the suppression pool suction valve to open, which in turn causes the valve from the condensate storage tank to close. 7.4-6 REV. 13

LSCS-UFSAR One d-c motor-operated RCIC pump discharge valve is provided in the pump discharge pipeline. This valve is arranged to open upon receipt of the RCIC initiation signal and closes automatically upon receipt of a turbine trip signal. 7.4.1.2.7 Separation As in the emergency core cooling system, the RCIC system is separated into divisions designated 1 and 2, for both Units 1 and 2. The RCIC is a Division 1 system, but the inside steamline isolation valve, the steamline warmup line isolation valve, and the inside vacuum breaker isolation valve are in Division 2; therefore, part of the RCIC logic is treated as Division 2. The inboard and outboard steam supply line isolation valve and the steamline warmup line isolation valve are a-c powered valves. The rest of the valves are d-c powered valves. RCIC logic relays, instruments and manual controls are mounted so that separation from Division 2 is maintained. 7.4.1.2.8 Testability The RCIC may be tested to design flow during normal plant operation. During Test Mode 1, water is drawn from the condensate storage tank and discharged through a full flow test return line to the condensate storage tank. During Test Mode 2, water is drawn from the suppression pool and discharged through a full flow test return line to the suppression pool. The discharge valve from the pump to the RPV line remains closed during both test modes and reactor operation remains undisturbed. Design of the control system is such that the RCIC system returns to the operating mode from test if system initiation is required. 7.4.1.2.9 Environmental Considerations The only RCIC/RHR control components located inside the drywell that must remain functional in the environment resulting from a loss-of-coolant accident are the control mechanisms for the inside isolation valve and the steamline warmup line isolation valve. The RCIC control and instrumentation equipment located outside the drywell is selected in consideration of the environments in which it must operate. Level sensing instrumentation used as the initiation for RCIC is discussed in Subsection 7.3.1. 7.4.1.2.10 Operational Considerations General Information Core cooling is required in the event the reactor becomes isolated during normal operation from the main condensers by a closure of the main steamline isolation 7.4-7 REV. 13

LSCS-UFSAR valves. Cooling is necessary due to the core fission product decay heat. Steam is vented through the pressure relief/safety valves to the suppression pool. The RCIC system maintains reactor water level by providing the makeup water. Initiation and control are automatic. Operator Information The following indications are provided in the control room for operator information. Analog Indication

a. RCIC turbine-inlet pressure,

b. RCIC turbine-outlet pressure,

c. RCIC pump-suction pressure,

d. RCIC pump-discharge pressure,

e. RCIC pump-discharge flow,

f. RCIC turbine-turbine speed,

g. status by indicating lamps,

h. position of all motor-operated valves,

i. position of all solenoid-operated valves,

j. turbine trip solenoid energized or deenergized,

k. status of all sealed-in circuits, and

l. pump status.

Annunciators

a. Annunciators are provided as shown in the RCIC system P&ID, Drawing Nos. M-101 and M-147.

Setpoints Instrument limits for the RCIC system controls and instrumentation are listed in Table 7.4-1. 7.4-8 REV. 14, APRIL 2002

LSCS-UFSAR The reactor vessel low water level setting for RCIC system initiation is selected high enough above the active fuel to start the RCIC system in time to prevent the core from uncovering. The water level setting is far enough below normal levels that spurious RCIC system startups are avoided. 7.4.1.3 Analysis The following are analyses which show how the RCIC system satisfies the design bases listed in Subsections 7.4.1.1 and 7.4.1.2. 7.4.1.3.1 General Functional Requirement Conformance For events other than pipe breaks, the RCIC system has a makeup capacity sufficient to prevent the reactor vessel water level from decreasing to the level where the core is uncovered. To provide a high degree of assurance that the RCIC system will operate when necessary and in time to provide adequate inventory makeup, the power supply for the system is taken from energy sources of high reliability. Evaluation of instrumentation reliability for the RCIC system shows that no failure of a single initiating sensor can either prevent or falsely start the system. A design flow functional test of the RCIC system can be performed during plant operation by taking suction from the demineralized water in the condensate storage tank and discharging it through the full flow test return line back to the condensate storage tank. A design flow functional test of the RCIC system can also be performed during plant operation by taking suction from the suppression pool and discharging through the full flow test return line back to the suppression pool. During this test, the discharge valve to the reactor vessel remains closed, and reactor operation is not disturbed. The control system design provides automatic return from the test mode to the operating mode if system initiation is required during testing. 7.4.1.3.2 Specific Requirement Conformance Refer to 7.A.4.1. 7.4.1.3.3 10 CFR 50 Appendix A 10 CFR 50 Appendix A Requirements

a. Criterion 13 - Reference Subsections 7.4.1.2.3, 7.4.1.2.4, and 7.4.1.2.5;

b. Criterion 20 - Reference Subsection 7.4.1.2.7; 7.4-9 REV. 13

LSCS-UFSAR

c. Criterion 21 - Reference Subsection 7.4.1.2.8;

d. Criterion 22 - Reference Subsection 7.4.1.2.6;

e. Criterion 29 - Reference Subsection 7.4.1.2.10;

f. Criterion 34 - Reference Subsection 7.4.1.2.2;

g. Criterion 37 - Reference Subsection 7.4.1.2.8; 7.4.1.3.4 NRC Regulatory Guides Refer to Appendix B.

7.4.2. Standby Liquid Control (SBLC) System Instrumentation and Controls 7.4.2.1 Design Bases In accord with its safety design basis, this system is capable of shutting the reactor down from full power to cold shutdown and maintaining the reactor in a subcritical state at atmospheric temperature and pressure conditions by pumping sodium pentaborate, a neutron absorber, into the reactor. The manual start controls of the SBLC system are interlocked with the reactor water cleanup system such that initiation of either standby liquid control channel will act to close the outboard RWCU system isolation valve. This isolation function prevents undesirable dilution or removal of neutron absorber from the reactor vessel during SBLC operation. The system instrumentation and control complies with the specific requirements shown in Table 7.1-2. 7.4.2.2 System Description Function The instrument and control system for the standby liquid control system is designed to inject liquid neutron moderator into the reactor and maintain this liquid chemical solution well above saturation temperature. 7.4-10 REV. 14, APRIL 2002

LSCS-UFSAR Classification The standby liquid control system is a backup method of manually shutting down the reactor to cold subcritical conditions independent of the control rod system. Thus the system is considered a control system and not a safety system. The standby liquid control process equipment, instrumentation, and controls essential for injection of the neutron absorber solution into the reactor are designed to withstand Seismic Category I earthquake loads. Nonprocess equipment, instrumentation, and controls are designed to meet non-Seismic Category I requirements. 7.4.2.2.1 Power Sources The power supply to one explosive valve, injection pump, tank outlet valve, tank heater, and associated controls is from 480 volt AC ESF Motor Control Center 135Y-1 (Division 1). The power supply to the other explosive valve, injection pump, tank outlet valve, tank heater, and associated controls is from 480 volt AC ESF Motor Control Center 136Y-2 (Division 2). The power supply to the control room benchboard indicator lights and the level and pressure transmitters is the 120 volt AC Distribution Panel at ESF Motor Control Center 136X-2 (Division 2). 7.4.2.2.2 Initiating Circuits The standby liquid control system (Drawing Nos. M-99 and M-145) is initiated in the control room by turning the appropriate keylocking switch to initiate either system A or system B. The key is removable in the center STOP position should the selected pump fail to start, the other key switch may be turned to actuate the alternate pump. 7.4.2.2.3 Logic/Sequencing When the standby liquid control system is initiated from the control room, both explosive valves fire and the tank discharge valves start to open immediately The pump that has been selected for injection will not start until one of the tank discharge valves is open or the test tank outlet valve is open. 7.4.2.2.4 Bypasses/Interlocks Either of the storage tank discharge valves or the test tank outlet valve must be open for the pump to run when initiated from the control room. These pump run interlocks are bypassed by the local pump run testing switch. The outside isolation valve of the reactor water cleanup system is automatically closed when the Standby Liquid Control System A or B is initiated from the control room. Additionally, when System A or B is initiated from the control room, the storage tank discharge valves will not automatically open if the test tank outlet valve is open. 7.4-11 REV. 13

LSCS-UFSAR 7.4.2.2.5 Redundancy/Diversity Redundancy exists in duplicated pumps, explosive valves, storage tank outlet valves, and power supply as outlined in Subsection 7.4.2.2.1. 7.4.2.2.6 Actuated Devices When the standby liquid control system is initiated to inject neutron moderator into the reactor, the following devices are actuated:

a. One of the two injection pumps is started.

b. Each of the two explosive valves are fired.

c. Each of the two storage tank discharge valves is opened.

7.4.2.2.7 Testability The instrumentation and control system of the standby liquid control system is tested when the system test is performed. 7.4.2.2.8 Environmental Considerations The environmental considerations for the instrument and control portions of the standby liquid control system are the same as for the active mechanical components of the system. This is discussed in Section 3.11. 7.4.2.2.9 Operational Considerations Normal The standby liquid control system is manually initiated in the control room by turning the keylocking switch for either system A or system B to actuate the appropriate system. It will take between 50 and 125 minutes to complete the injection and for the storage tank level to indicate that the storage tank is dry. When the injection is completed, the system may be manually turned off by returning the keylocking switch to the STOP position. Operation Information Indicators The following indications are provided in the control room for operator information: 7.4-12 REV. 13

LSCS-UFSAR Analog Indication

a. storage tank level,

b. system pressures, and

c. explosive valves continuity.

Indicating Lamps

a. pump status,

b. explosive valve open circuit,

c. position of injection line manual stop valve,

d. position of storage tank outlet valve, and

e. position of test tank discharge manual stop valve.

Annunciators The standby liquid control system control room annunciators indicate:

a. the loss of continuity of either explosive valve primers,

b. standby liquid storage tank high or low temperature, and

c. standby liquid tank high and low level.

Local Indications The following indications are provided locally at the equipment for operator information: Analog Indication

a. storage tank level,

b. system pressure, and

c. storage tank temperature.

Indicating Lamps 7.4-13 REV. 13

LSCS-UFSAR

a. storage tank high and low power heater status.

Setpoints The standby liquid control has setpoints for the various instruments as follows:

a. The loss of continuity meter is set to activate the annunciator just below the trickle current that is observed when the primers of the explosive valves are new.

b. The high- and low-standby liquid temperature switch is set to activate the annunciator at temperatures of 110°F and 70°F, respectively.

c. The high- and low-standby liquid storage tank level switch activates the annunciator prior to level exceeding the overflow limit or dropping below Technical Specification required limit.

d. The thermostatic controller is set to turn on the heater when the standby liquid temperature drops to 75°F and to turn off the heater at 85°F.

7.4.2.3 Analysis General Functional Requirement Conformance As required by General Design Criterion 26 of 10 CFR 50 Appendix A, the standby liquid control provides the second independent reactivity control system as qualified in Subsection 9.3.5. 7.4.3 Reactor Shutdown Cooling (RHR) Instrumentation and Controls 7.4.3.1 Design Bases The reactor shutdown cooling mode function of the RHR system is designed to meet the following safety design bases:

a. Instrumentation and controls are provided that enable the system to remove the residual heat (decay heat and sensible heat) from the reactor vessel during normal shutdown.

b. Manual controls of the shutdown cooling system are provided in the control room area.

7.4-14 REV. 16, APRIL 2006

LSCS-UFSAR

c. Performance of the shutdown cooling system is indicated by control room instrumentation.

The reactor shutdown cooling mode of the residual heat removal system (RHR) meets the following power generation design bases:

a. Provide cooling for the reactor during the shutdown operation when the vessel pressure is below approximately 135 psig.

b. Cool the reactor water to 125°F which is practical for refueling and servicing operation.

c. Provide means for reactor head cooling by diverting part of the shutdown flow to a nozzle in the vessel head. This flow will condense the steam generated from the hot walls of the vessel while it is being flooded, thereby keeping system pressure down.

7.4.3.2 System Description The shutdown cooling mode of the RHR system including the reactor vessel head spray is used during a normal reactor shutdown and cooldown. The initial phase of a normal nuclear system cooldown is accomplished by dumping steam from the reactor vessel to the main condenser which serves as the heat sink.

a. The reactor shutdown cooling system is capable of providing cooling for the reactor during shutdown operation after the vessel pressure is reduced to approximately 135 psig.

b. The system is capable of cooling the reactor water to a temperature at which reactor refueling and servicing can be accomplished.

c. Means are provided to divert part of the shutdown flow to a nozzle in the vessel head to condense the steam generated from the hot walls of the vessel while it is being flooded.

The classification of this system is discussed in Section 3.2. The power sources for this system are discussed in Subsection 7.3.1. 7.4.3.2.1 Equipment Design The reactor water is cooled by taking suction from one of the recirculation loops; the water is pumped through the system heat exchanger and back to the reactor vessel 7.4-15 REV. 15, APRIL 2004

LSCS-UFSAR via the recirculation loop as shown in M-96 and M-142. Part of the flow can be diverted to a nozzle in the vessel head to provide for head cooling. The function of head cooling is to condense steam generated from the hot walls of the vessel while it is being flooded, thereby keeping system pressure down. During the initial phase of cooling the reactor, only a portion of the RHR system heat exchanger capacity is required. This allows the remaining portion of the RHR system with its heat exchanger, associated pumps, and valving to be available for the LPCI mode. The LPCI mode portion of the system is shifted to the shutdown mode after the reactor is depressurized so the proper cooling rate may be achieved with the lower reactor water inlet temperature. If it is necessary to provide additional fuel pool cooling, a means is provided for making a physical intertie between the spent fuel pool cooling system and the B RHR pump and heat exchanger. This increases the cooling capacity of the spent fuel pool cooling system to handle the heat load for this situation. 7.4.3.2.2 Initiating Circuits The reactor shutdown cooling system is initiated only by manual action. 7.4.3.2.3 Bypasses/Interlocks To prevent opening the shutdown cooling valves except under proper conditions, the interlocks are provided as shown in Table 7.4-2. The two RHR pumps used for shutdown cooling are interlocked to trip the pumps if the shutdown cooling valves and suction valves from the suppression pool are not properly positioned. 7.4.3.2.4 Redundancy There is redundancy in duplicated pumps, heat exchangers, valves, piping, and power supply. Only the suction line and valves from the recirculation line are shared. 7.4.3.2.5 Actuated Devices All valves in the shutdown cooling system are equipped with remote-manual switches in the control room. Further discussion can be found in Subsection 7.3.1. 7.4.3.2.6 Separation As described in Subsection 7.3.1.2.4.7, RHR A is a Division 1 system, and RHR B is a Division 2 system. In order to maintain the required separation, manual controls, 7.4-16 REV. 14, APRIL 2002

LSCS-UFSAR cabling, and instrumentation are routed and installed so that Division 1 and 2 separation is maintained. Separation from Division 3 is likewise maintained. The shared suction line from the reactor recirculation system is provided with a Division 2 isolation valve inside containment and a Division 1 isolation valve outside containment, in agreement with containment isolation requirements. After the shared line branches to each pump suction, a motor-operated shutoff valve, assigned to the applicable division, is provided. These valves are located in areas compatible with their divisional assignments. Separation is therefore maintained. 7.4.3.2.7 Testability The shutdown cooling system pumps (RHR) may be tested to full capacity during normal plant operation. All valves in the system may be tested during normal plant operation from the remote switches in the control room. 7.4.3.2.8 Environmental Considerations The only shutdown cooling control component located inside the drywell that must remain functional in that environment is the control mechanism for the inboard isolation shutdown cooling suction valve. The control and instrumentation equipment located outside the drywell is selected in consideration of the normal and accident environments in which it must operate. 7.4.3.2.9 Operational Considerations All controls for the shutdown cooling system are located in the control room. Operator information is provided as described in the RHR discussion of the LPCI mode in Subsection 7.3.1.2.4.10. 7.4.3.3 Analysis General Functional Requirement Conformance Capability is provided for orderly shutdown and cooldown of the reactor under normal conditions as discussed in Subsection 7.4.3.2. Conformance to 10 CFR 50 Appendix A

a. Criterion 34 - Reference Subsection 7.4.3.2, and

b. Criterion 61 - Reference Subsection 7.4.3.2.

7.4-17 REV. 14, APRIL 2002

LSCS-UFSAR No other regulatory requirements are applicable because this RHR subsystem is used only to cool the reactor core for removal of decay heat with the reactor fully shut down and at approximately 50 psia. 7.4.4. Shutdown Outside the Control Room It is possible to shut down the reactor from outside the main control room and bring the reactor to cold conditions in an orderly fashion, in compliance with General Design Criterion 19 of 10 CFR 50, Appendix A. 7.4.4.1 Conditions Assumed to Exist as the Main Control Room Becomes Inaccessible

a. The plant is operating initially at, or less than, design power.

b. Loss of offsite a-c power is considered unlikely but credible. The remote shutdown panel is powered from a Class 1E power system bus so backup a-c power is automatically supplied by the diesel generator in the event of loss of offsite power. Manual controls of the diesel generator are also available locally.

c. A loss-of-coolant accident is not assumed, so that complete control of engineered safeguards systems from outside the control room shall not be required.

d. Plant personnel evacuate the control room.

e. The control room continues to be inaccessible for several hours.

f. The event that causes the control room to become inaccessible is assumed to be such that the operator can manually scram the reactor before leaving the main control room. If this is not practical, opening the output breakers of the RPS logic can be used as a backup means to achieve reactor shutdown.

g. The main turbine pressure regulators may be controlling reactor pressure via the bypass valves; however, it is assumed that this function is lost. Therefore, main steamline isolation is assumed to occur at a specified low turbine inlet pressure and reactor pressure is relieved through the relief valves to the suppression pool. The feedwater system is also assumed to be unavailable.

h. Reactor water is made up by the RCIC system when and if reactor level reaches RCIC initiation level.

7.4-18 REV. 13

LSCS-UFSAR

i. D-c power is supplied from at least one plant d-c power system for each essential system or equipment item in the remote shutdown system.

7.4.4.2 Description

a. The system provides remote control of those reactor systems needed to accomplish shutdown from outside the main control room to bring the reactor to a cold condition in an orderly fashion.

b. It provides an alternative to the normal main control room shutdown of the reactor when feedwater is unavailable and the normal turbine and condenser heat sinks are lost.

c. Automatic activation of relief valves and the reactor core isolation cooling (RCIC) system brings the reactor to a hot shutdown condition after scram and isolation are achieved.

During this phase of shutdown, the suppression pool is cooled by operating the residual heat removal (RHR) system in the suppression pool cooling mode. Reactor pressure is controlled, and core decay and sensible heat is rejected to the suppression pool by relieving steam pressure through the relief valves. Reactor water inventory is maintained by the RCIC system.

d. Manual operation of the relief valves will cool the reactor and reduce its pressure at a controlled rate until reactor pressure becomes so low that the RCIC system will discontinue operation.

This condition is reached at 50 to 100 psig reactor pressure.

e. The RHR system then operates in the shutdown cooling mode using the RHR system heat exchanger in the reactor water circuit to bring the reactor to the cold, low-pressure condition.

7.4.4.3 Procedure for Reactor Shutdown From Outside the Control Room

a. If evacuation becomes necessary, the operator will scram the reactor by depressing the scram switches at the main control room panel as he leaves the control room.

b. Under normal conditions the main turbine pressure regulator will control the reactor pressure while rejecting heat (steam) through the turbine bypass valves, and the feedwater control system will control water level.

7.4-19 REV. 13

LSCS-UFSAR

c. The operator then opens the output breakers on feeders from reactor protection system bus A and bus B to reactor protection system trip logic channels A and B, respectively, as a backup means of scramming the reactor and closing the containment and reactor vessel isolation valves. The controls for this function are located on the reactor protection system power distribution panel near the reactor protection system motor-generator sets in the auxiliary equipment room beneath the main control room.

d. The remainder of the procedure assumes that the automatic pressure regulator is not available from time zero and the main steamline isolation valves are closed.

e. The operator then uses transfer switches to transfer control to the remote shutdown panel.

f. Relief valves not used in the remote shutdown system may open automatically and cycle to control reactor pressure. Reactor water level starts to drop at a rate dependent on prior power level and elapsed time from scram.

g. The operator starts the RCIC system manually before automatic initiation and monitors water level thereafter. The water level will continue to fall.

h. One relief valve is manually operated to maintain the desired reactor pressure.

i. The reactor water level reaches RCIC initiation setpoint level if the RCIC system was initiated at low level. This is well above the LPCS or RHR system initiation level. The level starts to rise as a result of RCIC system flow. Pressure relief is continued through one relief valve in manual intermittent operation.

j. The water level is returned to normal by operation of the RCIC system.

k. The operator can start reduction of reactor pressure by manually actuating two relief valves.

l. While activating these relief valves, the operator observes reactor water level, reactor temperature, and suppression pool temperature. The relief valves are closed as necessary to 7.4-20 REV. 13

LSCS-UFSAR maintain adequate level for core cooling. The reactor cooldown rate should not exceed 100°F per hour.

m. The operator uses the RHR system with one pump and one heat exchanger and associated water systems to cool the suppression pool.

n. The operator activates two relief valves to maintain reduction of pressure to 250 psig while observing pool temperature.

o. Reactor pressure is reduced to 100 psig.

p. The operator then places the RHR system in the shutdown cooling mode and flushes the system for several minutes by pumping reactor water into the suppression pool.

q. Normal reactor water level is maintained.

The following GE supplied systems have controls and instrumentation located outside the control room:

a. reactor core isolation cooling (RCIC) system,

b. one residual heat removal (RHR) system loop, and

c. nuclear boiler system instrumentation.

7.4.4.4 Analysis General Functional Requirement Conformance As required by General Design Criterion 19 of 10 CFR 50 Appendix A, capability is provided to shut down the reactor and bring it to a cold condition from outside the main control room. 7.4-21 REV. 13

LSCS-UFSAR TABLE 7.4-1 REACTOR CORE ISOLATION COOLING INSTRUMENT LIMITS RCIC ALLOWABLE ANALYTIC OR FUNCTION INSTRUMENT TRIP SETTINGS VALUE DESIGN-BASIS ACCURACY RANGE Note I Note 3 LIMIT Note 2 (1) Reactor Vessel High Differential Pressure Note 2 Water Level Transmitter Note 2 Note 4 Note 4 0-60in. (2) Turbine Exhaust High Pressure Pressure Switch Note 5 Note 5 Note 5 Note 5 Note 5 (3) RCIC System Pump 50-150 psig High Suction Pressure Switch <99 psig <psig Pressure (4) RCIC System Pump -30 in. Hg/0/+0.5 Low Suction Pressure Switch -20 in. Hg Note 7 N/A +/- 2% psig Pressure (5) Reactor Vessel Low Differential Pressure Note 2 Water Level - Transmitter/Trip Note 2 Note 4 Note 4 -150/0/+60 in. Level 2 Note 6 Unit (6) RCIC System Steam Supply Low Pressure Switch Note 5 Note 5 Note 5 Note 5 Note 5 Pressure (7) Turbine Overspeed Centrifugal Device 125% of rated speed N/A +/- 2% 0-125% (8) Condensate Storage Float Switch N/A Tank Low Level Note 2 Note 2 Notes:

1. The differential pressure sensors (level switches and AP transmitters) are designed for one side pressurization capability of up to 2000 psig without damage to diaphragms.

2. See the applicable calculation, listed in Appendix D of Technical Requirements Manual.

3. See Technical Specifications or the Technical Review Manual, as applicable, for Allowable Values.

4. All reactor water levels are referenced to instrument zero at 527.6, Vessel Zero is the inside bottom of the RPV at centerline.

5. See UFSAR Table 7.3-2 for RCIC Isolation Actuation Instrumentation Limits.

6. Incident detection circuitry instrumentation.

7. Approximate setting.

TABLE 7.4-1 REV. 16, APRIL 2006

LSCS-UFSAR TABLE 7.4-2 REACTOR SHUTDOWN COOLING BYPASSES AND INTERLOCKS VALVE FUNCTION REACTOR PRESSURE ISOLATION VALVE SHUTDOWN SUCTION MANUAL OPEN EXCEEDS SHUTDOWN CLOSURE SIGNAL LINE EXCESS FLOW Inboard suction Cannot open Cannot open Cannot open isolation Outboard suction Cannot open Cannot open Cannot open isolation Reactor injection Cannot open Cannot open Cannot open Head spray Cannot open Cannot open Cannot open Radwaste discharge Can open Cannot open Not Applicable inboard Radwaste discharge Can open Cannot open Not Applicable charge outboard VALVE FUNCTION . (Auto (A) close or manual (M) close) Inboard suction Closes A and M Closes A and M Closes A and M isolation Outboard suction Closes A and M Closes A and M Closes A and M isolation Reactor injection Closes A and M Closes A and M Closes A and M Head spray Closes A and M Closes A and M Closes A and M Radwaste discharge Closes M Closes A and M Not Applicable inboard Radwaste discharge Closes M Closes A and M Not Applicable outboard TABLE 7.4-2 REV. 1 - APRIL 1985

LSCS-UFSAR 7.5 SAFETY-RELATED DISPLAY INSTRUMENTATION 7.5.1 General This section describes the instrumentation which provides information to the operator to enable him to perform required safety functions. The indicators and recorders for normal plant process variables are described in Section 7.7 and are shown on the P&ID's for the various systems. Channel ranges and indicators are selected on the basis of giving the operator the necessary information to perform all the normal plant maneuvers and to be able to track all the process variables pertinent to safety during expected operational perturbations. The ranges of indicators and recorders provided are capable of covering the extremes of process variables and provide adequate information for all abnormal transient events. Some accidents may cause larger parameter excursions. Information readouts are designed to accommodate all credible accidents from the standpoint of operator action, information, and event tracking requirements, providing assurance that the requirements of all other credible events or incidents will be covered. Certain instruments have been designated as post-accident monitors, and as such have been determined to be in compliance with the intent of Reg. Guide 1.97 Rev. 2 as documented in Appendix B. 7.5.2 Post-Accident Tracking In accordance with Regulatory Guide 1.97, process variables used in post-accident monitoring are grouped into 5 types: A, B, C, D, and E. Type A, those variables to be monitored that provide the primary information required to permit the control room operators to take the specific manually controlled actions for which no automatic control is provided and are required for safety systems to accomplish their safety function for design basis accident events. Primary information is information that is essential for the direct accomplishment of the specified safety functions; it does not include those variables that are associated with contingency actions that may also be identified in written procedures. Type B, those variables that provide information to indicate whether plant safety functions are being accomplished. Plant safety functions are (1) reactivity control (2) core cooling (3) maintaining reactor coolant system integrity, and (4) maintaining containment integrity (including radioactive effluent control). 7.5-1 REV. 18, APRIL 2010

LSCS-UFSAR Type C, those variables that provide information to indicate the potential for being breached or the actual breach of the barriers to fission product releases. The barriers are (1) fuel cladding, (2) primary coolant pressure boundary, and (3) containment. Type D, those variables that provide information to indicate the operation of individual safety systems and other systems important to safety. These variables are to help the operator make appropriate decisions in using the individual systems important to safety in mitigating the cause of an accident. Type E, those variables to be monitored as required for use in determining the magnitude of the release of radioactive materials and in continually assessing such releases. The five classifications are not mutually exclusive in that a given variable may be included in one or more types. Post-accident monitoring instruments are assigned to meet one of three design categories. These categories provide a graded approach to requirements depending on the importance to safety of the measurement of a specific variable. Category 1 variables are key type variables used to provide information or to monitor the applicable parameter. The qualification requirements are the most stringent, with requirements that the instrumentation should be environmentally qualified in accordance with Regulatory Guide 1.89 "Qualification of Class 1E Equipment for Nuclear Power Plants," and the seismic portion of qualification be in accordance with Regulatory Guide 1.100 "Seismic Qualification of Electrical Equipment for Nuclear Power Plants." Instrumentation shall continue to read within the required accuracy following but not necessarily during a seismic event. At least one instrumentation channel shall be qualified from a sensor to display and be a direct indicating or recording device. The instrumentation should be energized from station standby power sources and should be backed up by batteries where momentary interruption is not tolerable. Category 2 variables provide selective backup information and monitoring information of the performance of safety systems and the release of radioactive materials. The qualification requirements are not quite as stringent, but many of the same standards are recommended. Category 3 variables are instruments of high quality commercial grade. 7.5-1a REV. 14, APRIL 2002

LSCS-UFSAR Type A, B, and C variables relate to the determination of the safety condition of the plant and provide the operator with the information to perform tasks needed to mitigate accidents. The following parameters have been identified as Type A or Category 1 variables for LaSalle:

1. Reactor Vessel Water Level

2. Reactor Steam Dome Pressure

3. Drywell Pressure

4. Suppression Pool Water Level;

5. Suppression Pool Water Temperature

6. Drywell Gross Gamma Radiation

7. Primary Containment Isolation Valve Position The instruments monitored by these variables meet the intent of Category 1 requirements per Regulatory Guide 1.97, or deviations from these requirements have been justified.

The design basis that all engineered safety features are to mitigate the accident event condition takes into consideration that no operator action or assistance may be assumed for the first 10 minutes of the event. This requirement therefore makes it mandatory that all protective actions necessary in the first 10 minutes be "automatic". Therefore, although continuous tracking of process variables is available, no operator action based on them is required. After 10 minutes, operator action is optional based on the information available. The process instrumentation described below provides information to the operator after a loss-of-coolant accident for his use in monitoring reactor conditions within the drywell or containment integrity. The post-accident tracking process instrumentation for Type A and Category 1 variables is grouped as: 1) reactor and primary containment process instrumentation and 2) primary containment atmosphere monitoring system instrumentation, and 3) primary containment integrity. 7.5-1b REV. 16, APRIL 2006

LSCS-UFSAR 7.5.2.1 Reactor and Primary Containment Process Instrumentation 7.5.2.1.1 Reactor Water Level Reactor vessel water level is a Type B Category 1 variable provided to support monitoring of core cooling and to verify operation of Emergency Core Cooling Systems (ECCS). The wide range and fuel zone range water level instruments provide this function. The range of the recorded/indicated level is from the top of feedwater control range to a point just below the bottom of active fuel. Four wide-range water level signals are transmitted from four independent differential pressure transmitters and are recorded on two separate recorders and two separate indicators. One separate recorder input records the wide range level; the other records the reactor pressure on each of the two recorders. The differential pressure transmitters have one side connected to a condensing chamber reference leg and the other side connected directly to a vessel nozzle for the variable leg. The water level system is uncompensated for variation in reactor water density and is calibrated to be most accurate over the operational pressure and temperature range at which it is used. The range of the recorded/indicated level is from the top of the feedwater control range (just above the high level turbine trip point) down to a point near the top of the active fuel. The power sources for the four channels are the two instrument a-c buses (two channels per a-c bus) fed from the two Class 1E standby a-c buses. The recorders and indicators are seismically qualified, and are visible to the operator from the front of the panel on which they are mounted. Two fuel zone-range water level signals are transmitted from two independent differential pressure transmitters and are indicated on one recorder and one indicator. The fuel zone water level transmitters share the reference legs of two of the wide range level transmitters and use the taps at the jet pump diffuser skirt for the variable leg. The range of the recorded/indicated level is from about four feet above the top of the active fuel to just below the bottom of active fuel. The zero of the instrument is the same as that of all other level instrumentation, and the instruments are calibrated to be accurate at 0 psig and saturated condition. Each fuel zone instrument channel is powered from a separate Class 1E power source (Divisions 1 and 2). The recorder and indicator are seismically qualified and are visible to the operator from the front panel on which they are mounted. 7.5.2.1.2 Reactor Pressure Reactor pressure is a Type A and Category 1 variable provided to support monitoring of Reactor Coolant System (RCS) integrity and to verify operation of the Emergency Core Cooling Systems. 7.5-2 REV. 18, APRIL 2010

LSCS-UFSAR Two reactor pressure signals are transmitted from two independent pressure transmitters and are recorded on two recorder input recorders. One recorder input records pressure; the other records the wide-range level. The range of recorded pressure covers the highest expected ATWS transient. Power sources are as stated in the previous subsection. 7.5.2.1.3 Containment Pressure

a. Drywell Pressure Drywell pressure is a Type A and Category 1 variable provided to detect a breach of the reactor coolant pressure boundary and to verify ECCS functions that operate to maintain RCS integrity.

There are four drywell pressure monitoring channels, two wide-range channels and two narrow-range channels. Together, they combine to cover a pressure range during reactor normal operation and following a loss-of-coolant accident. The combined range is -5 to 200 psig, which is three times the concrete containment design pressure of 45 psig. These recorders operate continuously during normal plant operations; they provide a continuous visual indication and yield a continuous recording. One set of wide- and narrow-range pressure instrumentation is powered from a Division 1 Class 1E power source, while the other set is powered by Division 2 Class 1E power source. Each transmitter has a readout on separate 7.5-2a REV. 21, JULY 2015

LSCS-UFSAR recorders and indicators in the main control room. The recorders and indicators are seismically qualified and visible to the operator from the front of the panel on which they are mounted.

b. Suppression Chamber Pressure Suppression chamber pressure is not a Regulatory Guide 1.97 variable, but does provide useful information on containment status.

There are two suppression chamber pressure monitoring channels. Their purpose is to provide information to the operator to indicate suppression pool bypass phenomenon so that he may take action to prevent upward forces in the drywell floor from exceeding design limits. Each channel is powered from redundant Class 1E emergency instrument buses. They each have readouts on a main control room indicator. The indicator is seismically qualified and is visible to the operator from the front of the panel on which it is mounted. 7.5.2.1.4 Suppression Pool Water Level Suppression pool water level is a Type A and Category 1 variable provided to detect a breach in reactor coolant pressure boundary. This variable is also used to verify and provide long term surveillance of the ECCS function. There are two suppression pool water level channels. Each has a range to cover all expected normal transients as well as post-LOCA conditions. The water level measurement system has the capability to measure water level over a 32-foot range from 14 feet above normal level down to the lowest ECCS suction point. Each channel is powered by separate Class 1E emergency instrument buses and has a readout on a separate recorder. Each recorder is seismically qualified and is visible to the operator from the front of the panel on which it is mounted. 7.5.2.1.5 Containment Temperature

a. Drywell Temperature Drywell temperature is a Type D Category 2 variable. There are four channels of drywell temperature monitoring. They have ranges adequate to cover normal through post-accident conditions. They are located so that they form two groups of two sensors to cover each half of the drywell. For example, the sensor in the northwest quadrant of the containment is 7.5-3 REV. 14, APRIL 2002

LSCS-UFSAR indicative of temperature from azimuths 315° to 135°, while the southeast sensor covers 135° to 315°. These two sensors are powered from one Class 1E redundant instrument bus, while the other two sensors are located in the other two quadrants in the drywell and are powered from a different Class 1E bus. These two temperature channels have readouts on separate seismically qualified recorders visible to the operator from the front of the panel on which they are located. 7.5-3a REV. 14, APRIL 2002

LSCS-UFSAR

b. Suppression Pool Temperature:

1. Suppression Chamber Air Temperature Suppression chamber air temperature is not a Regulatory Guide 1.97 variable. There are two channels of suppression chamber air temperature. They have the same range requirements as the drywell temperature sensors. They are powered by redundant Class 1E instrument buses, and have readouts on the same two recorders as the drywell temperature monitoring channels.

2. Suppression Pool Water Temperature Suppression pool water temperature is a Type A and Category 1 variable provided to detect a condition that could potentially lead to a containment breach, and to verify the effectiveness of ECCS actions taken to prevent containment breach.

There are 28 channels of suppression pool water temperature measurement. They are separated into two sets of 14 sensors. These 14 sensors are distributed throughout the pool area so as to be able to redundantly detect a stuck-open safety/relief valve continuous discharge into the pool. Each set of 14 sensors is inputted to a seismically qualified computer based system. The computer based systems are powered by redundant class 1E buses. Each computer based system drives a dedicated recorder which records the suppression pool water bulk temperature. In addition, the same suppression pool water bulk temperature signal is inputted to the plant process computer via a signal isolation. 7.5.2.2 Post-Accident Primary Containment Atmosphere Monitoring System Instrumentation and Controls 7.5.2.2.1 Design Bases IEEE Standard 279-1971 defines the requirements for design bases. Subsection 7.2.2.13 meets this requirement. The following is a comparison of the design-basis requirements found in IEEE 279-1971 as they relate to the primary containment atmosphere monitoring system: 7.5-4 REV. 14, APRIL 2002

LSCS-UFSAR

a. The generating station condition which requires protective action in the primary containment atmosphere monitoring system is hydrogen generation following a LOCA.

b. The generating station variable which requires monitoring to provide protective actions is hydrogen content in the primary containment atmosphere.

7.5-4a REV. 14, APRIL 2002

LSCS-UFSAR

c. Prudent operational limit for each safety-related variable is 4%

hydrogen (by volume).

d. The margin between operational limits and the level determining the onset of unsafe conditions is shown in Subsection 6.2.5.

e. Levels requiring protective action are given in item d preceding.

f. For the range of energy supply and environmental conditions of safety systems, see Subsections 3.1.2.1.4 and 7.3.6.

g. Malfunctions, accidents, and other unusual events which could cause damage to safety systems are discussed in Subsections 7.2.3 and 7.3.1.3.

The system is designed to meet the following safety design bases:

a. The system can detect hydrogen and oxygen concentrations and any possible release of fission products from the fuel resulting from a loss-of-coolant accident.

b. The hydrogen and oxygen monitoring subsystems and the gross gamma monitoring subsystem display in the control room the hydrogen and oxygen concentrations and gross gamma radiation level inside the primary containment resulting from a loss-of-coolant accident and provide alarms at predetermined setpoints.

c. Limits are established on abnormal concentrations of hydrogen and oxygen so that corrective action can be taken before unacceptable results occur. The unacceptable results are as follows:

1. A threat of significant compromise to the primary containment structure.

2. A threat of significant compromise to the equipment inside the primary containment.

The containment atmosphere monitoring system is designed to meet the specific requirements listed in Table 7.1-2. 7.5-5 REV. 13

LSCS-UFSAR 7.5.2.2.2 Description The purpose of the containment atmosphere monitoring subsystem instrumentation and controls is to provide the signals necessary to indicate and alarm high hydrogen, high oxygen, or high gross gamma radiation in the drywell following a loss-of-coolant accident (LOCA). The gross gamma monitoring subsystem monitors the dose rate resulting from gross release of fission products from the fuel. The 120-Vac Division 1 and Division 2 buses are the power sources for the primary containment atmosphere monitoring subsystem. The Division 1 channel is powered from the Division 1 bus, and the Division 2 channel is powered from the Division 2 bus. The H2/O2 monitoring system heat tracing for each division is energized from the same Class 1E electrical system division that supplies 120VAC power to the respective H2/O2 monitoring systems. Each channel provides a local measurement except for gross gamma monitoring system, and transmits the signal to the control room, where a permanent record is provided on seismically qualified recorders. Drawing Nos. M-156 and M-158 show the primary containment monitoring instrumentation and controls. This subsystem is designed in accordance with Seismic Category I requirements. The piping for this subsystem is designed in accordance with ASME Section III - 1974 Class 2 requirements, up to and including the outboard isolation valves. The use of revised allowable stress values within the 2001 Edition through 2003 Addenda has been reconciled and is acceptable for design evaluations, modifications, repairs and replacements. The hydrogen and oxygen monitoring subsystems have been designed in accordance with IEEE 323-1974. 7.5.2.2.2.1 Drywell Hydrogen and Oxygen Monitoring Subsystem Drywell hydrogen and oxygen concentration analyzers are Type C Category 3 and Type C Category 2 instruments, respectively, provided to detect high hydrogen or oxygen concentration conditions that represent a potential for containment breach. Initiating Circuits Both divisional H2/O2 monitoring systems heat tracing are energized during plant operation, shutdown and after an accident. During normal plant operation, the heat tracing is maintained at 300°F and the hot box located in the analyzer panel is maintained at 270°F to prevent sample condensation. 7.5-6 REV. 20, APRIL 2014

LSCS-UFSAR Two hydrogen and two oxygen sensors are mounted directly in the reactor building, where drywell atmosphere samples are brought out, the measurement made, and an electrical signal is transmitted to the control room. The P&ID of these monitors is shown on the right-hand portion of Drawing Nos. M-156 and M-158. 7.5-6a REV. 14, ARPIL 2002

LSCS-UFSAR The volume percent each of hydrogen and oxygen is recorded by two recorders in the control room. The millivolt signals generated by the sensors are suitably conditioned and amplified by solid-state electronic modules for transmission to the control room. Two such units make up the total analyzer package. The hydrogen-monitoring system utilizes a thermal conductivity sensor design concept. The sensing element generates an electrical current that is directly proportional to the hydrogen in the drywell atmosphere sample. A self-contained sample temperature control unit ensures that the calibration of the sensor is maintained over the entire operational temperature range. Analyzer Electronics The analyzer electronics consists of an amplifier, power supply, divider, and recording channel. The amplifier and power supply consist of solid-state, highly reliable, proven circuits that are capable of meeting the system requirements. The amplifier takes the cell output signal and provides a 4-20 mA signal for transmission to the control room. This volume percent hydrogen value is fed into the two-channel recorder. Redundancy The subsystem consists of redundant analyzer units. Separation Each of the redundant analyzer units is physically separated and is powered from a separate power bus. Hydrogen-Monitoring Test and Calibration Although the sensors are inherently stable over extended periods of time, a calibration capability is provided to guarantee greater accuracy. Sample gases can be introduced to the sample chamber by manual operation of valves from the calibration gas tanks. The calibration cycle is completed within 30 to 45 minutes from the time the calibration gas reaches the sensor assembly. Adjustments to the calibration signal are made remotely in the main control room. System startup and calibration are relatively straightforward. Power will normally be maintained to electronic components to eliminate warmup requirements. 7.5-7 REV. 15, APRIL 2004

LSCS-UFSAR Environmental Considerations The hydrogen/oxygen monitoring equipment is located in the reactor building and is designed to remain functional in the environment which results from a loss-of-coolant accident. See Section 3.11 for a description of the reactor building environments. Operational Considerations The hydrogen/oxygen subsystem is automatically activated on the occurrence of a loss-of-coolant accident and remains in operation after initiation unless turned off with a handswitch. Continuous indication and recording will be functioning within 15 minutes after initiation. During normal operation, the system is maintained in the standby mode or analyze. The hydrogen concentration is recorded up to 10%, with an accuracy of +/-5% of the readout. The oxygen concentration is recorded up to 20%. An alarm is activated on high concentration. The individual H2/O2 monitoring system heat tracing circuits for each division are controlled by temperature controllers located in the respective divisional control panel. Each panel provides local indication of the following abnormal conditions: high temperature, low temperature, and loss of power. Indication of the heat tracing system trouble/loss of power to the panel is also provided in the control room. The heat tracing circuits are automatically controlled from their respective divisional control panel. 7.5.2.2.2.2 Drywell Gross Gamma Monitoring Drywell gross gamma radiation is a Type E Category 1 variable provided to monitor for the potential of significant radiation releases and to provide assessment for use by operators in determining the need to invoke site emergency plans. Initiating Subsystem Circuits Two gamma-sensitive instrumentation channels monitor the radiation in the drywell atmosphere. Two detectors are mounted in steel sleeves which protrude into the primary containment at diverse locations so as to view a larger segment of the containment atmosphere. Each instrument channel consists of a gamma-sensitive ion chamber and a log radiation monitor. Each log radiation monitor has an upscale trip circuit which is used to initiate an alarm on high radiation. The output from each log radiation monitor is displayed on an eight-decade meter on the local panel and on separate recorders located in the control room. These detectors have a wide range so that the 7.5-8 REV. 15, APRIL 2004

LSCS-UFSAR monitors can follow the radiation increase from lower levels of radiation for personnel safety up to the maximum expected in a major accident. They are responsive to gamma photons which have energy levels of 60 KeV to 3.0 MeV. The lower energy gammas are slightly attenuated by the thin steel sleeves, but the amount of attenuation is less than a factor of four. For example, if the containment gamma radiation is 106 R/hr, and contains mostly Xe-133 with an energy level of 7.5-8a REV. 14, APRIL 2002

LSCS-UFSAR 81.1 KeV, the detector will still respond to 2.5 x 105 R/hr. At higher energy levels, a larger percentage of the gamma radiation will reach the detector. Redundancy The subsystem utilizes a redundant instrumentation channel so that a single failure cannot prevent subsystem operation. Separation Each of the redundant pairs of gamma-sensitive instrumentation is physically separated from the other and is powered from a separate power bus. Inspection and Testing A built-in source of current is provided with each radiation monitor for test purposes to provide a point reading equivalent to 105 R/hr. In addition, the operability of each monitoring channel can be routinely verified by comparing the outputs of the channels at any time. Environmental Considerations The gross gamma monitoring equipment readouts are in the control room. See Section 3.11 for a description of the reactor building and control room environment. Operational Considerations The gross gamma subsystem is operational at all times during normal and accident conditions except when taken out of service for calibration. Detectors are easily retrievable for replacement, maintenance, and located so as to minimize personnel exposure. This subsystem covers the range of 1 to 108 R/hr, which is greater than the dose rates in the H2 and O2 sample lines following the loss-of-coolant accident. 7.5.2.3 Primary Containment Integrity Primary Containment Isolation Valve (PCIV) position is a Type B Category 1 variable provided for verification of primary containment integrity. In the case of PCIV position, the important information is the isolation status of the containment penetration. Primary containment isolation valves that are remotely operated with control room indication needed for verifying containment integrity are applicable. PCIV's that are not included for this requirement of position indication includes check valves, relief valves, manual valves, CRD solenoid valves and excess flow check valves. Drywell vacuum breakers, which are provided with control room position indication, are not considered PCIVs and are not a part of this 7.5-9 REV. 20, APRIL 2014

LSCS-UFSAR requirement. Table 7.5-1 Position Indication for Reg. Guide 1.97 PCIV's lists the primary containment isolation valves that require position indication meeting the Reg. Guide 1.97 Category 1 requirements. Exceptions to the general guidance are listed in Table 7.5-1. 7.5.3 Shutdown, Isolation, and Core Cooling Indication The information furnished to the control room operator permits him to assess reactor shutdown, isolation, and availability of emergency core cooling following the postulated accident.

a. Operator verification that reactor shutdown has occurred may be made by observing one or more of the following indications:

7.5-9a REV. 20, APRIL 2014

LSCS-UFSAR

1. Control rod status on panel H13-P603, indicating each rod fully inserted.

2. Computer display of rod position.

3. Control rod scram pilot valve status indicating open valves. The power sources are RPS MG sets. See Drawings 1E-1-4215AJ and 1E-2-4215AJ. Note that the RPS MG sets are powered from motor control centers (MCC 135X-2, 235X-2, and MCC 136X-2, 236X-2) which are in turn powered by the emergency diesel generators on loss of offsite power.

4. Neutron monitoring power range channels and recorders downscale. The power sources are RPS MG sets (see Subsection 7.5.3.a.3) for monitoring channels and ESF power sources for the recorders which are ultimately powered by the emergency diesel generators on loss of offsite power.

5. Annunciators for reactor protection system variables and trip logic in the tripped state. The power source is d-c from a station battery.

b. The operator may verify reactor isolation by observing one or more of the following indications:

1. Isolation valve position lamps indicating valve closure.

See Subsection 7.5.2.3. The power source is the same as for the associated motor operator, except for valves 1(2)E12-F008. A separate power supply is furnished for the indicating lights for the valves 1(2)E12-F008.

2. Main steamline flow indication downscale. The power source is instrument a-c from one of the standby a-c buses.

7.5-10 REV. 18, APRIL 2010

LSCS-UFSAR

c. Operation of the emergency core cooling and the RCIC system following an accident may be verified by observing the following indications:

1. Flow and pressure indications for each emergency core cooling system and RCIC system. The power sources are independent and from the same standby buses as the driven equipment.

2. RCIC isolation valve position indicating open valves. The power source is from the same bus as the valve motive power.

3. Injection valve position lights indicating either open or closed valves. The power source is the same as the valve motor.

4. Relief valve position status by open or closed indicator lamps. The power source is 125 VDC from the Division I distribution panels 111Y (Unit 1) and 211Y (Unit 2).

7.5.4 Analysis 7.5.4.1 General The safety-related display instrumentation provides adequate information to allow the operator to make manual control actions permitted under normal, abnormal, transient, and accident conditions. Insofar as practical, instruments are selected from those types which are qualifiable under IEEE 279-1971 and IEEE 323-1971. The reactor pressure transmitters are mounted on two independent local panels and the reactor water level transmitters are mounted on six local panels (four wide range and two fuel zone range). The transmitters are designed to operate during normal operation, accident, and postaccident environmental conditions. The design criteria that the instruments must meet are discussed in Subsection 7.7.1. There are four complete and independent channels of wide-range reactor water level and two independent channels of fuel zone reactor water level and reactor vessel pressure. Each channel has its readout on a separate recorder or indicator. The recorders and indicators are located in the control room on the reactor core cooling benchboard One recorder is with the Division 1 systems and the other with the Division 2 systems. The design is adequate to provide for accurate reactor water level and reactor pressure information during normal operation, abnormal, transient, and accident conditions. 7.5-11 REV. 18, APRIL 2010

LSCS-UFSAR Subsection 7.5.2 describes the basis for selecting ranges for instrumentation. Since abnormal, transient, or accident conditions monitoring requirements exceed those for normal operation, the normal ranges are covered adequately. Abnormal transient occurrences are not limiting from the point of view of instrument ranges and functional capability (see Subsection 7.5.4.2). The variety of indications which may be utilized to verify that shutdown and isolation safety actions have been accomplished as required (see Subsection 7.5.3) are considered adequate to comply with the requirements of IEEE 279-1971. Conformance of the instrumentation system to Regulatory Guide 1.97 is given in Appendix B of the UFSAR. 7.5.4.2 Accident Conditions The DBA-LOCA is the most extreme operational event. Information readouts are designed to accommodate this event from the standpoint of operator action, information, and event tracking requirements, and therefore cover all other design-basis events or incident requirements.

a. Initial Accident Event The design basis of all engineered safety features to mitigate an accident takes into consideration that "no operator action or assistance is required or recommended for the first ten (10) minutes of the event." This requirement makes it mandatory that all protective action necessary in the first 10 minutes be "automatic". Therefore, although continuous tracking of variables is available, no operator action based on them is intended.

b. Postaccident Tracking After 10 minutes, operator action is optional, therefore, the following information is available:

The following process instrumentation provides information to the operator after a DBA loss-of-coolant accident for his use in monitoring reactor conditions within the drywell.

1. Reactor Water Level and Pressure Vessel water level and pressure instrumentation described in Subsection 7.5.4.1 above is redundant, electrically independent, and is qualified to be operable 7.5-12 REV. 15, APRIL 2004

LSCS-UFSAR during and after a loss-of-coolant accident. Power is from independent instrument buses powered from the two standby a-c buses. This instrumentation complies with the independence and redundancy requirements of IEEE 279-1971 and provides recorded and indicated outputs. All equipment can perform its required functions during and following a seismic event.

2. Suppression Pool Water Level This instrumentation complies with the requirements of IEEE 279-1971 and provides recorded and indicated outputs. All equipment can perform its required function during and after the seismic event.

3. Drywell/Containment Pressure This instrumentation is redundant, electrically independent, and is qualified to be operable during and after a LOCA. Power is from independent buses, and the instrumentation complies with the requirements of IEEE 279-1971 and provides recorded outputs. All equipment can perform its required function during and after a seismic event.

The area of the suppression chamber above the water but below the drywell floor is monitored via a redundant pair of pressure transmitters to detect pressurization upward on the drywell floor due to the suppression pool bypass phenomena, in order to insure that design limits of the drywell floor are not exceeded. These transmitters feed redundant divisional indicators in the control room to provide instantaneous pressure readings to the operator. In addition, for the non-accident case, an alarm is provided in the control room to call the operator's attention to these indicators if there is an abnormal pressure reading. The transmitters are qualified to IEEE 323-1971 standards, and each loop in the redundant pair is powered from Class 1E power sources, which are capable of being powered by the diesel generators. 7.5-13 REV. 21, JULY 2015

LSCS-UFSAR

4. Emergency Core Cooling Performance of emergency core cooling systems following an accident may be verified by observing redundant and independent indications as described in Subsection 7.5.3 item c and fully satisfies the need for operator verification of operation of the system.

5. Postaccident Tracking The various indications described in Subsection 7.5.3 provide adequate information regarding the status of the reactor vessel level and pressure to allow operators to make proper decisions regarding core and containment cooling operations; they also fully satisfy the need for postaccident surveillance of these variables.

c. Safe Shutdown Display The safe shutdown instrumentation is described in Subsection 7.5.3. It includes the computer display of control rod position information, the scram pilot valve status indication on control room panel H13P603, and the neutron monitoring instruments on panel 608. Displays of this information are expected to remain operable for a sufficient time following an accident or loss of offsite power to indicate the attainment of safe reactor shutdown. Diversity is provided to these safe shutdown indications because the information is fed into three separate systems, each with a separate power supply and indicating mode.

The rod position information is recorded by the process computer which has an uninterruptible power supply. The Rod Position Indication System (RPIS) displays are part of the rod control management system (RCMS). The RCMS (including the RPIS displays) is powered from an uninterruptible supply, with the means to switch to an alternate power supply. The RPIS sensors which are powered from the uninterruptible power supply, will provide input information to the process computer. The redundant scram pilot valve status lamps are powered from independent buses fed from the motor-generator set of the Reactor Protection System (RPS) which has a backup. 7.5-14 REV. 18, APRIL 2010

LSCS-UFSAR The neutron monitoring instrumentation is arranged into four separate channels with ARM's, SRM's, and IRM's in each channel, with two redundant channels powered from the A bus and two redundant channels powered from the B bus of 24-Volt DC battery systems. Compliance with IEEE 279-1971 The rod status circuitry and the scram pilot valve status circuitry together meet the requirements of IEEE 279-1971. The neutron monitoring system is designed to meet all the requirements of IEEE 279-1971 as a part of the reactor protection system. However, its RPS function is a "fail-safe" function, while safe shutdown display is not. Further, its RPS function terminates with the generation and maintenance of a shutdown signal. Taken in the aggregate, the neutron monitoring subsystem's redundancy, power switching capabilities, RPS capabilities, and expected time to failure under DBA environment conditions enable the neutron monitoring system to meet the functional requirements of IEEE 279-1971 as applicable to display instrumentation. 7.5-15 REV. 18, APRIL 2010

LSCS - UFSAR Table 7.5-1 (SHEET 1 OF 7) Position Indication for Reg. Guide 1.97 PCIV's Panel No. 1(2)H13-P601 Valve INBD MSIV INBD DRAIN INDICATION 1(2)B21-F016 Valve INBD MSIV INBD DRAIN INDICATION 1(2)B21-F019 Valve INBD MSIV INDICATION 1(2)B21-F022A Valve INBD MSIV INDICATION 1(2)B21-F022B Valve INBD MSIV INDICATION 1(2)B21-F022C Valve INBD MSIV INDICATION 1(2)B21-F022D Valve OTBD MSIV INDICATION 1(2)B21-F028A Valve OTBD MSIV INDICATION 1(2)B21-F028B Valve OTBD MSIV INDICATION 1(2)B21-F028C Valve OTBD MSIV INDICATION 1(2)B21-F028D Valve "A" FW HDR TEST CK VLV INDICATION 1(2)B21-F032A Valve "B" FW HDR TEST CK VLV INDICATION 1(2)B21-F032B Valve "A" FW HDR ISOL VLV INDICATION 1(2)B21-F065A Valve "B" FW HDR ISOL VLV INDICATION 1(2)B21-F065B Valve "A" OTBD MSIV DRAIN ISOL INDICATION 1(2)B21-F067A Valve "B" OTBD MSIV DRAIN ISOL INDICATION 1(2)B21-F067B Valve "C" OTBD MSIV DRAIN ISOL INDICATION 1(2)B21-F067C Valve "D" OTBD MSIV DRAIN ISOL INDICATION 1(2)B21-F067D Valve "A" RR SAMPLE INBD ISOL INDICATION 1(2)B33-F019 Valve "B" RR SAMPLE OTBD ISOL INDICATION 1(2)B33-F020 Valve "A" RHR PUMP SUCTION VLV INDICATION 1(2)E12-F004A Valve "B" RHR PUMP SUCTION VLV INDICATION 1(2)E12-F004B Valve "C" RHR PUMP SUCTION VLV INDICATION 1(2)E12-F004C Valve RHR SHTDN CLG SUCT OTBD ISOL INDICATION 1(2)E12-F008 Valve RHR SHTDN CLG SUCT INBD ISOL INDICATION 1(2)E12-F009 Valve "A" RHR DW SPRAY UPSTREAM ISOL INDICATION 1(2)E12-F016A Valve "B" RHR DW SPRAY UPSTREAM ISOL INDICATION 1(2)E12-F016B Valve "A" RHR DW SPRAY DWNSTRM ISOL INDICATION 1(2)E12-F017A Valve "B" RHR DW SPRAY DWNSTRM ISOL INDICATION 1(2)E12-F017B Valve "C" RHR TEST TO SP VLV INDICATION 1(2)E12-F021 Valve RHR HEAD SPRAY VLV INDICATION 1(2)E12-F023 Valve "A" RHR TEST TO SP VLV INDICATION 1(2)E12-F024A Valve "B" RHR TEST TO SP VLV INDICATION 1(2)E12-F024B Valve "A" RHR SP SPRAY ISOL INDICATION 1(2)E12-F027A Valve "B" RHR SP SPRAY ISOL INDICATION 1(2)E12-F027B Valve "A" RHR MIN FLOW VLV INDICATION 1(2)E12-F064A Valve "B" RHR MIN FLOW VLV INDICATION 1(2)E12-F064B Valve "C" RHR MIN FLOW VLV INDICATION 1(2)E12-F064C Valve "A" RHR LPCI INJ VLV INDICATION 1(2)E12-F042A Valve "B" RHR LPCI INJ VLV INDICATION 1(2)E12-F042B Valve "C" RHR LPCI INJ VLV INDICATION 1(2)E12-F042C TABLE 7.5-1 REV. 15, APRIL 2004

LSCS - UFSAR Table 7.5-1 (SHEET 2 OF 7) Valve "A" RHR SHTDN CLG RETURN ISOL INDICATION 1(2)E12-F053A Valve "B" RHR SHTDN CLG RETURN ISOL INDICATION 1(2)E12-F053B Valve "A" RHR SHTDN CLG RETURN CK BYP INDICATION 1(2)E12-F099A Valve "B" RHR SHTDN CLG RETURN CK BYP INDICATION 1(2)E12-F099B Valve LPCS PMP SUCT VLV INDICATION 1(2)E21-F001 Valve LPCS INJ VLV INDICATION 1(2)E21-F005 Valve LPCS MIN FLOW VLV INDICATION 1(2)E21-F011 Valve LPCS TEST TO SP VLV INDICATION 1(2)E21-F012 Valve HPCS INJECTION VLV INDICATION 1(2)E22-F004 Valve HPCS MIN FLOW VLV INDICATION 1(2)E22-F012 Valve HPCS PUMP SUCT FROM SP VLV INDICATION 1(2)E22-F015 Valve HPCS TEST TO SP VLV INDICATION 1(2)E22-F023 Valve RCIC STM OTBD ISOL VLV INDICATION 1(2)E51-F008 Valve RCIC PMP INJ VLV INDICATION 1(2)E51-F013 Valve RCIC PMP MIN FLOW VLV INDICATION 1(2)E51-F019 Valve RCIC UPSTREAM TEST VLV INDICATION 1(2)E51-F022 Valve RCIC PMP SUCT FROM SP VLV INDICATION 1(2)E51-F031 Valve RCIC TEST TO CST VLV INDICATION 1(2)E51-F059 Valve RCIC STM INBD ISOL VLV INDICATION 1(2)E51-F063 Valve RCIC TURB EXH ISOL VLV INDICATION 1(2)E51-F068 Valve BARO CNDSR VAC PMP DSCH VLV INDICATION 1(2)E51-F069 Valve RCIC STM INBD ISOL BYP VLV INDICATION 1(2)E51-F076 Valve RCIC TURB EXH VAC BKR DNSTM ISOL INDICATION 1(2)E51-F080 Valve RCIC TURB EXH VAC BKR UPSTM ISOL INDICATION 1(2)E51-F086 Valve RBCCW DW INLET OTBD ISOL VLV INDICATION 1(2)WR029 Valve RBCCW DW OUTLET OTBD ISOL VLV INDICATION 1(2)WR040 Valve RBCCW DW INLET INBD ISOL VLV INDICATION 1(2)WR179 Valve RBCCW DW OUTLET ISOL VLV INDICATION 1(2)WR180 Panel No. 1(2)H13-P602 Indicator "A" RR FCV HPU OTBD ISOL VLV (Note 1) 1(2)B33-R819 Indicator "A" RR FCV HPU INBD ISOL VLV (Note 1) 1(2)B33-R820 Indicator "B" RR FCV HPU OTBD ISOL VLV (Note 1) 1(2)B33-R821 Indicator "B" RR FCV HPU INBD ISOL VLV(Note 1) 1(2)B33-R822 Valve RWCU SUCT INBD ISOL VLV INDICATION 1(2)G33-F001 Valve RWCU SUCT OTBD ISOL VLV INDICATION 1(2)G33-F004 Valve RWCU RETURN DWNST ISOL VLV INDICATION 1(2)G33-F040 Panel No. 1(2)PM06J Valve MIMIC OR VALVE SWITCH INDICATION 1(2)VQ026 Valve MIMIC OR VALVE SWITCH INDICATION 1(2)VQ027 Valve MIMIC OR VALVE SWITCH INDICATION 1(2)VQ029 Valve MIMIC OR VALVE SWITCH INDICATION 1(2)VQ030 Valve MIMIC OR VALVE SWITCH INDICATION 1(2)VQ031 TABLE 7.5-1 REV. 15, APRIL 2004

LSCS - UFSAR Table 7.5-1 (SHEET 3 OF 7) Valve MIMIC OR VALVE SWITCH INDICATION 1(2)VQ032 Valve MIMIC OR VALVE SWITCH INDICATION 1(2)VQ034 Valve MIMIC OR VALVE SWITCH INDICATION 1(2)VQ035 Valve MIMIC OR VALVE SWITCH INDICATION 1(2)VQ036 Valve MIMIC OR VALVE SWITCH INDICATION 1(2)VQ040 Valve MIMIC OR VALVE SWITCH INDICATION 1(2)VQ042 Valve MIMIC OR VALVE SWITCH INDICATION 1(2)VQ043 Valve MIMIC OR VALVE SWITCH INDICATION 1(2)VQ047 Valve MIMIC OR VALVE SWITCH INDICATION 1(2)VQ048 Valve MIMIC OR VALVE SWITCH INDICATION 1(2)VQ050 Valve MIMIC OR VALVE SWITCH INDICATION 1(2)VQ051 Valve MIMIC OR VALVE SWITCH INDICATION 1(2)VQ068 Valve "A" DW COOLER OTBD ISOL VLV INDICATION 1(2)VP053A Valve "B" DW COOLER OTBD ISOL VLV INDICATION 1(2)VP053B Valve "A" DW COOLER OTBD ISOL VLV INDICATION 1(2)VP063A Valve "B" DW COOLER OTBD ISOL VLV INDICATION 1(2)VP063B Valve "A" DW COOLER INBD ISOL VLV INDICATION 1(2)VP113A Valve "B" DW COOLER INBD ISOL VLV INDICATION 1(2)VP113B Valve "A" DW COOLER INBD ISOL VLV INDICATION 1(2)VP114A Valve "B" DW COOLER INBD ISOL VLV INDICATION 1(2)VP114B Panel No. 1(2)PM13J Valve DW PNEUMATICS SUCT UPSTRM ISOL INDICATION 1(2)IN001A Valve DW PNEUMATICS SUCT DNSTRM ISOL INDICATION 1(2)IN001B Valve DW PNEUMATICS 100LB HDR ISOL INDICATION 1(2)IN017 Valve DW PNEUMATICS TIP INDXR PRG ISOL INDICATION 1(2)IN031 Valve DW DRYER PRG OTLT DNSTM ISOL VLV INDICATION 1(2)IN074 Valve DW DRYER PRG OTLT UPSTM ISOL VLV INDICATION 1(2)IN075 Valve DW SUCT UPSTREAM ISOL INDICATION 1(2)CM017A Valve DW SUCT UPSTREAM ISOL INDICATION 1(2)CM017B Valve DW SUCT DOWNSTREAM ISOL INDICATION 1(2)CM018A Valve DW SUCT DOWNSTREAM ISOL INDICATION 1(2)CM018B Valve SUP CHBR RTN UPSTREAM ISOL INDICATION 1(2)CM019A Valve SUP CHBR RTN UPSTREAM ISOL INDICATION 1(2)CM019B Valve SUP CHBR RTN DOWNSTREAM ISOL INDICATION 1(2)CM020A Valve SUP CHBR RTN DOWNSTREAM ISOL INDICATION 1(2)CM020B Valve 1(2)PL75J SP SUCT UPSTREAM INDICATION 1(2)CM027 Valve 1(2)PL75J SP SUCT DOWNSTREAM INDICATION 1(2)CM028 Valve 1(2)PL75J DW SUCT UPSTREAM INDICATION 1(2)CM029 Valve 1(2)PL75J DW SUCT DOWNSTREAM INDICATION 1(2)CM030 Valve 24 POINT SAMPLE UPSTRM ISOL VLV INDICATION 1(2)CM031 Valve 24 POINT SAMPLE DWNSTRM ISOL VLV INDICATION 1(2)CM032 Valve 1(2)PL75J/15J SP UPSTREAM RTN INDICATION 1(2)CM033 Valve 1(2)PL75J/15J SP DOWNSTREAM RTN INDICATION 1(2)CM034 TABLE 7.5-1 REV. 15, APRIL 2004

LSCS - UFSAR Table 7.5-1 (SHEET 4 OF 7) Panel No. 1(2)PM16J Valve DW SUCT UPSTREAM ISOL INDICATION 1(2)HG001A Valve DW SUCT UPSTREAM ISOL INDICATION 1(2)HG001B Valve DW SUCT DOWNSTREAM ISOL INDICATION 1(2)HG002A Valve DW SUCT DOWNSTREAM ISOL INDICATION 1(2)HG002B Valve SP RETURN DOWNSTREAM ISOL INDICATION 1(2)HG005A Valve SP RETURN DOWNSTREAM ISOL INDICATION 1(2)HG005B Valve SP RETURN UPSTREAM ISOL INDICATION 1(2)HG006A Valve SP RETURN UPSTREAM ISOL INDICATION 1(2)HG006B Valve DWEDS PMPS SUCT UPSTRM ISOL VLV INDICATION 1(2)RE024 Valve DWEDS PMPS SUCT DNSTM ISOL VLV INDICATION 1(2)RE025 Valve DWEDS RECIRC DNSTM ISOL VLV INDICATION 1(2)RE026 Valve DWEDS RECIRC UPSTRM ISOL VLV INDICATION 1(2)RE029 Valve DWFDS PMPS SUCT UPSTRM ISOL VLV INDICATION 1(2)RF012 Valve DWFDS PMPS SUCT DNSTM ISOL VLV INDICATION 1(2)RF013 TABLE 7.5-1 REV. 15, APRIL 2004

LSCS - UFSAR Table 7.5-1 (SHEET 5 OF 7) Table 7.5-1 Position Indication for Reg. Guide 1.97 PCIV's Note 1 1(2)B33-F338A,B 1(2)B33-F339A,B 1(2)B33-F340A,B 1(2)B33-F341A,B 1(2)B33-F342A,B 1(2)B33-F343A,B 1(2)B33-F344A,B 1(2)B33-F345A,B The Reactor Recirculation Hydraulic Flow Control Line Isolation Valves are solenoid operated valves with position indication for each valve provided in the Auxiliary Electric Equipment Room. Control Room indication of the valve position status is provided by indicating lights 1(2)B33R819 1(2)B33R820 1(2)B33R821 1(2)B33R822. Each indicating light indicates that the position status of the group of valves associated with RR Hydraulic Flow control line penetration e.g. the position indicating light of the A Loop RR Flow Control Line Isolation Inboard isolation valves indicates closed when all four inboard isolation valves associated with the A RR Control Lines are closed; otherwise the indicated position of the penetration is not closed (deenergized). A similar position indicating light is likewise provided for the A RR Hydraulic Line Outboard Isolation Valves, and the B RR Hydraulic Line Inboard Isolation Valves and Outboard Isolation Valves. The Control Room position indicating lights are considered Reg. Guide 1.97. Exceptions to the general criteria: Note 2 (2)CM021B 1(2)CM022A 1(2)CM023B 1(2)CM024A 1(2)CM025A 1(2)CM026B POST-LOCA Containment Monitoring Isolation Valves are solenoid operated valves that automatically open during accident conditions. UFSAR Table 6.2-21 List of Containment Penetrations and Containment Valves indicates in Note 40 that the POST_LOCA valves are required to open and remain open following a LOCA to allow the containment to be sampled. The sample system constitutes a closed loop outside of containment and is tested in the Type A PC Integrity Test. Since the valves do not provide information related to Containment Integrity, they are not included as a Reg. Guide 1.97 Category B Variable for Primary Containment Integrity. Note 3 1(2)C41-F004A, 1(2)C41-F004B Position indication for the Standby Liquid Control (SLC) squib valves is not classified as a Reg. Guide 1.97 variable. The containment penetration associated with the SLC has both an inboard and outboard check valve isolation. The squib valves are closed unless the SLC system is manually initiated by the control room operator. Therefore the position of the squib valves is not required for the operator to ascertain containment integrity as indicated in Table 1 of Reg. Guide 1.97. TABLE 7.5-1 REV. 15, APRIL 2004

LSCS - UFSAR Table 7.5-1 (SHEET 6 OF 7) Note 4 1(2)C51-J004 Position indication for the Traversing Incore Probe (TIP) system is not a Reg. Guide 1.97 variable. The TIP system isolation and ball valve position indication are classified as non-safety related. There are no specific regulatory or IEEE requirements for the TIP subsystem. UFSAR Table 6.2-21 Note 18 and UFSAR 7.7.6.4 describe the TIP system isolation and the backup explosive shear valves. The ball valve position indication is in the control room. A common pair of position indicating lights indicates the TIP ball valves closed when all five valves are closed. The TIP valves are not included as Reg. Guide 1.97 equipment for the same reason that the NRC did not require the valves to be safety related. The penetration is normally closed. A maximum of four valves may be opened at any one time to perform calibration and any one guide tube is used at most a few hours per year. If a TIP cable fails to withdraw or ball valve fails to close, the explosive shear valve is actuated. Note 5 1(2)E12-F011A/B, 1(2)E12-F073A/B, 1(2)E12-F074A/B, 2E51-F064 RHR Steam Condensing Mode Valves, which have been administratively deactivated in the closed position during Unit operation Modes 1, 2 and 3, are not classified as Reg. Guide 1.97 indication. UFSAR 5.4.7.2.2.3 Steam Condensing Mode states that On-Site Review 92-37 was performed by LaSalle Station to delete the Steam Condensing Mode of Residual Heat Removal System Operation from use at LaSalle. The procedures governing Steam Condensing Mode Operation have been deleted and a review of other procedures that operate the below listed valves, concluded that these valves are not required to operate in plant emergency procedures. The active safety related function of the actuators has been deleted and the valves will only be opened in Operating Conditions 4, 5, and Defueled to support infrequent non-safety related functions. Note 6 1(2)IN100, 1(2)IN101 Drywell pneumatics to ADS accumulator valves are not classified as Reg. Guide 1.97 indication. The drywell pneumatics to ADS accumulator valves have a similar safety function as that of the POST-LOCA containment monitoring isolation valves in that the safety function of the valves is in the open position and the valves are designed to fail open. The ADS drywell pneumatics valves provide instrument nitrogen from either the Instrument Nitrogen System or nitrogen bottle banks. The bottled nitrogen allows operation of the ADS valves following an accident via continuous supply to the two groups of ADS accumulators. The lines are continuously monitored for leakage by pressure instrumentation that alarms in the control room on low pressure. Since the function of the valves is to be open during an accident, the position indication of these valves is not required for Primary Containment Integrity status. TABLE 7.5-1 REV. 15, APRIL 2004

LSCS - UFSAR Table 7.5-1 (SHEET 7 OF 7) Note 7 1(2)CM085, 1(2)CM086, 1(2)CM089, 1(2)CM090 The High Radiation Sampling System (HRSS) Air Sampling Isolation Valves are solenoid operated valves that are normally closed and administratively deactivated by the removal of the control fuses.. The procedures, which control these valves, ensure that the valves are only opened under administrative controls within the constraints of the applicable Technical Specifications. As such, the valves are considered equivalent to locked or sealed closed manual valves. The valves are closed unless the use of the valves is authorized by the control room operator. Therefore the position of the valves is not required for the operator to ascertain containment integrity as indicated in Table 1 of Reg. Guide 1.97. Note 8 1(2)PC009A, 1(2)PC010A Position indication for the Hardened Containment Vent System (HCVS) Primary Containment Isolation Valves is not classified as a Reg. Guide 1.97 variable. The HCVS Primary Containment Isolation Valves are equipped with safety-related, spring to close / gas to open (fail closed) actuators. The solenoid valves that must be energized to open the PCIVs are normally de-energized by a key-locked switch in the Main Control Room. Furthermore, inadvertent opening of a solenoid valve by operator error or an electrical fault would not deliver compressed gas to the associated actuator because the manual gas supply isolation valve will be in its normally lock closed position. Opening the manual gas supply isolation valve due to operator error would not deliver compressed gas to the valve actuators because the solenoid valves will be in their de-energized, normally closed position. The procedures that control these valves ensure that the valves are only opened under administrative controls within the constraints of the applicable Technical Specifications. As such, the valves are considered equivalent to locked or sealed closed manual valves. Therefore, the position of the valves is not required for the operator to ascertain containment integrity as indicated in Table 1 of Reg. Guide 1.97. TABLE 7.5-1 REV. 24, APRIL 2020

LSCS-UFSAR 7.6 OTHER INSTRUMENTATION REQUIRED FOR SAFETY This section discusses the instrumentation and control aspects of the following systems:

a. Process Radiation Monitoring System.

1. Reactor Building Ventilation Exhaust Plenum Monitoring System.

2. Fuel Pool Vent Plenum Radiation Monitoring Subsystem.

b. Leak Detection System.

1. Main Steamline Leak Detection.

2. RCIC System Leak Detection.

3. RHR System Leak Detection.

4. Reactor Water Cleanup System Leak Detection.

c. Neutron Monitoring System.

1. Intermediate Range Monitor Subsystem.

2. Average Power Range Monitor Subsystem.

d. Recirculation Pump Trip System.

7.6.1 Process Radiation Monitoring System Instrumentation and Controls A number of radiation monitors and monitoring subsystems are provided on process liquid and gas lines that may serve as discharge routes for radioactive materials. The safety-related subsystems include the following:

a. reactor building vent exhaust plenum radiation monitoring subsystem, and

b. fuel pool vent plenum radiation monitoring subsystem.

These subsystems are described individually in the following paragraphs. The non-safety-related radiation monitoring subsystems are discussed in Subsection 7.7.14. 7.6.1.1 Main Steamline Radiation Monitoring Subsystem (See Subsection 7.7.14.5) 7.6-1 REV. 15, APRIL 2004

LSCS-UFSAR 7.6.1.2 Reactor Building Vent Exhaust Plenum Radiation Monitoring Subsystem 7.6.1.2.1 Design Bases 7.6.1.2.1.1 Safety Design Bases The subsystem shall:

a. Provide the capability of detecting gamma radiation level in the reactor building vent exhaust plenum.

b. Initiate control signals in the event the radiation level exceeds a predetermined level to isolate the reactor building vent system, to initiate the standby gas treatment system, and to close primary containment purge and vent valves.

c. Provide alarms as the radiation level approaches the trip level for isolation or as the level has reached the trip level.

The subsystem instrumentation and controls conform to the specific regulatory requirements shown in Tables 7.1-2 and 7.1-7. 7.6.1.2.1.2 Power Generation Design Bases The subsystem provides an indication in the control room of the gross gamma radiation level and provides the recorder signal. 7.6.1.2.2 System Description Subsystem Identification The purpose of this subsystem is to indicate when excessive amounts of radioactive gases exist in the reactor building and to effect appropriate action so that the release of radioactive gases to the environs is controlled. Power Sources The 120-Vac RPS Buses A and B are the power sources for this subsystem. Two channels receive power from one RPS bus, and the other two channels receive power from the other RPS bus. Equipment Design The reactor building ventilation exhaust plenum radiation monitoring subsystem is shown in Drawing No. M-153, sheets 1 and 6, and characteristics are given in Table 7.3-3. The subsystem consists of four independent channels. 7.6-2 REV. 13

LSCS-UFSAR Each channel includes a Geiger-Muller type detector and an indicator and trip unit. The four channels share two inputs on a recorder. All equipment except the detectors is located in the control room. The detectors are located in the vent plenum. Each channel has two trips. The upscale trip indicates high radiation, and the downscale trip indicates instrument trouble. When the instrument is switched to "calibrate", it is considered to be inoperative. Any one trip sounds an alarm in the control room. Two upscale trips, two inoperative trips, or one upscale trip and one inoperative trip on either set of channels will shut down the containment ventilation system, start the standby gas treatment system, and initiate closure of the various containment purge and exhaust paths. Testability The monitors are readily accessible for inspection, calibration, and testing. The reactor building vent exhaust plenum radiation monitoring subsystem and the response of the plant ventilation systems and standby gas treatment system are routinely tested. Operation of the detectors can be verified through use of a portable gamma source. Environmental Considerations The environmental considerations are given in Section 3.11. Operational Considerations The reactor building vent exhaust plenum radiation monitoring subsystem is designed to function under all operating conditions. It is designed to withstand the environment which would accompany a containment high radiation situation. 7.6.1.2.3 Analysis 7.6.1.2.3.1 General Functional Requirement Conformance The physical location and monitoring characteristics of the reactor building ventilation exhaust plenum radiation monitoring channels are adequate to detect abnormal amounts of radioactivity in the reactor building vent plenum and to initiate isolation. The redundancy and arrangement of channels ensure that no single failure can prevent isolation when required. During refueling operation (including criticality tests), the monitoring system acts as an engineered safeguard against the consequences of the refueling accident and the rod drop accident. The response of the reactor building ventilation exhaust plenum radiation monitoring subsystem to the refueling accident is presented in Chapter 15.0. 7.6-3 REV. 15, APRIL 2004

LSCS-UFSAR 7.6.1.2.3.2 Specific Requirement Conformance .A presents the system conformance to IEEE criteria and other regulatory requirements. 7.6.1.2.3.3 Regulatory Guides This topic is discussed in Appendix B. 7.6.1.2.3.4 10 CFR 50 Appendix A Criterion 13 The subsystem conforms to Criterion 13 in that the instruments employed more than adequately cover the anticipated range of radiation under normal operating conditions with sufficient margin to include postulated accident conditions. Criterion 20 The subsystem conforms to Criterion 20 in that activation of the trip circuit will result in alarm annunciator activation and, depending upon the specific trip, a trip indication being sent to the plant vent system, the standby gas treatment system, and the containment system. Criterion 21 The subsystem conforms to Criterion 21 in that redundant circuits are an integral part of the system design. Criterion 22 The subsystem conforms to Criterion 22 in that the effects of natural phenomena and normal operation (including testing) do not result in loss of protection. Criterion 23 The subsystem conforms to Criterion 23 in that the trip circuits associated with each channel have been designed to specifically "fail-safe" in the event of loss of power. Criterion 24 The subsystem conforms to Criterion 24 in that manufacturing construction features assume separation from the control system. 7.6-4 REV. 14, APRIL 2002

LSCS-UFSAR Criterion 29 No anticipated operational occurrence can prevent this equipment from performing its safety function. Criterion 64 Continuous radiation monitoring is provided for this discharge path under all reactor conditions. 7.6.1.3 Fuel Pool Ventilation Exhaust Plenum Radiation Monitoring Subsystem 7.6.1.3.1 Design Bases 7.6.1.3.1.1 Safety Design Bases The subsystem:

a. Provides the capability of detecting gamma radiation level in the fuel pool vent exhaust plenum.

b. Initiates control signals in the event the radiation level exceeds a predetermined level to isolate the reactor building vent system, to initiate the standby gas treatment system, and to close primary containment purge and vent valve.

c. Provides alarms as the radiation level approaches the trip level for isolation or as the level has reached the trip level.

The subsystem instrumentation and controls conform to the specific requirements shown in Tables 7.1-2 and 7.1-7. 7.6.1.3.1.2 Power Generation Design Bases The subsystem provides an indication in the control room of the gross gamma radiation level and provides the recorder signal. 7.6.1.3.2 Description The fuel pool vent plenum radiation monitoring subsystem is identical to the reactor building ventilation exhaust plenum monitoring subsystem, which is discussed in Subsection 7.3.2.2.3. 7.6-5 REV. 13

LSCS-UFSAR 7.6.1.3.3 Analysis The analysis for the reactor building vent exhaust plenum radiation monitoring subsystem, discussed in subsection 7.6.1.2.3 and Attachment 7.A, applies to this system since they are identical. 7.6.2 Reactor Coolant Pressure Boundary Leakage Detection 7.6.2.1 Design Bases 7.6.2.1.1 Safety Design Bases The safety design bases for the leak detection systems are as follows:

a. Signals are provided to permit isolation of abnormal leakage before the results of this leakage become unacceptable.

b. The unacceptable results are as follows:

1. A threat of significant compromise to the reactor coolant pressure boundary.

2. A leakage rate in excess of the coolant makeup capability to the reactor vessel.

The part of leak detection that is related to isolation circuits is designed to meet requirements of the engineered safety feature systems and to comply with the specific regulatory requirements listed in Tables 7.1-2 and 7.1-8. 7.6.2.1.2 Power Generation Design Basis A means is provided to detect abnormal leakage from the reactor coolant pressure boundary. 7.6.2.2 General System Description The instrumentation and controls associated with the leak detection system are discussed in Subsection 5.2.5. Associated automatic valve isolating logic is defined to be part of the containment and reactor vessel isolation control system (Subsection 7.3.2) and RCIC instrumentation and control system (Subsection 7.4.1) and is described in those subsections. The safety-related portions of the leak detection system perform the following functions:

a. Main Steamline Leak Detection.

7.6-6 REV. 13

LSCS-UFSAR

b. RCIC System Leak Detection.

c. RHR System Leak Detection.

d. Reactor Water Cleanup System Leak Detection.

Non-safety-related portions of the leak detection system are discussed in Subsection 7.7.15. The purpose of the leak detection instrumentation and controls is to provide the signals necessary to detect and isolate leakage from the reactor coolant pressure boundary before predetermined limits are exceeded. 7.6.2.2.1 Power Sources Power separation is applicable to leak detection signals that are associated with the isolation valve systems. Four power sources are used to comply with separation criteria. Equipment associated with Division 1 is powered by 120-Vac Instrument Bus A. Division 2 equipment is powered by 120-Vac Instrument Bus B. 7.6.2.2.2 Equipment Design The systems or parts of systems which contain water or steam coming from the reactor vessel or which supply water to the reactor vessel, and which are in direct communication with the reactor vessel, are provided with leakage detection systems as listed above (Figure 7.3-7 and Drawing Nos. M-155 and M-157). 7.6.2.2.3 Main Steamline Leak Detection The main steamline leak detection subsystem consists of three types of monitoring circuits. The first of these monitors the ambient and differential area temperature, triggering the alarm circuit and main steamline isolation valve logic when the observed temperature rises above a preset maximum. The second circuit monitors the mass flow rate through the main steamlines and uses this information for comparison purposes and to trigger the alarm circuit and close isolation valves when the observed flow rate exceeds a preset maximum. The third type of circuit detects low water level in the reactor vessel and sends a trip signal to the isolation valve logic when the level decreases below a preselected setpoint. 7.6-7 REV. 16, APRIL 2006

LSCS-UFSAR Thermocouples are positioned in the main steamline tunnel so that they are screened from direct incident-radiated heat and yet are still able to respond to the temperature of the ambient air. All of the thermocouples are terminated on Digital Recorders located in the control room, which compute and display differential temperatures for the rooms as well as the ambient temperatures. Output relays from the recorders will initiate alarms and isolations when the associated temperatures exceed predefined setpoints. There are no isolations associated with ambient temperatures. During start-up of the reactor building ventilation system, the differential temperature isolation circuits are bypassed, preventing a trip signal to initiate the isolation logic, and an alarm is provided for indicating the bypass function. All other alarm and indicating functions provided by the ambient temperature and differential temperature circuits under this condition will function as previously stated above. This will prevent spurious isolations resulting from reactor building temperature transients that are experienced during the start-up of the reactor building ventilation system. Each main steamline is instrumented to monitor the steam flow rate through it. The flow rate monitoring components of the main steamline leak detection system consist of a set of four differential pressure switches (DPS) and an associated steam flow restrictor for each main steamline. The outputs of the DP switches are connected to components of the primary containment and reactor vessel isolation system and give a coincidence signal for main steamline flow below the setpoint trip value. Flow rates in excess of the predetermined setpoint will cause DPS actuation. Reactor water level is monitored to indicate the presence of a steam leak. Under conditions of normal reactor operation at constant power, reactor water level should remain fairly constant at its programmed level, since the rate of steam mass flow leaving the boiler is matched by the feedwater mass flow rate into the vessel. However, given a condition of continued steam leakage from the closed system, the reservoir of condensate to be returned to the reactor vessel decreases, and the reactor water level soon cannot be maintained. Reactor water level is monitored by four level switches as part of the design of the nuclear steam supply system in addition to the normal complement of process monitoring instruments. Reactor water level falling below the predetermined minimum allowable level will result in switch actuation and subsequent primary containment and reactor vessel isolation system response. 7.6-8 REV. 16, APRIL 2006

LSCS-UFSAR 7.6.2.2.4 RCIC System Leak Detection Subsystem Function The steam circuits of the RCIC system are constantly monitored for leaks by a leak detection subsystem. Leaks from the RCIC will cause a change in at least one of the following monitored operating parameters: sensed area temperature, steam pressure, or steam flow rate. If the monitored parameters indicate that a leak may exist, the detection subsystem (Figure 7.3-7 and Drawing Nos. M-155 and M-157) responds by activating an annunciator and initiating a RCIC isolation trip logic signal. Theory of Operation The RCIC leak detection subsystem consists of three types of monitoring circuits. The first of these monitors ambient and differential temperature to trigger an annunciator when the observed temperature rises above a preset maximum. The second type monitors the flow rate (differential pressure) through the steamline and triggers an annunciator when the observed differential pressure rises above a preset maximum. The third type of circuit monitors the steamline pressure upstream of the differential pressure element and is also annunciated. Alarm outputs from all three circuits are also used to generate the RCIC autoisolation signal. The area temperature monitoring circuit is similar to the one described for the main steamline tunnel temperature monitoring system except both ambient and differential temperature monitoring circuits send trip signals to the isolation logic. (see Subsection 7.6.2.2.3). The RCIC equipment area and RCIC pipe chase also utilize ambient temperature leak detection monitors in these respective areas. Isolation will occur at the established leakage rate limit (25 gpm) or below regardless of the ambient temperature under normal operational conditions (i.e., CSCS cubicle area coolers not operating). If the CSCS cubicle coolers are operating, the leakage rate at which isolation will be actuated will be slightly higher (approximately 40-50 gpm). The leakage rate at which an alarm is actuated will be at the established rate (5 gpm) during design ambient temperature conditions expected during summer. During winter design conditions, the leakage rate a which the alarm is actuated will be slightly higher, but always less than the established isolation actuation leakage rate limit. During winter design conditions, the differential temperature alarm actuation is conservative (i.e., actuates at leakage rates less than the established limit). The RCIC equipment area differential temperature detectors monitor the temperature differential between the general area from which the reactor building ventilation is induced, and the temperature in the equipment area. The RCIC pipe chase differential is monitored between the ducted supply ventilation and the chase temperature. 7.6-9 REV. 13

LSCS-UFSAR The steamline from the nuclear boiler leading to the RCIC turbine is instrumented with one set of two differential pressure switches connected to measure the differential pressure created as steam flows past an elbow in the line so that the steam flow rate through it can be monitored. In the presence of a leak, the RCIC system responds by generating the autoisolation signal. Steamline pressure to the RCIC turbine is monitored to detect gross system leaks that may occur upstream of the differential pressure element (elbow), causing the line pressure to drop to an abnormally low level. This line pressure is monitored by the pressure switches which also monitor RHR steamline pressure (see Subsection 7.6.2.2.5). 7.6.2.2.5 RHR System Leak Detection Subsystem Function The RHR system is constantly monitored for leaks by the leak detection system (Figure 7.3-7 and Drawing Nos. M-155 and M-157). Leaks from the RHR system are detected by flow rate and system pressure similar to the RCIC system. Logics from all these channels are used to generate RHR auto isolation signals and alarm communication. If the monitored parameters indicate that a leak may exist, the detection system responds by activating an annunciator and initiating a RHR isolation trip logic signal. Theory of Operation The RHR system is a moderate energy system. Since temperature and differential temperature leak detection monitors are only effective for hot (high energy) systems, other means of leak detection are relied upon. The RHR leak detection subsystem consists of two types of monitoring circuits. The first monitors the flow rate (differential pressure) through the steamline, triggering an annunciator when the observed differential pressure (flow) rises above a preset maximum. The second type of circuit monitors the line pressure upstream of the differential pressure element and is also annunciated. Alarm outputs from both circuits are also used to generate the RHR autoisolation signal. Flow rate monitoring is provided on the RHR shutdown cooling suction line. Flow rates in excess of the predetermined maximum are indicative of a line leak or break and will generate differential pressure heads of sufficient magnitude to cause DPS actuation. Process line pressure is monitored to detect gross system leaks that may occur upstream of the flow element, causing the line pressure to drop to an abnormally low level. Line pressure is monitored by two pressure switches actuating on low pressure. 7.6-10 REV. 13

LSCS-UFSAR Additionally, differential pressure between RHR lines and RHR and LPCS lines is monitored by differential pressure-indicating switches to detect RHR or LPCS line break. Annunciation is provided in the main control room. Floor drain and radiation monitors are also available to indicate system leakage from the RHR equipment areas. 7.6.2.2.6 Reactor Water Cleanup System Leak Detection Subsystem Function The purpose of this part of the leak detection system is to monitor the reactor cleanup system components and activate a system annunciator should a system leak of sufficient magnitude occur. In addition to annunciation, a high flow comparison activates automatic isolation of the cleanup system. Theory of Operation The reactor water cleanup (RWCU) leak detection subsystem consists of three types of monitoring circuits. The first of these monitors the ambient and differential temperature of the RWCU Pump and Heat Exchanger Rooms, Holdup Pipe Room, and F/D Valve Rooms, triggering the alarm circuit and isolation of RWCU isolation logic when the monitored temperature rises above a preset maximum. For Unit 2, monitors are located in the Heat Exchanger Rooms only. The area temperature monitoring circuit is similar to the one described for the main steamline temperature monitoring system except both ambient and differential temperature monitoring circuits send trip signals to the isolation logic. (see Subsection 7.6.2.2.3 and Figure 7.6-1). The reactor water cleanup leak detection subsystem includes an area drain monitoring system. The monitoring subsystem activates an annunciator when the reactor building sump flow exceeds a predetermined value. In addition to floor drain detection methods, leakage is also monitored by the flow comparison of water inlet and outlet flow rate. The floor drain monitoring circuits are described in Subsection 7.7.15.2.8. RWCU pump suction flow is monitored, and provides for alarm and isolation for RWCU pipe break flow rates. A time delay is incorporated in the circuit to avoid spurious trips due to operational transients. This delay is based on the HELB analysis. 7.6-11 REV. 13

LSCS-UFSAR RWCU system inlet flow is compared to RWCU outlet flow to the feedwater lines or to the main condenser. A flow element, flow transmitter, and square root converter provide signals to a flow summer which trips two timers and activates an alarm at a preselected difference in flows. After a time delay to avoid spurious trips, the time switches trip differential flow alarm units, activating isolation. Flow indication for return to feedwater or to main condenser/waste collection surge tanks and differential flow indication are provided in the control room. The RWCU differential flow instrumentation measures volumetric flow with no temperature compensation and, therefore, no correction for differences in coolant densities. The system is designed for power operation temperatures and pressures. The RWCU System leak detection interlocks for area high and differential temperature and for RWCU System differential flow are bypassed for less than 1 hour by operation of test bypass keylock switches during spurious trips of Reactor Building ventilation to prevent unnecessary RWCU System isolation due to higher ambient temperatures expected when the Reactor Building ventilation is off. Alarms from the leak detection devices remain available to provide Operator warning small line leaks. Isolation logic is restored to normal upon restart of Reactor Building ventilation. During operational conditions when the Unit is in cold shutdown, refuel, or defueled, the Reactor Water Cleanup System Leak Detection Isolation trip functions may be continuously bypassed. These isolations consist of RWCU HX Room Area High Temperature and High Differential Temperature, High RWCU Differential Flow and the associated leak detection power monitoring trip function. These isolation are associated with high energy line breaks (HELB) and detecting leakage related to operational conditions when the RWCU system is at high temperatures (above 212 degrees F). These isolations are not required during conditions when the reactor coolant is at conditions of low energy and low temperature. During these shutdown/refuel/defueled conditions the above Leak Detection isolation functions are not required operable by the corresponding Technical Specification. 7.6.2.2.7 Testability The proper operation of the sensors and the logic associated with the leak detection systems is verified during the leak detection system preoperational test and during inspection tests that are provided for the various components during plant operation. 7.6-12 REV. 20, APRIL 2014

LSCS-UFSAR All temperatures are monitored by dual element thermocouples. One element of each is connected to the digital recorders, which allows for the second element to be used as an in-place spare. Detailed testing and calibration for each digital recorder can be performed using standard test and calibration procedures. Alarm and indictor lights monitor the status of the trip circuit. Each digital recorder has indications on their display screens that will indicate the status of the channel alarms. Setpoints are revised using the modification process to revise the configuration file for the specific affected recorder(s). In addition, keylock test switches are provided so that the logic can be tested without sending an isolation signal to the system involved. Thus, a complete system check can be confirmed by checking activation of the isolation relay associated with each switch. Detailed testing and calibration for each RWCU differential flow leak detection alarm units can be performed using standard test and calibration procedures. Alarm and indicator lights monitor the status of the trip circuit. Testing of flow, reactor vessel level, and pressure leak detection equipment is described in Subsection 7.3.2. 7.6.2.2.8 Environmental Considerations The sensors, wiring, and electronics which are associated with the isolation valve logic are designed to withstand the conditions that follow a loss-of-coolant accident. 7.6.2.3 Analysis 7.6.2.3.1 General Functional Requirement Conformance The part of leak detection system instrumentation that is related to the system isolation circuitry is designed to meet requirements of the primary containment and reactor vessel isolation control system. There are at least two different methods of detecting abnormal leakage from each reactor coolant pressure boundary system within the primary containment and in each area as shown in Table 5.2-8. The instrumentation is designed so that it may be set to provide alarms at established leakage rate limits and isolate the affected system if necessary. The alarm points are determined analytically, based on design data and on measurements of appropriate parameters made during startup and preoperational tests. This satisfies the power generation design bases and safety design bases. 7.6-13 REV. 16, APRIL 2006

LSCS-UFSAR 7.6.2.3.2 Specific Requirement Conformance A presents the system conformance to IEEE criteria and other regulatory requirements. 7.6.2.3.3 Regulatory Guides This topic is discussed in Appendix B. 7.6.2.3.4 10 CFR 50 Appendix A Criterion 13 The leak detection sensors and associated electronics are designed to monitor the reactor coolant leakage over all expected ranges required for the safety of the plant. Automatic initiation of the system isolation action, reliability, testability, independence, and separation have been factored into leak detection design as required for isolation systems. Criterion 19 Controls and instrumentation are provided in the control room. Criterion 20 Leak detection equipment senses accident conditions and initiates the containment and reactor vessel isolation control system when appropriate. Criterion 21 Protection related equipment is arranged in two redundant divisions and maintained separately. Testing is covered in the conformance discussion for regulatory guides. Criterion 22 Protection related equipment is arranged in two redundant divisions so no single failure can prevent isolation. Functional diversity of sensed variables is utilized. Criterion 23 Signals provided are such that isolation logic is fail safe. 7.6-14 REV. 14, APRIL 2002

LSCS-UFSAR Criterion 24 The system has no control functions. Criterion 29 No anticipated operational occurrence can prevent an isolation. Criterion 30 The system provides means for detection and generally locating the source of reactor coolant leakage. This criterion also applies to the sump, drywell, recirculating pump, and ADS leak monitoring equipment. Criterion 33 The leak detection total leakage limitations are confined to conservative levels far below the coolant makeup capacity of the RCIC system. Criterion 34 Leak detection is provided for the RHR shutdown cooling and RCIC lines penetrating the drywell. Criterion 35 ECCS leak detection is augmented by the sump monitoring system portion of the leak detection system. ECCS leaks can easily be identified by operator correlation of various flow, pressure, and reactor vessel level signals transmitted to the control room. Criterion 54 Leak detection is provided for main steam, RCIC, RHR shutdown cooling, and reactor water cleanup lines penetrating the drywell. Sump fill rate monitoring provides leak detection for other pipes penetrating the drywell and reactor buildings. 7.6.3 Neutron Monitoring System Instrumentation and Controls 7.6.3.1 General System Description The safety-related subsystems of the neutron monitoring system consist of the following:

a. intermediate range monitor (IRM) subsystem, and 7.6-15 REV. 13

LSCS-UFSAR

b. average power range monitor (APRM) subsystem.

c. oscillation power range monitor (OPRM) subsystem The purpose of this system is to detect excessive neutron flux in the core and provide signals to the reactor protection system and the rod block portion of the rod control management system. It also provides information for operation and control of the reactor.

The OPRM subsystem detects and suppresses potential core power oscillations at high power and low flow conditions, in order to prevent exceeding the fuel safety limits. The IRM, APRM, and OPRM subsystems provide a safety function and have been designed to meet particular requirements established by the NRC. The LPRM subsystem has been designed to provide a sufficient number of LPRM inputs to the APRM and OPRM subsystems to meet their requirements. Although, the LPRM subsystem was originally not considered a safety system, General Electric re-evaluated the LPRM subsystem in 1987 and concluded it should be considered safety related. Consequently, all renewal parts for the subsystem are procured as safety related. The portions of the neutron monitoring system, which have no safety function or was historically considered to have no safety function are discussed in Subsection 7.7.6. 7.6.3.1.1 Power Source The power sources for each system are discussed in the individual system descriptions. 7.6.3.2 Intermediate Range Monitor Subsystem 7.6.3.2.1 Design Bases 7.6.3.2.1.1 Safety Design Bases The IRM generates a trip signal that can be used to prevent fuel damage resulting from abnormal operational transients that occur while operating in the intermediate power range. The independence and redundancy incorporated in the design of the IRM are consistent with the safety design bases of the reactor protection system. The IRM is designed in accordance with the specific regulatory requirements shown in Table 7.1-2. 7.6-16 REV. 18, APRIL 2010

LSCS-UFSAR 7.6.3.2.1.2 Power Generation Design Bases The IRM generates an interlock signal to block rod withdrawal if the IRM reading exceeds a preset value or if the IRM is not operating properly. The IRM is designed so that overlapping neutron flux indications exist with the SRM and APRM subsystems. 7.6-16a REV. 14, APRIL 2002

LSCS-UFSAR 7.6.3.2.2 System Description Equipment Design The IRM monitors neutron flux from the upper portion of the SRM range to the lower portion of the power range (see Figure 7.6-7). The subsystem has eight IRM channels, each of which includes one detector that can be positioned in the core by remote control (see Figure 7.6-4). The detectors are inserted into the core for a reactor startup and are withdrawn after the reactor mode selector switch is turned to RUN.

a. Power Supply Power is supplied separately from two 24-Vdc sources. The supplies are split according to their uses so that loss of a power supply will result in loss of only one trip system of the reactor protection system.

b. Physical Arrangement Each detector assembly consists of a miniature fission chamber attached to a low-loss, quartz-fiber-insulated transmission cable.

When coupled to the signal conditioning equipment, the detector produces a reading of full scale on the most sensitive range with a neutron flux of 4 x 108 nv. The detector cable is connected underneath the reactor vessel to a triple-shielded coaxial cable that carries the pulses generated in the fission chamber to the preamplifier. The detector and cable are located in the drywell. They are movable in the same manner as the SRM detectors and use the same type of mechanical arrangement (see Figures 7.6-3, 7.6-4, and Reference 1).

c. Signal Conditioning A voltage amplifier unit located outside the drywell serves as a preamplifier. This unit converts the current pulses to voltage pulses, modifies the voltage signal, and provides impedance matching. The preamplifier output signal is coupled by a cable to the IRM signal conditioning electronics (see Figure 7.6-5).

Each IRM channel receives its input signal from the preamplifier and operates on it with various combinations of preamplification gain and amplifier attenuation ratios. The amplification and attenuation ratios of the IRM and 7.6-17 REV. 13

LSCS-UFSAR preamplifier are selected by a remote range switch that provides ten ranges of increasing attenuation (the first six called low-range and the last four called high-range) acting on the signal from the fission chamber. As the neutron flux of the reactor core increases from 1 x 108 nv to 1.5 x 1013 nv, the signal from the fission chamber is attenuated to keep the input signal to the inverter in the same range. The output signal, which is proportional to neutron flux at the detector, is amplified and supplied to a locally mounted meter. Outputs are also provided for a remote meter and recorder.

d. Trip Functions The IRM is able to generate a trip signal that can be used to prevent fuel damage resulting from abnormal operational transients that occur while operating in the intermediate power range.

The IRM is divided into two groups of IRM channels arranged in the core as shown in Figure 7.6-5. Four IRM channels are associated with one of the two trip systems of the reactor protection system. Two IRM channels and their trip auxiliaries from each group are installed in one bay of a cabinet; the remaining two channels are installed in a separate bay of the cabinet. Full-length side covers isolate the cabinet bays. Each IRM channel includes four trip circuits as standard equipment. One trip circuit is used as an instrument trouble trip. It operates on three conditions: (1) when the high voltage drops below a preset level, (2) when one of the modules is not plugged in, or (3) when the OPERATE- CALIBRATE switch is not in the OPERATE position. Each of the other trip circuits can be specified to trip when preset downscale or upscale levels are reached. The trip functions actuated by the IRM trips are indicated in Table 7.6-1. The reactor mode switch determines whether IRM trips are effective in initiating a rod block or a reactor scram. With the reactor mode switch in REFUEL or STARTUP, an IRM upscale or inoperative trip signal actuates a neutron monitoring system trip of the reactor protection system. Only one of the IRM channels must trip to initiate a neutron monitoring system trip of the associated trip system of the reactor protection system. The IRM rod block trip functions are discussed in Subsection 7.7.2.2.3. 7.6-18 REV. 13

LSCS-UFSAR The arrangement of IRM channels allows one IRM channel in each group to be bypassed without compromising intermediate range neutron monitoring. Each IRM channel is tested and calibrated using procedures which incorporate IRM vendor instruction manual recommendations, standard industry practices and LaSalle specific requirements. The IRM detector drive mechanisms and the IRM rod-blocking functions are checked in the same manner as for the SRM channels. Each IRM channel can be checked to ensure that the IRM high flux scram function is operable. Environmental Considerations The wiring, cables, and connectors located in the drywell are designed for continuous duty in the conditions described in Section 3.11. 7.6.3.2.3 Analysis 7.6.3.2.3.1 General Functional Requirement Conformance The analysis for the RPS trip inputs from the intermediate range monitor subsystem is discussed in Attachment 7.A under the reactor protection system. The IRM is the primary source of information as the reactor approaches the power range. Its linear steps (approximately a half decade) and the rod blocking features on both high flux level and low flux level require that all the IRM's are on the correct range as core reactivity is increased by rod withdrawal. The SRM overlaps the IRM. The sensitivity of the IRM is such that the IRM is on scale on the least sensitive (highest) range with approximately 15% reactor power. The number and locations of the IRM detectors have been analytically and experimentally determined to provide sufficient intermediate range flux level information under the worst permitted bypass or detector failure conditions. To verify this, a range of rod withdrawal accidents has been analyzed. The most severe case assumes that the reactor is barely subcritical. One-fourth of the control rods plus one more rod have been removed in the normal operating sequence (Figure 7.6-8). The error or malfunction is removal of the control rod adjacent to the last rod withdrawn. This rod has been chosen to maximize the distance to the second nearest detector for each trip system. It is assumed that the nearest detector in each RPS trip system is bypassed. A scram signal is initiated when one IRM detector in each RPS trip system reaches its scram trip level. The neutron flux versus distance resulting from this withdrawal is shown in Figure 7.6-9. Note that the second nearest detector in Trip System B is a different distance away than the second nearest detector in Trip System A. The ratio of the neutron flux at the farther point to the peak flux is 1/857. This detector reaches its high scram trip setting of 120/125% of full scale at a local flux of approximately 4.0 x 108 nv. At that time the peak flux in the core is 3.45 x 1011 nv or .66% rated average flux. The core 7.6-19 REV. 14, APRIL 2002

LSCS-UFSAR average power is .050% when scram occurs. For this scram point to be valid the IRM must be on the correct range. To assure that each IRM is on the correct range, a rod block is initiated any time the IRM is both downscale and not on the most sensitive (lowest) scale. A rod block is initiated if the IRM detectors are not fully inserted in the core unless the reactor mode switch is in the RUN position. The IRM scram trips and the IRM rod block trips are automatically bypassed when the reactor mode switch is in the RUN position. The IRM detectors and electronics have been tested under operating conditions and verified to have the operational characteristics described. They provide the level of precision and reliability required by the RPS safety design basis. 7.6.3.2.3.2 Specific Requirement Conformance .A presents the IRM subsystem conformance to IEEE criteria and other regulatory requirements. 7.6.3.2.3.3 Regulatory Guides This topic is covered in Appendix B. 7.6.3.2.3.4 10 CFR 50 Appendix A Criteria 13, 19, 20, 21, 22, 23, 24, and 29 The IRM detectors and associated electronics are designed to monitor the incore flux over all expected ranges required for the safety of the plant. Automatic initiation of protection system action, reliability, testability, independence, and separation have been factored into the IRM design as required for protection systems. 7.6.3.3 Average Power Range Monitor Subsystem 7.6.3.3.1 Design Bases 7.6.3.3.1.1 Safety Design Bases Under the worst permitted input LPRM bypass conditions, the APRM is capable of generating a trip signal in response to average neutron flux increases in time to prevent fuel damage. The independence and redundancy incorporated into the design of the APRM are consistent with the safety design bases of the reactor protection system. The APRM is designed in accordance with the specific regulatory requirements listed in Table 7.1-2. LU2000-164 7.6-20 REV. 14, APRIL 2002

LSCS-UFSAR 7.6.3.3.1.2 Power Generation Design Bases The APRMS provides the following functions:

a. a continuous indication of average reactor power (neutron flux) from a few percent to 125% of rated reactor power,

b. interlock signals for blocking further rod withdrawal to avoid an unnecessary scram actuation,

c. a reference power level for the rod block monitor subsystem,

d. a reference power level for controlling reactor recirculation system flow, and

e. a reactor thermal power signal derived from each APRM channel which approximates the dynamic effects of the fuel.

7.6.3.3.2 System Description Equipment Design The APRM subsystem has six APRM channels. Each channel uses input signals from a number of LPRM channels. Three APRM channels are associated with each trip system of the reactor protection system.

a. Power Supply The APRM channels receive power from the 120-Vac supplies used for RPS power. Power for each APRM trip unit is supplied from the same power supply as the APRM it services. APRM Channels A, C, and E are powered from the a-c bus used for Trip System A of the reactor protection system; APRM Channels B, D and F are powered from the a-c bus used for Trip System B. The a-c bus used for a given APRM channel also supplies power to its associated LPRM's.

b. Signal Conditioning The APRM channel uses electronic equipment that averages the output signals from a selected set of LPRM's, trip units that actuate automatic devices, and signal readout equipment. Each APRM channel can average the output signals from as many as 24 LPRM's. Assignment of LPRM's to an APRM follows the pattern shown in Figure 7.6-2.

Position A is the bottom position, Positions B and C are above Position A, and Position D is the 7.6-21 REV. 13

LSCS-UFSAR topmost LPRM detector position. The pattern provides LPRM signals from all four core axial LPRM detector positions. The APRM amplifier gain can be adjusted by combining fixed resistors and potentiometers to allow calibration. The averaging circuit automatically corrects for the number of unbypassed LPRM amplifiers providing inputs to the APRM. Each APRM channel receives two independent, redundant flow signals representative of total recirculation driving flow. Each signal is provided by summing the flow signals from the two recirculation loops. These redundant flow signals (Figure 7.6-2) are sensed from four pairs of elbow taps, two in each recirculation loop. No single active component failure can cause more than one of these two redundant signals to read incorrectly. To obtain the proper (most conservative) reference signal under single-failure conditions, these flow signals are routed to a low-auction circuit. This circuit selects the lower of the two signals for use as the reference in the thermal power scram trip for that particular APRM. Because there are two redundant flow units assigned to each trip system, one flow unit in each trip system can be bypassed for a short time. This design meets the intent of IEEE 279-1971.

c. Trip Function The APRM channels receive input signals from the LPRM channels and provide a continuous indication of average reactor power from as few percent to greater than rated reactor power.

The APRM subsystem has sufficient redundant channels to meet industry and regulatory safety criteria. Under the worst permitted input LPRM bypass conditions, the APRM subsystem is capable of generating a trip scram signal before the average neutron flux increases to the point that fuel damage is probable. The trip units for the APRM's supply trip signals to the RPS and the rod control management system. Table 7.6-2 itemizes the APRM trip functions. Any one APRM can initiate a rod block, depending on the position of the reactor mode switch. The APRM upscale rod block and the thermal power scram trip setpoints vary as a function of reactor recirculation driving loop flow. The APRM signal for the thermal power scram trip is passed through a 6-second time constant circuit to simulate thermal power. A faster response (approximately 0.09 seconds) APRM upscale trip has a fixed setpoint not variable with 7.6-22 REV. 18, APRIL 2010

LSCS-UFSAR recirculation flow. Any APRM upscale or inoperative trip initiates a neutron monitoring system trip in the RPS. Only the trip system associated with that APRM is affected. At least one APRM channel in each trip system of the RPS must trip to cause a scram. The operator can bypass the trips from one APRM in each trip system of the RPS. A simplified circuit arrangement is shown in Figure 7.6-6. In addition to the IRM upscale trip, a fast response APRM trip function with a setpoint of 15% power is active in the startup mode. APRM channels are calibrated using data from previous full power runs. They are tested by procedures which incorporate vendor instruction manual recommendations, standard industry practices and LaSalle specific requirements. Each APRM channel can be tested individually for the operability of the APRM scram and rod-blocking functions by introducing test signals. 7.6.3.3.3 Analysis 7.6.3.3.3.1 General Functional Requirement Conformance Each APRM derives its signal from LPRM information. The assignment, power separation, cabinet separation, and LPRM signal isolation are in accord with the safety design bases of the RPS. There are six APRM channels, three for each RPS trip system, to allow one undetected failure in each trip system and still satisfy the RPS safety design bases. Figure 7.6-10 illustrates the ability of the APRM to track core power versus coolant flow starting at 100% power and 100% flow to below the 65% flow point. Figure 7.6-11 illustrates the ability of the APRM to respond to control rod motion. The conditions for this are selected from the most restrictive case. The figure also shows a full withdrawal of a control rod from limiting conditions at rated power. Normal control rod manipulation results in good agreement (less than 6% deviation on the worst APRM) through a wide range of power levels. The flow-referenced APRM scram setpoint is adequate to prevent fuel damage during an abnormal operational transient, as demonstrated in Chapter 15.0. 7.6.3.3.3.2 Specific Requirement Conformance The portion of the APRM subsystem that provides outputs to the reactor protection system is designed to provide complete periodic testing of protection system actuation functions. This provision is accomplished by initiating an output trip of 7.6-23 REV. 13

LSCS-UFSAR one APRM channel at any given time which will result in tripping one of the two RPS trip systems. Operator indication of APRM bypass is provided by indicator lamps. Attachment 7.A presents the system conformance to IEEE criteria and other regulatory requirements. 7.6.3.3.3.3 Compliance with 10 CFR 50 Criteria 13, 19, 20, 21, 22, 23, 24, and 29 The APRM detection and associated electronics are designed to monitor the incore flux over all expected ranges required for the safety of the plant. Automatic initiation of protection system action, reliability, testability, independence, and separation have been factored into the APRM design as required for protection systems. 7.6.3.4 Oscillation Power Range Monitor Subsystem The Oscillation Power Range Monitor (OPRM) subsystem is a microprocessor-based monitoring and protection system, which will:

• detect a thermal-hydraulic instability,
• provide an alarm on detection of an oscillation (based on period-based algorithm only), and
• initiate an Automatic Suppression System (ASF) trip to suppress an oscillation prior to exceeding fuel safety limits.

The subsystem design, technical details, equipment qualification, and validation are discussed in Reference 3. The NRC has accepted the above reference, and had issued a safety evaluation report (Reference 4). 7.6.3.4.1 Design Bases 7.6.3.4.1.1 Safety Design Bases Boiling water reactor cores may exhibit thermal-hydraulic reactor instabilities in certain portions of the core power and flow operating domain. General Design Criterion 10 (GDC 10) requires that the reactor core be designed with appropriate margin to assure that acceptable fuel design limits will not be exceeded during any condition of normal operation including the effects of anticipated operational occurrences. GDC 12 requires assurance that power oscillations which can result in conditions exceeding specified acceptable fuel design limits are either not possible or can be reliably and readily detected and suppressed. The OPRM is provided to meet the requirements of these GDCs by adding a detect and suppress feature to the Reactor Protection System. 7.6-24 REV. 17, APRIL 2008

LSCS-UFSAR 7.6.3.4.1.2 Power Generation Design Bases The power generation design basis of OPRM consists of assuring that spurious scrams do not occur. 7.6.3.4.2 System Description Detailed description of OPRM subsystem design and physical arrangements are provided in the Generic Topical Report (Reference 3). Basic and station specific information is summarized here. The OPRM subsystem consists of 4 OPRM trip channels, each channel consisting of two OPRM modules. Each OPRM module receives input from individual LPRMs, which are combined into localized monitoring cells. It also receives input from the RPS average power range monitor (APRM) power and recirculation flow signals to automatically enable the trip function of the OPRM module. The OPRM interconnection diagram is shown in Figure 7.6-12. The OPRMs are capable of detecting thermal-hydraulic instabilities within the reactor core. Each OPRM includes a signal processing module, Automatic Suppression Function (ASF) Trip Relay Assembly, OPRM Annunciator Relay Assembly, two Digital Isolation Blocks (DIBs), and an Enable/Bypass Selector Switch. The OPRM trip circuits may be bypassed if initiated by a selector switch. The bypass is accomplished through hardwired bypass of ASF trip relay contact by selector switch contact and through actuation of OPRM logic circuits and software. The bypass condition of the OPRM unit is annunciated in the MCR panel utilizing the selector switch contact. Also, the OPRMs may be manually enabled by the selector switch for any recirculation flow and reactor power levels.

a. Modes of Operation The OPRM has two modes of operation, operate and test. In the operate mode, it performs all of its normal trip and alarm functions as well as broadcasting status information to fiber optic output ports. The test mode is utilized for test, calibration, setpoint adjustment and downloading of the event buffer. In the test mode, the OPRM's trip output is bypassed and the channel is considered inoperable.

Entry into the test mode is controlled by a key switch and is annunciated in the control room.

b. Event Buffer 7.6-25 REV. 17, APRIL 2008

LSCS-UFSAR When a trip occurs, data immediately prior to and following the trip is captured in an event buffer. This buffer may be downloaded to aid in the analysis of the trip. The event buffer can also be captured and downloaded at any time for non-trip analysis by placing the OPRM in the test mode.

c. Maintenance Terminal A portable maintenance terminal is utilized for system testing, calibration and data collection. It is connected to the OPRM via fiber optic cables. This maintains isolation between the safety related OPRM and the non-safety related maintenance terminal.

With the OPRM in its operate mode, the maintenance terminal may only be used to collect data, which is broadcast by the OPRM at fixed intervals. Communications in this mode are one way, namely OPRM to maintenance terminal. The OPRM will not respond to commands from the maintenance terminal when in the operate mode. Thus, the maintenance terminal cannot affect OPRM operation. In the OPRM test mode, bi-directional, fiber optic communications are established between the OPRM and its maintenance terminal. In this mode, commands may be sent from the maintenance terminal to the OPRM to perform such actions as altering the OPRM configuration and setpoints, downloading event buffers and error logs and testing various OPRM functions. Additional, conventional test cables may be connected between the maintenance terminal and a test port on the OPRM for use in calibration and testing. To access this test port, a shorting plug must be removed from the OPRM. Removal of the shorting plug causes the OPRM to become inoperable and is annunciated in the control room.

d. Power Supply Power supplies for the OPRMs are the same as those for the APRM channels.

These power supplies provide required voltage sources +/- 15 Vdc and + 5 Vdc for OPRM signal processing modules and DIBs, +20 Vdc for ASF Trip Relay Assemblies, OPRM annunciator Relay Assemblies and DIBs, and +/- 20 Vdc for new flow units and existing APRM and LPRM channels.

e. Physical Arrangement The OPRM signal processing modules are installed in APRM and LPRM Pages of a Power Range Neutron Monitoring System (PRNMS) Panel by removing one of the voltage regulators and installing in its location the OPRM signal processing module.

The power supply function of the removed voltage regulator will be taken over by the new voltage regulator with the increased load capacity that will replace one of the existing voltage regulators in the APRM and LPRM Pages. Selector switches required for manual enable and bypass functions will be installed in the PRNMS panel. Automatic Suppression Function (ASF) Trip Relay Assemblies, OPRM Annunciator Relay Assemblies and Digital Isolation Blocks will be installed in the PRNMS panel. 7.6-26 REV. 13

LSCS-UFSAR

f. Exclusion Region The OPRM is required to be operable in order to detect and suppress neutron flux oscillations in the event of thermal-hydraulic instability. As described in Reference 3, the region of anticipated oscillation is defined by thermal power > 30% RTP and core flow < 60% of rated core flow (see Figure 7.6-7). Therefore, the OPRM trip is enabled in this region. Reference 8 evaluated the effects of power uprate and maximum extended load line limit on the OPRM. The region of anticipated oscillation is modified for power uprate operation to maintain the pre-uprate absolute power and flow coordinates. However, to protect against anticipated transients, the OPRM is required to be operable with thermal power > 25% RTP.

This provides sufficient margin to account for potential instabilities as a result of a loss of feedwater heater transient.

g. Algorithm Reference 3 describes three separate algorithms for detecting stability-related oscillations: the period detection algorithm, the amplitude-based algorithm, and the growth rate algorithm. The OPRM System hardware implements these algorithms in a microprocessor-based module. The module executes the algorithms based on LPRM inputs and generates alarms and trips based on these calculations. These trips result in tripping the Reactor Protection System (RPS) when appropriate RPS trip logic is satisfied. Only the period based detection algorithm is used in the safety analysis. The remaining algorithms provide defense in depth and additional protection against anticipated oscillations.

h. Trip Function The OPRMs are designed to provide an alarm (based on period-based algorithm only) and initiate, when armed, an automatic suppression function (ASF) trip to suppress oscillations prior to exceeding the MCPR safety limits. The OPRMs are auto enabled at the specified reactor recirculation flow and reactor power setpoints. The ASF initiates an ASF trip through the RPS based on the existing plant trip logic and configuration. The OPRMs provide alarm for pre-trip conditions and other alarm functions such as Trouble, INOP, and Trip Enabled to be displayed in the Main Control Room (MCR). Table 7.6-4 lists the OPRM trip functions and setpoints.

i. Alternate Backup Method At times when OPRM channels may be inoperable, and until they can be restored to operable status, an alternate method of detecting and suppressing thermal hydraulic instability oscillations can be used. This alternate method is described in References 6 & 7. It consists of increased operator awareness and monitoring for neutron flux oscillations when operating in the region where oscillations are possible. If indications of oscillation, as described in References 6 & 7 are observed by the operator, the operator will take the actions described by the procedure, which may include initiating a manual scram of the reactor.

7.6-27 REV. 14, APRIL 2002

LSCS-UFSAR

j. Component Qualification Considerations The OPRM devices are designated Class 1E, Seismic Category I and are qualified to the applicable portions of IEEE-381 and IEEE-344.

k. Single Failure Considerations Since the OPRMs perform a protective function, they are required to withstand a single failure. To ensure acceptable defense against single random failures, the combination of architecture, wiring practices, and use of isolation devices is applied to provide the required redundancy, isolation, and physical independence.

There are two redundant OPRM channels in each RPS division. OPRMs in each RPS division are electrically isolated and physically separated from OPRMs in other RPS divisions. Within each OPRM channel there are two OPRM modules. The use of two OPRM modules per channel provides redundancy against an OPRM hardware failure in the same channel. The redundant OPRM modules in the same RPS division share the same Class 1E power supplies as those used by the safety-related APRM modules in that RPS division. However, each OPRM module is electrically isolated from the companion module in the same channel.

l. Redundancy, Diversity, and Separation Since the OPRM operation interfaces with PRNMS and RPS, its redundancy, diversity, and separation requirements are the same as the requirements for these systems. The LPRM analog signals, which are locally wired, are provided to OPRMs with the same redundancy and separation as provided to the APRM channels and LPRM groups. One exception is that the analog signals from LPRM and related OPRM constitute OPRM channel G and H for the LPRM group A and B respectively.

The OPRMs receiving LPRM analog signals associated with APRM channels constitute OPRM channels A through F. Thus, two OPRM channels fall into one RPS division for the RPS trip circuits providing the required redundancy between RPS divisions and between OPRM channels. The output digital signals are redundant and separated the same way as the actuation signals from APRM channels, with the exception that OPRM channels G and H replace channels E and F in order to eliminate the double up of channels E and F in the RPS divisions A2 and B2. The assignment of OPRM channels and existing APRM channels for each RPS division is as follows: RPS Division OPRM Channel APRM Channel A1 A, E A, E A2 C, G C, E B1 B, F B, F B2 D, H D, F 7.6-28 REV. 13

LSCS-UFSAR 7.6.3.4.3 Analysis 7.6.3.4.3.1 Conformance to Functional Requirements The OPRM subsystem is designed to alarm when a stability-related thermal-hydraulic oscillation is detected (based on period-based algorithm only), and to initiate an ASF trip when oscillations are large enough to threaten fuel safety limits. The OPRM design assures high reliability as it is governed by Quality Assurance requirements, and applicable industry standards. The system performs self-health tests on a continuous basis. Reference 5 describes the licensing basis and methodology that demonstrates the adequacy of the hardware and software to meet the functional requirements. A brief summary of the design is provided in UFSAR subsections 4.4.4.6.3 through 4.4.4.6.6. 7.6.3.4.3.2 Regulatory Guides Conformance to Regulatory Guides is discussed in Appendix B. 7.6.3.4.3.3 General Design Criteria The GDCs applicable to OPRM are 10 and 12. The OPRM subsystem is designed to conform to the applicable requirements of these GDCs. 7.6.4 Recirculation Pump Trip 7.6.4.1 System Description See Subsection G.5.1 of Appendix G. 7.6.4.2 Analysis 7.6.4.2.1 General Functional Requirements Conformance The RPT system is designed to aid the RPS in protecting the integrity of the fuel barrier. Turbine stop valve closure or turbine control valve fast closure initiates a scram and recirculation pump trip in time to keep the core within the thermal-hydraulic safety limit during operational transients. Recirculation pump trip is a two-out-of-two logic system. Each of the logic channels is initiated by logic from the RPS system, which requires a two-out-of-two confirmation of the sensed variable. A trip of the sensed variable in any two divisions results in a trip initiate signal for all recirculation pumps. Failure or repair in a single RPS division does not violate single-failure criteria. Channel bypass switches are provided. The switches provide a "tripped" input to 7.6-29 REV. 17, APRIL 2008

LSCS-UFSAR the recirculation pump trip logic. Sensors, channels, and logics of the RPT system are not used directly for automatic control or process systems. Therefore, failure in the control and instrumentation of process systems cannot induce failure of any portion of the system. Design of the system to safety class requirements and the redundance of Class 1E power supplies as breaker trip sources assures actuation of the pump trip function if required during design-basis earthquake ground motion. Operator verification that two-pump trip has occurred may be made by observing one or more of the following functions:

a. recirculation flow indicators on the MCB panel,

b. breaker trip indicating lights on the MSB panel,

c. two-pump trip initiation annunciator Division 1, and

d. two-pump trip initiation annunciator Division 2.

7.6.4.2.2 Specific Requirement Conformance Refer to 7.A.5.3.1. 7.6.4.2.3 Regulatory Guides This subject is addressed in Appendix B. 7.6.5 Alternate Rod Insertion (ARI) System Controls and Instrumentation The ARI system consists of transmitters, detection and actuation logic, and the necessary interfaces with the control rod drive system to provide an alternate method for automatic initiation of a scram function. The safety-related components consist of the following:

a. Division 1 transmitters:

                    - Reactor high dome pressure
                    - Reactor water level below level 2

b. Division 2 transmitters:

                    - Reactor high dome pressure
                    - Reactor water level below level 2

c. Manual initiation division 1 switches

d. Manual initiation division 2 switches

e. Four trip logic units per division (2 Pressure/2 Low Water Level)

f. Ten dual coil solenoid valves plus associated logic circuitry.

g. Division 1:

                    - SDV vent valve position indicator
                    - SDV drain valve position indicator 7.6-30                  REV. 14, APRIL 2002

LSCS-UFSAR

                   - Instrument air inlet valve position indicator
                   - North bank HCU instrument air valve position indicator
                   - South bank HCU instrument air valve position indicator

h. Division 2:

                   - SDV vent valve position indicator
                   - SDV drain valve position indicator
                   - Instrument air inlet valve position indicator
                   - North bank HCU instrument air valve position indicator
                   - South bank HCU instrument air valve position indicator The instrumentation and controls associated with the ARI system perform the following functions:

a. Sense reactor vessel high pressure

b. Sense reactor vessel low water level

c. Initiate logic to actuate solenoid valves

d. Shutoff air supply to pilot air header

e. Vent Scram valve pilot air header

f. Vent air header to scram discharge volume vent and drain valves.

The equipment used in the ARI system is independent and diverse from the RPS equipment. ARI system equipment is qualified to assure that it will, on a continuing basis, function during and after an ATWS event. The ARI system equipment is qualified to safe shutdown earthquake conditions The system provides the operator with information regarding system readiness, functional controls, and inoperative status. The ARI instrumentation specification and setpoints are given in Table 7.6-3. 7.6.5.1 Safety Design Bases The ARI system is designed to meet the following requirements:

1. ARI shall be redundant and diverse from the normal scram systems, except for the air supply system.

2. ARI shall be initiated by reactor vessel low water level and/or high reactor vessel pressure signals for automatic initiation or by manual initiation.

3. The ARI shall use separate solenoid operated valves, energized to open. The valves shall be sized to allow insertion of all control rods to begin with a maximum time delay of 35 seconds. This delay shall be the time interval from receipt of the system initiation until all control rods have started insertion.

7.6-31 REV. 13

LSCS-UFSAR

4. All ARI solenoid valves shall be capable of providing open/closed position indication.

5. The control rod drives must be functional to provide reactor scram when ARI is required. For the ARI function, the maximum time between receipt of the initiation signal and the time when all control rods have started inserting shall be 35 seconds. The maximum time delay between receipt of the initiation signal and the time when all control rods reach their full-in position shall be 45 seconds.

6. The main operator control console benchboard display of the control rod positions shall be powered from uninterruptible power sources.

These power sources shall provide power to enable the display to remain functional for at least one hour after the ARI initiation even if loss of normal power has occurred.

7. The ARI system shall respond correctly to the sensed variables over the expected range of magnitudes and rates of change.

8. A sufficient number of sensors shall be provided for monitoring essential variables that have spatial dependence.

9. The following bases assure that the ARI system is designed with sufficient reliability:

a. Loss of a divisional power supply shall neither cause nor prevent a reactor scram from the ARI system.

b. Once initiated, an ARI system action shall go to completion.

Reset is prohibited for at least 2 minutes after initiation. After the 2 minutes have elapsed, 4 of the 10 ARI scram exhaust valves will automatically reset (north and south side HCU vents). The remaining 6 valves (ARI vents at the backup scram valves, SDV vents, and SDV drains) will close when the operator manually resets the Division I and Division II ARI logic.

c. There shall be sufficient electrical and physical separation between redundant instrumentation and control equipment monitoring the same variable to prevent environmental factors, electrical transients, or physical events from impairing the ability of the system to respond correctly.

d. Expected earthquake ground motions (operating basis earthquake - OBE) as amplified by buildings and supporting 7.6-32 REV. 13

LSCS-UFSAR structures shall not impair the ability of the ARI system to initiate a reactor scram.

e. No single failure within the ARI system shall prevent proper ARI system action.

f. No single intentional bypass, maintenance operation, calibration operation, or test to verify operational availability shall impair the ability of the ARI system to respond correctly.

g. The system shall be designed so that the required number of sensors for any monitored variable exceeding the setpoint will initiate an ARI.

The following bases reduce the probability that ARI system operational reliability and precision will be degraded by operator error:

1. Access to trip settings, component calibration controls, test points, and other terminal points shall be under the control of plant operations supervisory personnel.

2. Manual bypass of instrumentation and control equipment components shall be under the control of the control room operator. If the ability to trip some essential part of the system has been bypassed, this fact shall be continuously annunciated in the control room.

7.6.5.2 Equipment Design The ARI system is redundant and diverse from the Reactor Protection System (RPS), such that no credible common mode failure can prevent both normal scram and ATWS prevention or mitigation functions. Diversity from RPS is achieved by meeting the following criteria: (a) use of components from different manufacturers, (b) use of energized trip status, (c) use of direct current power sources, and (d) use of transmitters employing different principles for measuring the reactor pressure and reactor water level parameters. The ARI system is designed so that no single component failure can prevent the specified system function. The ARI system will be initiated by reactor pressure vessel (RPV) high dome pressure and/or RPV level 2 low-water level. The initiation sensors are level and pressure transmitters in the nuclear boiler system. The transmitter signals actuate trip logic when the setpoints are exceeded (See Table 7-6.3). Upon receipt of an ARI initiation signal, five air-operated solenoid valves in each division operate to insert the control rods. 7.6-33 REV. 13

LSCS-UFSAR There are four separate trip units for each division of valve actuators. The trip logic uses RPV high pressure and/or RPV low-water level to originate a trip signal in a 1:2:2 configuration. The ARI uses separate dual-coil solenoid operated valves, energized to open. The valves are sized to allow insertion of all control rods to begin within 35 seconds and to be completed within 45 seconds of receipt of initiation signal. ARI System Valves - The solenoid valves employ direct current dual coil operators. The valves are provided with position switches to indicate valve open/close status. The valves perform three functions during an ATWS trip:

1. Block the instrument air supply line to the pilot scram valves.

2. Exhaust the air from the pilot scram air header to 5 psig in 15 seconds.

3. Exhaust air header to the scram discharge volume vent and drain valves, thus permitting these valves to close.

7.6.5.3 Theory of Operation The ARI system senses, processes and provides trip signals to prevent an ATWS event by exhausting the scram discharge air header through ARI scram valves entirely separate from the reactor protection system scram discharge valves. This provides an alternate means of initiating control rod insertion. The automatic and manual actuation signals to the ARI scram valves shall seal-in for 2 minutes to assure that all control rods have time to fully insert. Reset of the ARI function is automatic for valves C11-F404A, B, F405A, B and manual for valves C11-F400, 401, F402A, B, F403A, B. Reset is prohibited for 2 minutes after initiation. Manual ARI Actuation - The ARI system can be manually initiated from a location in the control room near the RPS manual scram switches. The manual initiation of ARI is designed such that no single operator action can result in inadvertent initiation. The manual ARI initiation function is distinct and separate from the manual RPS scram initiation functions. Different types of display and pushbutton equipment is utilized to distinguish ARI equipment for ATWS purposes. 7.6.5.4 ARI System Operator Information The ARI system is designed to provide the operator with the reactor level and pressure values, trip status, valve position, test status, inoperative, failure and maintenance status. ARI system unique annunciators are provided on the main operator console in the control room for each ARI channel to indicate that the ARI system has been initiated. 7.6-34 REV. 13

LSCS-UFSAR Indicators are provided for input trip signals to ARI and output protective action signals from the ARI logic. Abnormal status indication is provided for those functions/components associated with the ATWS mitigation signals. These include the four steam dome pressure transmitters and associated trip units, the four vessel level transmitters and associated trip units and the manual ARI initiation circuitry. An indicating light lights up when the ARI logic is initiated. A different indicating light is used to indicate to the operator that manual reset of the ARI control logic is permissive. This light remains on until the operator resets the control logic manually. An alarm also annunciates in the control room to alert the operator that the ARI control logic has been initiated. Open/closed position indication for monitoring all ARI scram valves is also provided. Test switches and indicating lights are provided for periodic testing of ARI initiation control logic without opening the solenoid valves. 7.6.5.5 Power Supply The ARI system has one power generation objective. The setpoints, power sources, and controls and instrumentation are arranged in such a manner as to preclude spurious ARI scrams. Two separate divisions of ARI logic, sensors and control valve solenoids are powered by 125 Vdc Class 1E Division 1 and Division 2 power sources. The power supplies for the ARI system equipment are uninterruptible, separate, and independent from the RPS power supplies. The two 125 Vdc power divisions are separate and independent of each other. 7.6.5.6 Cabling and Wiring Cabling and wiring for the ARI redundant divisions follow the separation criteria specified in IEEE 384-1977, Standard Criteria. 7.6.5.7 Testability The proper operation of the transmitters and the logic associated with the ARI system can be verified during system preoperational testing. Auto initiation and the required system time responses are testable with the reactor at rated temperature and pressure during startup. All individual ARI scram solenoid valves and solenoid logic circuits have built-in test capability for individual solenoid integrity testing. The ARI system has two redundant control logics, one in division 1 and one in division 2. Either one can perform a reactor scram function. Division 1 and 2 7.6-35 REV. 13

LSCS-UFSAR solenoid valves are controlled by division 1 and division 2 control logic, respectively. A test switch is provided for each division. When the test switch is in the test position, the control logic is set in the test mode and an annunciator in the control room alerts the operator of the test status of that divisional control logic. When division 1 logic is in the test mode, division 2 valves remain responsive to the reactor vessel low water level signals and the high reactor vessel pressure signals to provide uninterrupted ATWS mitigation capability. The ARI test logic annunciator does not clear until the test switch is returned to the normal position. 7.6.5.8 Redundancy and Diversity The ARI is activated automatically by reactor vessel low water level and/or high reactor vessel pressure signals when they reach a predetermined level. There are four separate trip channels for each divisional control logic. The trip logic is initiated by RPV high pressure and/or RPV low water level in a 1:2:2 configuration to actuate the ARI solenoid valves. There are two divisional power supplies which are independent of each other to power the ARI control logic. Sensor and power cables are routed to two ARI control cabinets in the auxiliary electrical equipment room. The cables and control cabinet of one division are physically separated and independent of those of the other division. Each cabinet houses both of the trip channels for one division. 7.6.5.9 Environmental Considerations The ARI equipment is located outside the primary containment and it is selected in consideration of the normal and abnormal/transient environments in which it must operate. 7.6.6 References

1. W. R. Morgan, "In-Core Neutron Monitoring System for General Electric Boiling Water Reactors", APED-5706, November 1968 (Rev.

April 1969).

2. Hatch Amendment 7, pp. 7-3.0-1 and 7-5.0-1, June 24, 1969.

3. Licensing Topical Report CEND-400-P, Rev. 01, Generic Topical Report for the ABB Option III Oscillation Power Range Monitor (OPRM), prepared for the BWR Owners Group by ABB Combustion Engineering, May 1995.

4. U.S. Nuclear Regulatory Commission Safety Evaluation Report, Acceptance of Licensing Topical Report CEND-400-P, transmitted from B.A. Boger to R.A. Pinelli of GPU Nuclear, August 16, 1995.

7.6-36 REV. 13

LSCS-UFSAR

5. NEDO-32465-A, BWR Owners Group Reactor Stability Detect and Suppress Solution Licensing Basis Methodology and Reload Application, August 1996.

6. BWROG Letter BWROG-9479, Guidelines for Stability Interim Corrective Action, June 6, 1994.

7. ComEd Letter from John C. Brons to William T. Russell, Response to Generic Letter 94-02 (BWR Stability), September 9, 1994.

8. LaSalle County Station Power Uprate Project, Task 202, Thermal-Hydraulic Stability, GE-NE-A1300384-13-01, Revision 0, August 1999.

7.6-37 REV. 17, APRIL 2008

LSCS-UFSAR TABLE 7.6-1 IRM TRIPS** TRIP FUNCTION NORMAL TRIP ACTION SETPOINT IRM upscale (high-high) #* Scram, annunciator, red light display or IRM inoperative*** IRM upscale (high)## # Scram, annunciator, amber light display IRM downscale## # Rod block (exception on most sensitive scale), annunciator, white light display IRM bypassed White light display

• IRM is inoperative if module interlock chain is broken, operate-calibrate switch is not in operate position, or detector polarizing voltage is below 80 volts.
  • Accuracy 2%; Calibration 0.5%; Design-Basis Allowable 2%

1. For Normal Setpoint, see the applicable calculation.

• • • See UFSAR Table 7.2-1 for more information on IRM upscale (high-high).

1. 1. See UFSAR Table 7.3-5 for more information.

TABLE 7.6-1 REV. 15, APRIL 2004

LSCS-UFSAR TABLE 7.6-2 APRM SYSTEM TRIPS TRIP TRIP POINT NOMINAL ALLOWABLE ACTION FUNCTION RANGE SETPOINT VALUE APRM Note # Note ** Note # Rod block, annunciator downscale white light display APRM upscale Note # Note ** Note # Rod block, annunciator (high) amber light display APRM upscale Note # # Note ** Note # # Scram, annunciator, red (thermal power) light display APRM upscale Note # # Note ** Note # # Scram, annunciator, red (high-high) light display APRM Calibrate Not in operate N/A Scram, rod block, inoperative switch or too mode or module annunciator, red light few inputs interlock chain display broken or less than 14 APRM bypass Manual N/A N/A White light switch

• APRM signal passes through a 6-second time constant circuit to simulate heat flux.

    ** For Nominal Setpoint, see the applicable calculation.
    #     See UFSAR Table 7.3-5 for more information.
    # # See UFSAR Table 7.2-1 for more information.

TABLE 7.6-2 REV. 15, APRIL 2004

LSCS-UFSAR TABLE 7.6-3 ALTERNATE ROD INSERTION (ARI) / ANTICIPATED TRANSIENT WITHOUT SCRAM RECIRUCLATION PUMP TRIP SYSTEM INSTRUMENTATION SPECIFICATIONS & SETPOINTS SCRAM INSTRUMENT TRIP ALLOWABLE ANALYTIC ACCURACY CALIBRATION DESIGN DEVICE FUNCTION SETTING VALUE OR DESIGN BASIS RANGE BASIS LIMIT ALLOWANCE REACTOR DOME Pressure Note 1 Note 2 Note 1 Note 1 Note 1 Note 1 800-1300 HIGH PRESSURE Transmitter psi RPV LOW LOW Differential Note 1 Note 2 Note 1 Note 1 Note 1 Note 1 -150 to WATER LEVEL Pressure +60 (LEVEL TWO) Transmitter inches Note 1: See applicable calculation listed in Table T3.3.4.2 - 1 of Technical Requirements Manual, Appendix D. Note 2: See Technical Specification for Allowable Value.

• Accuracy Range is the full scale calibrated Range for each transmitter.

TABLE 7.6-3 REV. 16, APRIL 2006

LSCS-UFSAR TABLE 7.6-4 OPRM SYSTEM TRIPS CONFIRMATION TRIP FUNCTION TRIP SETPOINT ACTION COUNT SETPOINT OPRM N/A

• Annunciator Alarm Annunciator, OPRM

                                   ***                         ***              Automatic suppression Trip function (ASF) trip signal to RPS OPRM                       Selector N/A                    Annunciator Bypass                  switch contact OPRM                        OPRM N/A                    Annunciator Inoperative/ Trouble        annunciator relays System Enable        Setpoints are based on the N/A                    Annunciator analytical limits:

28.6% thermal power

                            < 60% core flow

• Can be varied to meet operating needs.
  • • Refer to cycle specific values in the Core Operating Limits Reports for Units 1 and 2.

TABLE 7.6-4 REV. 17, APRIL 2008

LSCS-UFSAR 7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY This section discusses instrumentation and control systems whose functions are not essential for safety of the plant. These systems include the following:

a. Reactor vessel instrumentation and controls.

b. Rod control management system instrumentation and controls.

1. Rod movement controls.

2. Rod block trip system.

3. Rod Worth Minimizer.

c. Recirculation flow control instrumentation and controls.

d. Feedwater control system instrumentation and controls.

e. Pressure regulator and turbine-generator instrumentation and controls.

f. Neutron monitoring system.

1. Source range monitor.

2. Local power range monitor.

3. Rod block monitor.

4. Traversing in-core probe.

g. Process computer system instrumentation and controls.

1. Instrument monitor and process functions.

h. Reactor water cleanup system instrumentation and controls.

i. Area radiation monitoring system instrumentation and controls.

j. Gaseous radwaste control system instrumentation and controls.

k. Liquid radwaste control system instrumentation and controls.

7.7-1 REV. 18, APRIL 2010

LSCS-UFSAR

l. Spent fuel pool cooling instrumentation.

m. Refueling interlocks system.

n. Process radiation monitoring system.

1. Air ejector off-gas radiation monitor subsystem.

2. Stack radiation monitoring subsystems.

3. Process liquid radiation monitoring subsystems.

4. Carbon bed vault radiation monitor.

5. RHR portion of process liquid radiation monitor.

6. Main steamline radiation monitoring subsystem.

o. Leak detection system.

1. Recirculation pump leak detection.

2. Spent fuel pool system leak detection.

3. Drywell and reactor building leak detection.

4. Safety/relief valve leak detection.

5. Reactor vessel head leak detection.

6. Sump monitoring system.

7.7.1 Reactor Vessel Power Generation Instrumentation and Controls 7.7.1.1 Design Bases To fulfill its power generation design basis, the reactor vessel instrumentation is designed to provide the operator with sufficient indication of reactor vessel coolant temperature, reactor vessel water level, reactor vessel pressure, and nuclear system leakage to maintain proper operating conditions. These instruments augment existing information such that the operator can start up, operate, shutdown and service the reactor in an efficient manner. 7.7-2 REV. 19, APRIL 2012

LSCS-UFSAR 7.7.1.2 System Description Because the reactor vessel sensors used for safety systems, engineered safeguards, and control systems are described and evaluated in other portions of this document, only the sensors that are not required for those systems are described in this subsection. The purpose of the reactor vessel instrumentation and control is to monitor the key reactor vessel operating variables during plant operation. These instruments and systems are used to provide the operator with information during normal plant operation, startup, and shutdown. They are essentially monitoring devices only and provide no active power control or safety functions. The systems and instruments discussed in this subsection are designed to operate under normal and peak operating conditions of system pressures and ambient pressures and temperatures and are classified as not related to safety. 7.7.1.2.1 Power Sources The systems and instruments discussed in this subsection are powered from the instrument and control bus. 7.7.1.2.2 Equipment Design The instrument sensing lines that the various pressure and level sensors are connected to slope downward from the vessel to the instrument rack with a minimum slope of 1/2-in./ft for those lines which cannot be sloped at the normal minimum of 1 in./ft (including allowance for piping sag), so that air traps are not formed. The instrument lines are self-venting back to the reactor vessel. Reactor Vessel Temperature The reactor vessel temperature is determined on the basis of reactor coolant temperature. Temperatures needed for operation and for compliance with the operating limits are obtained from one of several sources, depending on the operating condition. During normal operation, either reactor pressure and/or the inlet temperature of the coolant in the recirculation loops can be used to determine the vessel temperature. Below the operating span of the resistance temperature detectors in the recirculation loop, the vessel pressure is used for determining the temperature. Below 212qF the vessel coolant, and thus the vessel temperature, are reasonably well shown by the reactor water cleanup system inlet temperature. These three sources of input are most conveniently available from the process computer. During normal operation, vessel thermal transients are limited via operational constraints on parameters other than temperature. 7.7-3 REV. 19, APRIL 2012

LSCS-UFSAR Reactor Vessel Water Level Figure 7.7-1 shows the water level range and the vessel penetration for each water level range. The instruments that sense the water level are strictly differential pressure devices calibrated to be accurate at a specific vessel pressure and liquid temperature condition. The following is a description of each water level range shown in Figure 7.7-1:

a. Shutdown water level range: This range is used to monitor the reactor water level during the shutdown condition when the reactor system is flooded for maintenance and head removal.

The water level measurement design is the condensate reference chamber leg type that is not compensated for changes in density. The vessel temperature and pressure conditions that are used for the calibration are 0 psig and 120qF water in the vessel. The two vessel instrument penetrations elevations used for this water level measurement are located at the top of the RPV head and the instrument tap just below the bottom of the dryer skirt. NOTE: An Alternate Reactor water level transmitter is installed to display reactor level only when reactor is in mode 4 or 5 and shutdown range transmitter is not available. It is calibrated for 0 PSIG and 120°F to display water level between instrument zero (801' 71/4") and refuel floor (843') via plant process computer.

b. Upset water level range: This range is used to monitor the reactor water when the level of the water goes off the narrow range scale on the high side. The design and vessel taps are the same as outlined above. The vessel pressure and temperature conditions for accurate indication are at the normal operating points. Further information as to the range and control room indication is given in Subsection 7.7.4.

c. Narrow water level range: This range uses for its RPV taps the elevation near the top of the dryer skirt and the taps at an elevation near the bottom of the dryer skirt. The zero of the instrument is the bottom of the dryer skirt, and the instruments are calibrated to be accurate at the normal operating point. The water level measurement design is the condensate reference chamber type, is not density compensated, and uses differential pressure devices as its primary elements. The feedwater control system uses this range for its water level control and indication inputs. For more information as to the range, trip points, number of channels, and control room indication, see the discussion on the feedwater control system, Subsection 7.7.4.

7.7-4 REV. 18, APRIL 2010

LSCS-UFSAR

d. Wide water level range: This range uses for its RPV taps the elevation near the top of the dryer skirt and the taps at an elevation near the top of the active fuel. The zero of the instrument is the bottom of the dryer skirt, and the instruments are calibrated to be accurate at the normal power operating point. The water level measurement design is the condensate reference type, is not density compensated, and uses differential pressure devices as its primary elements. These instruments provide inputs to various safety systems and engineered safeguards systems.

e. Fuel zone water level range: This range uses for its RPV taps the elevation near the top of the dryer skirt and the taps at the jet pump diffuser skirt. The zero of the instrument is the same as that of all other level instrumentation, and the instruments are calibrated to be accurate at 0 psig and saturated condition.

The water level measurement design is the condensate reference type, is not density compensated, and uses differential pressure devices as its primary elements. These instruments provide input water level indication. There is a common condensate reference chamber for the narrow and wide water level ranges. The fuel zone water level transmitters 1B21-N044A and 1B21-N044B share the reference legs of Condensing Chambers 1B21-D368 and 1B21-D367 with the wide range level transmitters 1B21-N026E/CA and 1B21-N026AA/BA, respectively (Unit 1). There is a common condensate reference chamber for the narrow and wide water level ranges. The fuel zone water level transmitters 2B21-N044A and 2B21-N044B share the reference legs of Condensing Chambers 2B21-D368 and 2B21-D367 with the wide range level transmitters 2B21-N026E/CA and 2B21-N026AA/BA, respectively (Unit 2). The water in the reference legs is continuously replaced (backfilled) by a steady flow of water from the CRD system. The water enters the reference leg at a location outside the drywell, flows through the condensing chamber, and is then transferred to the RPV through the steam leg and water level instrumentation nozzle. The continuous backfilling of the reference leg prevents the transport of noncondensible gases from the condensing chamber to the reference leg. In order to decouple the change in water level with changes in drywell temperature, the elevation drop from RPV penetration to the drywell penetration remains uniform for the narrow range and wide range water level instrument lines. 7.7-5 REV. 19, APRIL 2012

LSCS-UFSAR Reactor water level instrumentation that initiates safety systems and engineered safeguards systems is discussed in Subsections 7.2.2 and 7.3.1. Reactor water level instrumentation that is used as part of the feedwater control system is discussed in Subsection 7.7.4. The reactor water level that pertains to this subsection is used to monitor the reactor water level during the shutdown conditions when the reactor system is flooded for maintenance and head removal. The water level measurement design is the condensate chamber reference leg type that is not compensated for change in density. The vessel conditions that will provide accurate water level information are 0 psig pressure and ambient temperature. The range of the instrument is from the bottom of the feedwater control operating range to a level over the top of the reactor vessel head. Reactor Core Hydraulics A differential pressure transmitter indicates core plate pressure drop by measuring the pressure difference between the core inlet plenum and the space just above the core support assembly. The instrument sensing line used to determine the pressure below the core support assembly attaches to the same reactor vessel tap that is used for the injection of the liquid from the standby liquid control system. An instrument sensing line is provided for measuring pressure above the core support assembly. The differential pressure of the core plate is recorded in the main control room. Another differential pressure device indicates the jet pump developed head by measuring the pressure difference between the pressure above the core and the pressure below the core plate. This indication is at the local panel. Reactor Vessel Pressure Pressure switches, indicators, and transmitters detect reactor vessel internal pressure from the same instrument lines used for measuring reactor vessel water level. The following list shows the subsections in which the reactor vessel pressure measuring instruments are discussed:

a. Pressure switches for initiating scram and pressure switches for bypassing the main steamline isolation valve closure are discussed in Subsection 7.2.2.

b. Pressure switches used for HPCS, LPCS, LPCI, and ADS are discussed in Subsection 7.3.1.

c. Pressure transmitters and recorders used for feedwater control are discussed in Subsection 7.7.4.

7.7-6 REV. 19, APRIL 2012

LSCS-UFSAR

d. Pressure transmitters that are used for pressure recording are discussed in Subsection 7.5.2.1.2.

Reactor Vessel Head Seal Leak Detection A pressure between the inner and outer head seal ring is sensed by a pressure switch. If the inner seal fails, the pressure at the pressure switch is the vessel pressure, and the pressure switch will trip and actuate an alarm. The plant will continue to operate with the outer seal as a backup, and the inner seal can be repaired at the next outage when the head is removed. If both the inner and outer head seals fail, the leak is detected by an increase in drywell temperature and pressure. Safety/Relief Valve Seat Leak Detection Thermocouples are located near the discharge of the safety/relief valve seat. The temperature signal goes to a multipoint recorder with an alarm. The alarm is activated by any temperature in excess of a set temperature, signalling that one of the safety/relief valve seats has started to leak. Other Instruments

a. The steam temperature is measured and is transmitted to the control room.

b. The feedwater temperature is measured and transmitted to the control room.

c. The feedwater corrosion products are manually sampled and analyzed to monitor the water quality.

Testability Pressure, differential pressure, water level, and flow instruments are located outside the primary containment and are piped so that calibration and test signals can be applied during reactor operation, if desired. 7.7.1.2.3 Environmental Considerations There are no special environmental considerations for the instruments described in this subsection. 7.7.1.2.4 Operational Considerations The reactor vessel instrumentation discussed in this subsection is designed to augment the existing information from the engineered safeguards and safety 7.7-7 REV. 19, APRIL 2012

LSCS-UFSAR system such that the operator can start up, operate at power, shut down, and service the reactor vessel in an efficient manner. None of this instrumentation is required to initiate any engineered safeguard or safety system. Operator Information The information that the operator has at his disposal from the instrumentation discussed in this subsection is discussed as follows:

a. The shutdown flooding water level is indicated in the control room.

b. The core plate differential pressure is recorded on one input of a recorder input recorder. The second recorder input is used for total core flow.

c. The jet pump developed head is indicated at a local instrument panel.

d. The reactor pressure is indicated at two local racks in the containment by a pressure gauge.

e. The reactor head seal leak detection system turns on an annunciator when the inner reactor head seal fails.

f. The discharge temperatures of all the safety/relief valves are shown on a multipoint recorder in the control room. Any temperature point will turn on an annunciator indicating that a safety/relief valve seat has started to leak.

g. The feedwater corrosion products are manually sampled and analyzed to monitor the water quality.

h. The jet pump developed flow indication is provided on the flat panel display at panel 1(2)H13-PE19 in the AEER and on the operator station in the Main Control Room.

Setpoints The annunciator alarm setpoints for the reactor head seal leak detection, safety/relief valve seat leak detection, and feedwater corrosion product monitor are set so that sensitivity to the variable being measured will provide adequate information. Figure 7.7-1 includes a chart showing the relative indicated water levels at which various automatic alarms and safety actions are initiated. Specific level values are shown in Figure 7.7-1. Each of the listed actions is described and evaluated in the subsection of this report where various level-measuring components and their setpoints are discussed. 7.7-8 REV. 19, APRIL 2012

LSCS-UFSAR

a. Level switches for initiating scram are discussed in Subsection 7.2.2.

b. Level switches for initiating containment or vessel isolation are discussed in Subsection 7.3.2.

c. Level switches used for initiating HPCS, LPCI, LPCS, and ADS and the level switches to shut down the HPCS pump are discussed in Subsection 7.3.1.2.

d. Level switches to initiate RCIC and the level switches to shut down the RCIC pump drive turbine are discussed in Subsection 7.4.1.

e. Level trips to initiate various alarms and trip the main turbine and the feedpumps are discussed in Subsection 7.7.4.

7.7.1.3 Analysis The reactor vessel instruments and systems discussed in this subsection are designed to augment the existing information from the engineered safeguards and safety systems such that the operator can start up, operate at power, shut down, and service the reactor system in an efficient manner. None of this instrumentation is required to initiate any engineered safeguard system nor a safety system. There are no specific regulatory requirements imposed on the reactor vessel instruments and subsystems discussed in Subsection 7.7.1. because of the reasons stated previously. 7.7.2 Rod Control Management System Instrumentation and Controls The objective of the rod control management system is to provide the operator with the means to make changes in nuclear reactivity so that reactor power level and power distribution can be controlled. The system allows the operator to manipulate control rods. The rod control management system consists of the rod movement controls and rod block trip subsystems. The Rod Control Management System (RCMS) is designed to replace the original Reactor Manual Control System (RMCS) equipment consisting of the Rod Drive Control System (RDCS), Rod Position Information System (RPIS), Rod Worth Minimizer (RWM), and Operator Control & Display Subsystem (OCDS), along with the original power supplies. 7.7-9 REV. 19, APRIL 2012

LSCS-UFSAR The Rod Control Management System (RCMS) is a digital system, comprised of four subordinate systems for the combined purpose of maneuvering reactor control rods to obtain the desired reactor core power level and flux distribution safely and efficiently. The subordinate systems are:

a. Rod Position Indication System (RPIS) - Senses the vertical position of the control rods and transmits information to the RCMS Controllers.

b. RCMS Interfaces A and B - Provide internal and external system Input/Output between the RCMS Controllers and various plant systems including rod movement commands to the HCU assemblies.

c. RCMS Controller Channels A and B - Decode rod position data from the RPIS, perform rod control and sequence enforcement logic and transmit/receive signals to/from RCMS Interfaces.

d. Operator Control and Display Sub-System (OCDS) - The normal primary means of operator input/output for system control and for displaying RCMS information and alarms.

The major pieces of equipment that make up the RCMS are located in the main control room (panel H13-P603), auxiliary electrical equipment room (panels H13-P659, H13-P615 Bays 1 and 2) and in the reactor building immediately outside the primary containment, with the hydraulic control units. 7.7.2.1 Design Bases 7.7.2.1.1 General The rod control management system meets the following safety design bases:

a. The circuitry provided for the manipulation of control rods shall be designed so that no failures can negate the effectiveness of a reactor scram.

b. Repair, replacement, or adjustment of any failed or malfunctioning component shall not require that any element needed for reactor scram be bypassed unless a bypass is normally allowed.

7.7-9a REV. 19, APRIL 2012

LSCS-UFSAR The rod control management system instrumentation and controls are designed in accordance with the specific regulatory requirements shown in Table 7.1-2. The rod control management system is designed to meet the following power generation design bases:

a. Inhibit control rod withdrawal following erroneous control rod manipulations so that reactor protection system action (scram) is not required.

b. Inhibit control rod withdrawal in time to prevent local fuel damage as a result of erroneous control rod manipulation.

c. Inhibit control rod movement whenever such movement would result in operationally undesirable core reactivity conditions or whenever instrumentation is incapable of monitoring the core response to rod movement.

d. Limit the potential for inadvertent rod withdrawals leading to reactor protection system action by designing the rod control management system in such a way that deliberate operator action is required to effect a continuous rod withdrawal.

e. Provide the operator with the means to achieve prescribed control rod patterns; provide information pertinent to the position and motion of the control rods in the control room.

7.7.2.1.2 DELETED 7.7.2.2 System Description 7.7.2.2.1 General The rod control management instrumentation and controls consist of the electrical circuitry, switches, indicators, and alarm devices provided for operational manipulation of the control rods and the surveillance of associated equipment. This system includes the interlocks that inhibit rod movement (rod block) under certain conditions. The rod control management does not include any of the circuitry or devices used to automatically or manually scram the reactor; these devices are discussed in Section 7.2. In addition, the mechanical devices of the control rod drives and the control rod 7.7-10 REV. 18, APRIL 2010

LSCS-UFSAR drive hydraulic system are not included in the rod control management system. The latter mechanical components are described in Subsection 4.6.1. The Rod Control Management System allows the operator to select and move control rods as needed for efficient fuel management or varying plant power level for normal operation. The vertical position of each control rod is displayed for operator information. Other functions include the monitoring of conditions pertaining to control rods, providing individual status indications, providing summary information, control rod insertion and withdrawal sequence enforcement and initiation of rod blocks to prevent non-conservative control rod motion in the event of abnormal conditions. The RCMS prevents normal rod insertion and withdrawal with a Rod Position Indication System Not Operative condition present. In this case, insertion of control rods using the EMERGENCY INSERT pushbutton is supported by the RCMS, as long as the RCMS is Operative and the INSERT Permissive is present for the rod selected for insertion. The RCMS logic functionally monitors and enforces adherence to established startup, shutdown, and low power level control rod procedures. The RCMS hardware is arranged in two-channel redundant system architecture. The RCMS System Block Diagram is shown in Figure7.7-2a. This system is a power generation system and is classified as not related to safety. 7.7-10a REV. 18, APRIL 2010

LSCS-UFSAR The rod control management system is an operational control system and has no safety function. Therefore, there are no safety differences between this system and those of the reference design facilities. The rod movement controls systems and rod block trip system, are described in 7.7.2.2.2 and 7.7.2.2.3 respectively. The power sources for each system are discussed in the individual system descriptions. 7.7.2.2.2 Rod Movement Controls Systems Drawing Nos. M-100 and M-146 show the layout of the control rod drive hydraulic system. Although the figures also show the arrangement of scram devices, these devices are not part of the rod control management system. Control rods are moved by admitting water, under pressure from a control rod drive water pump, into the appropriate end of the control rod drive cylinder. The pressurized water forces the piston, which is attached by a connecting rod to the control rod, to move. Three modes of control rod operation are used: insert, withdraw, and settle. Four solenoid-operated valves are associated with each control rod to accomplish the actions required for the operational modes. The valves control the path that the control rod drive water takes to the cylinder. The rod drive control system, a subsystem of the rod control management system, controls the valves. Rod positions are displayed in the control room by the rod position information system (another subsystem of the rod control management system). 7.7.2.2.2.1 Rod Drive Control System The RCMS Rod Control Logic uses plant status variables and system variables from other RCMS Controller channel software tasks to determine rod movement permissives and indicator variables for use in Rod Motion command generation, Position Feedback and as system outputs. A combination of movement logic, motion timers (for each rod), and position feedback are used to control rod motion. Each RCMS Controller channel continuously compares its commands, as issued to the RCMS Interfaces (INSERT, WITHDRAW, SETTLE, and Collet Unlatch Assist), against rod positions. This function also develops the CRD Stabilizing Valve control signals dependent on rod movement commands. The RCMS control system logic ensures that only one rod can be selected and then commanded to move at one time. A rod is selected for movement via either the Rod Select Display or the Status Display on panel H13-P603 in the main control room. 7.7-11 REV. 18, APRIL 2010

LSCS-UFSAR Prior to the operator initiating rod motion, the Drive Flow Trip Circuit switch of RCMS on the rod select panel is repositioned from the Active position to the Bypassed position. The Drive Flow trip circuit prevents unintended control rod motion from a hypothetical software common cause failure of the RCMS system by removing power to the RCMS power modules if CRD Drive Water flow occurs when no operator action is being taken to move control rods. Removing power to the RCMS power modules interrupts signals between RCMS and the CRD HCU transponder cards, which prevents the directional control valves from receiving power to open. The Drive Flow trip circuit seals in once tripped, and can be reset by the operator with a reset pushbutton on the rod select panel. The Drive Flow Trip circuit is bypassed when control rod motion is desired by the operator. The Drive Flow Trip circuit may also be bypassed under operation's authorization to support maintenance on the CRO hydraulic systems when changes in the systems lineups may result in unintended system pressure disturbances that cause CRD Drive Water Flow signal spiking. 7.7-11a REV. 19, APRIL 2012

LSCS-UFSAR The operator initiates rod motion request signals for the selected control rod, by pressing the rod INSERT or WITHDRAW pushbuttons located on the Rod Select Module at H13-P603. Both the A and B MCR Controller Channels monitor the state of the INSERT, WITHDRAW, CONTINUOUS INSERT and CONTINUOUS WITHDRAW pushbuttons and process the operator initiated rod motion request signals, via separate sets of contacts on those pushbuttons. The MCR Controller Channels transmit the rod motion request signals to both RCMS Controller channels. Each RCMS Controller channel performs a comparison of the rod motion request signals it receives from MCR Controller channels A and B. In either rod motion direction, if the rod motion requests received from the two MCR Controller channels are not in agreement, no action is taken by the Cross-Compare logic in the RCMS Controller channels and no rod motion occurs. Rod Motion requests are only processed if rod position data from an OPERATIVE RCMS Controller channel is displayed on either the Rod Select Display or Status Display, with the associated MCR Controller channel for that display in OPERATIVE mode. RCMS Controller Channels Two RCMS Controller channels (A and B are used in the RCMS architecture and perform the majority of the Rod Control Logic Processing. Each controller channel is a separate hardware assembly running the same software, but running independently of the opposite RCMS controller channel. The objective of this dual-redundant design is to provide high RCMS availability. The RCMS Controller channels decode rod position data from the RPIS, perform the functions of the Rod Control & Sequence Enforcement Logic, acquire/send signals to/from the RCMS Interfaces including the transponder serial words, perform channel Cross-Compare tests, and interface with the RCMS Maintenance Display. The two RCMS Controller channels exchange Sequence Enforcement, Rod Control Logic, and other status information with each other to verify the functional integrity of the opposite RCMS Controller channel. A loss of communications between the two RCMS Controller Channels, will generate an RCMS TROUBLE or INOP Alarm output (with appropriate deactivation of INSERT and WITHDRAWAL permissives) depending upon the severity of the failure. If the values calculated by one RCMS Controller channel for critical parameters do 7.7-12 REV. 18, APRIL 2010

LSCS-UFSAR not match those calculated by the opposite channel, a critical cross-comparison failure is then declared by the RCMS Controller channel(s) detecting the discrepancy and an RCMS INOP Alarm is generated. This integrity check between the two RCMS Controller channels is called the Cross-Compare Test. Information is provided to the RCMS controller channels, from the MCR Controller channels, for operator input and LPRM status information. Display information is provided from the RCMS Controller channels to the MCR Controller channels for display on the RCMS displays. During normal operation, rod movement commands from both RCMS Controller channels are sent to each RCMS Interface. In order to move a rod, each RCMS Interface logically ANDs the rod motion commands from both RCMS Controller channels. In order for Rod motion command data to be accepted and processed by the RCMS Interfaces, the following criteria must be met:

a. Both RCMS Controller channels must be operative and the command signals received from the RCMS Controller channels by the applicable RCMS Interface are in agreement; or

b. One RCMS Controller channel is OPERATIVE and the opposite RCMS Controller channel is in INOP/TEST, in which case rod motion commands from the OPERATIVE RCMS Controller channel are acted upon.

In the event of a disagreement between the rod motion command data sent to a particular RCMS Interface from both RCMS Controller channels, that RCMS Interface generates no Operator Follow serial command data output. Each RCMS Controller channel operates in one of three operating modes:

a. OPER - The OPER or Operate mode may be entered through user selectable parameters and is the normal mode of operation of the RCMS Controller channels.

b. INOP/TEST - An RCMS Controller channel may be manually placed in INOP/TEST or Inoperative/Test through user selectable parameters. If in this mode, that channels outputs no longer contribute to RCMS outputs or rod motion commands.

c. INOPERATIVE - An RCMS Controller channel enters the INOPERATIVE Mode automatically if, while in OPER mode, a fault occurs causing an RCMS INOP Alarm. If in this mode, that channels outputs no longer contribute to RCMS outputs or rod motion commands.

7.7-13 REV. 18, APRIL 2010

LSCS-UFSAR The RCMS Sequence Enforcement Logic consists of redundant software running independently on both RCMS Controller channels. The Sequence Enforcement Logic enforces predefined rod pattern control restrictions through generation of withdraw and insert permissive signals. These withdraw and insert permissive signals are used by the RCMS Rod Control Logic in order to determine if the WITHDRAW and INSERT rod motion command signals should be activated. The Sequence Enforcement Logic limits rod motion such that rods cannot be withdrawn to the extent of generating excessive heat flux in the fuel or causing premature criticality. During low power operation, the Sequence Enforcement Logic prevents achieving control rod configurations that would give any single control rod a high reactivity worth. Rod worth minimization, is intended to mitigate the effect of a postulated rod drop accident which might occur in the unlikely event that a stuck control rod, previously separated from its control rod drive, suddenly became free. The Sequence Enforcement Logic will remove the rod motion permissive signal if the operator does not follow the prescribed rod motion sequence. For example, if the operator selects a control rod that is not to be moved in the current step, both INSERT and WITHDRAW permissives are removed and rod motion is blocked (prevented). Once a rod reached its step limit in a given direction of motion, the permissive for further motion in that direction is removed. When all rods in a current step are withdrawn to their limits, the operator proceeds with the next step. During startup of the reactor and power ascension, this process continues until the Low Power Set Point (LPSP) is reached. Above the LPSP, the rod worth of any single rod is not large enough to cause fuel damage in the event of a rod drop accident. 7.7.2.2.2.2 Control Rod Drive Hydraulic System Control One motor-operated pressure control valve, two air-operated flow control valves, and two solenoid-operated stabilizer valves are included in the control rod drive hydraulic system to maintain smooth and regulated system operation. These devices are shown in Drawing Nos. M-100 and M-146. The motor-operated pressure control valves are positioned by manipulating switches in the control room. The switches for these valves are located close to the pressure indicators that respond to the pressure changes caused by the movements of the valves. The air-operated flow control valve is automatically positioned in response to signals from an upstream flow-measuring device. The stabilizer valves are automatically controlled by the energization of the insert and withdraw commands. There are two drive water pumps which are controlled by switches in the control room. Each pump automatically stops on indication of low suction pressure. 7.7-14 REV. 18, APRIL 2010

LSCS-UFSAR 7.7.2.2.2.3 Rod Position Information System(RPIS) This system includes the rod position probes and the electronics that processes the probe signals and provides the data described above. The position probe is a long cylindrical assembly that fits inside the control rod drive index tube. It includes 52 magnetically operated reed switches, located along the length of the probe and operated by a permanent magnet fixed to the moving part of the hydraulic drive mechanism. As the drive, and with it the control rod blade, moves along its length, the magnet causes reed switches to close as it passes over the switch locations. The particular switch closed then indicates where the control rod drive and hence the rod itself is positioned. The switches are located as follows: one at each of 24 notch (even) positions; one at each of 24 midnotch (odd) positions; two at the fully inserted position (approximately the same location as the "00" notch); one at the fully withdrawn position (approximately the same location as the "48" notch position); and one at the "overtravel" or decoupled position. All of the midnotch or "odd" switches are wired in parallel and treated as one switch (for purposes of external connections), and the two fully-in switches are wired in parallel and treated as one switch. These and the remaining switches are wired in a 5x6 array (the switches short the intersections) and routed out in all 11-wire cable to the processing electronics (the probe also includes a thermocouple which is wired out separate from the 5x6 array) (see Figure 7.7-4). RCMS RPIS Electronics The Rod Position Indication System senses the vertical position of the control rods in the reactor and transmits this information to the Rod Control Management System (RCMS) Controller channels. The RCMS Controller channels also use rod position data from the RPIS in performance of the following system tasks/functions:

a. Sense any rods that are not latched in a notch (i.e. drifting rods)

b. Sense any rod(s) that is (are) fully inserted

c. Sense any rod(s) which is (are) uncoupled (overtravel)

d. Analyze raw data from the position probes for abnormalities indicative of shorts or breaks, and notify the operator if they are found Three RPIS modules are located in the RPIS cabinets. Each RPIS module contains 7.7-15 REV. 18, APRIL 2010

LSCS-UFSAR either one or two associated RPIS cardfiles. There are a total of five RPIS cardfiles. Each RPIS cardfile contains a single File Control Processor (FCP) card and up to 11 Probe Multiplexer (MUX) cards. A single probe MUX card receives rod position data from a maximum of four Position Indication Probes (PIPs). Each individual FCP generates query signals, called Command Words, simultaneously to every Probe MUX card in its associated RPIS cardfile. The Probe MUX card, whose identity matches the address encoded in the Command Word, responds with raw probe data derived from the corresponding control rod PIP, in the form of two sequential data words. 7.7-15a REV. 18, APRIL 2010

LSCS-UFSAR Each FCP processes the responses for all Probe MUX cards in its associated cardfile and encapsulates it into two User Datagram Protocol / Internet Protocol (UDP/IP) packets containing duplicate copies of the raw PIP data. The FCP performs self-tests to determine its own status, polls the status of the associated RPIS power supply, and polls the status of the Probe MUX cards in its associated cardfile. The check and status information obtained by each FCP is encapsulated into the two UDP/IP packets. One of the UDP/IP packets is sent to the RCMS Controller Channel A and the other is sent to RCMS Controller Channel B. In H13-P659, RPIS data is processed independently by each of the two redundant RCMS Controller channels. The RPIS data is used to generate rod blocks, displayed throughout the RCMS and transmitted to the PPC for use in Scram Timing. The RPIS is a reporting subsystem of the RCMS incapable of effecting rod movement alone; therefore it does not require the same redundancy as that utilized in the RCMS Controller channel design. The RCMS will prevent normal rod insertion and withdrawal with a RPIS Not Operative condition present. In this case, Rod Insertion using the EMERGENCY INSERT pushbutton is supported by the RCMS, provided that the RCMS is Operative and the Insert Permissive is present for the rod selected for Insertion. Status Indication The following control room lights or indications are provided to allow the operator to know the conditions of the control rod drive hydraulic system and the control circuitry:

a. Deleted

b. insert command energized,

c. withdraw command energized,

d. settle command energized,

e. withdrawal not permissive,

f. continuous withdrawal,

g. pressure control valve position,

h. flow control valve position,

i. drive water pump low suction pressure (alarm and pump trip),

7.7-16 REV. 18, APRIL 2010

LSCS-UFSAR

j. drive water filter high differential pressure (alarm only),

k. charging water (to accumulator) high pressure (alarm only),

l. charging water (to accumulator) low pressure (alarm only),

m. control rod drive temperature (alarm only),

n. scram discharge volume not drained (alarm only), and

o. scram valve pilot air header high/low pressure (alarm only).

7.7.2.2.2.4 Power Supplies The RCMS components in main control room panel H13-P603 and in AEER panels H13-P615 and H13-P659 receive their 120Vac power from an uninterruptible power supply (UPS). Manual transfer to an alternate source is available to each panel for temporary use during maintenance or out-of services on the normal power system. 7.7.2.2.2.5 Inspection and Testing The RCMS automatically performs a series of diagnostic self-test routines designed to detect abnormal operation and/or degradation of system components. Self-test failures typically result in initiation of an RCMS TROUBLE Alarm and/or RCMS INOP Alarm depending upon the nature and severity of the self-test failure. RCMS Calibration includes displays to perform the following tasks:

a. RCMS Interface Output Checks

b. RCMS and MCR Interface calibration

c. RCMS Interface CRD pressure and flow Analog Input calibration

d. RCMS Interface Power Module Voltage and Current Analog Input calibration

e. Screen Calibration The Drive Flow Trip circuit has a test switch which allows the trip function of each programmable trip unit to be functionally tested without disrupting power to the RCMS power modules.

7.7-17 REV. 19, APRIL 2012

LSCS-UFSAR 7.7.2.2.2.6 Environmental Considerations The rod control management system is not required for safety functions, nor required to operate after the design-basis accident. The rod control management system is required to operate in the normal plant environments for power generation purposes only. The hydraulic control units are located in the secondary containment. The transponder cards and branch junction modules are located in the same area. The RCMS Main Control Room (MCR) equipment, located in H13-P603, consists of 2 NUMAC MCR Controller channels, 2 MCR Interfaces, Local Power Range Monitor (LPRM) Interface, 40 Core Map display, 20 Status display, Rod Select Module with 20 display, and MCR Interface Bypass Switch. The two MCR Controller channels (A and B) are installed in a common MCR Controller chassis, located in the rear of H13-P603. In the AEER, RCMS equipment, located in panel H13-P659, consists of 2 NUMAC RCMS Controller channels, 2 RCMS Interfaces, Maintenance Display, SYSTEM SELECT Switch, and an RCMS Power Module in place of the original equipment (H13-P616 Analyzer / Fault Map, Activity Controls, and Power Gate). The two RCMS controller channels (A and B) are installed in a common RCMS Controller chassis, located in H13-P659. The control rod position detectors are located beneath the reactor vessel in Zone 3 of the drywell. For the normal design environments encountered in these areas, see Section 3.11. 7.7-17a REV. 19, APRIL 2012

LSCS-UFSAR 7.7.2.2.2.7 Operational Considerations Normal Operation The rod control management system is totally operable from the control room. Manual operation of individual control rods is possible to effect control rod insertion, withdrawal, or settle. Rod position indication, described below, provides the necessary information to ascertain the operating state and position of all control rods. Conditions which prohibit control rod withdrawal are alarmed with the rod out block annunciator. Operator Information (RCMS) The RCMS is equipped with three 20 touch-screen LCD displays, which can be used to provide operator input to and view system indications. In addition, the RCMS is equipped with a 40 Core Map Display, which provides a common MCR display where operators and the Shift Supervisor can monitor the position and state of every control rod and associated indications. The Rod Select Display provides the following indications:

a. The selectable Core Map Display showing the position and state of all control rods.

b. Indications related to the state of any control rods (# Rods Unknown, # Rods Out, WITHDRAW BLOCK, Drift, Data Fault, INSERT Error, WITHDRAW Error, Rod Bypassed).

c. Indications related to the power, referring to the LPAP and LPSP (Power Below LPAP, Power Below LPSP, RWM to Full Power).

d. Indication of the RCMS Interfaces and Controller channels Status (RCMS Interface A/B Bypassed, MCR Interface A/B Bypassed, RWM Blocks to Full Power), also the RWM Status (RWM Bypassed) and the TS Interlock Defeated indications.

e. Indications related to the sequence loaded (Sequence XXXXXX, Step: XXX, Array: XXX, Step Limits: XX to XX)

f. Indications related to ATWS, Shutdown or Scram situation (ATWS or Reactor Shutdown or All Rods In, All Scram Valves Open).

g. STEP UP / DOWN softkey with arrow (up or down) shows latching direction based on RWM prompting.

7.7-18 REV. 19, APRIL 2012

LSCS-UFSAR Displayed in the header region of the Rod Select Display are the following indications:

a. RCMS Controller channel, RCMS Interface, MCR Controller channel and MCR Interface operating mode

b. RCMS Controller channel and MCR Controller channel Self-Test status The Core Map Display provides a common MCR display where operators and the Shift Supervisor can monitor the position and state of every control rod and associated indications. The Core Map Display provides the following indications:

a. A fixed format Core Map Display providing coordinate and position information of all rods.

b. LPRM upscale/downscale status

c. Selected rod(s)

d. Color coded drifting rod flashing and solid (acknowledged) indication

e. Accumulator status alarm with acknowledge function

f. Scram valve position status

g. Rod Control status boxes providing TS interlock defeated, Accum Trouble, Drift, Data Fault, Rod Summary, LPRM DNSC disabled, Scram Valves open, and S/D status indicators

h. Fixed mimic indications for SRM, IRM and LPRM locations on core.

The Status Display is capable of providing the same indications as the Rod Select Display. The Status Display also serves as a back-up to the flat panel touchscreen Rod Select Display in the event of component failure. This provides the equivalent of a 2-channel system for operability. 7.7-18a REV. 19, APRIL 2012

LSCS-UFSAR 7.7.2.2.3 Rod Block Trip Instrumentation and Control System The rod block trip instrumentation and control system, upon receipt of input signals from other systems and subsystems, inhibits movement or selection of control rods. The RCMS rod blocking functions are designed to prevent plant operation errors. RBM rod blocks are redundantly received by Input Modules installed in each RCMS Interface. Whenever a rod block is applied, a reason for the block is provided as a system alarm message. Rod block messages are also transferred to the Plant Process Computer (PPC). The Rod Block Inhibit function provides the operator the ability to manually disable specific refuel blocks or defeat / bypass certain external blocks and block related inputs. 7.7.2.2.3.1 Power Supply The power supply for the rod block trip instrumentation and control system is discussed in Subsection 7.7.2.2.2.4. 7.7.2.2.3.2 Grouping of Channels The grouping of neutron monitoring equipment (SRM, IRM, APRM, and RBM) used in the rod block circuitry is NOT the same as that used in the reactor protection system. Half of the total monitorsSRMs A & C, IRMs A, B, E, & F, and APRMs A, D, & Eprovide inputs to one of the RCMS rod block logic circuits, and the remaining half of the monitors provide inputs into the other RCMS rod block logic circuitSRMs B & D, IRMs C, D, G, & H, and APRMs B, C, & F. (In the RPS trip logic, one RPS trip system has IRMs A, C, E, & G, and APRMs A, C & E and the other trip system has IRMs B, D, F, & H and APRM B, D & F.) Half of the total monitors (SRM, IRM, APRM, and RBM) provide inputs to one of the RCMS rod block logic circuits, and the remaining half provide inputs to the other RCMS rod block logic circuit. Two recirculation flow units provide a rod block signal to one logic circuit; the remaining units provide an input to the other logic circuit. The flow unit comparator provides trip signals to each flow unit trip circuit. Scram discharge volume high water level signals are provided as inputs into both of the two rod block logic circuits. Both rod block logic circuits sense when the high water level scram trip for the scram discharge volume is bypassed. The rod withdrawal block from the rod worth minimizer trip affects one rod block logic circuit. The rod insert block from the rod worth minimizer function prevents energizing the insert bus for both notch insertion and continuous insertion. The APRM and RBM rod block settings are varied as a function of recirculation flow. Analyses show that the selected settings are sufficient to avoid both reactor 7.7-19 REV. 19, APRIL 2012

LSCS-UFSAR protection system action and local fuel damage as a result of a single control rod withdrawal error. Mechanical switches in the SRM and IRM detector drive systems provide the position signals used to indicate that a detector is not fully inserted. Additional detail on all the neutron monitoring system trip channels is available in Subsection 7.6.3. The rod block from scram discharge volume high water level utilizes one nonindicating float switch installed on the scram discharge volume. A second float switch provides a control room annunciation of increasing level below the level at which a rod block occurs. 7.7.2.2.3.3 Rod Block Functions The following discussion describes the various rod block functions and explains the intent of each function. The instruments used to sense the conditions for which a rod block is provided are discussed later. The rod block functions provided specifically for refueling situations are described in Subsection 7.7.13.

a. With the mode switch in the SHUTDOWN position, no control rod can be withdrawn. This enforces compliance with the intent of the shutdown mode.

b. The circuitry is arranged to initiate a rod block regardless of the position of the mode switch for the following conditions:

1. Any average power range monitor (APRM) upscale rod block alarm. The purpose of this rod block function is to avoid conditions that would require reactor protection system action if allowed to proceed. The APRM upscale rod block alarm setting is selected to initiate a rod block before the APRM high neutron flux scram setting is reached.

2. Any APRM inoperative alarm. This assures that no control rod is withdrawn unless the APRM channels are either in service or correctly bypassed.

3. Either rod block monitor (RBM) upscale alarm. This function is provided to stop the erroneous withdrawal of a control rod so that local fuel damage does not result.

Although local fuel damage poses no significant threat in terms of radioactive material released from the nuclear system, the trip setting is selected so that no local fuel damage results from a single control rod withdrawal error during power-range operation. 7.7-20 REV. 19, APRIL 2012

LSCS-UFSAR

4. Either RBM inoperative alarm. This assures that no control rod is withdrawn unless the RBM channels are in service or correctly bypassed.

5. Either recirculation flow converter upscale or inoperative alarm. This assures that no control rod is withdrawn unless the recirculation flow converters, which are necessary for the proper operation of the RBM's, are operable.

6. Recirculation flow converter comparator alarm or inoperative. This assures that no control rod is withdrawn unless the difference between the outputs of the flow converters is within limits and the comparator is in service.

7. Scram discharge volume high water level. This assures that no control rod is withdrawn unless enough capacity is available in the scram discharge volume to accommodate a scram. The setting is selected to initiate a rod block earlier than the scram that is initiated on scram discharge volume high water level.

8. Scram discharge volume high water level scram trip bypassed. This assures that no control rod is withdrawn while the scram discharge volume high water level scram function is out of service.

9. The rod worth minimizer (RWM) can initiate a rod insert block and a rod withdrawal block. The purpose of this function is to reinforce procedural controls that limit the reactivity worth of control rods under lower power conditions. The rod block trip settings are based on the allowable control rod worth limits established for the design-basis rod drop accident. Adherence to prescribed control rod patterns is the normal method by which this reactivity restriction is observed. Additional information on the rod worth minimizer function is available in Subsection 7.7.7.

7.7-21 REV. 19, APRIL 2012

LSCS-UFSAR

c. With the mode switch in the RUN position, any of the following conditions initiates a rod block:

1. Any APRM downscale alarm. This assures that no control rod will be withdrawn during power-range operation unless the average power range neutron monitoring channels are operating correctly or are correctly bypassed. All unbypassed APRM's must be on scale during reactor operations in the RUN mode.

2. Either RBM downscale alarm. This assures that no control rod is withdrawn during power range operation unless the RBM channels are operating correctly or are correctly bypassed. Unbypassed RBMs must be on scale during reactor operations in the RUN mode.

d. With the mode switch in the STARTUP or REFUEL position, any of the following conditions initiates a rod block:

1. Any source range monitor (SRM) detector not fully inserted into the core when the SRM count level is below the retract permit level and any associated IRM range switch on either of the two lowest ranges. This assures that no control rod is withdrawn unless all SRM detectors are correctly inserted when they must be relied on to provide the operator with neutron flux level information.

2. Any SRM upscale level alarm. This assures that no control rod is withdrawn unless the SRM detectors are correctly retracted during a reactor startup. The rod block setting is selected at the upper end of the range over which the SRM is designed to detect and measure neutron flux.

7.7-22 REV. 19, APRIL 2012

LSCS-UFSAR

3. Any SRM downscale alarm. This assures that no control rod is withdrawn unless the SRM count rate is above the minimum prescribed for low neutron flux level monitoring.

4. Any SRM inoperative alarm. This assures that no control rod is withdrawn during low neutron flux level operation unless neutron monitoring capability is available in that all SRM channels are in service or correctly bypassed.

5. Any intermediate range monitor (IRM) detector not fully inserted into the core. This assures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available in that all IRM detectors are correctly located.

6. Any IRM upscale alarm. This assures that no control rod is withdrawn unless the intermediate range neutron monitoring equipment is correctly upranged during a reactor startup. This rod block also provides a means to stop rod withdrawal in time to avoid conditions requiring reactor protection system action (scram) in the event that a rod withdrawal error is made during low neutron flux level operations.

7. Any IRM downscale alarm except when range switch is on the lowest range. This assures that no control rod is withdrawn during low neutron flux level operations unless the neutron flux is being correctly monitored. This rod block prevents the continuation of a reactor startup if the operator upranges the IRM too far for the existing flux level. Thus, the rod block ensures that the intermediate range monitor is on scale if control rods are to be withdrawn.

8. Any IRM inoperative alarm. This assures that no control rod is withdrawn during low neutron flux level operations unless neutron monitoring capability is available in that all IRM channels are in service or are correctly bypassed.

7.7.2.2.3.4 Rod Block Bypasses To permit continued power operation during repair or calibration of equipment for selected functions that provide rod block interlocks, a limited number of manual bypasses are permitted as follows: 7.7-23 REV. 18, APRIL 2010

LSCS-UFSAR

a. 1 SRM channel,

b. 2 IRM channels (1 on either Bus A or Bus B),

c. 2 APRM channels (1 on either Bus A or Bus B), and

d. 1 RBM channel.

The permissible IRM and APRM bypasses are arranged in the same way as in the reactor protection system. The IRM's are arranged as two groups of equal numbers of channels. One manual bypass is allowed in each group. The groups are chosen so that adequate monitoring of the core is maintained with one channel bypassed in each group. The same type of grouping and bypass arrangement is used for APRM's. The arrangement allows the bypassing of one IRM and one APRM in each RPS Trip system. (The RPS trip systems are divided so that one has IRM A, C, E, & G, and APRM A, C & E and the other trip system has IRM B, D, F, & H and APRM B, D & F.) These bypasses are controlled by positioning switches in the control room. A light in the control room indicates the bypassed condition. An automatic bypass of the SRM detector position rod block is effected as the neutron flux increases beyond a preset low level on the SRM instrumentation or when the range switches for all IRMs in the same group are at position 3 or higher. The bypass allows the detectors to be partially or completely withdrawn as a reactor startup is continued. An automatic bypass of the SRM downscale rod block is effected when the range switches for all IRMs in the same group are at position 3 or higher. All SRM rod blocks are bypassed when all IRMs in the same group are at position 8 or higher. An automatic bypass of the RBM rod block occurs when the power level is below a preselected level or when a peripheral control rod is selected. Either condition indicates that local fuel damage is not threatened and that RBM action is not required. The rod worth minimizer rod block function may be optionally bypassed when reactor power increases above a preselected value in the power range. It can be manually bypassed for maintenance below 10% power provided a second licensed operator or other qualified member of the technical staff is present to check rod movements at any time. Above the preselected power level, rod blocks may be optionally enforced, if desired. An automatic bypass of the SRM downscale rod block and the SRM detector position rod block is effected when the range switch for all IRMs on the same group are at position 8 or higher. 7.7-24 REV. 19, APRIL 2012

LSCS-UFSAR 7.7.2.2.3.5 Rod Block Interlocks Figure 7.7-2a shows the general arrangement of the rod control management system. 7.7.2.2.3.6 Redundancy To achieve an operationally desirable performance objective where most failures of individual components would be easily detectable or would not disable the rod movement inhibiting functions, the rod block logic circuitry is arranged as two similar logic circuits. Each logic circuit receives input trip signals from a number of trip channels and each logic circuit can provide a separate rod block signal to inhibit rod withdrawal. The output of each logic circuit is coupled to a comparator by the use of electro-optical devices in the rod drive control cabinet. The formulated A and B signals are compared and rod blocks applied when either A or B trip signals are present. Rod withdrawal is permitted only if the two signals agree at all times. Because the transmitted signals are dynamic and vary with time, any reactor manual control system failure that interrupts the dynamic signals transmitted to the hydraulic control units will prevent further control rod motion. Hence, failures consisting of short circuits, open circuits, loss of circuit continuity, or loss of power will inhibit manual rod movement. The rod block circuitry is effective in preventing rod withdrawal, if required, during both normal (notch) withdrawal and continuous withdrawal. If a rod block signal is received during a rod withdrawal, the control rod is automatically stopped at the next notch position, even during a continuous rod withdrawal. The components used to initiate rod blocks in combination with refueling operations provide rod block trip signals to these same rod block circuits. These refueling rod blocks are described in Subsection 7.7.13. 7.7.2.2.4 DELETED 7.7.2.2.4.1 DELETED 7.7.2.2.4.2 DELETED 7.7.2.2.4.3 DELETED 7.7.2.2.4.4 DELETED 7.7.2.2.4.5 DELETED 7.7.2.3 Analysis 7.7.2.3.1 Rod Movement Controls 7.7-25 REV. 19, APRIL 2012

LSCS-UFSAR 7.7.2.3.1.1 General Functional Requirement Conformance The rod control management system circuitry is completely independent of the circuitry controlling the scram valves. This separation of the scram and normal rod control functions prevents any failures in the rod control management circuitry from affecting the scram circuitry. The scram circuitry is discussed in Section 7.2. During control rod insertion or withdrawal, directional control valves in the hydraulic control unit open to apply or relieve hydraulic water pressure and flow as needed to effect the desired rod movement. If a scram were to occur during a control rod movement, then it is possible that some of the directional control valves could be open during the scram. Analyses (Reference 9) have confirmed that the scram times for normally operating CRDs will meet Technical Specification scram performance requirements during CRD insertion and withdrawal (notching and continuous). No failures in the rod control management system can result in the prevention of a reactor scram. Repair, adjustment, or maintenance of reactor manual control system components does not affect the scram circuitry. Fiber-optic Ethernet communications are used to simplify electrical isolation between the RCMS Controller channels and the Plant Process Computer (PPC). Fiber-optic Ethernet is also used internally to provide User Datagram Protocol (UDP) communications links between File Control Processors (FCPs) and RCMS Controller Channels, as well as between the RCMS Interfaces and the RCMS Controller Channels. Discrete plant inputs and bypass switches for the RCMS and MCR Interfaces are optically isolated via isolated digital input modules installed in each NUMAC interface chassis

a. The RCMS is not required for plant safety. The system has no function during a loss-of-coolant accident or any design-basis accident.

b. This system is not used for plant shutdown resulting from accident or nonstandard operational conditions.

c. The function of the RCMS is to control core reactivity and thus power level. Interlocks from many different sources are incorporated to prevent the spurious operation of drives or undesirable rod patterns throughout all ranges of operation.

d. This system contains no components, circuits or instruments required for reactor trip or scram. There are no operator manual controls which can prevent scram.

e. The consequence of improper operator action or the failure of rod block interlocks is an inadvertent reactor scram.

7.7-26 REV. 19, APRIL 2012

LSCS-UFSAR 7.7.2.3.1.2 Specific Requirements 10 CFR 50 Appendix A - Criterion 24 No part of the RCMS is required for scram. The rod block functions provided by the NMS are the only instances where the RCMS uses any instruments or devices used by the RPS. The rod block signals received from the NMS prevent improper rod motion before limits causing reactor scram are reached. Common APRM, IRM, and SRM detectors are used, but physically and electrically separate trip units provide signals for the RCMS and RPS. See Subsections 7.2.2.4.1, 7.6.3, and 7.7.2.2.3.2 for a description of this interface. In addition to separate trip units for the RPS and RCMS, the inputs to the RCMS are isolated from the logic via optical isolators. Single failure of a control component therefore will not degrade the protection system. 10 CFR 50 Appendix A - Criterion 26 The RCMS is one of the two independent reactivity control systems required by this criterion. 7.7.2.3.2 DELETED 7.7.2.3.2.1 DELETED 7.7.2.3.2.2 DELETED 7.7.3 Recirculation Flow Control System Instrumentation 7.7.3.1 Design Bases 7.7.3.1.1 Safety Design Basis The recirculation flow control system functions so that no abnormal operational transient resulting from a malfunction in the recirculation flow control system can result in damaging the fuel or exceeding nuclear system pressure limits. 7.7.3.1.2 Power Generation Design Bases The recirculation flow control system is designed to meet the following power generation design bases:

a. To allow variation of the recirculation flow rate.

b. To allow manual recirculation flow adjustment, so that manual control of reactor power level is possible.

7.7-27 REV. 18, APRIL 2010

LSCS-UFSAR 7.7.3.2 Description The objective of the recirculation flow control system is to control reactor power level, over a limited range, by controlling the flow rate of the reactor recirculating water. The recirculation flow control system consists of the electrical circuitry, switches, indicators, motors, and alarm devices provided for operational manipulation of the recirculation flow control valves and the low-frequency MG set and for surveillance associated equipment. Recirculation flow control is by manual operation. During periods of low power level such as plant startup and shutdown, the recirculation pump and motor will be powered by the low-frequency MG set and will operate at approximately 25% of rated full load speeds. This system is a power generation system and is classified as not related to safety. The recirculation flow control system is an operational control system and has no safety function; therefore, there are no safety differences between this system and those of the above referenced facilities. 7.7.3.2.1 Power Sources Normal The digital RRFC system is powered by two independent reliable 120 Vac power sources, which receive power from motor control centers 131A-2, 132B-1 (Unit 1) and 231A-2, 232B-1 (Unit 2). The two power sources support all the RRFC and jet pump instrumentation equipment in the cabinets with redundant power. This configuration allows continuous operation upon loss of any power supply unit or power supply source. If a failure occurs in any power supply unit or diode the RRFC system supervises and annunciates a minor RRFC alarm in the 1(2)H13-P602 panel. More detailed alarm information is available at the Operator Station (OS). Alternate On loss of normal auxiliary power, one of the reserve auxiliary transformers provides backup power to the 460-Vac normal auxiliary power systems. 7.7.3.2.2 Equipment Design Reactor recirculation flow is varied by throttling the recirculation pump discharge with control valves. The recirculation pumps operate at constant speed on either the LFMG or normal 60-cycle power. By adjusting the position of the discharge throttling valves, the recirculation system can change the reactor power level. 7.7-28 REV. 18, APRIL 2010

LSCS-UFSAR Control of core flow is such that, at various control rod patterns, different power level changes can be automatically accommodated. For a rod pattern where rated power accompanies 100% flow, power can be reduced to approximately 65% of full power by manual flow variation. The manual control of power is available at other rod patterns as well. An increase in recirculation flow temporarily reduces the void content of the moderator by increasing the flow of coolant through the core. The additional neutron moderation increases reactivity of the core, which causes reactor power level to increase. The increased steam generation rate increases the steam volume in the core with a consequent negative reactivity effect, and a new steady-state power level is established. When recirculation flow is reduced, the power level is reduced in the reverse manner. The RRFC system control configuration is shown in Figure 7.7-5A. It is based on four Advant Controller 70 (AC70) with process interfaces to support control of the two recirculation flow loops (Reference 5). Four independent AC70s including S800 Input/Output (I/O) modules are interfacing the recirculation pumps and flow control valves (FCV), process instrumentation and M/A stations in the main control room. A field communication interface (FCI) with S800 I/O modules is used for the jet pump instrumentation. The calculation of jet pump algorithms is made in the RWLC Advant Controller 450 (AC450). Both of the recirculation flow loops are supported with their own group of S800 I/O modules to meet requirements for independence and reliability for the RRFC system. Each flow control valve (FCV) has two independent controllers (AC70) and group S800 I/O modules supporting each redundant half of the hydraulic power unit (HPU) and associated process instrumentation. There is also an AC70 that controls the jet pump instrumentation flat panel display via a MODBUS connection. The AC450 within RWLC system is used for communication with the common RWLC and RRFC equipment, such as the Advant Station 500 Operator Station (AS500 OS) and the Advant Engineering Workplace (AEW). A gateway is shared with the RWLC system for supporting data to a local area network (LAN) and transient recording of data. The RRFC and RWLC systems control functions are completely independent from each other. Also, AC450 and AC70 differ in both, hardware design and software programming. Therefore, this arrangement ensures control equipment diversity between these critical control systems. The reactor power change resulting from change in recirculation flow causes the initial pressure regulator to reposition the turbine control valves. If the original demand signal was a turbine load/speed error signal, the turbine responds to the 7.7-29 REV. 18, APRIL 2010

LSCS-UFSAR change in reactor power level by adjusting the control valves, and hence its power output, until the load/speed error signal is reduced to zero. The recirculation pump/motor will operate from the normal plant electrical supply during normal plant power operation. At plant low power levels the recirculation pump/motor will operate from the electrical output of the low-frequency (LFMG) set. Since the LFMG set electrical output frequency is at approximately one-fourth the normal plant electrical frequency, the recirculation pump/motor will be driven at approximately one-fourth of its rated speed. The LFMG set is not intended to be capable of starting the recirculation pump/motor with the pump/motor initially at zero speed. At low reactor power levels the start is initiated on the normal plant electrical power supply. As the pump/motor speed approaches rated full load speed it is automatically tripped. When the pump/motor speed coastdown is about 25% of rated full load speed the pump/motor will be reenergized from the LFMG set and driven at about 25% rated full load speed. Preceding initiation of the pump/motor, the plant operator may start the LFMG manually. If the LFMG set is not operating when the pump/motor start is initiated, the LFMG will be automatically started. If the pump/motor start is initiated at higher reactor power levels, the LFMG set will not start automatically and the pump/motor will continue to operate at rated full load speed. Certain trip functions will trip the pump/motor and automatically transfer it to the LFMG set. Other trip functions will trip the pump/motor without transfer to the LFMG set. Low-Frequency Motor-Generator (LFMG) Set The LFMG set consists of a 16-pole a-c induction motor driving a four-pole a-c synchronous generator through a flexible coupling. This arrangement provides one-quarter normal plant frequency at the output of the generator. The generator exciter is directly connected to the generator to provide a brushless excitation system. The voltage regulator for the excitation system is located in the auxiliary relay panel, which is separate from the LFMG set. Several permissives must be satisfied before the recirculation pump/motor can be operated from either the normal plant electrical system or the LFMG set. These permissives prohibit pump start until conditions assure there will be no damage to the system. Section 4.4 describes the regions of the operational map where operation is not permitted. 7.7-30 REV. 19, APRIL 2012

LSCS-UFSAR Pump Drive Motor Control The pump drive motor is an a-c, four-pole induction motor. The motor breaker control system includes several permissives that must be satisfied to start the pump. These permissives prohibit pump startup until conditions assure there will be no damage to the system. Section 4.4 describes the regions of the operational map where operation is not permitted. In addition to the normal drive motor trips, a high vessel pressure, or low vessel level, or turbine-generator load rejection, or trip will initiate a recirculation pump motor trip. Each trip sensor and channel is separate and independent from the reactor protection system and includes a testability feature that will allow testing of each trip sensor while the recirculation system is in operation. The abnormal position of the test switch is annunciated. Valve Position Control Components The main flow regulating valves can be controlled individually or jointly. (See Figure 7.7-5A.) Each flow control calve (FCV) has two independent controllers (AC70) and group of S800 I/O modules supporting each redundant half of the hydraulic power unit (HPU) and associated process instrumentation. Each loop flow controller M/A station communicates with both controllers corresponding to one recirculation loop. The control and logic of each HPU subloop is implemented in each individual controller without redundancy. The redundancy is achieved by the existence of two independent HPU subloops (servo valve, solenoid operated 4-way valve, hydraulic pump, etc.). In case of failure in one controller, an automatic transfer is performed to the backup controller and HPU. A failure in one of the HPU subloops will force a transfer to backup HPU subloop and controller. The controllers are balanced to allow bumpless transfer between them. The ganged control algorithm is implemented in one of the controllers. In ganged control mode, both recirculation flow loops are controlled in parallel by a ganged position setpoint (common position setpoint M/A station). A drywell pressure switch, which is independent of any safety-related switches, is actuated when the drywell pressure increases as would be indicative of a LOCA. During normal operation, actuation of the pressure switch will prevent both opening and closing capabilities of the discharge block valve. It will also actuate the "motion inhibit" interlock to the flow control valve so that its position also cannot be changed. This circuit can be tested during operation by placing the drywell high-pressure test switch in the test position and externally applying pressure to the pressure switch. Lockup of both valves will occur during the test. However, the 7.7-31 REV. 19, APRIL 2012

LSCS-UFSAR hydraulic system for the flow control valve will be shut down as will occur during an actual disturbance. The position of the test switch is annunciated. Manual/Automatic Transfer Stations Setting the individual M/A station flow controllers to automatic provides "ganged" parallel manual operation of the flow control loops. Flow Controller The individual flow controller (one for each valve) transmits the signal that adjusts the valve position. Each flow-regulating valve can be manually positioned from individual M/A stations, or in parallel from the Ganged Setpoint station. Limiter A limiting function is provided. Electronic limiting with reasonable range adjustment is provided in each main flow control loop. This limiter normally is held bypassed by controller logic. When the limiting permissive condition is reached, the main regulating valve control signal is limited to close the valve to the desired position. Valve Actuator The valve actuator (one for each valve) is the electrohydraulic device that moves the flow control valve to the desired position and maintains it there. The valve control system is designed to maintain the valve in the last position demanded if control power is lost. The valve actuator has an inherent rate-limiting feature that will limit the resulting rate of change of core flow and power to within safe limits in the event of an upscale or downscale failure of the valve position or velocity control system. Inspection and Testing The AC70 controllers, associated I/O modules, position feedback signals and valve actuator are functioning during normal power operation. Any abnormal operation of these components can be detected during operation. The components that continually function during normal operation can be tested and inspected for calibration and operability during scheduled plant shutdown. All the recirculation low control system components may be tested and inspected according to the component manufacturers' recommendations. This can be done during scheduled shutdown. The LFMG set can be operated, tested, and maintained during normal power operation. 7.7-32 REV. 19, APRIL 2012

LSCS-UFSAR 7.7.3.2.3 Environmental Considerations The recirculation flow control system is not required for safety purposes nor required to operate during or after the design-basis accident. The system is required to operate in the normal plant environment for power generation purposes only. The recirculation flow control equipment in Zone 4 of the drywell, namely, the hydraulic actuator and pump isolation valve motors, are subject to the drywell environment. The logic, control units, and instrumentation terminals are located in the control room and subject to the normal control room environment. The LFMG set is designed for 104qF ambient temperature and indoor installation. 7.7.3.2.4 Operational Considerations Normal Operation The RRFC has one individual manual mode and one ganged mode of operation. The operator can select either of the two modes from the loop flow controller M/A stations (References 5 and 7). Manual Mode The loop A and B flow controller M/A stations are identical (one for each loop). Each M/A station sends an individual setpoint or valve position demand to the servo controller for FCV positioning. This demand or control output signal is generated by raise/lower pushbuttons on the loop flow controller M/A station. The individual setpoint of the M/A station is applied to the input of the function generator. The function generator converts the FCV control output signal into a valve position demand signal. This conversion is necessary because the flow through the FCV is not linear with valve position. The function generator compensates for this non-linearity. The output of the function generator is applied to the valve position limiter. Normally, this limiter is bypassed. If a recirculation FCV runback occurs, the limiter will ramp the FCV to close for as long as the FCV runback condition is valid or until minimum position of 15% (Unit 1) or 18% (Unit 2) is reached. The valve position demand signal from the position limiter is sent to the position summer. This summer compares the demanded position to the actual valve position. The position error signal, referred to as servo error, represents the 7.7-33 REV. 19, APRIL 2012

LSCS-UFSAR demand that would be necessary to restore the flow control valve to its proper position. The polarity of the signal would represent the direction of travel needed and the magnitude of the signal would represent the needed speed. As the valve moves in the desired direction the servo error decreases. This causes the speed to also decrease, which will result in the valve easing into its final position. The servo error signal is limited to restrict maximum valve speed to about 11% per second. This limiter prevents high rates of change of reactor power due to high velocity demands. The servo error signal is compared to the actual valve velocity in the velocity summer. The resulting signal is applied to the appropriate servo through the servo controller. Ganged Mode In ganged mode, both recirculation flow loops are controlled in parallel by a ganged position setpoint (common position setpoint M/A station). The ganged position setpoint is generated by raise/lower pushbuttons on the ganged setpoint station. The individual position setpoint is then sent to the function generator of each recirculation flow loop. A loop flow bias function provides ability to adjust individual loop position demand around the ganged control setpoint. Controllers for positioning the flow control valve are located in the main control room. The controllers have provisions for either ganged or manual operation. Control switches for pump isolation valves, LFMG set and pump motor, and interlock reset functions are also located in the main control room. Switches and indicators for control of the flow control valve hydraulic system are located on the operator station in the main control room for easy accessibility. The flow control valve positioning circuit and equipment protective interlocks controls are manual requiring operator action. The LFMG set is required to supply power to the recirculation pump/motor only during plant low power conditions. Provisions are made to allow operation of the LFMG set independent of pump/motor operation during normal plant power operation as well as during plant shutdown. Operator Information Indications, trends, and alarms are provided to keep the operator informed of the status of systems and equipment, and to quickly determine location of malfunctioning equipment. Visual display consists of loop flow (i.e., recirculation flow), valve position, and controller output and velocity feedback meters (Figure 7.5-3). Alarms are provided to alert the operator of malfunctioning control signals, inability to change valve position, condition of 7.7-34 REV. 15, APRIL 2004

LSCS-UFSAR hydraulic system, pump, motor, and temperatures of cooling water. In most cases alarms are supplemented by alarm indication provided by operator station (OS) indicators and messages to more closely define the problem area. Indicating lights are provided to indicate status of the LFMG set and pump/motor control breakers. A pump/motor speed indicator is provided to indicate (in addition to the breaker indicating lights) to the operator which power supply is driving the pump/motor. Alarms are provided to alert operation of automatic trips and transfers of the pump/motor, malfunctions, and availability of automatic control circuitry. 7.7.3.3 Analysis 7.7.3.3.1 General Functional Requirement Conformance The flow control valve, being a part of the reactor coolant system, meets Safety Class 1 requirements. The LFMG motors and controls, however, not being a part of a Safety Class 1 system and having no safety function, are designed to Safety Class 2 standards. The controls and interlocks are not required nor designed to comply with single-failure criteria. However, a degree of redundancy is provided for the more important operational and equipment protective functions. System single failures or single operator errors are evaluated in the transient analysis in Chapter 15.0. It is shown that no malfunction in the recirculation flow control system or LFMG system can cause a transient sufficient to damage the fuel barrier or exceed the nuclear system pressure limits, as required by the safety design basis. The main recirculation process control system is not designed to meet single-failure criteria but is designed to be fault tolerant. Control system failures resulting in complete loss of control signal will result in electrical "locking" of the final control valve actuator in its last demand position at the instant of signal loss. Recirculation control system failures (i.e., transistors, resistors, etc.) causing upscale signal failure will initiate a RRFC failure alarm. The reactor is protected by high pressure or high flux scram. Such faults have been analyzed in Chapter 15.0 and include both FCV's opening simultaneously. Recirculation system flow control failures causing downscale signal failures may cause one or both recirculation flow control valves to close simultaneously. Valve velocity is limited to not more than 11% per second. Closure of both valves might result from failure of the ganged control of the RRFC system. Control component failures such as the individual loop controller, AC70 controller and associated I/O modules result in a single flow control valve closure at 11% per second. 7.7-35 REV. 15, APRIL 2004

LSCS-UFSAR The recirculation pump valves are treated as conventional remote motor-operated valves. From a circuit viewpoint, each recirculation pump valve is independent of the other and has its own benchboard mounted control switch for manual operation. Each valve has open/close travel limit switches and remote benchboard pilot lamp indication (see Figure 7.5-3). 7.7.4. Feedwater Control System Instrumentation and Controls 7.7.4.1 Design Basis The feedwater control system regulates the feedwater flow (1) to maintain adequate water level in the reactor vessel according to the requirements of the steam separators, and (2) to prevent uncovering the reactor core over the entire power range of the reactor. 7.7.4.2 System Description The feedwater control system controls the flow of feedwater into the reactor pressure vessel to maintain the water in the vessel within predetermined levels during all plant operating modes. The range of water level is based upon the requirements of the steam separators (this includes limiting carry-over and carry-under, which affects recirculation pump operation and turbine performance), and the need to prevent exposure of the reactor core. The feedwater control system employs water level, steam flow, and feedwater flow as a three-element control. Single-element control is also available based on water level only. Normally, the signal from the feedwater flow is equal to the steam flow signal; thus, if a change in the steam flow occurs, the feedwater flow follows. The steam flow signal provides anticipation of the change in water level that will result from change in load. The level signal provides a correction for any mismatch between the steam and feedwater flow which causes the level of the water in the reactor vessel to rise or fall accordingly. The reactor water level control (RWLC) system configuration is shown in Figure 7.7-5C (Reference 6 and 8). It uses redundant processors based on the Advant Controller 450 (AC450) and an Advant Station 500 Operator Station (AS500 OS) for technical support and human machine interface (HMI). Four independent groups of S800 I/O modules are connected to the AC450 for interfacing the final control elements, process instrumentation and M/A stations in the main control room. A gateway is used for supplying data to a local area network (LAN) and transient recording of data. Three separate Advant Controller 70 (AC70) with S800 I/O modules are used for the high level 8 trip function. The maintenance of the system is supported from the operator workstation based HMI as well as from the separate engineering tool, Advant Engineering Workplace (AEW). All software changes in the AC450 and AC70s are performed from the 7.7-36 REV. 15, APRIL 2004

LSCS-UFSAR AEW. The same is valid for advanced fault tracing, implementation of additional functionality and backup of the AC450 and AC70s. The RWLC system performs its task by use of any combination of the two turbine driven reactor feedwater pumps (TDRFP) and the motor driven reactor feedwater pump (MDRFP) in combination with a feedwater regulating valve (FRV) and a low flow feedwater regulating valve (LFFRV). The FRV and LFFRV are used to control the MDRFP flow. TDRFP flow is controlled by modulating the admission of steam to the turbines using control valves. 7.7-37 REV. 15, APRIL 2004

LSCS-UFSAR This system is a power generation system and is classified as not related to safety. The feedwater control system is an operational control system and has no safety function. Therefore, there are no safety differences between this system and those of the above referenced facilities. 7.7.4.2.1 Power Sources The feedwater control system power is supplied by three independent sources such that no single power failure can incapacitate more than one level-sensing element. Power for one of the three level-sensing channels is supplied through a DC-to-DC converter module from one of the plant battery supplies. Power for another level-sensing channel is supplied through another DC-to-DC converter module from another plant battery supply. The third level-sensing channel is powered from one of the 120-Vac instrumentation buses. 7.7.4.2.2 Equipment Design During normal plant operation, the feedwater control system automatically regulates feedwater flow into the reactor vessel. The system can be manually operated (see Figure 7.7-5). The feedwater flow control instrumentation measures the water level in the reactor vessel, the feedwater flow rate into the reactor vessel, and the steam flow rate from the reactor vessel. During automatic operation, these three measurements are used for controlling feedwater flow. The optimum reactor vessel water level is determined by the requirements of the steam separators. The separators limit water carry-over in the steam going to the turbines and limit steam carry-under in water returning to the core. For optimum limitation of carry-over and carry-under, the steam separators require that the reactor vessel water level decrease functionally as reactor power level increases. The water level in the reactor vessel is maintained within r 2 inches of the optimum level. This control capability is achieved during plant load changes by balancing the mass flow rate of feedwater to the reactor vessel with the steam flow from the reactor vessel. The feedwater flow is regulated by controlling the speed of the turbine-driven feedwater pumps or the position of the motor-driven feedwater pump's associated flow control valve to deliver the required flow to the reactor vessel. Reactor Vessel Water Level Measurement Reactor vessel narrow range water level is measured by two identical, independent sensing systems. For each channel, a differential pressure transmitter senses the difference between the pressure caused by a constant reference column of water and 7.7-38 REV. 13

LSCS-UFSAR the pressure caused by the variable height of water in the reactor vessel. The differential pressure transmitter is installed on lines that serve other systems (see Subsecton 7.7.1.2). The differential pressure signals are used for indication and control. All three narrow-range level sensors are used as input to the digital RWLC system. In addition, a fourth level channel is used. This level signal comes from the Upset Range reactor vessel level instrument. The digital RWLC system performs self-checking and soft majority selection to ensure the final level control signal is accurate. This provides a highly reliable and fault-tolerant system, reducing the likelihood of a RWLC system failure causing a transient or scram. The soft majority selected narrow range water level and upset range water level signals are continually recorded in the control room. The three level-sensing channels are used to provide failure-tolerant trips of the main turbine and feed pump prime movers. The three narrow range reactor level signals and reactor pressure are indicated in the control room. Steam Flow Measurement Steam flow is sensed at each main steamline flow restrictor by a differential pressure transmitter. A signal proportional to the true mass steam flow rate is linearized and indicated in the control room. The signals are summed to produce a total steam flow signal for indication and feedwater flow control. These signals are also used for soft majority selection to produce the total steam flow interlock signal for tripping and control functions. The total steam flow signal is recorded in the control room. Feedwater Flow Measurement Feedwater flow is sensed at a flow element in each feedwater line by differential pressure transmitter. Each feedwater signal is linearized and then summed to provide a total mass flow signal which is recorded in the control room and compared with feedwater flow demand to provide a flow error signal for the feedwater flow controller. In addition, feedwater flow through each pump is sensed at a point downstream of the feed pump discharge. After linearization, the discharge flow of each pump is recorded in the control room. The discharge flows of TDRFP A and B are used for flow biasing or flow equalizing of the TDRFPs. Valve position control or turbine speed change are the flow adjustment techniques involved. Feedwater flow is also sensed using ultrasonic transducers known as the Leading Edge Flow Meter (LEFM). LEFM metering spools are installed in both the A and B feedwater line. Sixteen transducers are mounted to each metering spool. The transducer signals are processed using redundant processors to calculate feedwater mass flow and temperature, which are used as inputs into the plant process computer. The transducers are located in the steam tunnel and the process panels are located in the Auxiliary Building. 7.7-39 REV. 19, APRIL 2012

LSCS-UFSAR Ultrasonic flow transducers are also installed on the turbine driven reactor feed pump discharge lines. Signal cables from the transducers are located in the feed pump rooms. Portable equipment can be connected to the signal cables to obtain flow data. Feedwater/Level Control The RWLC system control algorithm is depicted in Figure 7.7-5D (Reference 6 and 8). It has one individual manual mode and two modes of automatic operation, single-element and three-element control. The operator may select any of the two automatic control modes as soon as any component (defined as either a TDRFP or the FRV/LFFRV pair) is switched to automatic mode. The RWLC system can, depending on the situation, automatically transfer from three-element control to single-element control and vice versa. Single-Element Control Single-element control utilizes only the reactor water level to determine the need for increasing or decreasing feedwater flow. The controller is normally used when the reactor power is low (total steam flow <20%). The reactor water level is compared to the reactor water level setpoint and is passed to the single-element controller. The single-element controller output is then sent to any of the final control elements. Only two components may be simultaneously placed in automatic mode. The set of FRV/LFFRV is defined as one component. Three-Element Control Three-element control receives inputs from three different parameters; reactor water level, total steam flow and total feedwater flow. Using the steam flow and feedwater flow signals allows the system to anticipate changes in the reactor water level and respond more quickly than single-element control. The reactor water level is compared to the reactor water level setpoint and is passed to the level controller. The level controller output signal is then summed together with total steam flow and creates a feedwater flow demand signal. The total feedwater flow is compared to the feedwater flow demand signal and is passed to the feedwater flow controller. The feedwater flow controller output is then sent to any of the final control elements. Only two components may be simultaneously placed in automatic mode. The set of FRV/LFFRV is 7.7-39a REV. 18, APRIL 2010

LSCS-UFSAR defined as one component. When total steam flow >20% an automatic transfer to three-element control is performed. Manual mode provides manual control for the two TDRFPs, the FRV and the LFFRV from the control room. In addition, the operator has direct control of the reactor feedwater pump minimum flow valves. This facilitates putting the feedwater system in service. 7.7-39b REV. 18, APRIL 2010

LSCS-UFSAR The MDRFP will autostart on a trip of both TDRFPs or on a trip of any single TDRFP with total steam flow >67%. The autostart function on a trip of any single TDRFP with total steam flow >67% is to anticipate the reactor vessel level control requirements at higher power levels. The RWLC System will not automatically transfer to single-element control in this case. The FRV flow demand 60% (or more) greater than MDRFP discharge flow indicates tripped condition of the MDRFP. Similarly, the TDRFP flow demand 60% (or more) greater than TDRFP discharge flow indicates tripped condition of the TDRFP. Interlocks The level control system also provides interlocks and control functions to other systems. When one of the reactor feed pumps is lost and coincident or subsequent low water level exists, recirculation flow is reduced to within the power capabilities of the remaining reactor feed pumps. This reduction aids in avoiding a low-level scram by reducing the steaming rate. Reactor recirculation flow is also reduced on sustained low feedwater flow to ensure that adequate NPSH will be provided for the recirculation system. Interlocks from steam flow are used to initiate insertion of the rod worth minimizer block. An alarm on low steam flow indicates that the above rod worth minimizer insertion interlock setpoint is being approached. Alarms are also provided for (1) high and low water level and (2) reactor high pressure. Interlocks will trip the plant turbine and feedwater pumps in the event of reactor high water level. Turbine-Driven Feedwater Pump Control Feedwater is delivered to the reactor vessel through turbine-driven feedwater pumps, which are arranged in parallel. The turbines are driven by steam from the reactor vessel. During planned operation, the total feedwater control signal from the digital RWLC system is fed to the turbine speed control systems, which adjust the speed of their associated turbines so that feedwater flow is proportional to the feedwater demand signal. Each turbine can be controlled by its manual/automatic transfer station. If the feedwater control signal is lost, the turbine speed control system locks the turbine speed "as is", transfers to the manual speed control mode and initiates an alarm in the control room. All control stations associated with each turbine speed controller are the "bumpless transfer" types. Inspection and Testing All feedwater flow control system components can be tested and inspected according to manufacturers' recommendations. This can be done prior to plant operation and during scheduled shutdowns. Reactor vessel water level indications from the three water level sensing systems can be compared during normal operation to detect 7.7-40 REV. 18, APRIL 2010

LSCS-UFSAR instrument malfunctions. Steam mass flow rate and feedwater mass flow rate can be compared during constant load operation to detect inconsistencies in their signals. All control can be tested while the feedwater control system is being controlled by the manual/automatic transfer stations. 7.7.4.2.3 Environmental Considerations The feedwater control system is not required for safety purposes, nor is it required to operate after the design-basis accident. This system is required to operate in the normal plant environment for power generation purposes only. The reactor feed pumps in the turbine building experience the normal design environments. 7.7.4.2.4 Operational Considerations Normal Operation The level controller is located in the main control room where at the operator's discretion, the system can be operated either manually or automatically via the manual/auto control selector. Manual control of the individual reactor feedwater pumps is available to the operator in the main control room. This includes control of both low flow feedwater control valves used for startup when steam is not available to run the turbine-driven reactor feed pumps. In the event of loss of feedwater, the reactor protection system causes plant shutdown thus preventing any further lowering of vessel water level. Operator Information Indicators and alarms, provided to keep the operator informed of the status of the system, are as noted in the preceding. The operator also has RWLC failure and trouble alarms available. 7.7.4.3 Analysis 7.7.4.3.1 General Functional Requirement Conformance The feedwater control system is a power generation system for purposes of maintaining proper vessel water level. Control circuits are provided to lock the flow changing capabilities in the "as is" condition and transfer to the manual speed control mode in the event of control signal failure. Should the vessel level rise too high, the feedwater pumps and plant main turbine would be tripped. This is an equipment protective action which would result in reactor shutdown by the RPS system as outlined in Section 7.2. Lowering of the vessel level would also result in action of the RPS to shut down the reactor. 7.7-41 REV. 18, APRIL 2010

LSCS-UFSAR The feedwater system is not a safety-related system and is not required for safe shutdown of the plant, nor is it required during or after accident conditions. APRM There are no connections to safety-related systems except for the APRM signal to the RWLC system. The criteria for interface design are taken from IEEE 279; the particular sections that have major effects are listed below, together with discussions on compliance with the criteria. Compliance with IEEE 279-1971 Requirement 4.7a Classified as RPS equipment. 4.7b Isolation amplifiers used as part of RPS equipment. The APRM signal from APRM C or APRM E to the RWLC system has an isolation amplifier. Control system faults, open circuit, and short circuit will be buffered from the APRM system by this amplifier in series. Interconnecting cable and/or relay open circuit or short circuit faults associated with selection of either APRM signal to the RWLC system, during APRM bypass, will be protected by this isolation amplifier. The consequences of failure of this isolation amplifier and its effects on the APRM system are no different from primary isolation amplifier failure on the rod block monitor signal takeoff. 7.7.4.3.2 Specific Regulatory Requirement Conformance 10 CFR 50 Appendix A - Criterion 26 With double isolation provided as discussed previously the interface of this system with the neutron monitoring system assures no single failure will impair safety system performance. 7.7.5 Pressure Regulator and Turbine-Generator Instrumentation and Controls 7.7.5.1 Power Generation Design Bases One of the features of direct cycle boiling water reactors is the direct passage of the nuclear boiler generated steam through the turbine and regenerative system. In this system the turbine is slaved to the reactor in that all steam (except steam to the moisture separator reheaters) generated by the reactor is normally accepted by the turbine. The operation of the reactor demands that a pressure regulator concept be employed to maintain a constant (within the range of the regulator controller proportional band setting) turbine inlet pressure (or reactor dome pressure). 7.7-42 REV. 18, APRIL 2010

LSCS-UFSAR The pressure regulator normally controls the turbine control valves to maintain constant (within the range of the regulator controller proportional band setting) pressure. In addition, the pressure regulator also operates the steam bypass valves such that a portion of nuclear boiler rated flow can be bypassed when operating at steam flow loads above that which can be accepted by the turbine as well as during the startup and shutdown phases. Since the turbine is slaved to the reactor, operation of the reactor demands that a pressure regulator concept be applied to maintain a constant pressure (within the range of the regulatory controller proportional band setting). The pressure regulator, in maintaining constant pressure, operates the steam bypass valves such that a portion of nuclear boiler rated flow can be bypassed for transient steam flow loads above that which can be accepted by the turbine as well as during the startup and shutdown phase. The pressure regulator and turbine-generator control system accomplishes the following control functions as a part of its power generation design bases:

a. Controls turbine speed and turbine acceleration.

b. Operates the steam bypass system to keep reactor pressure within limits and avoid large power transients.

c. Controls steam pressure within the proportional band setting of the pressure regulator.

d. Operates in a stable fashion, on "isolated grid conditions."

The main turbine pressure regulator and bypass system is an electrical/hydraulic control system and is classified as not related to safety. 7.7.5.2 System Description 7.7.5.2.1 Power Sources Power to the turbine-generator MKVI electro-hydraulic control system is supplied from two redundant sources. One power source is from a 480 volt MCC 1(2)236Y3 through a 7.5 KVA 1-phase 480/120 volts distribution transformer and dedicated UPS with sufficient capacity providing a stable power source during diesel generator start sequencing and the other120 Vac power source is from computer UPS distribution cabinet 1(2)IP01E. These two power sources are totally independent, each capable of feeding the required power to the EHC cabinet. 7.7-43 REV. 17, APRIL 2008

LSCS-UFSAR 7.7.5.2.2 Equipment Design The turbine-generator is equipped with an electrohydraulic control (EHC) system. The EHC system consists of an electronic governor using solid-state control techniques in combination with a high-pressure hydraulic system completely independent of the turbine lubricating system. The high-pressure fluid supply is from a dual pump system in which one pump is a complete backup for the other. The hydraulic fluid is fire resistant. The system includes electrical control circuits for pressure control, speed control, load control, and valve positioning. Control and supervisory equipment for the turbine-generator is arranged for remote operation from the main control room. Normally, the pressure regulator controls the main turbine control valve position to maintain operating reactor pressure (see Figure 7.7-6). The ability of the plant to follow system load demands is accomplished by adjusting reactor power level, either by manually changing flow in the reactor recirculation system or moving control rods (manual only). The turbine overspeed protection control system overrides an increase in system frequency, or a loss of generator load causes the speed of the turbine to increase. In the event that the reactor is delivering more steam than the control valves can pass, the excess steam is bypassed directly to the main condenser by the bypass valves. The turbine-generator control system is classified as not related to safety. See Section 10.2 for additional description of the turbine-generator control system. Steam Pressure Control The pressure control system controls reactor pressure during plant startup, power generation and shutdown modes of operation. The Mark VI pressure controllers act to ensure that the desired pressure set point is achieved through the positioning of the turbine control valves (CVs) and the steam bypass valves (BPVs) in response to changes in the pressure set point error. Under steady state operating conditions, the CVs regulate steam pressure; however, whenever the total steam flow delivery exceeds the effective turbine steam flow need or capacity, the BPVs are opened to regulate the pressure and send the excess steam directly to the condenser. The reactor operator maintains control over the rate of steam production to meet the plant's steam demands - these control functions take place outside the Mark VI controllers. The turbine operator uses the MKVI - Human Machine Interface (HMI) to set the desired operating set point. 7.7-44 REV. 17, APRIL 2008

LSCS-UFSAR Pressure control is designed to control reactor pressure during the following conditions: x reactor vessel heat up to rated pressure; x when the turbine is being brought up to speed and synchronized; x when reactor steam generation exceeds the turbine steam flow requirements during power operation; x plant load rejections and turbine trip/generator trips; and x reactor cool down. The reactor pressure control algorithm is designed to operate using three pressure transmitter inputs from one of two locations in the steam flow path. In effect, two pressure control strategies are offered, either of which is selectable by the turbine operator. The control strategy offered by the three pressure transmitters tapped into reactor vessel dome structure is called reactor vessel (dome) pressure control or VPC. The second control strategy uses three pressure transmitters tapped into the main steam line just upstream of the main stop valves and is called turbine inlet main steam (throttle) pressure control or MSP. The major functional components processed in the pressure controller: x Controlling reactor pressure x Controlling and monitoring the turbine steam bypass steam x Protecting against unsafe operating conditions x Controlling reactor cool down The pressure regulator compares the measured steam supply pressure to the turbine operator entered pressure demand and develops the steam flow demand on the magnitude of the pressure error. The output from the pressure regulator has the ability to drive the control valves to their 100% open position plus the capability of continuing to drive the bypass valves to their 100% open position. The regulation for the main turbine control valves and the bypass valves in terms of percent change of the output from the pressure regulator versus the percent change of steam flow shall be uniform from control valves closed to control valves and bypass valves full open. 7.7-44a REV. 17, APRIL 2008

LSCS-UFSAR Control for the turbine control valve is designed so that the valves will close upon loss of control system electric power or loss of hydraulic system pressure. Under normal operation, the pressure regulator controls all four (4) turbine control valves to regulate pressure. Cycle specific Chapter 15 transient analyses are performed to evaluate the impact of various combinations of turbine valve abnormal conditions, including:

1) One (1) turbine control valve closed (sometimes referred to as "stuck closed");

2) Turbine control valve slow closure;

3) One (1), or more, turbine bypass valves out-of-service (either in pressure regulating mode or in fast opening mode); and,

4) Number of turbine bypass valves capable of opening in pressure control mode.

The transient analysis results of these abnormal modes of operation are contained in the Core Operating Limits Report (COLR). The COLR describes which abnormal combinations are allowed and any core thermal limit penalties that are required to be implemented to support the abnormal combination. Steam Bypass System The steam bypass equipment is designed to control steam pressure when reactor steam generation exceeds turbine requirements, e.g., during startup (pressure, speed ramping, and synchronizing), sudden load reduction, and cooldown. The bypass capacity of the system is 25% of NSSS rated steam flow; sudden load reductions of up to the capacity of the steam bypass can be accommodated without reactor scram. Normally, the bypass valves are held closed and the pressure regulator controls the turbine control valves, directing all steam flow to the turbine. If the speed governor or the load limiter restricts steam flow to the turbine, the regulator controls system pressure by opening the bypass valves. If the capacity of the bypass valves is exceeded while the turbine cannot accept an increase in steam flow, the system pressure will rise and reactor protection system action causes shutdown of the reactor. The bypass valves are of the automatically-operated, regulating type which are proportionally controlled by the turbine pressure regulator and control system. Each bypass valve (BPV) is independently operated. Each loop has a position demand, a position error summer, a valve opening sequence bias, a proportional controller and a positioning sensor. The bypass valves are opened sequentially to control reactor system pressure. A position demand bias (bypass jack) is provided for opening the bypass valves as deemed necessary by plant operators. An automatic feature is also provided for cooldown using the bypass valves. 7.7-45 REV. 19, APRIL 2012

LSCS-UFSAR The servo regulator BPV positioning reference starts with the summation of the BPV flow reference, the negative BPV sequencing bias, and the BPV test reference. The BPV sequencing bias is used to control the opening sequence of all the BPVs; it is different for each valve. The BPV test reference is normally zero except during the BVPs test. After a gain is applied to the modified BPV flow reference, it is limit checked and the result becomes the BPV position reference. The bypass valve jack algorithm provides manual position control by the turbine operator using the appropriate HMI commands or by entering the set point and rate directly. The bypass valve jack bias enters a maximum value select block along with the total bypass valve demand and reactor cooldown reference. The maximum value of these three signals becomes the BPV flow reference. Assuming that the bypass valve jack bias is applied when the BPVs are closed, the effect of the bias is to open the bypass valves in the order of their normal operating sequence. Bypass valves and controls are designed so the valves will close on loss of control system electric power or hydraulic pressure. Turbine-Generator to Reactor Protection System Interface Two conditions which initiate reactor scram are turbine stop valve closure and turbine control valve fast closure when reactor power is above a preselected percent of rated power (see Section 7.2). The turbine stop valve closure signal is generated before the turbine stop valves have closed more than 10%. This signal originates from position switches that sense stop-valve motion away from fully open. Each stop valve is monitored near the full open position by two limit switches. The switches are closed when the stop valves are fully open and open within 10 msec after the setpoint is reached. The switches are electrically isolated from each other and from other turbine plant equipment. The control valve fast closure signal is generated by four turbine oil line pressure switches which sense hydraulic oil pressure decay, which is indicative of fast control valve closure. The switches are closed when the valves are open and open within 30 msec after the control valves start to close in a fast closure mode. Four turbine first-stage pressure switches, which measure equivalent steam flow, are provided for bypassing the stop valve closure and control valve fast closure inputs at low power levels. Turbine-Generator to Main Steam Isolation System Interface There are four independent main condenser vacuum switches for the purpose of providing an isolation signal to the NSSS main steam isolation valves. Each 7.7-46 REV. 19, APRIL 2012

LSCS-UFSAR vacuum switch has its own isolation (root valve) and pressurizing source connection for testing. Pressure switch contacts open on low vacuum. The vacuum switch setting is selected so that it is compatible with safe turbine and main condenser operating and design conditions should loss of vacuum occur. Condenser vacuum switches are also discussed in Subsection 7.3.2. Inspection and Testing Testing controls are provided for testing the turbine valve reactor protection system interface signal switches in the following ways:

a. Actuate each stop valve individually to the 10% closed point with no interaction with other valves.

b. Actuate the following pairs of stop valves to the 10% closed point, one pair at a time: 1 and 2; 3 and 4; 1 and 3; 2 and 4.

c. Actuate one control valve fast closure hydraulic oil pressure switch at a time by actuating test valves in the pressure switch sensing line.

d. Individually test each main condenser low vacuum switch.

7.7.5.2.3 Environmental Considerations The turbine-generator control system is required to operate in the normal plant environment for power generation purposes only. Instruments and controls on the turbine that experience the turbine building normal design environment are listed in Table 3.11-1. The logic, remote control units, and instrument terminals located in the control room experience the control room environment as shown in Section 3.11. 7.7.5.2.4 Operational Considerations Process variables which are controlled by the pressure regulator, speed/load control system are displayed on the turbine-generator section of the main control board. Manual and automatic control modes for the various turbine-generator operational modes are available to the operator from the main control board. Operator workstation screens are provided to inform the operator as to the operating mode of the turbine-generator unit. Main Steam turbine bypass valve "open" alarm is available to the operator at the control room panel to facilitate operations during emergency events. 7.7.5.3 Analysis 7.7-47 REV. 19, APRIL 2012

LSCS-UFSAR 7.7.5.3.1 Power Generation Design Bases Conformance Turbine speed and acceleration control is provided by the pressure regulator which controls steam throttle valve position to maintain constant reactor pressure. The turbine speed governor overrides the pressure regulator on increase of system frequency or loss of generator load. Excess steam is automatically bypassed directly to the main condenser by the pressure controlled bypass valves. 7.7.5.3.2 Specific Requirement Conformance The turbine-generator control system is not a safety-related system. Protection systems which are provided as an integral part of the turbine-generator equipment override the turbine-generator control system. In the event of a turbine-generator trip due to a protective action, the control valve fast closure and the stop valve closure inputs to the RPS initiate reactor scram. Pressure regulator malfunction which leads to low turbine inlet pressure is detected by pressure switches provided in the main steam isolation system which in turn initiates closure of the main steam isolation valves (see Section 7.3). Similarly, high turbine inlet pressure leads to detection of high reactor pressure by the RPS which initiates reactor scram. Control malfunction which results in high flow through the turbine control valves and the bypass valves is detected by main steam flow switches provided in the main steam isolation system which initiates closure of the main steam isolation valves (see Section 7.3). 7.7.6 Neutron Monitoring System Instrumentation and Controls The non-safety/related subsystems of the neutron monitoring system consist of the following:

1. source range monitor (SRM) subsystem,

2. local power range monitor (LPRM) subsystem,

[The LPRM subsystem was originally not considered a safety system, General Electric re-evaluated the LPRM subsystem in 1987 and concluded it should be considered safety related. Consequently, all renewal parts for the subsystem are procured as safety related.]

3. rod block monitor (RBM) subsystem, and

4. traversing incore probe (TIP) subsystem.

The purpose of this system is to detect excessive power generation in the core and provide signals to the reactor protection system and the rod block portion of the 7.7-48 REV. 17, APRIL 2008

LSCS-UFSAR rod control management system. It also provides information for operation and control of the reactor. The power sources for each subsystem are discussed in the individual circuit descriptions. 7.7.6.1 Source Range Monitor Subsystem 7.7.6.1.1 Design Bases The source range monitor (SRM) subsystem meets the following power generation design bases:

a. Neutron detectors shall have a minimum count rate of 0.7 counts per second (cps) with a signal to noise ration of 20 to 1 (20:1). With a signal to noise ratio less than 20:1, the minimum count rate shall be 3 cps. The above limits extend from all rods fully inserted prior to power operations until SRM/IRM overlap has been demonstrated. An exception to this requirement occurs when no more than four fuel assemblies are present in each core quadrant at locations adjacent to the neutron detectors. An additional restriction requiring a two fuel cell separation between groups of four fuel assemblies in adjacent quadrants applies when moveable neutron detectors are used. Under these conditions, SRM indication is not required since core geometry precludes criticality.

b. The SRM shall be able to perform the following functions:

1. Indicate a measurable increase in output signal from at least one detecting channel before the reactor period is less than 20 seconds during the worst possible startup rod withdrawal conditions.

2. Indicate substantial increases in output signals with the maximum permitted number of SRM channels out of service during normal reactor startup operations.

3. The SRM channels shall be on scale when the IRM first indicates neutron flux during a reactor startup.

4. Provide a measure of the time rate of change of the neutron flux (reactor period) for operational convenience.

5. Generate interlock signals to block control rod withdrawal if the count rate exceeds a preset value or falls below a 7.7-49 REV. 18, APRIL 2010

LSCS-UFSAR preset limit if the IRM's are not above the second range) or if certain electronic failures occur.

c. Perform its function in the maximum normal thermal and radiation environment.

d. Loss of a single power bus will not disable the monitoring and alarming functions of all the available monitors.

7.7.6.1.2 Description Equipment Design The SRM provides neutron flux information during reactor startup and low flux level operations. There are four SRM channels. Each includes one detector that can be physically positioned in the core from the control room (see Figure 7.6-4). The detectors are inserted into the core for a reactor startup. They can be withdrawn if the indicated count rate is between preset limits or if the IRM is on the third range or above (see Figure 7.6-5).

a. Power Supply The power for the monitors is supplied from the two separate 24 Vdc buses. Two monitors are powered from each bus (see Figure 7.6-5).

b. Physical Arrangement Each detector assembly consists of a miniature fission chamber and a low-loss, quartz-fiber-insulated transmission cable. The sensitivity of the detector is 1.2 x 10-3 cps/nv nominal, 5.0 x 10-4 cps/nv minimum and 2.5 x 10-3 cps/nv maximum. The detector cable is connected underneath the reactor vessel to the triple-shielded coaxial cable. This shielded cable carries the pulses to a pulse current preamplifier located outside the drywell.

The detector and cable are located inside the reactor vessel in a dry tube sealed against reactor vessel pressure. A remote-controlled detector drive system moves the detector along the dry tube. Vertical positioning of the chamber is possible from above the centerline of the active length of fuel to below the lower core support (see Figure 7.6-6 and 7.6-7). When a detector arrives at a travel end point, detector motion is automatically stopped. SRM/IRM drive control arrangement and logic are presented in Figure 7.6-7. The electronics for the source range 7.7-50 REV. 14, APRIL 2002

LSCS-UFSAR monitors, their trips, and their bypasses are located in the two cabinets.

c. Signal Conditioning A current pulse preamplifier provides amplification and impedance matching for the signal conditioning electronics (Figure 7.7-9). The signal conditioning equipment converts the current pulses to analog d-c currents that correspond to the logarithm of the count rate (LCR). The equipment also derives the period. The output is displayed on front panel meters and is provided to remote meters and recorders. The LCR meter displays the rate of occurrence of the input current pulses. The period meter displays the time in seconds for the count rate to change by a factor of 2.7. In addition, the equipment contains integral test and calibration circuits, trip circuits, power supplies, and selector circuits.

d. Trip Functions The trip outputs of the SRM operate in the fail-safe mode. Loss of power to the SRM causes the associated outputs to become tripped.

The SRM provides signals indicating SRM upscale, downscale, inoperative, and incorrect detector position to the rod control management system. to block rod withdrawal under certain conditions. Any SRM channel can initiate a rod block. These rod blocking functions are discussed in Subsection 7.7.2.2.3. Appropriate lights and annunciators are also actuated to indicate the existence of these conditions (Table 7.7-4). One of the four SRM channels can be bypassed at any one time by the operation of a switch on the operator's control panel. Each SRM channel is tested and calibrated using procedures which incorporate SRM vendor instruction manual recommendations, standard industry practices and LaSalle specific requirements. Inspection and testing are performed as required on the SRM detector drive mechanism; the mechanism can be checked for full insertion and retraction capability. The various combinations of SRM trips can be introduced to ensure the operability of the rod blocking functions. Environmental Considerations The wiring, cables, and connectors located within the drywell are designed for continuous duty in the conditions described in Section 3.11. 7.7-51 REV. 19, APRIL 2012

LSCS-UFSAR 7.7.6.1.3 Analysis General Functional Requirement Conformance The arrangement of the neutron sources and startup chambers in the reactor is shown in Figure 7.6-2. This arrangement produces at least 0.7 counts/sec in the SRM using the sensitivity given in Subsection 7.7.6.1.2 and the design source strength at initial reactor startup. If the discriminator setting is adjusted to produce the specified sensitivity, the signal-to-noise count ratio is well above the 20:1 design basis for cold startup. If the multiplication of one section of the core increases to put that section of the reactor on a 20-second period, the nearest SRM chamber shows an increase in count rate. In general, at least one detector indicates the change in multiplication. Normal startup procedures ensure that withdrawal of control rods is distributed about the core to prevent excessive multiplication in any one section of the core. Hence, each SRM chamber can respond in some degree during the initial rod withdrawal. This assures increases in the detector signals as the core average neutron multiplication increases. Examination of the sensitivity of the SRM detectors and their operating ranges of up to 106 counts/sec indicates that the IRM is on scale before the SRM reaches full scale (Figure 7.6-7). 7.7.6.2 Local Power Range Monitor Subsystem 7.7.6.2.1 Design Bases The LPRM is designed to provide a sufficient number of LPRM signals to satisfy the APRM safety design bases. To fulfill its power generation design bases, the LPRM supplies:

a. signals to the APRM that are proportional to the local neutron flux at various locations within the reactor core,

b. signals to the RBM to indicate changes in local relative neutron flux during the movement of control rods,

c. signals to alarm high or low local neutron flux, and

d. signals proportional to the local neutron flux to drive indicating meters and auxiliary devices to be used for operator evaluation of power distribution, local heat flux, minimum critical heat flux, and fuel burnup rate.

7.7-52 REV. 19, APRIL 2012

LSCS-UFSAR 7.7.6.2.2 System Description Equipment Design The LPRM consists of fission chamber detectors, signal conditioning equipment, and trip functions. The LPRM also provides outputs to the APRM, the RBM, and the process computer.

a. Power Supply Power for the LPRM is supplied by the two RPS buses.

Approximately half of the LPRM's are supplied from each bus. Each LPRM amplifier has a separate power supply in the control room, which furnishes the detector polarizing potential. This power supply is adjustable from 75- to 200-Vdc. The maximum current output is 3 mA. This ensures that the chambers can be operated in the saturated region at the maximum specified neutron fluxes. For maximum variation in the input voltage or line frequency and over extended ranges of temperature and humidity, the output voltage varies no more than 2 volts. Each "page" of amplifiers is supplied operating voltages from a separate low-voltage power supply.

b. Physical Arrangement The LPRM includes 43 LPRM detector strings having detectors located at different axial heights in the core; each detector string contains 4 fission chambers. These assemblies are distributed to monitor four horizontal planes throughout the core. Figure 7.6-2 shows the LPRM detector radial layout scheme that provides a detector assembly at every fourth intersection not containing control crosses of the water channels around the fuel bundles.

Thus, the uncontrolled water gap has either an actual detector assembly or a symmetrically equivalent assembly in some other quadrant. The detector assemblies (see Figure 7.7-10) are inserted in the core in spaces between the fuel assemblies. They are inserted through thimbles mounted permanently at the bottom of the core lattice and penetrate the bottom of the reactor vessel. These thimbles are welded to the reactor vessel at the penetration point. They extend down into the access area below the reactor vessel, where they terminate in a flange. The flange mates to the mounting flange on the incore detector assembly. The detector assemblies are locked at the top end to the top fuel 7.7-53 REV. 19, APRIL 2012

LSCS-UFSAR guide by means of a spring-loaded plunger. Special water sealing caps are placed over the connection end of the assembly and over the penetration at the bottom of the vessel during installation or removal of an assembly. This prevents loss of reactor coolant water on removal of an assembly and also prevents the connection end of the assembly from being immersed in the water during installation or removal. Each LPRM detector assembly contains four miniature fission chambers with an associated solid sheath cable. The chambers are vertically spaced in the LPRM detector assemblies in a way that gives adequate axial coverage given by the horizontal arrangement of the LPRM detector assemblies. Each fission chamber produces a current that is coupled with the LPRM signal-conditioning equipment to provide the desired scale indications. Each miniature chamber consists of two concentric cylinders, which act as electrodes. The inner cylinder (the collector) is mounted on insulators and is separated from the outer cylinder by a small gap. The gas between the electrodes is ionized by the charged particles produced as a result of neutron fissioning of the uranium-coated outer electrode. The chamber is operated at a polarizing potential of approximately 100 Vdc. The negative ions produced in the gas are accelerated to the collector by the potential difference maintained between the electrodes. In a given neutron flux, all the ions produced in the ion chamber can be collected if the polarizing voltage is high enough. When this situation exists, the ion chamber is considered to be saturated. Output current is then independent of operating voltage (Reference 1). Each assembly also contains a calibration tube for a traversing incore probe. The enclosing tube around the entire assembly contains holes that allow circulation of the reactor coolant water to cool the fission chambers. Numerous tests have been performed on the chamber assemblies, including tests of linearity, lifetime, gamma sensitivity, and cable effects (Reference 1.) These tests and experience in operating reactors provide confidence in the ability of the LPRM subsystem to monitor neutron flux to the design accuracy throughout the design lifetime. 7.7-54 REV. 13

LSCS-UFSAR

c. Signal Conditioning The current signals from the LPRM detectors are transmitted to the LPRM amplifiers in the control room. The current signal from a chamber is transmitted directly to its amplifier through coaxial cable. The amplifier is a linear-current amplifier whose voltage output is proportional to the current input and therefore proportional to the magnitude of the neutron flux. Low level output signals are provided that are suitable as an input to the computer, recorders, etc. The output of each LPRM amplifier is isolated to prevent interference of the signal by inadvertent grounding or application of stray voltage at the signal terminal point.

The LPRM amplifier signals are indicated on the reactor control panel. When a central control rod is selected for movement, the output signals from the amplifiers associated with the nearest 16 LPRM detectors are displayed on reactor control panel meters. The four LPRM detector signals from each of the four LPRM assemblies are displayed on 16 separate meters. The operator can readily obtain readings of all the LPRM amplifiers by selecting the control rods in order.

d. Trip Functions The trip circuits for the LPRM provide trip signals to activate lights, instrument inoperative signals, and annunciators. These trip circuits are set to trip when power is not available for the LPRM amplifiers. Table 7.7-5 indicates the trips.

The trip levels can be adjusted to within r0.5% of full-scale deflection and are accurate to r1% of full-scale deflection in the normal operating environment. LPRM channels are calibrated using data from previous full power runs and TIP data. They are tested with procedures which incorporate vendor instruction manual recommendations, standard industry practices and LaSalle specific requirements. Environmental Considerations Each individual chamber of the assembly is a moisture-proof, pressure-sealed unit. The chambers are designed to operate up to 600qF and 1250 psig. The wiring, cables, and connectors located within the drywell are designed for continuous duty 7.7-55 REV. 14, APRIL 2002

LSCS-UFSAR to operate under the normal operating and bounding environmental conditions inside the drywell specified in Section 3.11. 7.7.6.2.3 Analysis General Functional Requirement Conformance The LPRM provides detailed information about neutron flux throughout the reactor core. The number of LPRM assemblies and their distribution is determined by extensive calculational and experimental procedures. The division of the LPRM into various groups for a-c power supply allows operation with one a-c power supply failed or out of service without limiting reactor operation. Individual failed chambers can be bypassed. Neutron flux information for a failed chamber location can be interpolated from nearby chambers. A substitute reading for a failed chamber can be derived from an octant-symmetric chamber, or an actual flux indication can be obtained by inserting a TIP to the failed chamber position. Each output is electrically isolated so that an event (grounding the signal or applying a stray voltage) on the reception end does not destroy the validity of the LPRM signal. Tests and experience attest to the ability of the detector to respond proportionally to the local neutron flux changes (Reference 1). Specific Requirement Conformance This topic is discussed in Appendix B. 10 CFR 50 Appendix A (1975) The LPRM detection and associated electronics are designed to monitor the incore flux over all expected ranges required for the safety of the plant. Automatic initiation of protection system action, reliability, testability, independence, and separation have been factored into the LPRM design as required for protection systems. 7.7.6.3 Rod Block Monitoring Subsystem 7.7.6.3.1 Design Bases The RBM is designed in accordance with the specific regulatory requirements listed in Table 7.1-2. The rod block monitor (RBM) subsystem meets the following power generation design bases:

a. prevents local fuel damage that may result from a single rod withdrawal error, and 7.7-56 REV. 14, APRIL 2002

LSCS-UFSAR

b. provides a signal used by the operator to evaluate the change in the local relative power level during control rod movement.

7.7.6.3.2 Description Equipment Design The RBM has two channels. Each channel uses input signals from a number of LPRM channels. A trip signal from either RBM channel can initiate a rod block. One RBM channel can be bypassed without loss of subsystem function. The minimum number of LPRM inputs required for each RBM channel to prevent an instrument inoperative alarm is four when using four LPRM assemblies, three when using three LPRM assemblies, and two when using two LRPM assemblies (Figure 7.7-11).

a. Power Supply The RBM power is received from the 120-Vac supplies for the RPS. RBM channel A receives power from the a-c bus used for RPS trip system A; RBM channel B receives power from the a-c bus used for RPS trip system B.

b. Signal Conditioning The RBM signal is generated by averaging a set of LPRM signals. One RBM channel averages the signals from LPRM detectors at the A and C positions in the assigned LPRM assemblies. The second RBM channel averages the signals from the LPRM detectors at the B and D positions. Assignment of LPRM assemblies to be used in RBM averaging is controlled by the selection of control rods. Figure 7.7-11 illustrates the four possible assignment combinations. Note that the RBM is automatically bypassed and the output set to zero if a peripheral rod is selected. If any LPRM detector assigned to an RBM is bypassed, the computed average signal is adjusted automatically to compensate for the number of LPRM input signals.

When a control rod is selected, the gain of each RBM channel output is normalized to an assigned APRM channel. The assigned APRM channel is on the same RPS trip system as the RBM channel. This gain setting is held constant during the movement of that particular control rod to provide an indication of the change in the relative local power level. If the APRM used to normalize the RBM reading is indicating less than 30% power, the RBM is zeroed and the RBM outputs are bypassed. 7.7-57 REV. 13

LSCS-UFSAR If the normalizing APRM is bypassed, the normalizing signal is automatically provided by a second APRM. In the operating range, the RBM signal is accurate to approximately 1% of full scale. The RBM supplies a trip signal to the rod control management system to inhibit control rod withdrawal. The trip is initiated when RBM output exceeds the rod block setpoint. There are three parallel rod block setpoint lines that have an adjustable slope. These lines provide a setpoint that is a function of the recirculaton driving loop flow. The intercepts of these setpoint lines with rated flow are adjustable. The trip setting for the normal (upper) line is set consistent with the Allowable Value set in the unit specific Core Operating Limits Report (COLR). The settings for the intermediate and lower lines are set below the upper line and are currently set to their lowest value as they are not used in the current core analysis. Lights indicate which rod block setpoint line is active. Associated with the intermediate and lower rod block setpoint lines are the setup permissive (and setdown) lines. When the power reaches these lines on increasing power, an indicator will light so the operator can evaluate the conditions and change manually to the next higher rod block setpoint line. On decreasing power, these lines will provide automatic setdown. The setup lines are also set at their lowest values. Either RBM can inhibit control rod withdrawal. Table 7.7-6 itemizes the RBM trip functions. The operator can bypass one of the two RBM's at any time (see also Subsection 7.7.2.2.3.4). The following features are included in RBM design:

a. Redundant, separate, and isolated RBM channels.

b. Redundant, separate, isolated rod selection information provided directly to each RBM channel.

c. Separate, isolated LPRM amplifier signal information provided to each RBM channel.

d. Separate and electrically isolated recirculation flow inputs provided to the RBM's for trip reference signals.

e. Independent, separate, isolated APRM reference signals to each RBM channel.

f. Independent, separate, isolated RBM level readouts and status displays from the RBM channels.

g. Mechanical barrier between Channel A and Channel B of the manual bypass switch.

7.7-58 REV. 18, APRIL 2010

LSCS-UFSAR

h. Independent, separate, isolated rod block signals from the RBM channels to the rod control management system circuitry.

The rod block monitor channels are tested and calibrated with procedures which incorporate vendor instruction manual recommendations, standard industry practices and LaSalle specific requirements. The RBM's are functionally tested by introducing test signals into the RBM channels. Environmental Considerations See description for APRM, Subsection 7.6.3.3.2. 7.7.6.3.3 Analysis General Functional Requirement Conformance Motion of a control rod causes the LPRM's adjacent to the control rod to respond strongly to the change in power in the region of the rod in motion. Figures 7.7-12 and 7.7-13 illustrate the calculated response of the two RBM's to the full withdrawal of a selected control rod from a region in which the design limits on power and flow exit. Because MCPR cannot reach 1.0 until the control rod is withdrawn through greater than half its stroke, the highest rod block setpoint halts rod motion well before local fuel damage can occur. This is true even with the adjacent and nearest LPRM detector assemblies failed. Specific Regulatory Requirement Conformance Criterion 24 The RBM provides an interlocking function in the control rod withdrawal portion of the CRD rod control management system. This design is separated from the protective functions in the plant to assure their independence. The RBM is designed to prevent inadvertent control rod withdrawal given an imposed single failure within the RBM. One of the two RBM channels is sufficient to provide an appropriate control rod withdrawal block. In addition, the RBM has been designed to meet "appropriate protection system criteria. . . .acceptable to the Regulatory Staff" (Reference 2). 7.7-59 REV. 18, APRIL 2010

LSCS-UFSAR 7.7.6.4 Traversing Incore Probe Subsystem 7.7.6.4.1 Design Bases The TIP meets the following power generation design bases:

a. Provides a signal proportional to the axial gamma flux distribution at selected small axial intervals over the regions of the core where LPRM detector assemblies are located. This signal shall be of high precision to allow reliable calibration of LPRM gains.

b. Provides accurate indication of the position of the flux measurement to allow pointwise or continuous measurement of the axial neutron flux distribution.

7.7.6.4.2 System Description There are five TIP machines as indicated in Figure 7.6-2, sheet 2. The TIP machines have the following components:

a. one traversing incore probe (TIP),

b. one drive mechanism,

c. one indexing mechanism, and

d. up to 10 incore guide tubes.

The subsystem allows calibration of LPRM signals by correlating TIP signals to LPRM signals as the TIP is positioned in various radial and axial locations in the core. The guide tubes inside the reactor are divided into groups. Each group has its own associated TIP machine. Physical Arrangement A TIP drive mechanism uses a gamma detector ion chamber attached to a flexible drive cable. The cable is driven from outside the drywell by a gearbox assembly. The flexible cable is contained by guide tubes that penetrate the reactor core. The guide tubes are a part of the LPRM detector assembly. The indexing mechanism allows the use of a single detector in any one of ten different tube paths. The tenth tube is used for TIP cross calibration with the other TIP machines. The control system provides for both manual and semiautomatic operation. Electronics of the TIP panel amplify and display the TIP signal. Core position versus gamma flux is provided to the computer and is optionally recorded on a X-Y recorder in the main control room. The Traversing Incore Probe assembly is shown in Figure 7.7-7. Actual operating 7.7-60 REV. 14, APRIL 2002

LSCS-UFSAR experience has shown the system to reproduce within 1% of full scale in a sequence of tests (Reference 1). A valve system is provided with a valve on each guide tube entering the primary containment. These valves are closed except when the TIPS are in operation. A ball valve and a cable shearing valve are mounted in the guide tubing just outside the primary containment. They maintain the pressure integrity of the containment. A valve (1(2)IN031) is also provided for a nitrogen gas purge line to the indexing mechanisms as described in Section 6.2.4 and Table 6.2-21. A guide tube ball valve opens only when the TIP is being inserted. The shear valve is used only if a leak occurs when the TIP is beyond the ball valve and power to the TIPS fails. The shear valve, which is controlled by a manually operated keylock switch, can cut the cable and close off the guide tube. The shear valves are actuated by detonation squibs. The continuity of the squib circuits is monitored by indicator lights in the control room. Upon receipt of a containment isolation command from the NSSS, all mechanisms are put in automatic withdraw condition, removing the TIP detector from the containment and allowing the ball valves to close. The purge gas control valve 1(2)C51-J00903 valve is also closed at this time. Testability The TIPS equipment is tested and calibrated using heat balance data and procedures which incorporate vendor equipment manual recommendations, standard industry practices and LaSalle specific requirements. Environmental Considerations The equipment and cabling located in the drywell are designed for continuous duty up to 150qF and 100% relative humidity. 7.7.6.4.3 Analysis An adequate number of TIP machines are supplied to assure that each LPRM assembly can be probed by a TIP and that one LPRM assembly (the central one) can be probed by every TIP to allow intercalibration. Typical TIP's have been tested to prove linearity (Reference 1). The system has been field tested in an operating reactor to assure reproducibility for repetitive measurements. The mechanical equipment has undergone life testing under simulated operating conditions to assure that all specifications can be met. The system design allows semiautomatic operation for LPRM calibration and process computer use. The TIP machines can be operated manually to allow pointwise flux mapping. There are no specific regulatory or IEEE requirements for the TIP subsystem. 7.7-61 REV. 13

LSCS-UFSAR 7.7.7 Process Computer System Instrumentation and Controls 7.7.7.1 Design Bases 7.7.7.1.1 Safety Design Bases The process computer system is not a safety system, hence it has no safety design basis. 7.7.7.1.2 Power Generation Design Bases

a. The Process Computer System is designed to periodically determine the three-dimensional power density distribution for the reactor core and provide printed logs that permit accurate assessment of core thermal performance.

b. The Process Computer System provides periodically updated monitoring of the core operating level and initiates appropriate alarms based on established core operating limits at all times, especially during periods of power level changes.

c. The Process Computer System provides isotopic concentration data for each fuel bundle in the core.

d. The Process Computer System provides status alarm logging of selected contact-actuated nuclear systems inputs, to aid in the general operation of the plant.

e. The Process Computer System provides postscram analysis logging of stored data before and after a reactor scram for selected analog inputs.

f. The Process Computer System performs certain "balance of plant" calculations to aid in maintaining efficiency of operation.

7.7.7.2 System Description The objectives of the Process Computer System are to provide a quick and accurate determination of core thermal performance; to improve data reduction, accounting, and logging functions. Refer to section 7.8 for an explanation of Safety Parameter Display System (SPDS) and Engineered Safety Features (ESF). The Process Computer System is defined as any and all computer systems set up to perform the objectives of the Process Computer System. 7.7-62 REV. 16, APRIL 2006

LSCS-UFSAR Each computer system of the Process Computer System is designed to: Provide a capability to protect all runfiles from being corrupted unintentionally. Provide a capability to periodically backup the runfiles and all dynamic data. Provide all the necessary hardware and software needed to perform the objectives of the Process Computer System. 7.7.7.2.1 Power Sources The power for the computer system is supplied from a reliable a-c source. 7.7.7.2.2 Instrument Monitoring and Processing Equipment Design Analog Monitor and Alarm The Process Computer System is capable of checking each analog input variable against two types of limits for alarming purposes:

a. process alarm limits as determined by the computer during computation or as preprogrammed at some fixed value by the operator, and

b. a reasonable limit of the analog input signal level both low and high, which are also pre-programmed.

The alarming sequence consists of an audible buzzer, a console alarm light, and a hardcopy printout for the variables that exceed process alarm limits. An "acknowledge" pushbutton is provided to reset the buzzer to normal. A variable that is returning to normal is signified by a hardcopy printout. Data Recall Logging The Process Computer System measures and stores the values of selected variables at frequent intervals to provide a past history of data. An on-demand request permits the operator to initiate printing of this data The Process Computer System creates a report that contains the values of these variables for the period immediately preceding and following a reactor scram. 7.7-63 REV. 16, APRIL 2006

LSCS-UFSAR Trend Logging The Process Computer System has digital trend capability for logging the values of as many as 10 nuclear boiler system operator-selected analog inputs and calculated variables. The periodicity of the log is limited to a nominal selection of internals, which can be adjusted as desired by program control. Analog and Digital Monitor and Alarm The Process Computer System is capable of monitoring both analog and digital inputs and system alarms. The records include point description and time of occurrence. Alarm Logging The Process Computer System is capable of informing the operator by means of the alarm summary display of computer system malfunctions, system operations exceeding acceptable limits, and potentially unreasonable, off-normal, or failed input sensors. Color Graphics Displays The Process Computer System is capable of providing color graphic displays of the more important plant systems and is selectable by the operator. These displays inform the operator of the systems current status. 7.7.7.2.3 Rod Worth Minimizer Equipment Design The rod worth minimizer (RWM), independent of the Process Computer System, assists the operator with an effective control rod monitoring routine. This routine enforces adherence to established startup, shutdown, and power level control rod procedures. The rod worth minimizer prevents the operator from establishing control rod patterns that are not consistent with prestored RWM sequences by initiating appropriate rod withdrawal block, and rod insert block interlock signals to the reactor manual control system rod block circuitry. The RWM sequences are stored in memory and are based on control rod withdrawal procedures designed so each RWM (A&B) CPU will limit (and thereby minimize) individual control rod worths to acceptable levels as determined by the design-basis rod drop accident. The RDA is not of significant concern above the LPSP. Reference 3 describes the Technical Specifications Amendment to allow the RWM to be the primary means of mitigating the consequences of the postulated RDA and lowering the LPSP of the RWM to 10% rated power. Reference 9 updates the CRDA methodology and further lowers the LPSP. 7.7-64 REV. 25, APRIL 2022

LSCS-UFSAR The RWM function does not interfere with normal reactor operation and in the event of a failure does not itself cause rod patterns to be established. The RWM function can be bypassed and its block function can be disabled only by specific procedural control initiated by the operator. The H13-P603 Status Display, Rod Select Display, and H13-P659 Maintenance Display replace the RWM CRT in the Control Room. The RWM signal processing, I/O signals, and Plant Process Computer (PPC) interfaces are included in the RCMS Controller functions. RWM information shall be available on the Rod Select Display, Status Display, or RCMS Maintenance Display. Replacement of the 4-Rod Display and RWM Display with a Status Display mounted directly below the Core Map Display in the area originally occupied by the Rod and Detector Display. RWM software functions are performed in the RCMS controller channels. Comparisons between both the rod control and the RWM results are made by reviewing data from the alternate channel. Any disagreement shall be alarmed in the control room for decision of the faulty channel by the operator. Combining the RWM functions within each RCMS Controller channel improves system reliability (there are common control parameters used for both Rod Control and RWM logic). In addition, the two redundant RCMS Controller channels improve system availability. 7.7-64a REV. 18, APRIL 2010

LSCS-UFSAR The following indications and operator selected inputs are provided at the RWM on the Main Control Board.

a. RWM Display and Controls Rod and sequence information and system status are available to the operator by selection of the appropriate options.

b. Normal/Bypass Mode Switch A Bypass mode permits the operator to apply permissives to RWM rod block functions at any time during plant operation.

For the RCMS, downloading from the RWM Sequence Computer via 2 Ethernet data links shall be used to acquire operating sequence information for the RWM. Both RWM-A and RWM-B shall maintain and cross-check the sequence data.

c. Deleted

d. Deleted

e. Control Rod Drive Selected and Driving The RWM program utilizes this input as a logic diagnostic verification of the integrity of the rod select input data.

f. Control Rod Drift The RWM program recognizes a position change of any control rod using the control rod drift signal input.

g. Reactor Power Level Steam flow signals are used to implement two digital inputs to permit program control of the RWM function. These two inputs, the low power setpoint and the low power alarm setpoint, can be used to disable the RWM function at power levels above the intended service range of the RWM function.

7.7-65 REV. 18, APRIL 2010

LSCS-UFSAR Isolated contact outputs to plant instrumentation provide RWM block functions to the rod control management system to permit or inhibit withdrawal, or insertion of a control rod. These actions do not affect any normal instrumentation displays associated with the selection of a control rod. The RWM system displays the following indications:

a. Insert Error Control rod coordinate identification of insert errors.

b. Withdrawal Error Control rod coordinate identification of withdrawal errors.

c. Latched Group Identification of the RWM sequence group number currently enforced by the computer.

d. RWM Bypass Indication that the RWM is manually bypassed.

e. Select Error Indication of a control rod selection error.

f. Blocks Indication that a withdrawal block or insertion block (or both) is being applied by the RWM.

g. Deleted

h. Below Low Power Setpoint Indication that reactor power, based on steam flow, is below the LPSP is provided.

7.7-66 REV. 18, APRIL 2010

LSCS-UFSAR Additionally the RCMS will display the following:

a. The type of rod block applied

b. Rods using substitute positions

c. Rods Out of Service

d. Single rod test information

e. Error messages

f. Help messages

g. Date and Time 7.7.7.2.4 Environmental Considerations All the computer equipment, except for peripherals, are designed for continuous duty up to 29qC and 60% humidity. These are normally installed in an air-conditioned room. The peripherals are designed to operate at 50qC.

7.7.7.2.5 Reactor Calculations Power Distribution Calculations The Process Computer System calculates reactor thermal power distribution using a three dimensional diffusion method with provisions for adjusting thermal limit calculation to measured plant data. This calculation is done periodically or by operator demand. Plant inputs to this calculation include reactor pressure, core flow, control rod positions, and core thermal power. Total core thermal power is determined using a heat balance of the reactor system. The results of this calculation are power levels for each six inch axial segment (node) of each fuel bundle in the core and the margin to the thermal limits. The raw calculation can be adjusted to plant instruments for enhanced accuracy. A log is printed upon the conclusion of the power distribution calculations indicating the relation of the reactor's present state to thermal limits, and the most limiting core locations. Other useful data is included on this log. 7.7-67 REV. 19, APRIL 2012

LSCS-UFSAR Exposure Accounting A distribution of fuel exposure increments is periodically determined using the power distribution data, and is used to update the distribution of cumulative fuel exposure. Each fuel bundle is identified by batch and location, and its exposure is stored for each of the six inch axial nodes used in the power distribution calculation. This data may be printed on operator demand. Exposure increments are determined periodically for each six-inch axial segment of each control rod. The corresponding cumulative exposure totals are periodically updated and may be printed on operator demand. The exposure increment of each LPRM is determined periodically and is used to update both the cumulative ion chamber exposures and the correction factors for exposure dependent LPRM sensitivity changes. This data may be printed on operator demand. 7.7-67a REV. 19, APRIL 2012

LSCS-UFSAR Isotopic Composition Accounting The Process Computer System provides capability to determine the isotopic composition for each six-inch axial segment of each fuel bundle in the core. This evaluation consists of computing the weight of neptunium, uranium, and plutonium isotopes as well as the total uranium and total plutonium content. 7.7.7.3 Analysis The Process Computer System is designed to provide the operator with certain categories of information as defined in Subsection 7.7.7.2. The system augments existing information from other systems such that the operator can start up, operate at power, and shutdown in an efficient manner. This system is not required to initiate any engineered safeguard or safety-related system. The process computer has no specific regulatory or IEEE requirements. 7.7.8 Reactor Water Cleanup (RWCU) System Instrumentation and Controls 7.7.8.1 Design Bases The purpose of the system is to provide continuous processing of the reactor water to maintain the purity within specified limits. The system also provides the means for removal of reactor water. Although the RWCU system is of importance to startup and long-term operation, the reactor may operate while the RWCU is out of service. This is not a safety system. 7.7.8.2 System Description The purpose of the RWCU system instrumentation and control is to provide protection for the system equipment from overheating and overpressurization and to provide operator information concerning the effectiveness of operation of the system. This is a power generation system and is classified as not related to safety. 7.7.8.2.1 Power Sources The RWCU instrumentation is fed from a plant instrument bus. No backup power source is necessary since the RWCU system is not a safety-related system. Adequate fuse protection is provided so that a short circuit within the system will have only a local effect which can be easily corrected without interrupting the reactor operation. 7.7.8.2.2 Equipment Design The RWCU system is described in Chapter 5.0. This subsection describes the systems used to protect the resin and the filter-demineralizer. These circuits are shown in Drawing Nos. M-97 and M-143. 7.7-68 REV. 13

LSCS-UFSAR To prevent resins from entering the reactor recirculation system, in the event of a filter-demineralizer resin support failure, a strainer is installed on the outlet of each filter-demineralizer unit. Each strainer is provided with a control room alarm, which is energized by high differential pressure. A bypass line is provided around the filter-demineralizer units for bypassing the units when necessary. Drawing Nos. M-97 (sheets 2 through 4) and M-143 (sheets 2 through 4) describe the filter-demineralizer instrumentation and control. Relief valves and instrumentation are provided to protect the equipment against overpressurization and the resins against overheating. The system is automatically isolated for the reasons indicated when signaled by any one of the following occurrences:

a. High temperature downstream of the nonregenerative heat exchanger - to protect the ion exchange resins from deterioration due to high temperature.

b. Reactor vessel low water level - to protect the core in case of a possible break in the RWCU system piping and equipment (see Subsection 7.3.2).

c. Standby liquid control system actuation - to prevent removal of the boron by the cleanup system filter-demineralizers.

d. High cleanup system ambient temperatures - (part of the plant leak detection system).

e. High temperature increase across the system's ventilation ducts

                    - (part of the plant leak detection system).

f. High change in system inlet flow in comparison to the system outlet flow - (part of the plant leak detection system).

In the event of low flow or loss of flow in the system, flow is maintained through each filter-demineralizer by its own holding pump. Sample points are provided upstream and downstream of each filter-demineralizer unit for continuous indication and recording of system conductivity. High conductivity is annunciated in the control room. The influent sample point is also used as the normal source of reactor coolant samples. Sample analysis also indicates the effectiveness of the filter-demineralizer units. Because the RWCU system is usually in service during plant operation, satisfactory performance is demonstrated without the need for any special inspection or testing beyond that specified in the manufacturer's instructions. 7.7.8.2.3 Environmental Considerations 7.7-69 REV. 13

LSCS-UFSAR The RWCU system is not required for safety purposes, nor required to operate after the design-basis accident. The RWCU system is required to operate in the normal plant environment for power generation purposes only. RWCU control instrumentation located in the RWCU equipment area is subject to the environment described in Section 3.11. 7.7.8.2.4 Operational Considerations The RWCU system instrumentation and control is not required for safe operation of the plant. It provides a means of monitoring parameters of the system and protecting the system. 7.7.8.3 Analysis The RWCU is not a safety-related system. Therefore, the instrumentation supplied is for the plant equipment protection and for operator information only. The cleanup system is protected against overpressurization by relief valves. The ion exchange resin is protected from high temperature by temperature switches upstream of the filter demineralizer unit. One switch activates an alarm while a second switch closes the isolation valve which subsequently trips the cleanup pumps. The isolation valves will also close automatically on a reactor low water level signal and when the standby liquid control system is actuated. The pumps will also trip on high cooling water temperature or low discharge flow. A high differential pressure across the filter-demineralizer or its discharge strainer will automatically close the unit's outlet valve after sounding an alarm. The holding pump starts whenever there is low flow through a filter-demineralizer. The precoat pump does not automatically operate when the level in the precoat tank is low. Sampling stations are provided to obtain reactor water samples from the entrance and exits of all three filter-demineralizers. The system control and instrumentation for flow, pressure, temperature, and conductivity are recorded or indicated on a panel in the control room. Instrumentation and control for backwashing and precoating the filter-demineralizers are on a local panel in the containment. Alarms are sounded in the control room to alert the operator to abnormal conditions. Regulatory Guides This topic is covered in Appendix B of the UFSAR. 7.7-70 REV. 15, APRIL 2004

LSCS-UFSAR 7.7.9 Area Radiation Monitoring System Instrumentation 7.7.9.1 Design Bases 7.7.9.1.1 Safety Design Bases The area radiation monitoring system complies with the requirements of 10 CFR 50 Appendix A, General Design Criterion 63. 7.7.9.1.2 Power Generation Design Bases The design bases of the area radiation monitoring system are to provide operating personnel with:

a. Indication in the control room of gamma radiation levels at selected locations within plant buildings.

b. Indication and local alarms where it is necessary to give an audible alarm if the radiation level increases beyond a predetermined level.

7.7.9.2 System Description The objective of the area radiation monitoring system is to indicate and record gamma radiation levels in certain areas where radioactive material may be present, stored, handled or inadvertently introduced. 7.7.9.2.1 Power sources The power source for the area radiation monitoring system is the 120-Vac instrument bus. 7.7.9.2.2 Equipment Design The area radiation monitoring system is shown as a functional block diagram in Figure 7.7-8. Each channel consists of: a combined sensor and converter unit; a combined indicator and trip unit; a shared power supply; and a shared multipoint recorder. Some channels also have a local audio alarm auxiliary unit. Each monitor has an upscale trip that indicates high radiation and a downscale unit that may indicate instrument trouble. These trips sound alarms, but cause no control action. The trip circuits are set so that loss of power causes an alarm. There are two trip indicating lights in the front face of an indicator and trip unit. The ranges of the channel are 4 to 6 decades and are selected to cover both normal and possible maximum radiation levels at the monitoring location. 7.7-71 REV. 13

LSCS-UFSAR The monitors are located (Table 7.7-3) at various places in the reactor building, radwaste facility, turbine building, control room, and other areas where radiation monitoring is desired, based on the following objectives:

a. to monitor the radioactivity level in areas where personnel may be required to work, and

b. to provide a record of the radioactivity as a function of time at key locations throughout the plant.

Ranges and sensitivities are selected for each location based on the anticipated radioactivity level as provided by experimental measurements of levels in similar plants and shielding calculations. Local alarming and indication is provided at those remote sensor locations where a substantial increase in radiation levels might be of immediate importance to people in the area. An internal trip test circuit, adjustable over the full range of the trip circuit, is provided. The test signal is fed into the indicator and trip unit input so that a meter reading is provided in addition to a real trip. All trip circuits are the latching type and must be manually reset at the front panel. Facilities for calibrating these monitor units are provided. A portable test unit is designed for use in the adjustment procedure for the area radiation monitor sensor and converter unit. The sources used are capable of calibrating the entire range for this system. CS137 and CO60 sources are used in the calibration. A cavity in the calibration unit receives the sensor and converter unit. Located on the back wall of the cylindrical lower half of the cavity is a window through which radiation from the source emanates. A chart on each unit indicates the radiation levels available from the unit from the various control settings. 7.7.9.2.3 Environmental Considerations The detector, sensor, and converter are designed to operate under the environmental conditions at the monitoring locations. The control room instruments, namely indicator/trip unit and the power supply, are designed to operate under control room environmental conditions and the a-c power source fluctuations to guarantee successful operation of the system. 7.7.9.2.4 Operational Considerations An annunciator window is provided for each operational area such as turbine building area or reactor building area, etc., though there are a number of ARM channels in the area, with any one of them being able to trip the annunciator. 7.7-72 REV. 13

LSCS-UFSAR The operator, however, should be able to identify the channel that caused the annunciation by checking the indicating lights of the indicator/trip units. 7.7.9.3 Analysis General Functional Requirement Conformance

a. Sensor/converters monitor the gamma radiation levels at the selected locations and send a d-c signal, proportional to the gamma level, to the control room, where indicator/trip units display the signal on galvanometers.

b. Wherever it is necessary to have the local indication and alarm, an auxiliary unit and a horn are installed at the location. The auxiliary unit receives the signal from the indicator/trip unit both for display and alarm. The local display consists of a galvanometer, a yellow or amber light, and a horn. The light and horn are energized if the alarm level is exceeded.

Specific Requirement Conformance 10 CFR 50 Appendix A Criterion 63 To meet requirements of General Design Criterion 63, monitors are placed in fuel and waste storage areas to give continuous display of gamma levels and to give alarm if the level exceeds a preselected level. 7.7.10 Gaseous Radwaste System Instrumentation and Controls 7.7.10.1 Design Bases Specific requirements met by the gaseous radwaste system are listed in Table 7.1-2. The instrumentation and control system is designed to:

a. Monitor and control the gaseous processing system and subsystems.

b. Detect, indicate, and alarm a system or subsystem upset to provide sufficient time for corrective action.

7.7.10.2 System Description The objective of the gaseous radwaste system is to process and control the release of gaseous radioactive wastes to the site environs so that the total radiation exposure 7.7-73 REV. 13

LSCS-UFSAR to persons outside the controlled area is as low as reasonably achievable and does not exceed applicable regulations. This system is required for power generation only and is classified as not related to safety. Table 7.1-2 lists the reference design information. 7.7.10.2.1 Power Source The 120-Vac instrument bus provides power for the gaseous radwaste system instrumentation. 7.7.10.2.2 Equipment Design The radiation levels at the air ejector off-gas treatment system are continuously monitored by detectors described in Subsection 7.7.14.1. This system is monitored by flow and temperature instrumentation, and hydrogen analyzers to ensure correct operation and control, and to ensure that hydrogen concentration is maintained below the flammable limit. Table 7.7-2 lists process instruments that cause alarms and whether they are indicated or recorded in the control room. Catalytic Recombiner Instrumentation The catalytic recombiner vessel temperatures are monitored by thermocouples and recorded. High or low temperatures are annunciated in the main control room. The standby recombiner is temperature controlled, monitored, and recorded. Inlet process gas is monitored for temperature and annunciated in the main control room if temperatures are low. Off-Gas Condenser Condensate Level The off-gas condenser condensate high and low levels are annunciated in the main control room. The level switches also control the condenser drain valve. A handswitch mounted on the main control board provides remote/manual control of this valve. Off-Gas System Inlet Gas Measurements The gas inlet to each off-gas train (two total) is monitored for pressure, temperature, flow, and hydrogen concentration. Pressure is indicated in the main control room. Temperature and flow are recorded in the main control room. In addition, gas inlet hydrogen concentration is recorded and alarmed (high) in the main control room. 7.7-74 REV. 18, APRIL 2010

LSCS-UFSAR Hydrogen Analyzer Measurement System A single two train hydrogen monitoring panel utilizing hydrogen partial pressure is used to measure the hydrogen content of the off-gas process stream downstream of the recombiners and upstream of the charcoal beds. The hydrogen concentration percentage output from the analyzers is indicated and recorded in the main control room along with independent alarm annunciation from a high hydrogen concentration percentage in the dryer outlet stream. Independent sample lines are provided for each off-gas train and a crossover line allows both analyzers to simultaneously monitor the operating off-gas stream in parallel. Each analyzer train has an independent power source and annunciation loop. There are no internal barriers providing separation between the components and cables for the two trains inside the analyzer panel. Each analyzer train continuously withdraws a sample of the process off-gas, analyzes the hydrogen content and returns the sample gas to the main condenser. Drain pots are provided at low points in the sample stream to prevent condensation accumulation from obstructing the flow path and sample conditioning is provided to prevent moisture accumulation in the flow control and indication equipment. During normal plant operation, the main condenser provides the pumping force to withdraw the sample gas from the off-gas process line and through the hydrogen monitoring panel. An auxiliary vacuum pump is provided to withdraw sample gasses in the absence of sufficient main condenser vacuum. Sample gas flow, pressure and temperature are monitored within each hydrogen analyzer train, and an alarm annunciation in the main control room is provided to notify the operator of a malfunction within the hydrogen monitoring panel. No special design considerations were provided for explosion protection of the hydrogen monitoring panel due to small volume of off-gas within the sample piping. Hydrogen percentage calibration checks are made by injecting a hydrogen calibration gas directly onto the hydrogen sensor. This is accomplished automatically at periodic intervals by a sequencer or manually by switches at the hydrogen monitoring panel. A loss of a-c power to either analyzer train will isolate the respective train's sample gas inlet and outlet valves and provide annunciation to the main control room. 7.7-75 REV. 18, APRIL 2010

LSCS-UFSAR Charcoal Vessel and Vault Temperature Monitoring and Control The charcoal vessels are each temperature monitored and recorded in the main control room. High vessel temperature is alarmed and annunciated in the main control room. Differential Pressure Measurements Differential pressure measurements are made across the prefilter, afterfilter, and charcoal beds. High differential pressure is alarmed in the control room. 7.7-76 REV. 14, APRIL 2002

LSCS-UFSAR 7.7.10.2.3 Environmental Considerations The off-gas system control systems are not required for safety purposes, nor required to operate after the design-basis accident. The off-gas control systems are required to operate in the normal plant environment for power generation purposes only. Off-gas control and instrumentation located in the off-gas equipment area are subject to the environment under design requirements listed in Section 3.11. The control circuitry, remote control units, and instrument terminals in the control room experience the normal design environment listed in Section 3.11. Local Instrument Panels The local instrument panels are located in the operating area outside of the shield wall from the process. The environmental conditions are the same as described above. Specially designed instrumentation panels house all of the instruments with sensing lines connected to the off-gas system process stream. The panels are furnished with exhaust blowers which discharge out through a duct which is routed into a radiation control portion of the building. This keeps the inside of the panels at a negative pressure with respect to the immediate area. This will exhaust any off-gas leak, if it should develop, into a control area or duct. Air and water purging and drainage means are provided to permit instrument or device removal for maintenance purposes. The hydrogen analyzer detection chambers, sample pumps, and associated process piping are housed in a NEMA 12 floor mounted enclosure. Each of these enclosures have a discharge duct routed to the turbine building discharge plenum. This keeps the inside of the enclosure at a negative pressure with respect to the immediate area. The radiation level at the hydrogen monitoring panel could be on the order of rads per hour, since a sample of the off-gas process stream is continuously pumped through these enclosures for combustible gas analysis. The other environmental conditions are the same as above. 7.7.10.2.4 Operational Considerations No operator action is required on the equipment described unless an alarmed condition occurs. Operator indicators and alarms are described in Subsection 7.7.10.2.2. 7.7-77 REV. 18, APRIL 2010

LSCS-UFSAR 7.7.10.2.5 Setpoints A hydrogen level setpoint of less than 4 vol. % will alarm and annunciate in the main control room. A low flow of 6 scfm will alarm and annunciate in the main control room. 7.7.10.3 Analysis General Functional Requirement Conformance The flow recorder is provided to keep a record of all discharge volumes. The flow measurements and recording accuracies are within 5% of indication for the flows measured. All instrumentation with connections to the off-gas process lines are purchased and installed so as not to exceed a maximum leak rate of 1 X 10-6 atm cm3/sec to limit any release of radioactive gases other than through the controlled process system release point after treatment. Specific Requirement Conformance Regulatory Guides This topic is covered in Appendix B. 7.7.11 Liquid Radwaste System Instrumentation and Controls 7.7.11.1 Design Bases Specific requirements met by the liquid radwaste system are listed in Table 7.1-2. The instrumentation and control system is designed to provide dependable measurement and control for the various liquid processing systems during normal and expected occurrence conditions. 7.7.11.2 System Description The safety objective of the liquid radwaste system is to control the release of liquid and solid radioactive waste material to the environs and to package in suitable containers for offsite shipment and burial those wastes that cannot be released. This system is required for power generation only. There are no Safety Class 1 components in this system. 7.7-78 REV. 14, APRIL 2002

LSCS-UFSAR The radwaste system instrumentation and controls support manual processing and disposing of the radioactive process wastes generated during power operation. The radwaste control system includes liquid radwaste and gaseous radwaste subsystems. 7.7.11.2.1 Power Sources 120-Vac instrument power is used for the liquid radwaste system. Power supplies convert ac to dc for transducers and some sensors. 120-Vac control power is used for the liquid radwaste system. 7.7.11.2.2 Equipment Design The liquid radwaste system is designed to process liquid waste water to remove particulates, impurities, and other materials and return the processed water for plant usage. The resulting solid wastes are then packaged in suitable containers for offsite burial. Only those portions of the liquid radwaste system providing information which requires operator attention are described to show operator ability to take corrective action when needed. The radiation levels of the waste materials packaged for burial are monitored by plant personnel and are not part of this control system. Waste water is collected in various sumps throughout the plant and is pumped into the radwaste collection tanks where it will be processed. Excess processed liquids that are discharged from the plant are radiation monitored, flow controlled, and recorded. The instrumentation and control system of the radwaste process is typical of a standard chemical and water treatment process. Tank levels are recorded in the radwaste control room and high tank levels are annunciated in the radwaste control room. The only exceptions to the above information are the filter aid tank, the boil-out tank, and the concentrated waste tanks. Since these tanks are no longer in service, the high and low tank level alarms for these tanks have been defeated. Drywell Sumps Control The drywell sumps are pumped or gravity drained to the radwaste system waste collector tanks. Each sump is equipped with two pumps that automatically start and stop on high and low sump level respectively. A high-high level is provided by the level switch which annunciates an alarm in the main control room. The suction lines to the pumps from the drywell sumps are provided with two isolation valves which close on containment isolation signal. Instead of pumped flow from the Drywell Sumps, the Drywell Sumps can alternatively be drained via the Drywell Equipment Drain System gravity drain flow path or the Drywell Floor Drain System gravity drain flow path. Use of the gravity drain flow path precludes the use of pumped flow while the gravity drain method is selected. 7.7-79 REV. 24, APRIL 2020

LSCS-UFSAR Reactor Building, Radwaste Building, and Turbine Building Sumps These sumps collect waste water from their respective areas and automatically pump out the sumps on level control. These are not safety systems, and an alarm and annunciation in the main control room will occur on a high-high sump level to allow the operator to take corrective action. Tank Level and Process Control All tanks containing waste liquids throughout the radwaste liquid processing system are provided liquid level recorders as well as alarm and annunciation in the radwaste control room for high liquid level to inform the operator that corrective action is to be taken. The only exceptions to the above information are the filter aid tank, the boil-out tank, and the concentrated waste tanks, since these tanks are no longer in service. The process control is primarily initiated by an operator from the radwaste control room panel. Automatic operation of the reactor building equipment drain tank level is provided. The control system is designed for manual startup and automatic stop when a process is completed (i.e., tank liquid contents have been emptied to the next process). Since this is a batch system, the operator has full control and responsibility for the system control process. 7.7.11.2.3 Environmental Considerations The radwaste control systems are not required for safety purposes, nor are they required to operate after the design-basis earthquake. The RWCU phase separators tank level instrumentation is not seismically mounted and is not required to operate in the operating-basis earthquake. The radwaste control systems are required to operate in the normal plant environment for power generation purposes only. The environmental requirements are listed in Section 3.11. 7.7.11.2.4. Operational Considerations The operator is in full control of the process system batches. Recorders are provided for all liquid tanks to inform the operator of the status of the system. Alarms and annunciation are provided to inform the operator that a tank must be emptied or processed, or that a particular piece of equipment has malfunctioned and that corrective action is to be taken. The only exceptions to the above information are the concentrator waste tanks, the boil-out tanks, and the filter aid tank. Since these tanks are no longer in service, the high and low tank level alarms for these tanks have been defeated. All tank levels are set to alarm and annunciate at about 90% of overflow level. This allows sufficient time for the operator to take corrective action in the process control. 7.7-80 REV. 24, APRIL 2020

LSCS-UFSAR 7.7.11.3 Analysis General Functional Requirement Conformance - Liquid Radwaste The liquid radwaste flow for discharge to the lake blowdown to the river is flow controlled monitored for activity level. The discharge flow shutoff valve is a locked closed manual valve which requires plant supervisory and procedural control of any releases. The liquid radwaste flows are recorded in the radwaste control room and main control room. Radioactivity and quantity is the responsibility of plant supervisory personnel. Specific Requirement Conformance Regulatory Guides This topic is covered in Appendix B. 7.7.12 Spent Fuel Pool Cooling and Cleanup System Instrumentation and Controls 7.7.12.1 Design Bases The purpose of the spent fuel pool cooling and filtering system instrumentation and control is to provide annunciation and control so that the spent fuel pool cooling system can maintain the shielding water in the spent fuel and equipment storage pools and the reactor water well below a desired temperature and at a degree of clarity necessary to refuel and service the reactor. 7.7.12.2 System Description The spent fuel pool cooling system instrumentation and control system consists of pressure, level, and temperature, sensors, which provide necessary control and alarm functions for effective system operation. Flow switches are also provided for leak detection as described. Sample Points are available for conductivity grab Sample analysis and monitoring. 7.7.12.2.1 Power Sources The spent fuel pool cooling instrumentation and control is fed control power from the power sources which feed the equipment being controlled. System equipment design provides for redundant operating capabilities. Adequate fuse protection is provided to localize short circuits to effect corrective action without system shutdown. 7.7-81 REV. 18, APRIL 2010

LSCS-UFSAR 7.7.12.2.2 Equipment Design The circulating pumps are controlled individually from handswitches on the local control panel, and pressure switches are provided on each pump suction which will effect shutdown when pump suction head becomes insufficient for pump operation. A level switch on the fuel pool skimmer surge tank will operate a low level alarm on low water level. Skimmer surge tank level switches annunciate high and low levels, and circulating pump discharge pressure switches annunciate low discharge pressure on the local control panel. Discharge temperatures of the fuel pool cooling heat exchangers are monitored and logged on the process computer. Temperature control valves are provided in the fuel pool heat exchanger cooling water discharge. Temperature elements which sense the fuel pool water discharge from these heat exchangers provide a signal to individual temperature controllers, which modulate the control valves to maintain pool water temperature within limits. The spent fuel pool cooling system is not required for operation of the plant and can be shut down for periods of time during which the individual components can be tested and verified for proper operation. 7.7.12.2.3 Environmental Considerations The spent fuel pool cooling instrumentation and control system is classified nonessential. The components are located in the fuel pool cooling equipment area and are selected to meet the normal plant environment requirements as described in Table 3.11-3. 7.7.12.2.4 Operational Considerations The spent fuel pool cooling system instrumentation and control system is not required for operation of the plant. It provides means of monitoring operating parameters and protecting system equipment. 7.7.12.3 Analysis General Functional Requirement Conformance The spent fuel pool cooling system is monitored for conductivity, flow, leakage, and pool level. The conductivity measurements provide the operator with the information required to assure that impurities in the water are maintained at acceptable levels. 7.7-82 REV. 13

LSCS-UFSAR The temperature and flow (circulating pump discharge pressure) monitoring provide the operator with the information required to assure that the desired temperature is being maintained and that circulation is being maintained for cooling and filtering. Pool level and leakage monitoring provide the operator with the information required to assure that adequate water depth is being maintained for shielding. Specific Requirement Conformance: 10 CFR 50, Appendix A Criterion 61 Controls and instrumentation for this system are designed to provide control and monitoring which enable the operator to assure that pool water filtering, temperature, and level are being maintained. 7.7.13 Refueling Interlocks System Instrumentation and Controls 7.7.13.1 Design Bases Refueling interlocks meet the following safety design bases:

a. During fuel movements in or over the reactor core, all control rods shall be in their fully inserted positions.

b. No more than one control rod shall be withdrawn from its fully inserted position at any time when the reactor is in the refuel mode.

7.7.13.2 System Description The purpose of the refueling interlocks system is to restrict the movement of control rods and the operation of refueling equipment to reinforce operational procedures that prevent making the reactor critical during refueling operations. 7.7.13.2.1 Power Sources There is only one source of power for both channels. However, this power source supplies the control rod drive system as well. A failure of this power supply prevents any rod motion. 7.7-83 REV. 19, APRIL 2012

LSCS-UFSAR 7.7.13.2.2 Equipment Design The refueling interlocks logic senses the condition of the refueling equipment and the control rods. Depending on the sensed condition, interlocks are actuated to prevent the movement of the refueling equipment or withdrawal of control rods (rod block). Refueling interlock components and circuitry are designed with redundancy in that no single interlock failure will inhibit the design bases defined in Section 7.7.13.1 above. Interlock components and circuitry are provided to sense the following conditions:

a. refueling platform positioned near or over the core,

b. refueling platform hoists fuel-loaded (fuel grapple, frame-mounted hoist, trolley-mounted hoist),

c. reactor mode switch in REFUEL position.

The indicated conditions are combined in logic circuits to satisfy all restrictions on refueling equipment operations and control rod movement. The Full-In condition for each rod is established by monitoring the status of magnetically operated reed switch(es) in the rod position indicator probe. If all rods are Full-In, an all-rods-in signal is generated. During refueling operations, no more than one control rod is permitted to be withdrawn. This is enforced by a logic circuit that uses the all-rods-in signal, the Mode Switch Position signal, and a rod selection signal (from the Rod Control Management System) to prevent the selection of a second rod for movement with any other rod not fully inserted. Operation of refueling equipment is prevented by interrupting the power supply to the equipment. The refueling platform is provided with two mechanical switch contacts attached to the platform, which are tripped open by a long, stationary ramp mounted adjacent to the platform rail. The switch contacts open before the platform or any of its hoists are physically located over the reactor vessel to indicate the approach of the platform toward its position over the core. Load readout is provided for the refueling platform hoists. Indicators display given hoist load directly to the operator. Each hoist utilizes a load weighing system. The load weighing system for the refueling platform hoists, use transducers that provide signals that are proportional to the load. The transducer output signal is processed and provided as input to the interlock logic and for operator display. The load weighing system associated with each of the three refueling platform hoists sends the transducer output to setpoint modules. The contacts in these setpoint modules open when the hoist is fuel-loaded. 7.7-84 REV. 19, APRIL 2012

LSCS-UFSAR 7.7.13.2.3 Bypasses and Interlocks The rod block interlocks and refueling platform interlocks provide two independent levels of interlock action. The interlocks which restrict operation of the platform hoist and grapple provide a third level of interlock action, since they are required only after a failure of a rod block and refueling platform interlock. It is pertinent to note that the strict procedural control exercised during refueling operations may be considered a fourth level of backup. 7.7.13.2.4 Redundancy Although the refueling interlocks are not designed nor required to meet the IEEE 279-1971 criteria for nuclear power plant protection systems, a single interlock failure cannot cause an accident. They are provided for use during planned refueling operations. Criticality is prevented during the insertion of fuel, providing control rods in the vicinity of the vacant fuel space are fully inserted during the fuel insertion. The interlock systems accomplish this by:

a. preventing operation of the fuel loaded refueling equipment over the core whenever any control rod is withdrawn,

b. preventing control rod withdrawal whenever fuel loaded equipment is over the core, and

c. preventing withdrawal of more than one control rod when the mode switch is in the refuel position.

The refueling interlocks have been carefully designed utilizing redundancy of sensors and circuitry to provide a high level of reliability and assurance that the stated design bases are met. Each of the individual refueling interlocks discussed above need not meet the single failure criterion because the four essentially independent levels of protection provide assurance that the design bases are met. For any of the situations listed in Table 7.7-7, a single interlock failure cannot cause an accident or result in potential physical damage to fuel or result in radiation exposure to personnel during fuel handling operations. 7.7.13.2.5 Testability Complete functional testing of all refueling interlocks before any refueling outage positively indicates that the interlocks operate in the situations for which they were designed. The interlocks can be subjected to valid operational tests by loading each hoist with a dummy fuel assembly, positioning the refueling platform, and withdrawing control rods. Where redundancy is provided in the logic circuitry, tests are performed automatically, on a periodic basis, to assure that each redundant logic element can independently perform its function. 7.7-85 REV. 19, APRIL 2012

LSCS-UFSAR 7.7.13.2.6 Environmental Considerations Equipment (refueling) will not be subjected to the conditions listed in Section 3.11 during normal operation. The refueling interlocks are not required to operate under these conditions. 7.7.13.2.7 Operational Considerations The refueling interlocks system is required only during refueling operations. When moving fuel in the core with the mode switch in SHUTDOWN, the over the core limit switches can be defeated. In the Refueling mode, the control room operator has an indication when one rod is not fully inserted and all other control rods are fully inserted. He can compare this indication with control rod position data from the computer as well as control rod in-out status on the full core status display. Furthermore, whenever a control rod withdrawal block situation occurs, the operator receives annunciation and computer logging of the rod block. He can compare these outputs with the status of the variable providing the rod block condition. Both channels of the control rod withdrawal interlocks must agree that permissive conditions exist in order to move control rods; otherwise, a control rod withdrawal block is placed into effect. Failure of one channel may initiate a rod withdrawal block and does not prevent application of a valid control rod withdrawal block from the remaining operable channel. In terms of interlocks for the refueling platform, an interlock display panel provides the platform operator with the status of each interlock (i.e., hoist interlocks, rod block interlocks, bridge & trolley interlocks, fault lockout) position readouts and load readouts. The vertical position of the main hoist grapple is provided. Indication of hoist load are provided for each of the three refueling platform hoists. The platform operator can immediately determine whether the platform and hoists are responding to local instructions and can, in conjunction with the control room operator, verify proper operation of each of the three categories of interlocks listed previously. 7.7.13.3 Analysis 7.7.13.3.1 Conformance to Functional Requirements The refueling interlocks, in combination with core nuclear design and refueling procedures, limit the probability of an inadvertent criticality. The nuclear characteristics of the core assure that the reactor is subcritical even when the highest worth control rod is fully withdrawn. Refueling procedures are written to avoid situations in which inadvertent criticality is possible. The combination of refueling interlocks for control rods and the refueling platform provides redundant 7.7-86 REV. 21, JULY 2015

LSCS-UFSAR methods of preventing inadvertent criticality even after procedural violations. The interlocks on hoists provide yet another method of avoiding inadvertent criticality. Table 7.7-7 illustrates the effectiveness of the refueling interlocks. This table considers various operational situations involving rod movement, hoist load conditions, refueling platform movement and position, and mode switch manipulation. The initial conditions in Situations 4 and 5 appear to contradict the action of refueling interlocks, because the initial conditions indicate that more than one control rod is withdrawn, yet the mode switch is in REFUEL. Such initial conditions are possible if the rods are withdrawn when the mode switch is in STARTUP and then turned to REFUEL. The scram indicated in Situation 16 of the table is not a result of the refueling interlocks; it is the response of the reactor protection system to downscale neutron monitoring system channels when the mode switch is shifted to RUN. In all cases, correct operation of the refueling interlock prevents either the operation of loaded refueling equipment over the core when any control rod is withdrawn or the withdrawal of any control rod when fuel-loaded refueling equipment is operating over the core. In addition, when the mode switch is in REFUEL, only one rod can be withdrawn; a second rod can not be selected until the rod withdrawn is re-inserted. 7.7.13.3.2 Specific Requirements Conformance No specific regulatory requirements apply to refueling interlocks. The refueling interlocks are designed to be normally energized (fail safe) and single-failure tolerant of equipment failures. IEEE standards do not apply because the refueling interlocks are not required for any postulated design-basis accident or for safe shutdown. The interlocks are required only for the refueling mode of plant operation. 7.7.14 Process Radiation Monitoring System Instrumentation and Controls A number of radiation monitors and monitoring subsystems are provided on process liquid and gas lines that may serve as discharge routes for radioactive materials. These include the following:

1. air ejector off-gas radiation monitors and sampling subsystem,

2. station radiation monitoring subsystem,

3. process liquid radiation monitoring subsystem, and

4. carbon bed vault radiation monitoring subsystem,

5. main steamline radiation monitoring subsystem.

7.7-87 REV. 21, JULY 2015

LSCS-UFSAR These subsystems are described individually on the following pages. Safety-related subsystems of the process radiation monitoring system are discussed in Subsection 7.6.1. 7.7.14.1 Air Ejector Off-Gas Radiation Monitor and Sampler Subsystem 7.7.14.1.1 Design Bases 7.7.14.1.1.1 Safety Design Bases The air ejector off-gas radiation monitoring subsystem meets the following safety design bases. The subsystem shall:

a. Provide alarms to warn the operator about the radioactivity reaching various short-term limits.

b. Record radioactivity released by the air ejector off-gas line.

c. Initiate appropriate action to prevent release to the environs of radioactive materials in the air ejector off-gas in excess of short-term limits.

d. Provide grab samples for laboratory analysis.

The subsystem instrumentation and controls conform to the specific regulatory requirements shown in Tables 7.1-2 and 7.1-7. 7.7-88 REV. 21, JULY 2015

LSCS-UFSAR 7.7.14.1.1.2 Power Generation Design Bases The power generation design bases:

a. Provide an indication and record of gross gamma radiation level in the effluent upstream of the off-gas catalytic recombiner system.

b. Provide an indication and record of count rate from the radiation activities in the effluent downstream of the off-gas catalytic recombiner system.

c. Provide grab samples from both downstream and upstream of the off-gas catalytic recombiner system treatment.

d. Provide controls to the off-gas outlet valve and the drain valve.

e. Provide controls to the off-gas bypass and treatment line valves.

f. Provide purging capability for both on-line and off-line sample chambers.

7.7.14.1.2 System Description The air ejector off-gas radiation monitoring subsystem indicates when radioactive material released to the environs approaches specified limits and initiates appropriate control of the off-gas so that the limits are not exceeded. 7.7.14.1.2.1 Power Sources The 125-Vdc Bus B powers the off-gas pretreatment monitor, and the + 24-Vdc Buses A and B power the two off-gas posttreatment monitors. The + 24-Vdc Bus A powers the off-gas pretreatment linear monitor. 7.7-89 REV. 19, APRIL 2012

LSCS-UFSAR 7.7.14.1.2.2 Equipment Design The air ejector off-gas radiation monitoring subsystem is shown in Drawing No. M-153 and specifications are given in Table 11.5-2. The subsystem consists of two main divisions, one monitoring before the charcoal treatment, another after the treatment. The pretreatment monitor is designed to provide alarms if the radiation level is approaching the technical specification limit or the level where off-gas system isolation is required. The posttreatment monitors provide not only alarms, but also control signals, one to prohibit bypassing the charcoal beds and another to isolate the off-gas system whenever the radiation reaches the predetermined levels. Off-Gas Pretreatment Radiation Monitor The off-gas pretreatment monitor draws an off-gas sample from the downstream side of the recombiner prior to the carbon beds and monitors it for gross gamma by means of offline in situ detection and provides a grab sample for laboratory analysis. A remotely controlled purging system is provided for the sample chamber. The off-gas pretreatment monitor has two instrument channels. One consists of a gamma-sensitive ion chamber, a log radiation monitor, and a recorder. The monitor and the recorder are located in the main control room. The second instrument channel consists of a gamma-sensitive ion chamber, a linear radiation monitor and a recorder. The monitor and recorder are located in the main control room. The ion chamber for the log radiation monitor is positioned adjacent to the vertical sample chamber. The sample chamber is internally polished to minimize plateout. A sample is drawn from the off-gas line through the sample chamber by the main condenser suction. The log radiation monitor has two upscale trips and a downscale trip. Each of the upscale trips and the downscale trip sounds an alarm in the control room. No control action is performed by this channel. Off-Gas Posttreatment Monitor The off-gas posttreatment monitor draws an off-gas sample from the downstream side of the carbon beds prior to the discharge valve and monitors it for gross gamma by means of offline in situ detection and provides a grab sample for laboratory analysis. The sample rack provides dual sample chambers, local and remote purging capability, flow alarms, flow and pressure indication, and remote control check sources. 7.7-90 REV. 15, APRIL 2004

LSCS-UFSAR Each of the two posttreatment monitoring channels consists of a gross gamma detector, a count rate monitor with a power supply and a meter, and a recorder point. The monitors and the recorder are located in the main control room. Each monitor has three upscale trips and a downscale trip. An upscale trip indicates high radiation. A downscale trip indicates instrument trouble. Any single trip will give an alarm in the control room. During off-gas system operation in the AUTO mode, an upscale high radiation trip in both channels of the posttreatment radiation monitor closes the carbon bed filter bypass valve if it is open and opens the off-gas line to the carbon bed if it is closed. Two upscale high-high-high radiation trips, one upscale high-high-high radiation trip and one downscale trip, or two downscale trips isolate the off-gas system outlet and drain valves. The third upscale trip (RHH) alarms at a preset release rate limit. Although all isolation signals remain unchanged, and no changes were made to the redundant trip circuitry of the off gas outlet vent valves, the actuators on valves 1(2)N62-F057 were changed from "fail closed" to "fail open". These changes reduced vulnerabilities, such as loss of air, which would inadvertently cause the valves to close resulting in a potential SCRAM on loss of condenser vacuum. Administrative controls are in place to verify that valves 1(2)N62-F057 close(s) upon a valid isolation signals and to manually close 1(2)N62-F057, if necessary. Manual closure of the outlet vent valve(s) is a time sensitive activity to ensure that off-site dose remains a fraction of the ALARA dose. 7.7.14.1.2.3 Testability The scintillation detectors of the posttreatment monitoring channels are tested with a built-in test source, and each channel of the system can be calibrated by analyzing a grab sample. 7.7.14.1.2.4 Environmental Considerations The components of this subsystem have been designed for and tested in environmental conditions more severe than that expected of the equipment location. 7.7.14.1.2.5 Operational Considerations The air ejector off-gas radiation monitoring subsystem is not required to initiate emergency equipment. It provides a monitoring function as described in the circuit description and is in operation during all normal conditions. 7.7-91 REV. 23, APRIL 2018

LSCS-UFSAR 7.7.14.1.3 Analysis General Functional Requirement Conformance The air ejector off-gas radiation monitoring subsystem monitors the off-gas system before and after the carbon bed and provides alarm annunciators and off-gas system isolation under appropriate "out of acceptance range" radiation levels. The air ejector off-gas radiation monitors have monitoring characteristics sufficient to provide accurate indication of radioactivity in the air ejector off-gas. The subsystem provides the operator with sufficient information to easily control the activity release rate. Sufficient redundancy is provided to allow maintenance on one channel without losing the system indications. 7.7-91a REV. 23, APRIL 2018

LSCS-UFSAR Specific Requirement Conformance 10 CFR 50 Appendix A Criterion 13 The subsystem conforms to Criterion 13 in that the instruments employed more than adequately cover the anticipated range of radiation under normal operating conditions with sufficient margin to include postulated accident conditions. Criterion 20 The subsystem conforms to Criterion 20 in that activation of the trip circuit will result in alarm annunciator activation and a trip indication being sent to the off-gas isolation circuits. Criterion 64 The subsystem conforms to Criterion 64 in that radiation monitoring is provided for this discharge path under all conditions. 7.7.14.2 Stack/Standby Gas Treatment Radiation Monitoring System 7.7.14.2.1 Design Bases 7.7.14.2.1.1 Safety Design Bases These subsystems shall monitor the radioactivity within the station vent stack and within the standby gas treatment stack to generate alarms if the activity level reaches either short-term or long-term release limits. The subsystem instrumentation and controls conform to the specific regulatory requirements shown in Tables 7.1-2 and 7.1-7. 7.7.14.2.1.2 Power Generation Design Bases The subsystem shall:

a. Provide an indication and record of the radioactive level of the station vent stack/standby gas treatment effluent in terms of release rate.

b. Provide a filter system to collect particulate and halogen samples.

7.7-92 REV. 13

LSCS-UFSAR

c. Provide a regulated sample flow to guarantee the measured flow of sample through the filter system and the gaseous sample chamber regardless of the variation in pressure drop across filters, valves, pipes, etc.

d. Provide a truly representative sample collection.

7.7.14.2.2 System Description

a. The station vent stack radiation monitoring system indicates the radioactive material release rates in the station's single gaseous effluent stack. It also indicates and records the rate of release of radioactive material during planned operations.

b. The standby gas treatment system (SGTS) stack monitoring subsystem indicates the radioactivity level in the standby gas treatment system stack exhaust whenever either of the two trains are running. The SGTS monitor takes a sample from the SGTS stack which is located inside the main stack.

7.7.14.2.2.1 Power Sources

a. The station vent stack monitor for Unit 1 and Unit 2 is powered from bus 135Y energized by diesel generator 1A or diesel generator 2A, respectively.

b. The SBGT monitor for Unit 1 and Unit 2 is powered from bus 136X energized by diesel generator 0.

See Section 8.1 for additional information. 7.7.14.2.2.2 Equipment Design

a. The station vent stack radiation monitoring system is shown in Drawing No. M-153, sheets 1 and 7; sensitivity range of the detectors are given in Table 11.5-3. A detailed description of the station vent stack radiation monitoring system is given in Subsection 11.5.2.2.1.

b. The SGTS stack monitoring system arrangement details are shown in Drawing No. M-153. Sensitivity and ranges are given in Table 11.5-3. A detailed description of the SGTS stack monitoring system is given in Subsection 11.5.2.2.2.

7.7-93 REV. 13

LSCS-UFSAR 7.7.14.2.2.3 Environmental Considerations The components of this system have been designed for and tested in environmental conditions more severe than that expected at the equipment location. 7.7.14.2.2.4 Operational Considerations The stack radiation monitoring systems are not required to initiate emergency equipment. They provide a backup monitoring function only. 7.7.14.2.3 Analysis General Functional Requirement Conformance The stack radiation monitoring subsystem monitors the radiation level of the station's gaseous effluent, activating alarm annunciators if the observed level is outside of the allowable range. The stack radiation monitors are selected with monitoring characteristics sufficient to provide plant operations personnel with accurate indication of radioactivity being released to the environs through the concentric single station vent stack and standby gas treatment system stack. Specific Requirement Conformance Regulatory Guides This topic is covered in Appendix B. 10 CFR 50 Appendix A Criterion 13 The subsystem conforms to Criterion 13 in that the instruments employed more than adequately cover the anticipated range of radiation under normal operating conditions with sufficient margin to include postulated accident conditions. 7.7.14.3 Process Liquid Radiation Monitoring Subsystem 7.7.14.3.1 Design Bases 7.7.14.3.1.1 Safety Design Bases Process liquid radiation monitors located in effluent pipes that normally discharge to the environs shall clearly indicate to operations personnel if the radioactivity level in the pipe reaches or exceeds preestablished limits for the discharge of 7.7-94 REV. 14, APRIL 2002

LSCS-UFSAR radioactive material. Actual control of liquid release is via sampling, analysis, and controlled flow. The subsystem instrumentation and controls conform to the specific regulatory requirements shown in Tables 7.1-2 and 7.1-7. 7.7.14.3.1.2 Power Generation Design Basis Process liquid radiation monitors located in pipes that do not discharge to the environs shall clearly indicate to operations personnel if the radioactivity level in the pipe reaches or exceeds a preestablished limit above the normal radiation level of the pipe. 7.7.14.3.2 System Description The purpose of the process liquid radiation monitors is to indicate to operations personnel the radioactivity level of a liquid stream being released to the environs. 7.7.14.3.2.1 Power Sources The 125-Vdc Buses A and B are the power sources for this subsystem. 7.7.14.3.2.2 Equipment Design The process liquid radiation monitoring subsystem is shown in Drawing No. M-153, sheets 4 and 6; specifications are given in Table 7.7-8. Five individual channels are provided. One channel monitors the service water effluent, another channel monitors the reactor building closed cooling water, the third channel monitors the discharge from the liquid radwaste system, and the fourth and fifth channels monitor the service water discharge from separate RHR heat exchangers. Each channel has a scintillation detector and a radiation monitor. Each detector monitors a sample of the process liquid for gamma activity. The sample is drawn from the process system, flows through the shielded sample chamber where it is monitored, and then is returned to the process system. Four monitors and recorders are located in the control room; the radwaste system recorders are located on the local radwaste control panel and in the main control room. Each channel has an upscale trip to indicate high radiation level and a downscale trip to indicate instrument trouble. The trips give alarms but perform no control action for four monitors. The radwaste monitor trip will close the discharge valve. Plant service water is used to cool nonradioactive areas such as air compressors, turbine auxiliary systems, and pump bearings. It also cools the reactor building 7.7-95 REV. 14, APRIL 2002

LSCS-UFSAR closed cooling water system through a heat exchanger. An increase in the radiation level of this service water stream may indicate a leak into the system from a contaminated source. The reactor building closed cooling water system provides cooling for potentially contaminated areas such as the nonregenerative heat exchanger, recirculation pumps, and various sample coolers. Changes in the normal radiation level could indicate leaks of radioactive water into this system. The RHR service water provides a heat sink for the RHR heat exchangers, which may contain radioactive water. Leaks in the heat exchangers that could contaminate the service water are detected by the two monitors on the service water effluent from the heat exchangers. The liquid radwaste system collects waste liquids through various drainage systems. The process liquid monitoring channel on the liquid radwaste system discharge indicates radiation levels. All alarm trip circuits can be tested by using test signals. 7.7.14.3.2.3 Environmental Considerations The environmental requirements are given in Section 3.11. 7.7.14.3.2.4 Operational Considerations These monitors are not required to initiate automatic emergency procedures. They are provided as a process monitor only. 7.7.14.3.3 Analysis General Functional Requirement Conformance The channels of the process liquid radiation monitoring subsystem monitor their respective process liquids and will indicate to operations personnel when the radiation level exceeds the preestablished limits. The service water and liquid radwaste discharge radiation monitors possess radiation detection and monitoring characteristics sufficient to inform plant operations personnel of discharge radiation levels above preset limits. Specific Requirement Conformance Regulatory Guides This topic is covered in Appendix B. 7.7-96 REV. 14, APRIL 2002

LSCS-UFSAR 10 CFR 50 Appendix A Criterion 13 The subsystem conforms to Criterion 13 in that the instruments employed more than adequately cover the anticipated range of radiation under normal operating conditions with sufficient margin to include postulated accident conditions. Criterion 64 This subsystem conforms to Criterion 64 in that radiation monitoring is provided for the liquid process effluent discharge paths under all reactor conditions. 7.7.14.4 Carbon Bed Vault Radiation Monitoring Subsystem 7.7.14.4.1 Design Bases To accomplish its safety design basis, this subsystem provides local and control room indication of the radiation level present in the off-gas system carbon bed vault. The subsystem instrumentation and controls shall conform to the specific requirements shown in Tables 7.1-2 and 7.1-7. The subsystem is designed to provide vault area gross gamma radiation level display and alarm in the control room. 7.7.14.4.2 System Description The purpose of the carbon bed vault monitor is to provide local and control room indication of the radiation level in the off-gas charcoal vault. 7.7.14.4.2.1 Power Sources The 120-Vac RPS Bus A is the power source for this subsystem. 7.7.14.4.2.2 Equipment Design The monitoring channel includes a gamma-sensitive sensor and converter, and indicator and trip unit, a locally mounted auxiliary unit, and an upscale and a downscale alarm (Drawing No. M-153, sheets 3 and 5). The channel includes a built-in source that provides for a slightly upscale reading in the absence of external radiation. 7.7-97 REV. 14, APRIL 2002

LSCS-UFSAR Operation also can be verified through use of a portable gamma source. Specifications are given in Table 7.7-8. 7.7.14.4.2.3 Environmental Considerations The components of this subsystem have been designed for and tested in environmental conditions more severe than that expected at the equipment location. 7.7.14.4.2.4 Operational Considerations The carbon bed vault radiation monitor is not required to initiate automatic emergency equipment. It is used only as a monitor alarm and annunciator. 7.7.14.4.3 Analysis General Functional Requirement Conformance A sensor/converter is placed in the local area, along with an auxiliary unit to provide the local level indication. An indicator/trip unit is in the control room to display the level and to generate alarms. Specific Regulatory Requirement Conformance 10 CFR 50 Appendix A Criterion 13 The subsystem conforms to Criterion 13 in that the instruments employed more than adequately cover the anticipated range of radiation under normal operating conditions with sufficient margin to include postulated accident conditions. 7.7.14.5 Main Steamline Radiation Monitoring Subsystem 7.7.14.5.1 Design Bases The main steamline radiation monitoring subsystem is designed to meet the following safety design bases:

a. The subsystem is able to detect a gross release of fission products from the fuel under any anticipated operating combination of main steamlines.

b. The subsystem shall promptly indicate a gross release of fission products from the fuel.

7.7-98 REV. 14, APRIL 2002

LSCS-UFSAR

c. On detection of a gross release of fission products from the fuel the subsystem shall provide an alarm in the control room.

7.7.14.5.2 Power Generation Design Basis The main steamline radiation monitoring subsystem is designed to display in the control room an indication of gross gamma radiation level at the main steam tunnel. 7.7.14.5.3 System Description 7.7.14.5.3.1 Subsystem Identification The objective of the main steamline radiation monitoring subsystem is to monitor for the gross release of fission products from the fuel and, upon indication of such release, to provide a control room indication and alarm. This subsection is classified as discussed in Section 3.2. 7.7.14.5.3.2 Power Sources The 120-Vac RPS Buses A and B are the power sources for the main steamline radiation monitoring subsystem. Two channels are powered from one RPS bus and the other two channels from the other RPS bus. 7.7.14.5.3.3 Equipment Design Four gamma-sensitive instrumentation channels monitor the gross gamma radiation from the main steamlines. The detectors are physically located near the main steamlines just downstream of the outboard main steamline isolation valves. The detectors are geometrically arranged to detect significant increases in radiation level with any number of main steamlines in operation. Their location along the main steamlines allows the earliest practical detection of a gross fuel failure. Each monitoring channel consists of a gamma-sensitive ion chamber and a log radiation monitor, as shown in Drawing Nos. M-153, sheets 1 and 6. Capabilities of the monitoring channel are listed in Table 7.3-3. Each log radiation monitor has four trip circuits. One upscale trip circuit is used to alarm. A second upscale circuit is used for an alarm and is set at a level below that of the first upscale trip circuit. The third circuit is a downscale trip that actuates an instrument trouble alarm in the control room. The fourth circuit is an inoperative trip which is not used. The output from each log radiation monitor is displayed on a six-decade meter in the control room. 7.7-99 REV. 13

LSCS-UFSAR 7.7.14.5.3.4 Redundancy and Diversity The number of monitoring channels in this subsystem provides the required redundancy and is verified in the circuit description. 7.7.14.5.3.5 Testability A built-in source of adjustable current is provided with each log radiation monitor for test purposes. The operability of each monitoring channel can be routinely verified by comparing the outputs of the channels during power operation. 7.7.14.5.3.6 Environmental Considerations This subsystem is designed to meet the environmental requirements in Table 3.11-2. 7.7.14.5.3.7 Operational Considerations In the event of a high-high or an inop trip, high or low radiation level trip within any of the channels, the subsystem automatically activates the appropriate alarm annunciator and provides indication on a meter in the control room. 7.7.14.5.4 Analysis General Functional Requirement Conformance The main steamline radiation monitoring subsystem will detect and promptly indicate a gross release of fission products from the fuel under any operation for any combination of main steamlines. On detection of a gross release of fission products from the fuel, the subsystem initiates appropriate alarm annunciators. Criterion 13 The subsystem conforms to Criterion 13 in that the instruments employed more than adequately cover the anticipated range of radiation under normal operating conditions with sufficient margin to include postulated accident conditions. 7.7.15 Leak Detection System Instrumentation and Controls 7.7.15.1 Design Basis The instrumentation and controls associated with the leak detection system are discussed in Subsection 5.2.5. 7.7-100 REV. 19, APRIL 2012

LSCS-UFSAR The purpose of the leak detection instrumentation and controls is to provide the signals necessary to detect and isolate leakage from the reactor coolant pressure boundary before predetermined limits are exceeded. 7.7.15.2 System Description 7.7.15.2.1 Power Sources Power separation is applicable to leak detection signals that are associated with the isolation valve systems. Four power sources are used to comply with separation criteria. Equipment associated with Division 1 is powered by 120-Vac Instrument Bus A. Division 2 equipment is powered by 120-Vac Instrument Bus B. 7.7.15.2.2 Equipment Design The systems or parts of systems which contain water or steam coming from the reactor vessel or which supply water to the reactor vessel, and which are in direct communication with the reactor vessel, are provided with leakage detection systems as listed above (Figure 7.3-7 and Drawing Nos. M-155 and M-157). Similar items of water utilization equipment within the drywell share a common area and therefore a common leakage detection system. The unidentified leakage detection systems inside the drywell are designed with a capability to detect leakage less than established leakage rate limits. Certain major components within the drywell that by nature of their design are sources of leakage (e.g., pump seals, valve stem packing, equipment warming drains), are contained and piped to an equipment sump and thereby identified. Equipment associated with systems within the drywell (e.g., vessels, piping, fittings and some valve stem packing) share a common free volume and therefore common leakage detection systems. Steam or water leaks from such equipment are ultimately collected in the floor drain sumps. Each of the sumps is protected against overflowing to prevent leaks of an identified source from masking those from unidentified sources. The equipment drains collecting system and area drains collecting system are designed to detect unidentified leakage in excess of 1 gpm within 1 hour. As added backup to the unidentified drain system, the main steamlines within the steam tunnel inside the secondary containment are monitored by wall-mounted temperature detectors within the tunnel. The locations of the sensors are controlled so that steam leaks in excess of 1 gpm will also be detected within 1 hour. 7.7-101 REV. 13

LSCS-UFSAR Outside the drywell, the equipment and piping within each system monitored for leakage is in compartments or rooms separate from other systems wherever feasible so that leakage may be detected and identified in drains, by area temperature indications, high process flow, or radiation monitoring. 7.7.15.2.3 Recirculation Pump Leak Detection Subsystem Function The purpose of the recirculation pump leak detection subsystem is to monitor the rate of coolant seepage or leakage past the pump shaft seals. Excessively high rates of coolant flow past the seal and results in annunciator activation. Theory of Operation There are two recirculation pump leak detection subsystems, one for each of the pumps in the recirculation loop. The recirculation pump leak detection system consists of two types of monitoring circuits (Figure 7.7-14). The first of these monitors the pressure levels within the seal cavities, presenting the plant operator with a visual display of the sensed pressure in each of the two cavities. The second monitors the rate of liquid flow from the seal cavities. The pressure levels within seal cavity No. 1 and seal cavity No. 2 are measured with identical instruments arranged similarly. Only one circuit, seal cavity No. 1 pressure monitoring, is discussed. The pressure within seal cavity No. 1 is measured using a pressure transmitter. The pressure transmitter produces an output signal whose magnitude is proportional to the sensed pressure within its dynamic range. This output signal is then applied to pressure indicators for plant operator readout. All condensate flowing past the recirculation pump seal packings and into the seal cavities is collected and sent by one of two drain systems to the drywell equipment sump for disposal. The first drain system drains the major portion of the condensate collected within the No. 2 seal cavity. The condensate flow rate through the drain system is measured (high/low) by a flow switch. The point at which the microswitch closes can be adjusted so that switch actuation occurs only above or below certain flow rates. Excessively high or low flow rates through this drain system activates an annunciator in the main control room. The second drain system drains the cavity beyond the No. 2 seal cavity, collecting the condensate that has seeped (or leaked) past the outer seal. The condensate flow rate through this drain system is also measured (high), using a flow switch. The physical construction of this switch is similar to the flow switch described above, with only one contact set used to indicate the high flow rate. A high flow rate through this system activates an annunciator in the main control room. 7.7-102 REV. 13

LSCS-UFSAR 7.7.15.2.4 Spent Fuel Pool System Leak Detection Subsystem Function The purpose of the fuel pool leak detectors is to monitor leakage from the fuel pool lines and seal bellows, activating an annunciator in the event of a system leak of sufficient magnitude. Theory of Operation The spent fuel pool leak detection subsystem consists of turbine type transmitters, connected in the fuel pool lines drain and in the fuel pool bellows seal drain. The transmitter produces a signal proportional to the leakage flow in the drain line. The leakage rate is displayed in the main control room, and an alarm is activated when leakage reaches a predetermined value. 7.7.15.2.5 Drywell and Reactor Building Leak Detection Subsystem Function Drywell pressure and temperature, drywell and reactor building floor drain and equipment drain sump levels (see Subsection 7.7.15.2.8), air radioactivity, reactor vessel seal leakage pressure, condensate drain from the coolers, and valve stem leakage are variables measured as an indication of leakage within the drywell and reactor buildings (Figure 7.3-7 and Drawing Nos. M-155 and M-157). Theory of Operation Figure 7.3-7 and Drawing Nos. M-155 and M-157 show the drywell cooling system, which recirculates the drywell atmosphere through heat exchangers to maintain the drywell at its design operating temperature. In order to maintain this drywell temperature with the drywell atmospheric coolers operating inside the sealed drywell, the cooling water inlet and outlet temperature difference is maintained within specified limits. Any increase of the closed cooling water differential temperature or drywell ambient temperature indicates the leakage inside the drywell. High differential temperature is annunciated in the main control room. In addition, the condensate drain from the coolers is monitored by a flow transmitter. A flow indicating switch and annunciator are located in the main control room. 7.7-103 REV. 14, APRIL 2002

LSCS-UFSAR 7.7.15.2.6 Safety/Relief Valve Leak Detection Theory of Operation A temperature element (sensor) is placed in an instrument well on the exhaust line of each safety/relief valve in order to remotely detect the passage of steam through each exhaust line. The output of the temperature elements are, in turn, parallel connected to a common temperature recorder. Normally, the safety/relief valves are in the shut tight condition and are all at about the same temperature. Steam passage through the valve elevates the sensed temperature at the exhaust, causing an "abnormal" temperature reading on the recorder. Output contacts on the recorder, adjusted to actuate at a predetermined setpoint, close to complete an annunciator circuit. Safety valve operation usually occurs only after relief valve actuation. Leakage from a valve is usually characterized by a temperature increase on a single input. At LSCS Unit 1, an electromechanical lift indicating assembly is directly mounted atop the SRV. Valve position is sensed by a spindle mounted, position acting reed switch arrangement. Electrical output from the reed switches are fed to the control room for direct indication of SRV position. At LSCS Unit 2, an electromechanical lift indicating assembly is mounted directly atop the SRV. Valve position is sensed by an LVDT, which senses spindle shaft movement and sends its output to the Valve Position Cabinet in the Control Room. In this cabinet, the LVDT output energizes solid state relays to provide indication and alarm for SRV position indication. 7.7.15.2.7 Reactor Vessel Head Seal Ring Leak Detection Theory of Operation A pressure between the inner and outer head seal ring is sensed by a pressure switch. If the inner seal fails, the pressure at the pressure switch is the vessel pressure and the pressure switch trips and actuates an alarm. The plant will continue to operate with the outer seal as a backup, and the inner seal can be repaired at the next outage when the head is removed. If both the inner and outer head seals fail, the leak is detected by an increase in drywell temperature and pressure. 7.7.15.2.8 Sump Monitoring System Subsystem Function The sump-monitoring subsystem monitors liquid level and inflow rates of the floor drain and equipment drain sumps in the reactor building and initiates sump pumpout while the pumps are in automatic. When the pumps are not in service, the floor drain and equipment drain sumps use the gravity drain flow path. 7.7-104 REV. 24, APRIL 2020

LSCS-UFSAR Each sump is equipped with duplex pumps, a level switch, and timers. High level, excessive fill rate, and excessive pumpout time are annunciated in the main control room. Theory of Pumped Operation While the Drywell Sump Pumps are in service, pumping is initiated automatically with one of the duplex pumps when the sump level switch senses a high liquid level. When the pump motor starts, a timing interval is started by the pumpout timer. It initiates an annunciator in the main control room if the pump motor is running at the end of the time interval. This annunciation indicates an excessive sump pumpout time and a higher than normal inflow rate to the sump. If the liquid level in the sump increases to where the sump level switch senses a high-high level, the second of the duplex pumps is initiated automatically, and high level is annunciated in the main control room. If the liquid level decreases to the deactuation point of the level switch which stops the pump and resets the pumpout timer prior to the end of the time interval, the annunciator circuit is not energized. When the sump pump motor stops, a timing interval is started by the sump fillup timer. This initiates an annunciator in the main control room if the pump restarts prior to the end of the timing interval. This annunciator indicates a higher than normal inflow rate to the sump. If the pump does not start prior to the end of the time interval, the timer resets automatically and the annunciator circuit is not energized. Theory of Gravity Drain Operation While the Drywell Sumps are in gravity drain mode, a constant flow rate from the sumps is provided from the Drywell Equipment Drain and Drywell Floor Drain. The pumps are not in service while the gravity drain flow path is selected. 7.7.15.2.9 Testability The proper operation of the sensors and the logic associated with the leak detection systems is verified during the leak detection system preoperational test and during inspection tests that are provided for the various components during plant operation. All temperature switches, both ambient and differential types, are connected to dual thermocouple elements. Each temperature switch can be checked for operation by observing the ambient temperature or differential temperature and then turning the trip point adjustment and determining that the switch operates at the proper temperature. Each temperature switch contains a trip light which lights when the temperature exceeds the setpoint. The setpoint is manually reset to its required value by observing the setpoint on the meter in the main control room. In addition, keylock 7.7-105 REV. 24, APRIL 2020

LSCS-UFSAR test switches are provided so that the logic can be tested without sending an isolation signal to the system involved. Thus, a complete system check can be confirmed by checking activation of the isolation relay associated with each switch. The reactor building drain monitoring subsystems are tested by supplying makeup water to the sump at a sufficient flow rate to bring the water level above the sump high-level pump actuation point in less than a predetermined time. 7.7-105a REV. 24, APRIL 2020

LSCS-UFSAR Testing of flow, reactor vessel level, and pressure leak detection equipment is described in Subsection 7.3.2. 7.7.15.2.10 Environmental Considerations The sensors, wiring, and electronics which are associated with the isolation valve logic are designed to withstand the conditions that follow a loss-of-coolant accident. 7.7.15.3 Analysis 7.7.15.3.1 General Functional Requirement Conformance The part of leak detection system instrumentation that is related to the system isolation circuitry is designed to meet requirements of the primary containment and reactor vessel isolation control system. There are at least two different methods of detecting abnormal leakage from each reactor coolant pressure boundary system within the primary containment and in each area. The instrumentation is designed so that it may be set to provide alarms at established leakage rate limits and isolate the affected system if necessary. The alarm points are determined analytically, based on design data and on measurements of appropriate parameters made during startup and preoperational tests. This satisfies the power generation design basis and safety design basis. The unidentified leakage rate limit is based, with an adequate margin for contingencies, on the crack size large enough to propagate rapidly. The established limit is sufficiently low so that even if the entire unidentified leakage rate were coming from a single crack in the reactor coolant pressure boundary, corrective action could be taken before the integrity of the barrier is threatened with significant compromise. The limit on total leakage rate is established so that in the absence of normal a-c power and feedwater, and without using the emergency core cooling systems, the leakage loss from the nuclear system could be replaced. The limit on total leakage also allows a reasonable margin below the discharge capability of either the floor drain or equipment drain sump pumps. Thus, the established total leakage rate limit allows sufficient time for corrective action to be taken before either the nuclear system coolant makeup or the drywell sump removal capabilities are exceeded. 7.7.15.3.2 Specific Requirement Conformance Conformance with regulatory requirements is discussed in Section 7.A under Leak Detection System. 7.7-106 REV. 14, APRIL 2002

LSCS-UFSAR 7.7.16 Additional Analysis Supplement No. 1 to the LaSalle County Station Safety Evaluation Report (NUREG-0519) identified additional instrumentation and control concerns. These concerns were multiple control systems failure due to: (1) high energy line breaks (HELBs), or (2) common electrical power source or sensor malfunctions (including sensor impulse lines) that could either result in consequences more severe than considered in the plant safety analysis (Chapter 15.0) or initiate an unanalyzed event. All HELB's identified in Chapter 15.0 were analyzed to determine the worst case event assuming the failure of all affected non-safety systems in the worst direction. Affected systems are those that are in proximity of a specific line break, i.e., located within the same environmental zone as the HELB per Section 3.11 delineation of harsh environmental zones. All safety systems are assumed to operate as delineated in the "Ninety Day Report" for environmental qualification. Table 7.7-9 lists a matrix of all non-safety control systems evaluated for the HELB events. Note that for the LOCA, MSLB and FWLB events no more than two of the non-safety control systems can be affected simultaneously because:

a. By definition, the LOCA occurs inside primary containment and none of the safety related control systems is located inside primary containment (Zone H2). Failure of the non-safety related equipment during a LOCA was treated in Chapter 15.0 safety analyses.

b. The main steam line break occurs inside the main steam tunnel which is separated from the remainder of the reactor building.

None of these non-safety related control systems is located, in whole or in part, inside the main steam tunnel.

c. By definition the feedwater line break occurs outside primary containment within the main steam tunnel (Zone H5). It does not affect zone HA4 which is the annular zone between the primary containment and the ECCS cubicles which are environmentally separate, as is the RWCU room. The safety analysis for the feedwater line break is dominated by the LOCA with respect to consequences. This feedwater line break does not affect the turbine control system nor the process rad monitoring system. The effects of this HELB combined with recirculation flow control system failure events are bounded by Chapter 15.0 safety analyses.

There is no single line break inside or outside containment that can affect any more than two of the non-safety control systems 7.7-107 REV. 13

LSCS-UFSAR simultaneously due to physical separation, etc. An analysis was performed to determine the effect of malfunctions of more than one non-safety control system due to the loss of AC power and to find whether these events are bounded by the Chapter 15.0 Loss of AC Power event. For this analysis, all 480V AC non-ESS switchgear (load centers), all non-ESS 480V AC Motor Control Centers (MCC) and 120/208V non-ESS AC buses, as well as those 480V AC non-ESS MCC's connected to 480V AC ESS switchgear (load centers) and 120/208V AC non-ESS buses connected to 480V AC ESS MCC were considered. In the case of each 480V or 120/208V bus, each load connected to these buses was individually examined regarding its function and interface and the effect of power loss on multiple control systems. The effect on the control systems due to the loss of these AC power systems collectively was also examined. It was determined by this analysis that after considering all higher level power sources, the loss of the next-higher-level-bus initiated events that were bounded by the Chapter 15,0 Loss of AC Power analysis. Simultaneous malfunctions of non-safety control systems resulting from sensor, impulse line, or power supply malfunctions were analyzed. All of the feedwater control system and approximately 80% of the recirculation flow control system have a 120V AC common power source, MCC 131A-2 compartment F1. Both systems, on power supply loss, fail in place and the feed pump turbines and recirculation flow control valves maintain their position at the time of power loss. Other common power sources do not cause any simultaneous failures of control systems. There are no common impulse line malfunctions that could cause events not already bounded by Chapter 15.0 events. 7.7.17 References

1. W. R. Morgan, "In-Core Neutron Monitoring System for General Electric Boiling Water Reactors", APED-5706, November 1968 (Rev. April 1969).

2. Letter, Ashuk C. Thudani (NRC) to J. S. Charnley (GE), "Acceptance for Referencing of Licensing Topical Report NEDE-24011-P-A,

           'General Electric Standard Application for Reactor Fuel', Revision 8, Amendment 17," December 27, 1987.

7.7-108 REV. 14, APRIL 2002

LSCS-UFSAR

3. Letter from R.J. Stransky, NRR, to T.J. Kovach, CECo, Issuance of Amendment 88 to LaSalle Unit 1 Facility Operating License No.

NPF-11 and Amendment 73 to LaSalle Unit 2 Facility Operating License No. NPF-18 and including Safety Evaluation Report dated December 4, 1992.

4. SPC letter, MLH: 96:032, Applicability of the Rod Worth Minimizer 10% Low Power Setpoint to SPC Fuel, M.L. Hymas to R.J. Chin, June 12, 1996.

5. Westinghouse Report PNTC 00-261, LaSalle Unit 1 - Reactor Recirculation Flow Control, RRFC Functional Description (Proprietary)

6. Westinghouse Report PNTC 00-258, LaSalle Unit 1 - Reactor Water Level Control, RWLC Functional Description (Proprietary)

7. Westinghouse Report PNTC 01-129, LaSalle Unit 2 - Reactor Recirculation Flow Control, RRFC Functional Description (Proprietary)

8. Westinghouse Report PNTC 01-128, LaSalle Unit 2 - Reactor Water Level Control, RWLC Functional Description (Proprietary)

9. LTR NEDE-33885P-A, Revision 1, GNF CRDA Application Methodology, March 2020.

7.7-109 REV. 25, APRIL 2022

LSCS-UFSAR TABLE 7.7-1 (SHEET 1 OF 2) Deleted TABLE 7.7-1 REV. 18, APRIL 2010

LSCS-UFSAR TABLE 7.7-1 (SHEET 2 OF 2) Deleted TABLE 7.7-1 REV. 18, APRIL 2010

LSCS-UFSAR TABLE 7.7-2 GASEOUS RADWASTE PROCESS INSTRUMENTS PARAMETER MAIN CONTROL ROOM ALARM ALARM INDICATED RECORDED HIGH LOW SJAE intercondenser pressure --- X X X Second stage SJAE flow --- X X X Preheater inlet pressure X --- --- --- Recombiner inlet temperature X --- --- X Recombiner temperatures --- X X X Recombiner outlet hydrogen --- X X --- Off-gas condenser level --- --- X X Off-gas condenser outlet temperature --- --- X --- Prefilter differential pressure X --- X --- Off-gas reheater inlet temperature --- X X X Off-gas reheater outlet temperature X --- --- --- Charcoal bed inlet moisture --- X X --- Charcoal bed temperature --- X X --- Charcoal bed differential pressure X --- X --- Afterfilter differential pressure X --- X --- Off gas system flow --- X X X TABLE 7.7-2 REV. 0 - APRIL 1984

LSCS-UFSAR TABLE 7.7-3 (SHEET 1 OF 8) AREA RADIATION MONITORS CHANNEL 1 ARM RANGE ZONE SETPOINT 3 OTHER 4 IDENTIFICATION NAMEPLATE LEGEND 2 (mR/hr) (mR/hr) (mR/hr) ARM-l-1 STANDBY GAS 1.00 TO 10000 5.0 25.0 -- STAT NO. 1 ARM-1-2 RWCU 1.00 TO 10000 5.0 25.0 -- STAT NO. 2 PHASE SEP. ARM-1-3 RX BLDG SAMPLE SINK 0.10 TO 1000 5.0 25.0 Local indicator and STAT NO. 3 alarm ARM-1-4 CONTAINMENT 1.00 TO 10000 5.0 25.0 -- STAT NO. 4 PURGE ARM-1-5 NORTH HCU 0.10 TO 1000 0.5 2.5 -- STAT NO. 5 MODULES ARM-1-6 SOUTH HCU 0.10 TO 1000 0.5 2.5 -- STAT NO. 6 MODULES ARM-1-7 OFF-GAS EQUIP. 0.10 TO 1000 0.5 2.5 Local indicator and STAT NO. 7 AND SAMPLE alarm ARM-1-8 TIP ROOM 1.00 TO 10000 10-100 100.0 Local indicator and STAT NO. 8 alarm ARM-l-9 RX BLDG MEZZ- 0.10 TO 1000 1.0 5.0 -- STAT NO. 9 ANINE FLOOR ARM-1-10 CRD STORAGE 0.10 TO 1000 2.0 10.0 -- STAT NO. 10 AND REPAIR ARM-l-11 NW RHR HX 1.00 TO 10000 60 100.0 -- STAT NO. 11 ARM-1-12 SE RHR HX 1.00 TO 10000 60 100.0 -- STAT NO. 12 ARM-1-13 TURBINE BLDG 0.10 TO 1000 0.5 2.5 Local indicator and STAT NO. 13 SAMPLE SINK alarm TABLE 7.7-3 REV. 0 - APRIL 1984

LSCS-UFSAR TABLE 7.7-3 (SHEET 2 OF 8) AREA RADIATION MONITORS CHANNEL 1 ARM RANGE ZONE SETPOINT 3 OTHER 4 IDENTIFICATION NAMEPLATE LEGEND 2 (mR/hr) (mR/hr) (mR/hr) ARM-l-14 COND.DEMIN REGEN STAT NO. 14 VALVE AISLE 100 TO 10000 10-100 100.0 -- ARM-1-15 URC VALVE AISLE 1.00 TO 10000 10-100 100.0 -- STAT NO. 15 ARM-1-16 RCIC TURBINE 1.00 TO 10000 5-30 30.0 Local indicator and STAT NO. 16 alarm ARM-1-17 HPCS PUMP 0.10 TO 1000 0.5 2.5 -- STAT NO. 17 ARM-1-18 COND. BOOSTER 0.10 TO 1000 0.5 2.5 -- STAT NO. 18 PUMPS ARM-1-19 AUX EQUIP ROOM 0.10 TO 1000 0.5 2.5 -- STAT NO. 19 ARM-1-20 SPARE ---- --- --- --- STAT NO. 20 ARM-1-21 SPARE ---- --- --- --- STAT NO. 21 ARM-l-22 SPARE --- --- --- -- STAT NO. 22 CHANNEL ARM-1-23 SPARE --- --- --- -- STAT NO. 23 CHANNEL ARM-l-24 SPARE --- --- --- -- STAT NO. 24 ARM-1-25 SPARE --- --- --- -- STAT NO. 25 TABLE 7.7-3 REV. 0 - APRIL 1984

LSCS-UFSAR TABLE 7.7-3 (SHEET 3 OF 8) AREA RADIATION MONITORS CHANNEL 1 ARM RANGE ZONE SETPOINT 3 OTHER 4 IDENTIFICATION NAMEPLATE LEGEND 2 (mR/hr) (mR/hr) (mR/hr) ARM-l-26 SPARE --- --- --- -- STAT NO. 26 ARM-1-27 SPARE --- --- --- -- STAT NO. 27 ARM-1-28 SPARE --- --- --- --- STAT NO. 28 ARM-1-29 SPARE --- --- --- -- STAT NO. 29 ARM-1-30 SPARE --- --- --- -- STAT NO. 30 ARM-2-1. STANDBY GAS 1.00 TO 10000 5.0 25.0 --- STAT NO 1 ARM-2-2 RWCU PHASE SEP 1.00 TO 10000 5.0 25.0 --- STAT NO 2 ARM-2-3 RX BLDG SAMPLE 0.10 TO 1000 5.0 25.0 Local indicator and alarm STAT NO 3 SINK ARM-2-4 CONTAINMENT 1.00 TO 10000 5.0 25.0 --- STAT NO 4 PURGE ARM-2-5 NORTH HCU 0.10 TO 1000 0.5 2.5 --- STAT NO. 5 MODULES ARM-2-6 SOUTH HCU 0.10 TO 1000 0.5 2.5 --- STAT NO. 6 MODULES TABLE 7.7-3 REV. 0 - APRIL 1984

LSCS-UFSAR TABLE 7.7-3 (SHEET 4 OF 8) AREA RADIATION MONITORS CHANNEL 1 ARM RANGE ZONE SETPOINT 3 OTHER 4 IDENTIFICATION NAMEPLATE LEGEND (mR/hr) (mR/hr) (mR/hr) ARM-2-7 OFF-GAS EQUIP 0.10 TO 1000 0.5 2.5 Local indicator and STAT NO. 7 AND SAMPLE alarm ARM-2-8 TIP ROOM 1.00 TO 10000 10-100 100.0 Local indicator and STAT NO. 8 alarm ARM-2-9 RX BLDG MEZZ- 0.10 TO 1000 1.0 5.0 -- STAT NO. 9 ANINE FLOOR ARM-2-10 CRD STORAGE 0.10 TO 1000 2.0 10.0 -- STAT NO. 10 AND REPAIR ARM-2-11 NW RHR HX 1.00 TO 10000 60.0 100.0 -- STAT NO. 11 ARM-2-12 SE RHR HX 1.00 TO 10000 60.0 100.0 -- STAT NO. 12 ARM-2-13 TURBINE BLDG 0.10 TO 1000 0.5 2.5 Local indicator and STAT NO. 13 SAMPLE SINK alarm ARM-2-14 COND DEMIN 1.00 TO 10000 10-100 100.0 -- STAT NO. 14 REGEN VALVE AISLE ARM-2-15 SPARE -- -- -- -- STAT NO. 15 ARM-2-16 RCIC TURBINE 1.00 TO 10000 5-30 30.0 Local indicator and STAT NO. 16 alarm ARM-2-17 HPCS PUMP 0.10 TO 1000 0.5 2.5 -- STAT NO. 17 ARM-2-18 COND BOOSTER 0.10 TO 1000 0.5 2.5 -- STAT NO. 18 PUMP TABLE 7.7-3 REV. 0 - APRIL 1984

LSCS-UFSAR TABLE 7.7-3 (SHEET 5 OF 8) AREA RADIATION MONITORS CHANNEL 1 ARM RANGE ZONE SETPOINT 3 OTHER 4 IDENTIFICATION NAMEPLATE LEGEND 2 (mR/hr) (mR/hr) (mR/hr) ARM-2-19 AUX EQUIP ROOM 0.10 TO 1000 0.5 2.5 - STAT NO. 19 ARM-2-20 SPARE - - - - STAT NO. 20 ARM-2-21 SPARE - - - - STAT NO. 21 ARM-2-22 SPARE - - - - STAT NO. 22 ARM-2-23 SPARE - - - - STAT NO. 23 ARM-2-24 SPARE - - - - STAT NO. 24 ARM-2-25 SPARE - - - - STAT NO. 25 ARM-2-26 SPARE - - - - STAT NO. 26 ARM-2-27 SPARE - - - - STAT NO. 27 ARM-2-28 SPARE - - - - STAT NO. 28 ARM-2-29 SPARE - - - - STAT NO. 29 ARM-2-30 SPARE - - - - STAT NO. 30 TABLE 7.7-3 REV. 0 - APRIL 1984

LSCS-UFSAR TABLE 7.7-3 (SHEET 6 OF 8) AREA RADIATION MONITORS CHANNEL 1 ARM RANGE ZONE SETPOINT 3 OTHER 4 IDENTIFICATION NAMEPLATE LEGEND (mR/hr) (mR/hr) (mR/hr) ARM-3-1 REFUEL FLR 0.100 TO 106 1.0 1000 Local indicator and STAT NO. 31 HIGH RANGE alarm ARM-3-2 REFUEL FLR 0.10 TO 1000 0.5 2.5 Local indicator and STAT NO. 32 LOW RANGE alarm ARM-3-3 NEW FUEL 0.10 TO 1000 8.0 25.0 - STAT NO. 33 STORAGE VAULT ARM-3-4 REFUEL FLR 0.10 TO 1000 0.5 2.5 Local indicator and STAT NO. 34 EQUIP HATCH alarm ARM-3-5 VENT STACK 0.10 TO 1000 0.5 2.5 Local indicator and STAT NO. 35 SAMPLE alarm ARM-3-6 MAIN CONTROL 0.10 TO 100 0.5 2.5 - STAT NO. 36 ROOM ARM-3-7 HP TURBINE 0.10 TO 1000 0.5 2.5 - STAT NO. 37 ARM-3-8 TURBINE BLDG 0.10 TO 1000 0.5 2.5 Local indicator and STAT NO. 38 DECON PIT alarm ARM-3-9 RX BLDG 0.10 TO 1000 0.5 2.5 - STAT NO. 39 TRACKWAY ARM-3-10 HOT LAB 0.10 TO 1000 0.5 2.5 Local indicator and STAT NO.40 CORRIDOR alarm ARM-3-11 TURBINE BLDG 0.10 TO 1000 0.5 2.5 - STAT NO. 41 BSMT ELEVATOR ARM-3-12 O.G. HVAC 0.10 TO 1000 0.5 2.5 - STAT NO. 42 EXHAUST AREA TABLE 7.7-3 REV. 0 - APRIL 1984

LSCS-UFSAR TABLE 7.7-3 (SHEET 7 OF 8) AREA RADIATION MONITORS CHANNEL 1 ARM RANGE ZONE SETPOINT 3 OTHER 4 IDENTIFICATION NAMEPLATE LEGEND (mR/hr) (mR/hr) (mR/hr) ARM-3-13 O.G. UPPER 0.10 TO 1000 0.5 2.5 Local indicator and STAT NO. 43 BSMT alarm ARM-3-14 O. G. CHAR. ADS. 1.00 TO 10000 5.0 30.0 Local indicator and STAT NO. 44 VALVE AISLE alarm ARM-3-15 SERVICE BLDG 0.01 TO 100 0.5 2.5 - STAT NO. 45 OFFICE CORRIDOR ARM-3-16 LAUNDRY 0.10 TO 1000 0.5 2.5 - STAT NO. 46 ARM-3-17 MACHINE SHOP 0.10 TO 1000 0.5 2.5 Local indicator and STAT NO. 47 alarm ARM-3-18 SERVICE BLDG 0.01 TO 100 0.5 2.5 - STAT NO. 48 LUNCH ROOM CORRIDOR ARM-3-19 SPARE - - - - STAT NO. 49 ARM-3-20 SPARE - - - - STAT NO.50 ARM-4-1 CONC WASTE 0.1 TO 1000 60.0 100.0 - STAT NO. 1 TANKS ARM-4-2 UNIT 1 FL. DR. 0.1 TO 1000 60.0 100.0 - STAT NO. 2 CONC. PUMP & VALVE ROOM TABLE 7.7-3 REV. 0 - APRIL 1984

LSCS-UFSAR TABLE 7.7-3 (SHEET 8 OF 8) AREA RADIATION MONITORS CHANNEL 1 ARM RANGE ZONE SETPOINT 3 OTHER 4 IDENTIFICATION NAMEPLATE LEGEND 2 (mR/hr) (mR/hr) (mR/hr) ARM-4-3 UNIT 2 FL. DR. CONC. 0.1 TO 1000 60.0 100.0 - STAT NO. 3 PUMP & VALVE ROOM ARM-4-4 CHEM WST. CONC. 0.1 TO 1000 60.0 100.0 - STAT NO. 4 PUMP & VALVE RM ARM-4-5 RADWASTE CONTROL 0.01 TO 100 0.5 2.5 - STAT NO. 5 ROOM ARM-4-6 DRUM LABELING 0.1 TO 1000 0.5 2.5 - STAT NO. 6 STA. ARM-4-7 RADWASTE 0.1 TO 1000 0.5 2.5 - STAT NO. 7 COMPACTOR ARM-4-8 N. HIGH LEVEL 1.0 TO 10000 60.0 100.0 - STAT NO. 8 DRUM STORAGE ARM-4-9 S. HIGH LEVEL 1.0 TO 10000 60.0 100.0 - STAT NO. 9 DRUM STORAGE ARM-4-10 SERVICE BLDG TECH 0.1 TO 1000 0.5 2.5 - STAT NO.10 SUPPORT CENTER

1. Channel Identification code: ARM numbers and station (STAT) numbers are those specified in radiation zone maps.

2. The actual ARM nameplate legend contains, or implies, in somewhat abbreviated form, the ARM location by building and area.

3. These are tentative. Actual setpoints will be changed in accordance with the station setpoint change procedure as determined by the rad chem department.

4. Dash entry in this column means no special provisions on this monitor. All have recorders.

TABLE 7.7-3 REV. 0 - APRIL 1984

LSCS-UFSAR TABLE 7.7-4 SRM SYSTEM TRIPS TRIP FUNCTION NORMAL SETPOINT TRIP ACTION SRM upscale (high) or *,*** Rod block, amber light display, annunciator SRM instrument inoperative ** Rod block, amber light display, annunciator Detector Retraction Permissive

• Bypass detector full-in limit switch when above (SRM downscale) preset limit, annunciator, green light display, rod block when below preset limit with IRM range switches on first two ranges SRM period 50 sec Annunciator, amber light display SRM downscale *,*** Rod block, annunciator, white light display SRM bypassed White light display
• For Normal Setpoint, Accuracy, Calibration, and Design Allowable Basis information, see the applicable calculation.
  • SRM is inoperative if module interlock chain is broken. Operate-calibrate switch is not in operate position or detector polarizing voltage is below 300 volts.
    • See UFSAR Table 7.3-5 for more information.

TABLE 7.7-4 REV. 14, APRIL 2002

LSCS-UFSAR TABLE 7.7-5 LPRM SYSTEM TRIPS TRIP FUNCTION TRIP RANGE TRIP SETPOINT TRIP ACTION LPRM downscale 2% to full scale 3% White light and annunciator LPRM upscale 2% to full scale 100% Amber light and annunciator LPRM bypass Manual switch White light and APRM averaging compensation TABLE 7.7-5 REV. 0 - APRIL 1984

LSCS-UFSAR TABLE 7.7-6 RBM SYSTEM TRIPS TRIP FUNCTION NOMINAL SETPOINT ALLOWABLE TRIP ACTION RBM upscale (high) Note* Note*** Rod block, annunciator, amber light display RBM inoperative 1* N/A Rod block, annunciator, amber light display RBM downscale Note* Note*** Rod block, annunciator, amber light display RBM bypassed Manual switch or N/A White light display Peripheral rod selected or APRM reference below 30%

• For Nominal Setpoint, see the applicable calculation.
  • RBM is inoperative if module interlock chain is broken, OPERATE-CALIBRATE switch is not in OPERATE position, less than 50% of available LPRM signals are above 3% threshold, or internal logic self-test circuits indicate trouble.
    • See UFSAR Table 7.3-5 for more information.

TABLE 7.7-6 REV 14 - APRIL 2002

LSCS-UFSAR TABLE 7.7-7 REFUELING INTERLOCK EFFECTIVENESS REFUELING SERVICE CONTROL REFUELING PLATFORM HOISTS MODE SITUATION PLATFORM PLATFORM ATTEMPT RESULT TMH

• FMH
• FG
• RODS SWITCH POSITION HOISTS Move refueling

1. Not near core UL* UL* UL* UL* All rods in Refuel No restrictions platform over core Cannot withdraw more

2. Not near core UL UL UL UL A11 rods in Refuel Withdraw rods than one rod One rod Move refueling

3. Not near core UL UL UL UL Refuel No restrictions withdrawn platform over core Any hoist One rod Move refueling Platform stopped

4. Not near core UL Refuel loaded withdrawn platform over core before over core Cannot withdraw more

5. Over core UL UL UL UL All rods in Refuel Withdraw rods than one rod Any hoist

6. Over core All rods in Refuel Withdraw rods Rod block loaded

7. Not near core UL UL UL L* All rods in Refuel Withdraw rods Rod block

8. Deleted

9. Deleted Move refueling Platform stopped

10. Not near core UL UL UL UL All rods in Startup platform over core before over core Operate service

11. Not near core UL UL UL L A11 rods in Startup No restrictions platform hoist One rod Operate service Hoist operation

12. Not near core UL UL UL L Startup withdrawn platform hoist prevented

13. Not near core UL UL UL L All rods in Startup Withdraw rods Rod block

14. Not near core UL UL UL UL All rods in Startup Withdraw rods No restrictions

15. Over core UL UL UL UL All rods in Startup Withdraw rods Rod block Any condition, Turn mode switch to

16. Any Any condition Any condition reactor not at Startup Scram run power Any hoist One rod Hoist operation

17. Over core Refuel Operate hoist loaded withdrawn prevented TABLE 7.7-7 REV. 19 - APRIL 2012

LSCS-UFSAR TABLE 7.7-8 PROCESS RADIATION MONITORING SYSTEMS CHARACTERISTICS MONITORING SUBSYSTEM INSTRUMENT* INSTRUMENT SCALE TRIPS PER CHANNEL (Decade Log) UPSCALE DOWNSCALE Air ejector off-gas (pretreat) 1 to 106 mR/h 6 1 1 (posttreat) 10 to 106 5 3 1 counts/min Station vent stack 10-7 to 105 Ci/cc 5 2 1 Process liquid 10 to 106 5 1 1 counts/min** Carbon bed vault 1.0 to 106 mR/h 6 1 1 Range of measurements depends on items such as source geometry, background radiation, shielding, energy levels, and method of sampling. Readout depends on the pulse height discriminator setting TABLE 7.7-8 REV. 0 - APRIL 1984

LSCS-UFSAR TABLE 7.7-9 MATRIX OF NON-SAFETY CONTROL SYSTEMS AFFECTED BY HELB EVENTS HELB EVENTS NON-SAFETY CONTROL INSTRUMENT SYSTEMS LOCA MSLB FWLB LINE BREAK Reactor Vessel Instrumentation X and Controls Rod Control Management System X Recirculation Flow Control X System Feedwater Control System X X Pressure Regulator and Turbine X X Generator Controls Neutron Monitoring Systems (Non-Safety Portion) Process Computer System Reactor Water Cleanup System Area Radiation Monitoring System X X Gaseous Radwaste Control System Liquid Radwaste Control System Spent Fuel Pool Cooling and Cleanup System Refueling Interlocks System Process Radiation Monitoring X X System Leak Detection System X NOTE: Blank areas mean that HELB events do not affect non-safety-related Control Systems. For the instrument line break, note that all individual non-safety control systems cannot be affected by a single or common type HELB due to physical and electrical separation of these control systems throughout the plant. TABLE 7.7-9 REV. 18, APRIL 2010

LSCS-UFSAR 7.8 STATUS DISPLAYS 7.8.1 Engineered Safety Features Display The purpose of the ESF status display system is to provide the control room operator with a continuous visual display of those plant safety-related systems which have been bypassed or rendered inoperative for any purpose and whose functions meet all of the following conditions:

a. The bypass or inoperable condition affects a system that is designed to perform automatically a function that is important to the safety of the public.

b. The bypass condition is expected to be established by plant personnel or the inoperable condition can reasonably be expected to occur more frequently than once a year.

c. The bypass or inoperable condition is expected to occur when the affected system is normally required to be operable.

The ESF status display system consists of the process computer dedicated terminal and audible alarm, digital input cabinets, computer input console, and the station computer system and is not a safety system. ESF status indications and alarms are presented on a dedicated display terminal and can be displayed on a number of other PPC display terminals at the request of an operator. ESF status indications (buttons) with active alarms (item bypassed) are presented in red (blinking if unacknowledged). When the point goes out of alarm status (not bypassed) the status indication will be green. The instantaneous status of ESF bypasses can be displayed and printed on demand. Wherever practical, automatic indication of the status of ESF safety-related systems and components is hard-wired into the digital input cabinets. Many of the inputs are from field mounted devices such as limit switch contact 14-14C on suppression pool suction valve 1E12-F004A, limit switch contact LS(O) A-B on maintenance valve 1E12-F027A, auxiliary relay K40 for HPCS diesel generator governor control power, etc. These inputs are routed to locally-mounted digital input cabinets, where they are isolated from one another and from the BOP circuits in the cabinet. The digital input cabinets transmit a multiplexed signal to the station computer system. 7.8-1 REV. 16, APRIL 2006

LSCS-UFSAR For those activities that affect a safety-related system and do not result in an automatic indication of a system bypassed or an inoperable condition, per conditions stated in The Technical Specifications, a procedure number will be entered into the computer through the computer input console. Such activities include operation of manual valves such as diesel-generator cooler outlet ODG01A, HPCS diesel cooler inlet E22-F313, instrument maintenance on main steamline low-pressure switch B21-N015D, RHR water supply high flow detection E31-N012A, improper position of control room HVAC emergency makeup blower discharge damper OVC044A, and similar components. Whenever an automatic input is received by the computer, or a procedure number is manually entered through the computer input console, the computer software logic makes the determination as to which ESF system(s) are rendered inoperable or bypassed. The computer then activates the appropriate system button on the ESF status display. The system button(s) initially flash(es) red and then changes to a solid red when the display condition is acknowledged by the operator. An audible alarm sounds and the initiating inputs or procedure entry is available for display or printing. When all of the automatic inputs and procedure entries associated with a particular safety-related system have been returned to a safe condition, the computer turns off that system's indicator on the ESF status display. 7.8.2 Safety Parameter Display System (SPDS) 7.8.2.1 General The purpose of the Safety Parameter Display System (SPDS) is to provide to the reactor operator in a single display the value/status of primary variables which directly indicate the status of the safety parameters indicating the accomplishment or maintenance of plant safety functions. Plant safety functions are core cooling, reactivity control, reactor coolant system integrity, containment integrity, and radioactive effluents. The SPDS functions as an indicator only and it is intended that all SPDS readings be confirmed by the operator using existing control room instrumentation. 7.8-2 REV. 16, APRIL 2006

LSCS-UFSAR 7.8.2.2 Description 7.8.2.2.1 Primary Display The basic primary display format is shown in Figure 7.8-1. The display consists of three main sections.

a. Heading:

This section contains the display title, the station and unit being displayed, and the time of day.

b. Bar Graphs:

This section contains bar graphs for seven variables: reactor water level, reactor pressure, drywell pressure, drywell temperature, suppression pool level, suppression pool temperature, and reactor power. Associated with each bar graph is the variable name (below the graph), digital display of variable value, and digital display of rate of change and direction (increasing/decreasing) of the variable (both above the graph). The bar graphs are separated into three groups: Primary system variables, containment variables, and reactor power.

c. Status Boxes:

This section contains five boxes displaying the status of five variables/parameters: core spray system operation, safety relief valve positions, primary containment isolation, containment radiation, and radioactive release to the environment. The seven bar graphs and digital values are composed points generated from multiple inputs. The inputs are sampled at frequent intervals. The inputs are first validated by comparing the electronic input signal with the instrument range. Invalid (out of range) inputs may be used to verify the accuracy of valid inputs but are not displayed. Valid inputs are compared and/or combined to provide a verified, accurate value for the variable. This value is displayed as a digital value (top of bar graph) and as the relative height of the bar. This verified value is also compared with a previous value (user definable) and a direction and rate of change calculated and converted to units/minute and the verified value and rate of change are displayed and updated periodically. 7.8-3 REV. 16, APRIL 2006

LSCS-UFSAR If no valid inputs are available or a valid input is contradicted by other inputs, then the displayed variable is considered to be unverified and invalid. The SPDS will notify the operator of this condition. Each bar graph is typically provided with a green bogey (expected value) line based on normal 100% power conditions and red and green bands indicating high, low and normal limits. The five status boxes indicate the normal/alarm condition of functions, components, or variables relating to the safety parameters. The input variables are validated and verified where possible. The inputs are then compared against pre-determined values or conditions to ascertain the normal or alarm status of the function, component, or variable being displayed. Abnormal or alarm conditions will cause the upper portion and outline of the box to change color from green to red. Loss of valid inputs will cause the color to change to cyan. Wording in the bottom of the box will change according to the status of the monitored function, component, and variables. 7.8.2.2.2 Safety Parameters and Associated Displays 7.8.2.2.2.1 Core Cooling The adequacy of core cooling is assessed by measuring reactor water level and operation of the core spray systems. Verification of reactor water level to be above 2/3 core height is sufficient to ensure adequate core cooling. If water level indication is lost or level cannot be determined, verification of design flow rates in either the low pressure or high pressure core spray system is sufficient to ensure adequate core cooling.

a. Reactor Water Level Reactor water level is indicated using the RX LEVEL bar graph with associated value and trend digital displays. The values displayed are a composite of the following water level inputs:

Upset Range (1 input) 0 to 180 inches Narrow Range (2 inputs) 0 to 60 inches Wide Range (4 inputs) -150 to 60 inches Fuel Zone Range (2 inputs) -311 to -111 inches The selection/combination of signals to be displayed is based on the following selection priority; considering the availability of valid/verified input values:

1. Narrow Range 7.8-4 REV. 13

LSCS-UFSAR

2. Wide Range

3. Fuel Zone Range

4. Upset Range The following values are indicated on the bar graph:

Bogey: 35 inches (green value) High Alarm: 55.5 inches (red band) Low Alarm: 12.5 inches (red band)

b. Core Spray Operation Core spray system operation is indicated using the CORE SPRAY ON (OFF) status box to alert the operator to off-normal operation. The inputs consist of high and low pressure, systems flows, and pump discharge pressures. The measured flows are verified by comparison with pump design flow/pressure characteristics using the discharge pressure inputs. Core spray demand is determined from reactor level and drywell pressure values. If a demand signal is present and neither the high nor the low pressure system are operating at or above design flow conditions (3500 gpm for HPCS and 6350 gpm for LPCS) the status box will indicate an alarm condition. At greater than 1000 gpm on either system the wording in the lower portion of the box will change to ON from OFF.

7.8.2.2.2.2 Reactivity Control Reactivity control is assessed by the measurement of reactor power level. The reactor power level is indicated using the RX POWER bar graph and associated digital value and trend displays. Inputs to the reactor power measurement are the six APRM's and four SRM's. If the APRM's are reading onscale in run or startup, they are used to determine power level; in shutdown and refuel when the APRM's are downscale the SRM's are used with preference given to SRM's which are inserted. Following a scram demand signal, an SRM reading above 105 or APRM's on scale could indicate a failure to scram. Should either of these conditions occur, a box around the Rx (reactor) power bar graph will turn RED. The following values are indicated on the bar graph: Bogey: 100% power (green value) High Alarm 110% power (red band) Low Alarm: None provided 7.8-5 REV. 16, APRIL 2006

LSCS-UFSAR 7.8.2.2.2.3 Reactor Coolant System Integrity Maintenance of reactor coolant system integrity is assessed by the measurement of reactor pressure, drywell pressure, containment activity, safety/relief valve (SRV) positions, and isolation of PCIS valves in groups 1 and 2. Rapid RPV depressurization, high drywell pressures, high containment activity, open SRV's, and open isolation paths all indicate actual or potential breaches of the reactor coolant system integrity. In addition, excessively high reactor pressure would cause SRV's to open and could potentially threaten the reactor coolant system physical boundary.

a. Reactor Pressure Reactor pressure is indicated using the RX PRESS bar graph and associated digital valve and trend displays. The four reactor pressure input signals are as follows:

Narrow Range (2) 850 - 1050 psig Wide Range (2) 0 - 1500 psig Valid signals are compared against each other and preferentially selected for display in the order listed above, if verified. Because of the increasing span in the ranges, this provides for the most accurate value. If only the last 2 wide range inputs can be verified, they are averaged. If none of the valid signals can be verified, the highest of the valid readings is selected (greatest potential threat to RCS integrity). The following values are indicated on the bar graph: Bogey: 1000 psig (green value) High Alarm: 1043 psig (red band) Low Alarm: None Provided

b. Drywell Pressure Drywell pressure is indicated using the DW PRESS bar graph and associated digital value and trend displays. The three drywell pressure input signals are as follows:

Narrow range (2) -5 to +5 psig Wide range (1) 0 to 135 psig Valid signals are compared for verification. If agreement is verified, the signals are averaged. Preference is given to the narrow range readings due to greater accuracy associated with the narrow span. If signal agreement cannot be verified, the 7.8-6 REV. 20, APRIL 2014

LSCS-UFSAR valid narrow range signal is selected, or the highest of disagreeing positive signals or the lowest of disagreeing negative signals. The following values are indicated on the bar graph: Bogey: 0 psig (green value) High Alarm: 1.69 psig (red band) Low Alarm: -0.5 psig (red band)

c. Containment Activity Containment activity is monitored using the CONTAIN RAD NORM (HIGH) status box to alert the operator to an abnormal operating condition. Two containment activity signals are used as inputs, each with a range of 1 R/hr to 108 R/hr. Valid signals are compared and averaged if in agreement or the highest signal selected if in disagreement. The high alarm limit is 100 R/hr which is a GSEP Emergency Action Level (EAL).

d. Safety Relief Valve (SRV) Positions The position of the SRV's is monitored using the SRV CLOSED (OPEN) status box to alert the operator to an abnormal operating condition. Inputs to this indicator are the SRV position limit switches, reactor pressure from the SPDS, reactor level from the SPDS, drywell pressure from the SPDS, and low pressure ECCS pump discharge pressures. The demand for SRV pressure relief is determined from the reactor pressure value and the demand for ADS actuation is determined from the water level, drywell pressure, and low pressure ECCS pumps discharge pressure values. The valve position is then compared to the demand to determine any off-normal states, i.e. valves open with no signal present or valves closed when a signal is present.

e. PCIS 1 and 2 Valve Positions Reactor and containment isolation (groups 1, 2 and 10 only) is monitored using the PCIS status box to alert the operator of a failure to isolate. Inputs to this indicator are the PCIS groups 1, 2, and 10 valve position limit switches and group 1, 2, and 10 isolation logic contacts. Valve positions are compared with the isolation demand signal and failure of all valves in any isolation path to close with an isolation signal present initiates an alarm state.

7.8-7 REV. 20, APRIL 2014

LSCS-UFSAR 7.8.2.2.2.4 Containment Integrity Maintenance of containment integrity is assessed by the measurement of drywell pressure, drywell temperature, suppression pool level, suppression pool temperature, and containment isolation valve (groups 1, 2, and 10) positions. Excessive drywell pressure, drywell temperature, and suppression pool temperature, and high or low suppression pool level indicate conditions which may violate containment design bases and potentially degrade containment integrity. Open isolation paths would indicate a breach of the containment boundary.

a. Drywell Pressure See Section 7.8.2.2.2.3.b

b. Drywell Temperature Drywell temperature is indicated using the DW TMP bar graph and associated digital valve and trend displays. Four drywell average temperature inputs are used for this indication. The four signals are validated and then averaged. The averaged value is displayed. The following values are indicated on the bar graph.

Bogey: 125°F (green value) High Alarm: 135°F (red band) Low Alarm: 70°F (red band)

c. Suppression Pool Level Suppression pool level is indicated using the SUPP LVL bar graph and associated digital value and trend displays. The three inputs to this indicator are as follow:

Narrow Range: -14 to + 14 inches Wide Range (2): -18 to + 14 feet Valid signals are compared for verification. Selection of the narrow range signal is preferred because of its accuracy. Wide range signals are averaged if in agreement, and where no agreement is found, the valid input with the greatest absolute value (greatest deviation from 0) is selected. The following values are indicated on the bar graph: Bogey: 0" (green value) High Alarm: +3" (red band) Low Alarm: -4.5" (red band) 7.8-8 REV. 16, APRIL 2006

LSCS-UFSAR

d. Suppression Pool Temperature Suppression Pool Temperature is monitored using the SUPP TMP bar graph and associated digital value and trend displays.

Sixteen local temperature sensors provide inputs for this indicator. (Fourteen positioned about one foot below normal water level and two positioned about 17-feet below normal water level). The following values are indicated on the bar graph: Bogey: 85°F (green value) High Alarm: 105°F (red band) Low Alarm: A low alarm is provided at 32!F although this value is below the bar graph's lowest value

e. PCIS 1 and 2 Valve positions See section 7.8.2.2.2.3.e 7.8.2.2.2.5 Radioactive Effluents Radioactive effluents are assessed by the measurement of radiation levels or release rates at the gaseous and liquid release points. Excessive releases or radiation levels are indicated using the RAD RELEASE NORM (HIGH) status box.

Inputs to the radioactive release status box came from the offgas pretreatment log rad monitor; SBGT and station vent stack rad monitors; SBGT and station vent stack flow meters; and the liquid radwaste, service water discharge, and RHR loops A and B discharge rad monitors. Although the offgas system at the monitor location does not provide a direct path to the environment, high radiation at this point would indicate degradation of a fission product barrier and the potential for a radioactive release. Validation (signal within instrument range) is performed on all signals. The liquid pathway and offgas monitors are single instruments and no signal verification can be performed. The same is true for the SBGT and station vent stack flow sensors. The SBGT and station vent stack radiation monitors consist of three instruments each with overlapping ranges. If two of three signals agree, the one with the lowest range is chosen for greater accuracy. Where no agreement exists, the lowest range reading is chosen. This signal is then combined with a measured flow rate to produce a release rate. The sum of the SBGT and station vent stack release rates is compared to the high alarm limit. If the value for any effluent path exceeds the alarm point or has no valid inputs, the status box color will change to RED or CYAN, respectively. The following is a list of inputs for each effluent path: 7.8-9 REV. 16, APRIL 2006

LSCS-UFSAR Off Gas - Pretreatment monitor, 1 to 1x106 mR/hr SBGT Radiation - Low Range, 10-7 to 10-1 uCi/cc

                   - Mid Range,               1.0x10-4 to 1.0x102 uCi/cc
                   - High Range,              10-1 to 105 uCi/cc SBGT Flow - flow element 1FT-VG003             0-5000 CFM Station vent stack Radiation - Same as SBGT Radiation.

Station vent stack - Flow element OFT-VR019, 0-1.5x106 CFM Liquid Radwaste - Discharge Monitor, 10 to 106 CPM Plant Service Water - Discharge Monitor, 10 to 106 CPM RHR Loop "A" - Discharge Monitor, 10 to 106 CPM RHR Loop "B" - Discharge Monitor, 10 to 106 CPM The high alarm limits for the various paths are based on existing high alarm limits or GSEP EAL. Off Gas, (existing alarm point) SBGT plus station vent stack (as calculated) Liquid Radwaste, (as calculated) Service Water, RHR "A", and RHR "B", (existing alarm limit) 7.8.2.3 Alarms and Messages (Deleted) 7.8.2.3.1 Audible Alarms (Deleted) 7.8-10 REV. 16, APRIL 2006

LSCS-UFSAR 7.8.2.3.2 Error Messages (Deleted) 7.8-11 REV. 16, APRIL 2006

LSCS-UFSAR ATTACHMENT 7.A - ANALYSIS OF CONFORMANCE OF INSTRUMENTATION AND CONTROL SYSTEMS WITH IEEE CRITERIA 7.A.1 INTRODUCTION This attachment provides an analysis of the conformance of the LaSalle plant instrumentation and control systems with applicable IEEE criteria. General Conformance to IEEE Criteria Conformance to IEEE 317-1972 IEEE 317-1972, "IEEE Standard for Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations," provides an acceptable method of complying with Appendix B and General Design Criterion 50 of Appendix A to 10 CFR 50 with respect to mechanical, electrical, and test requirements for the design, construction, and installation of electric penetration assemblies in containment structures for water-cooled nuclear power plants, subject to the following qualifications:

a. Section 4 should be supplemented as follows: the electric penetration assembly should be designed to withstand, without loss of mechanical integrity, the maximum possible fault current versus time conditions (which could occur because of single random failures of circuit overload protection devices) within the two leads of any one single-phase circuit or the three leads of any one three-phase circuit. Incorporating adequate self-fusing characteristics within the penetration conductors themselves constitutes an acceptable design approach. Where self-fusing characteristics are not incorporated, the circuit overload protection system should conform to the criteria of IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations" (also designated ANSI N 42.7-1972).

b. The maximum containment pressure to be specified in accordance with Section 4.3 should be construed as being synonymous with maximum containment internal pressure as defined in Footnote 1 to Article NE3000 of Section III of the ASME Boiler and Pressure Vessel Code (Summer 1972 Addenda).

c. The specific applicability or acceptability of the codes, standards, and guides referenced in Section 3 will be covered separately in other guides where appropriate.

7.A.1-1 REV. 13

LSCS-UFSAR

d. Section 8 should be supplemented as follows: the quality assurance requirements for the design, construction, installation, and testing of electric penetration assemblies shall be in accordance with the requirements set forth in ANSI N 45.2-1971, "Quality Assurance Program Requirements for Nuclear Power Plants," and ANSI N 45.2.4-1972, "Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations" (also designated IEEE 336-1971).

Conformance to IEEE 323-1971 Written procedures and responsibilities are developed for the design and qualification of all Class 1 electric equipment. This includes preparation of specifications, qualification procedures, and documentation for Class 1 equipment. Qualification testing or analysis is accomplished prior to release of the engineering design for production. Standards manuals are maintained containing specifications, practices, and procedures for implementing qualification requirements, and an auditable file of qualification documents is available for review. Conformance to IEEE 336-1971 Specifications, where applicable, include requirements for conformance to IEEE 336 and will be submitted with test results. Conformance to IEEE 338-1971 This discussion is presented on a system basis in the analysis portions of Sections 7.A.2, 7.A.3, 7.A.4 and 7.A.5. 7.A.1-2 REV. 13

LSCS-UFSAR 7.A.2 REACTOR PROTECTION SYSTEM 7.A.2.1 Criteria for Protection Systems for Nuclear Power Generating Stations (IEEE 279-1971) 7.A.2.1.1 Scram Discharge Volume High Water Level Scram General Functional Requirement (IEEE 279, Par. 4.1) The purpose of the scram discharge volume high-water-level scram trip is to assure that adequate volume remains to accommodate the water discharged from the withdrawn control rod drives in the event that a reactor scram occurs. The water level setpoint is set such that sufficient volume remains to accomplish any subsequent reactor scram. Due to the hydraulic design of the piping and the volume, the rate of change of water level is relatively slow and is assumed to be negligible in terms of its transient influence on the sensor. The only response time imposed upon the sensor is that the electrical contact open within 1 second after the water level has risen to the setpoint value. Single-Failure Criterion (IEEE 279, Par. 4.2) The scram discharge volume high-water-level scram trip meets the single-failure criterion. The four sensors are divided into two groups. The A and B sensors are connected to one process tap, and the C and D sensors are connected to another process tap. The two process taps are separated and isolated in their physical connections to the discharge volume. Wiring from each sensor to the control room relay cabinets is run in a separate rigid conduit to maintain the electrical and physical separation of the sensor trip channels. A separate distinct trip channel relay is provided for each sensor. These relays are separated from one another by cabinet wall barriers to maintain independence from the trip channels. Quality of Components and Modules (IEEE 279, Par. 4.3) These components have been previously used successfully in all GE BWR power plants for this function. 7.A.2-1 REV. 13

LSCS-UFSAR Equipment Qualification (IEEE 279, Par. 4.4) Vendor qualification is required to prove that the component will perform in accordance with the requirements listed on the purchase specification. These are based on the intended application. This qualification, augmented by the existing field experience with these components in this application, serves to qualify these components. GE Nuclear Energy Division conducts qualification tests of the relay panels to confirm their adequacy for this service. In situ operational testing of these sensors, channels, and the entire protection system will be performed at the project site during the preoperational test phase. Channel Integrity (IEEE 279, Par. 4.5) The channel components are specified to operate under normal and abnormal conditions of environment, energy supply, malfunctions, and accidents. Channel Independence (IEEE 279, Par. 4.6) The four trip channels are physically separated and electrically isolated to meet this design requirement. Control and Protection System Interaction (IEEE 279, Par. 4.7) The four trip channels comply with this design requirement. Each trip channel output relay uses two contacts (in series) within the RPS trip logic. One additional contact on each relay is wired to a common annunciator in the control room. There is no single failure that will prevent proper functioning of this protection system when such action is required. Derivation of System Inputs (IEEE 279, Par. 4.8) The measurement of discharge volume water level is an appropriate variable for this protective function. The desired variable is "available volume" to accommodate a reactor scram. However, the measurement of consumed volume is sufficient to infer the amount of remaining available volume, since the total volume is a fixed, predetermined value established by the design. 7.A.2-2 REV. 14, APRIL 2002

LSCS-UFSAR Capability for Sensor Checks (IEEE 279, Par. 4.9) During reactor operation, the discharge volume level switches may be tested by using the locked instrument valves in proper sequence in conjunction with quantities of demineralized water. The test procedure is similar to the calibration procedure for this protective equipment. Capability for Test and Calibration (IEEE 279, Par. 4.10) The test of the level switches associated with discharge volume water level measurement can be performed during full power operation. At plant shutdown, the level switches may be calibrated by introducing a fixed volume of water into the discharge volume and observing that all level switches operate at the appropriate volumetric levels. Channel Bypass or Removal from Operation (IEEE 279, Par. 4.11) Individual level switches may be removed from service under administrative control described in the preceding test procedure. Since only one level switch associated with reactor scram is valved out of service at any given time, and since the test interval to confirm proper level switch response is relatively short, the protective function is maintained by means of the one level switch in service on one of the trip systems and the two level switches in service on the other trip system. Furthermore, the operator can ascertain that the discharge volume is empty prior to the start of any single level switch test. Operating Bypasses (IEEE 279, Par. 4.12) An operating bypass is provided in the control room to enable the operator to bypass the trip outputs. Control of this bypass is achieved through administrative means, and its only purpose is to permit reset of the RPS following reactor scram. Compliance of this bypass function with IEEE 279 is described in Subsection 7.A.2.1.13 dealing with trip bypass functions. Indication of Bypasses (IEEE 279, Par. 4.13) Operating bypasses are annunciated in the main control room by the discharge volume high water level trip bypass annunciator. The control room operator must exercise control judgment over valving one level switch out of service at a time during the periodic test of the trip channel level switches. When the level switch is placed in its tripped condition as a result of the test, the operator is informed of the trip by the discharge volume high-water-level trip annunciator and the trip channel identification logged by the annunciator system. 7.A.2-3 REV. 13

LSCS-UFSAR The discharge volume high-water-level, trip-bypassed annunciator provides the operator with indication that one or more operating bypass channels have been placed into effect. Manual bypasses are indicated in the control room on the ESF status indication panel as described in Section 7.8. Access to Means for Bypassing (IEEE 279, Par. 4.14) All instrumentation valves associated with the periodic testing of individual level switches are either locked-open or locked-closed valves depending upon their normal state. The operator has direct control of these valves. Multiple Setpoints (IEEE 279, Par. 4.15) This design requirement is not applicable to this protective function. Completion of Protective Action Once It Is Initiated (IEEE 279, Par. 4.16) The level switches trip at the setpoint value and remain in a tripped condition as long as the water level exceeds the setpoint value. Hence, the trip channel output to the RPS trip logic will be in its tripped state whenever the setpoint is exceeded. It is necessary only that the process sensors remain in a tripped condition for a sufficient amount of time to deenergize the scram contactors and open the seal-in contact in the trip logic associated with the scram contactors. Once this action is accomplished, the trip actuator logic initiates reactor scram regardless of the state of the process sensors that initiated the sequence of events. Manual Initiation (IEEE 279, Par. 4.17) This design requirement is not applicable to this protective function. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279, Par. 4.18) Access to the scram discharge volume high water level instruments for calibration is anticipated during reactor operation and is under administrative control. Identification of Protective Actions (IEEE 279, Par. 4.19) Any one of the four level switches will initiate a control room annunciator when the trip setpoint has been exceeded. Identification that the particular trip channel has exceeded its setpoint is accomplished as a typed record from the annunciator system or visual observation of the relay contacts at the RPS panels. 7.A.2-4 REV. 14, APRIL 2002

LSCS-UFSAR Information Readout (IEEE 279, Par. 4.20) The data presented to the operator is annunciation of a scram discharge volume high water level trip and that the scram logic has been actuated. System Repair (IEEE 279, Par. 4.21) Because the water level measurement and its one-to-one relationship between a given level switch and its associated trip channel output relay are inherently simple, the design facilitates maintenance of this protective function. Identification of Protection Systems (IEEE 279, Par. 4.22) Each system cabinet is marked with the words "Reactor Protection System," and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinets is identified specifically as reactor protection system wiring. 7.A.2.1.2 Main Steamline Isolation Valve Closure Scram Trip General Functional Requirement (IEEE 279, Par. 4.1) The purpose of the main steamline isolation valve closure scram trip is to protect the reactor whenever its link to the heat sink (turbine or condenser) is in the process of being removed. The valve stem position of each main steamline isolation valve is monitored by limit switches. The limit switch setpoint is set at 8% or less, valve motion away from the full open position. In this way, the instrument channel signals the reactor protection system to anticipate imminent closure of the isolation valves, and the response time of the switch contacts is specified to be less than or equal to 10 msec after the valve has reached its setpoint position. Each division logic receives inputs from both valves in two main steamlines. The logic arrangement is established to enhance frequent testing of these valves without causing a half scram (trip of one of the two pilot solenoids on each scram valve) for each valve test. The chosen logic arrangement is labeled as "three-out-of-four" steamlines isolated to produce reactor scram, rather than the general one-out-of-two twice arrangement characteristic of the GE BWR. Single-Failure Criterion (IEEE 279, Par. 4.2) The main steamline isolation valve closure scram trip meets the single-failure criterion. 7.A.2-5 REV. 14, APRIL 2002

LSCS-UFSAR Each main steam isolation valve was originally designed to use a limit switch junction box in close proximity to the valve. However, the use of these junction boxes was eliminated and individual conduits were run directly to the switches. One switch is used with the RPS A trip system, and the other switch is used with the RPS B trip system. Failure of any single limit switch will thus not prevent proper protection system operation when it is required. For the eight instrument channels utilizing 16 limit switches, an attempt has been made to diversify the assignment of limit switch contacts so as to minimize the effect of any common mode failure affecting the same contact of each switch. One limit switch associated with the inboard valve in one main steamline is connected in series with one limit switch associated with the outboard valve in that same main steamline. The valve opening contacts energize a trip channel relay whenever both valves in the main steamline are open 92% or less. Wiring from the limit switch on each valve to the control room RPS relay panels is required to be run in two separate conduits, one for each contact of the limit switch, to maintain the necessary electrical and physical separation. The two relays associated with any one trip logic (for example relays A and E of the A1 trip logic) are located in one panel that is physically and electrically separated from the panels containing the other trip logic circuits. Quality of Components and Modules (IEEE 279, Par. 4.3) These components have been successfully used in all GE BWR power plants for this function. Equipment Qualification (IEEE 279, Par. 4.4) Vendor qualification is required to prove that these components will perform in accordance with the requirements listed on the purchase specification for the intended application. This qualification, augmented by existing field experience with these components in this application, suffices to qualify the parts. GE Nuclear Energy Division conducts qualification tests of the relay panels to confirm their adequacy. In situ operational testing of the limit switches and other channel components will be performed at the site during the preoperational test phase. Channel Integrity (IEEE 279, Par. 4.5) The channel components are designed to be operable under normal and abnormal conditions of environment, energy supply, malfunctions, and accidents. 7.A.2-6 REV. 13

LSCS-UFSAR Channel Independence (IEEE 279, Par. 4.6) The eight trip channels are physically separated and electrically isolated to meet this design requirement. Control and Protection System Interaction (IEEE 279, Par. 4.7) The eight trip channels comply with this requirement. The limit switches calling for RPS use are routed through separate conduit connections relative to the other limit switches used for indicator lights in the control room. After the cabling emerges from the limit switch, it is routed separately from any other cabling in the plant to the RPS panels in the control room. Each trip channel output relay uses two contacts (in series) within the RPS trip logic. One additional contact on each relay is wired to a common annunciator in the control room. There is no single failure that will prevent proper functioning of this protective equipment when such action is required. Interlocks exist to control systems only through isolation devices such that no failure or combination of failures in the control system will have any effect on the reactor protection system. Derivation of System Inputs (IEEE 279, Par. 4.8) The measurement of main steamline isolation valve position is an appropriate variable for the reactor protection system. The desired variable is "loss of the reactor heat sink"; however, isolation valve closure is the logical variable to infer that the steam path has been blocked between the reactor and the heat sink. It should be noted that other valves in this steam path, such as turbine stop valves, etc., are also monitored by the reactor protection system to assure proper response of the reactor to path blockages downstream of the main steamline isolation valves. Capability for Sensor Checks (IEEE 279, Par. 4.9) A specific test procedure will cause the limit switches to operate at the setpoint value of the valve position. The logic of four instrument channel logics is as follows:

a. Al (tripped) = Inboard or outboard valve partially closed in MSL-A, and inboard or outboard valve partially closed in MSL-B; 7.A.2-7 REV. 13

LSCS-UFSAR

b. A2 (tripped) = Inboard or outboard valve partially closed in MSL-C, and inboard or outboard valve partially closed in MSL-D;

c. Bl (tripped) = Inboard or outboard valve partially closed in MSL-A, and inboard or outboard valve partially closed in MSL-C; and

d. B2 (tripped) = Inboard or outboard valve partially closed in MSL-B, and inboard or outboard valve partially closed in MSL-D.

For any single valve closure test, two of the eight instrument channels will be placed in a tripped condition, but none of the channel logics will be tripped, and no RPS annunciation or computer logging will occur. This arrangement permits single valve testing without corresponding tripping of the RPS. The observation that no RPS trips result is a valid and necessary test result. At reduced power levels, two valves may be tested in sequence to produce RPS trips, annunciation of the trips, and computer logging of the trip channel identification. For example, closure of one valve in main steamline A and another valve in main steamline B will produce an A1 trip logic trip and should not produce trips in the B1 or B2 channel logic circuits. These observations are another important test result that confirms proper RPS operation. Each possible combination of single valve closure and switch operation is performed in sequence to confirm proper operation of all eight instrument channels. These test results confirm that the valve limit switches operate as the valves are manually closed. Capability for Test and Calibration (IEEE 279, Par. 4.10) During reactor shutdown, calibration of the main steamline isolation valve limit switch setpoint at a valve position of less than or equal to 8% closure is possible by physical observation of the valve stem. During plant operation, the operator can confirm that the limit switches operate during valve motion, from full open to full closed and vice versa, by comparing the time that the RPS trip occurs with the time that the valve position indicator lights in the control room signal that the valve is fully open and fully closed. This test does not confirm the exact setpoint, but does provide the operator with an indication that the limit switch operates between the limiting positions of the valve. 7.A.2-8 REV. 16, APRIL 2006

LSCS-UFSAR Channel Bypass or Removal from Operation (IEEE 279, Par. 4.11) Due to the use of valve limit switches, it is not possible for the operator to remove an instrument channel from service. Limit switch testing is an integral part of the main steamline isolation valve test. Operating Bypasses (IEEE 279, Par. 4.12) An operating bypass is provided for this RPS protective function. This bypass requires that the reactor system mode switch, which is under the direct control of the operator, be placed in other than the RUN position. The only purpose of this bypass is to permit the reactor protection system to be placed in its normal energized state for operation at low power levels with the main steamline isolation valves not fully open. Compliance of this trip bypass function with IEEE 279 is described in Subsection 7.A.2.1.14 dealing with trip bypass functions. Indication of Bypasses (IEEE 279, Par. 4.13) The main steamline isolation valve closure trip bypass annunciators provide the operator with the indication that one or more operating bypass channels have been placed into effect for this RPS protective function. The switches that bypass the main steam differential temperature isolation signals are provided with alarm indication in the main control room whenever the switches are turned to the "bypass" position. A total of two alarms are provided, one per ESF division. Access to Means for Bypassing (IEEE 279, Par. 4.14) Compliance of the operating bypass is discussed in the subsection dealing with trip bypass functions. Multiple Setpoints (IEEE 279, Par. 4.15) This design requirement is not applicable to this protective function. Completion of Protective Action Once It Is Initiated (IEEE 279, Par. 4.16) The limit switches trip at the fixed setpoint value and remain in that condition for valve positions between 92% open and the fully closed position. Hence, the trip channel output to the RPS logic is in its tripped state whenever the setpoint is exceeded. It is necessary only that the process sensors remain in a tripped condition for a sufficient amount of time to deenergize the scram contactors. Once this action is 7.A.2-9 REV. 13

LSCS-UFSAR accomplished, the trip actuator logic proceeds to initiate reactor scram regardless of the state of the process sensors that initiated the sequence of events. Manual Initiation (IEEE 279, Par. 4.17) This design requirement is not applicable to this protective function. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279, Par. 4.18) Access to the process limit switch inputs is not possible during reactor operation due to the ambient temperature and radiation conditions. Identification of Protective Actions (IEEE 279 Par. 4.19) Partial or full closure of any main steamline valve causes a change in the status of position indicator lights in the control room. These indications are not a part of the reactor protection system, but they do provide the operator with valid information pertinent to the valve status. Partial or full closure of one or both valves in a particular set of two main steamlines initiates a control room annunciator when the trip setpoint has been exceeded. This same condition permits identification of the tripped trip channels in the process computer or visual inspection of the relay contacts at the RPS panels. Information Readout (IEEE 279, Par. 4.20) The data presented to the operator is both annunciation and relay position indication of a MSIV closure scram trip and that the scram logic has been actuated. System Repair (IEEE 279, Par. 4.21) Due to the inherent simplicity of the valve limit switch for the process sensor and the relationship of one limit switch contact for the inboard valve and one limit switch for the outboard valve feeding one trip channel output relay, the design of the system facilitates maintenance of this protective function. During power operation, it may be necessary to reduce power in order to close valves in more than one main steamline. With this arrangement, a sequence of valve tests will permit the operator to determine fully a defective component or to isolate the difficulty to one of two limit switches in a given main steamline. 7.A.2-10 REV. 16, APRIL 2006

LSCS-UFSAR Identification of Protection Systems (IEEE 279, Par. 4.22) Each system cabinet is marked with the words "Reactor Protection System," and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinets is identified as part of the reactor protection system wiring. 7.A.2.1.3 Turbine Stop Valve Closure Scram General Functional Requirements (IEEE 279, Par. 4.1) The purpose of the turbine stop valve closure scram trip is to protect the reactor whenever its link to the heat sink is in the process of being removed. The valve stem position of each turbine stop valve is monitored by limit switches. The limit switch setpoint is set at 6% or less valve motion away from the full open position. In this way the instrument channel signals to the reactor protection system anticipate imminent closure of the stop valves, and the response time of the switch contacts is specified to be less than 10 msec after the valve has reached the setpoint position. Each division logic receives inputs from two stop valves. The logic arrangement is established to enhance frequent testing of these valves without causing a half scram (trip of one of the two pilot solenoids on each scram valve) for each valve test. The chosen logic is labeled as three-out-of-four stop valve closures to produce reactor scram rather than the general one-out-of-two-twice arrangement characteristic of the GE BWR. Single-Failure Criterion (IEEE 279, Par. 4.2) The turbine stop valve closure scram trip meets the single-failure criterion. Physical separation of individual switch boxes is on the order of 56 inches for a typical plant. Operation of one turbine stop valve for test purposes will not result in an RPS trip. Partial or full closure of three turbine stop valves will initiate reactor shutdown if the initial operating power level is greater than or equal to 25% of rated core thermal power. Wiring from the limit switch junction box for each stop valve is run so as to maintain the necessary electrical and physical separation. 7.A.2-11 REV. 17 APRIL 2008

LSCS-UFSAR Quality of Components and Modules (IEEE 279, Par. 4.3) Highly reliable components have been selected for the limit switches and relays. Equipment Qualification (IEEE 279, Par. 4.4) Vendor qualification is required to prove that these components will perform in accordance with the requirements listed on the purchase specification for the intended application. This qualification, augmented by field experience with these components in this application, serves to qualify the parts. GE Nuclear Energy Division conducts qualification tests of the relay panels to confirm their adequacy for this application. In situ operational testing of the limit switches and other channel components was performed at the site during the preoperational test phase. Channel Integrity (IEEE 279, Par. 4.5) The channel components are designed to be operable under normal and abnormal conditions of environment, energy supply, malfunctions, and accidents. Channel Independence (IEEE 279, Par. 4.6) The eight trip channels are physically separated and electrically isolated to meet this design requirement. Control and Protection System Interaction (IEEE 279, Par. 4.7) The eight trip channels comply with this design requirement. The limit switch cables for RPS use are routed through separate conduit connections relative to the other limit switch contacts used for indicator lights and turbine control purposes. After the cabling emerges from the limit switch junction box for each turbine stop valve, it is routed separately from any cabling in the plant to the RPS panels in the control room. Each trip channel output relay uses two contacts (in series) within the RPS trip logic. One additional contact on each relay is wired to a common annunciator in the control room. There is no single failure that will disable this protective function when it is required. Interlocks exist to control systems only through isolation devices such that no failure or combination of failures in the control system will have any effect on the reactor protection system. 7.A.2-12 REV. 13

LSCS-UFSAR Derivation of System Inputs (IEEE 279, Par. 4.8) The measurement of turbine stop valve position is an appropriate variable for this RPS protective function. The desired variable is "loss of the reactor heat sink." However, stop valve closure is the logical variable to infer that the steam path has been blocked between the reactor and the heat sink. Capability for Sensor Checks (IEEE 279, Par. 4.9) The logic of the four instrument channel logics is as follows:

a. A1 (tripped) = Turbine Stop Valve 1 partially closed, and Turbine Stop Valve 2 partially closed;

b. A2 (tripped) = Turbine Stop Valve 3 partially closed, and Turbine Stop Valve 4 partially closed;

c. B1 (tripped) = Turbine Stop Valve 1 partially closed, and Turbine Stop Valve 3 partially closed; and

d. B2 (tripped) = Turbine Stop Valve 2 partially closed, and Turbine Stop Valve 4 partially closed.

For any single stop valve closure test, two of the eight instrument channels will be placed in a tripped condition, but none of the channel logics will be tripped, and no RPS annunciation or computer logging will occur. This arrangement permits single valve testing without corresponding tripping of the RPS, and the observation that no RPS trips result is a valid and necessary test result. At power levels which are reduced but greater than or equal to 25% of rated core thermal power, two valves may be tested in sequence to produce RPS trips, annunciation of the trips, and computer printout of the trip channel identification. These observations are another important test result that confirms proper RPS operation. In sequence, each possible combination of single valve closure and switch operation is performed to confirm proper operation of all eight instrument channels. Capability for Test and Calibration (IEEE 279, Par. 4.10) During reactor shutdown, calibration of the setpoint of the turbine stop valve limit switch at a valve position of less than or equal to 8% closure is possible by physical observation of the valve stem. 7.A.2-13 REV. 16, APRIL 2006

LSCS-UFSAR During plant operation, the operator can confirm that the limit switches operate during valve motion from full open to full closed, and vice versa, by comparing the time that the RPS trip occurs with the time that the valve position lights in the control room signal showing that the valve is fully open or fully closed. This test does not confirm the exact setpoint but does provide the operator with an indication that the limit switch operates between the limiting positions of the valve. Channel Bypass or Removal from Operation (IEEE 279, Par. 4.11) The eight trip channels meet this design requirement. Because of the use of valve limit switches, it is not possible for the operator to remove a trip channel from service. Limit switch testing is an integral part of the turbine stop valve test. Operating Bypasses (IEEE 279, Par. 4.12) An operating bypass is provided for this protective function in that the turbine stop valve trip output will not be operable whenever the turbine is operating at an initial power level below 25% of rated core thermal power. The only purpose of the bypass is to permit the reactor protection system to be placed in its normal energized state for operation at low power levels with the turbine stop valves not fully open. Compliance of this trip bypass function with IEEE 279 is described in Subsection 7.A.2.1.15 dealing with trip bypass functions. Indication of Bypasses (IEEE 279, Par. 4.13) The turbine stop and control valve fast-closure trips bypassed annunciator provides the operator with indication that one or more operating bypass channels have been placed into effect. Access to Means for Bypassing (IEEE 279, Par. 4.14) No manual controls are provided in the system design for bypass of the RPS function. Multiple Setpoints (IEEE 279, Par. 4.15) This design requirement is not applicable to this protective function. Completion of Protective Action Once It Is Initiated (IEEE 279, Par. 4.16) The limit switches trip at the fixed setpoint value and remain in that condition for valve positions between the trip set point and fully closed. Hence, the trip channel output to the RPS logic is in its tripped state whenever the setpoint is exceeded. 7.A.2-14 REV. 16, APRIL 2006

LSCS-UFSAR It is only necessary that the process sensors remain in a tripped condition for a sufficient amount of time to deenergize the scram contactors and open the seal-in contact in the trip logic associated with the scram contactors. Once this is accomplished, the trip actuator logic initiates reactor scram regardless of the state of the process sensors that initiated the sequence of events. Manual Initiation (IEEE 279, Par. 4.17) This design requirement is not applicable to this protective function. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279, Par. 4.18) Access to the limit switches is not anticipated during reactor operation due to ambient environmental conditions. The reactor operator is permitted full access to the turbine stop valve test controls, since motion of the valve during this test produces a valid sensor response. Identification of Protective Actions (IEEE 279, Par. 4.19) Partial or full closure of any turbine stop valve is indicated by valve position indicator lights in the control room. These indications are not a part of the RPS, but they do provide the operator with valid information pertinent to the valve status. An RPS channel logic trip due to partial or full closure of turbine stop valves initiates a control room annunciator when the trip point has been exceeded. This same condition permits identification of the tripped instrument channels in the process computer or by visual observation of the channel trip device in the logic cabinets. Information Readout (IEEE 279, Par. 4.20) The data presented to the operator is both annunciation and relay position indication of turbine stop valve closure scram trip and that the scram logic has been actuated. System Repair (IEEE 279, Par. 4.21) Because of the inherent simplicity of the valve limit switch for the process sensor and the relationship of a limit switch contact with its associated channel logic, the design of the system facilitates maintenance of the protective function. During power operation, it may be necessary to reduce power in order to close more than one turbine stop valve in order to accomplish a specific RPS test. The sequence of tests permits the operator to determine a defective limit switch contact or instrument channel logic device. 7.A.2-15 REV. 16, APRIL 2006

LSCS-UFSAR Identification of Protection Systems (IEEE 279, Par. 4.22) Each system cabinet is marked with the words "Reactor Protection System," and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinets is identified as part of the reactor protection system wiring. 7.A.2.1.4 Turbine Control Valve Fast Closure Scram General Functional Requirement (IEEE 279, Par. 4.1) The purpose of the turbine control valve fast closure scram is to protect the reactor whenever its link to the heat sink is in the process of being removed. Turbine control valve fast closure is monitored by pressure switches mounted on the EHC oil lines. The control valve fast closure pressure switches must provide RPS inputs within 30 msec after the control valves start their rapid closure. The logic arrangement is the one-out-of-two twice form characteristic of the GE BWR, since the expected test frequency for the generator load rejection sensing portion of the turbine control system is less than that anticipated for the turbine stop valve equipment. Single Failure Criterion (IEEE 279, Par. 4.2) The turbine control valve fast closure scram meets the single-failure criterion. One of the four pressure switches is used in each RPS instrument channel. Quality of Components and Modules (IEEE 279, Par. 4.3) The pressure switch used is of high quality and reliability. Equipment Qualification (IEEE 279, Par. 4.4) Vendor qualification is required to prove that these components will perform in accordance with the requirements listed on their purchase specification for the intended application for the devices. This qualification, augmented by existing field experience with these components in this application, will serve to qualify the parts. GE Nuclear Energy Division conducts qualification tests of the logic cabinets including mounted components to confirm their adequacy for this application. In situ operational testing of the devices and other channel components was performed at the site during the preoperational test phase. 7.A.2-16 REV. 13

LSCS-UFSAR Channel Integrity (IEEE 279, Par. 4.5) The channel components are designed to be operable under normal and abnormal conditions of environment, energy supply, malfunction, and accidents. Channel Independence (IEEE 279, Par. 4.6) The instrument channels are physically separated and electrically isolated to meet this design requirement. Control and Protection System Interaction (IEEE 279, Par. 4.7) All trip channels of this protective function comply with this design requirement. Pressure switch contacts for RPS use are routed separately relative to other contacts of these devices used for indicator lights and turbine control purposes. After the cabling emerges from the junction boxes, it is routed in Class lE wireways to the logic cabinets in the control room. One contact from each instrument channel logic device goes to the annunciator system in the control room. For these configurations, there is no single failure that will prevent proper functioning of this protective function when such action is required. Interlocks exist to the control systems only through isolation devices such that no failure or combination of failures in the control system will have any effect on the reactor protection system. Derivation of System Inputs (IEEE 279, Par. 4.8) Due to the normal throttling action of the turbine control valves with changes in the plant power level, measurement of control valve position is not an appropriate variable for this protective function. The desired variable is "rapid loss of the reactor heat sink;" consequently, some measurement of control valve closure rate is indicated. Protection system design practice has discouraged use of rate-sensing devices for protective purposes. In this instance, it was determined that detection of hydraulic actuator operation is a more positive means of determining fast closure of the control valves. 7.A.2-17 REV. 13

LSCS-UFSAR Loss of hydraulic pressure in the EHC oil lines is monitored to initiate fast closure of the control valves. These measurements provide indication that fast closure of the control valves is imminent. This measurement is considered an adequate and proper variable for the protective function taking into consideration the reliability of the chosen sensors relative to other available sensors and the difficulty in making direct measurements of control valve fast closure rate. Capability for Sensor Checks (IEEE 279, Par. 4.9) During the control-valve fast-closure test, the RPS channels are tested using method five discussed in Section 7.2.2.10 above which will prevent an actual RPS channel trip from occurring. The four RPS instrument logics are arranged as follows, assuming initial operation above at greater than or equal to 25% of rated core thermal power:

a. A1 (tripped) = Pressure Switch A loss of oil pressure,

b. A2 (tripped) = Pressure Switch C loss of oil pressure,

c. Bl (tripped) = Pressure Switch B loss of oil pressure, and

d. B2 (tripped) = Pressure Switch D loss of oil pressure.

During plant operation, the individual pressure switches may be valved out of service, and the turbine control system may be used to operate the turbine bypass valves so as to perform a periodic test of the RPS inputs and channel logic. Capability for Test and Calibration (IEEE 279, Par. 4.10) Actual calibration of the setpoint can only be accomplished at plant shutdown. Channel Bypass or Removal from Operation (IEEE 279, Par. 4.11) The four instrument channels comply with this design requirement. They utilize pressure switch contacts as the process input, and administrative controls are imposed to ensure that each channel is returned to service following its being valved out of service during periodic tests. Operating Bypasses (IEEE 279, Par. 4.12) An operating bypass is provided for the control valve fast closure function, since the trip will not be operable whenever the turbine is operating at an initial power level 7.A.2-18 REV. 14, APRIL 2002

LSCS-UFSAR of less than 25% of rated core thermal power. Compliance of this trip bypass function with IEEE 279 is described in Subsection 7.A.2.1.15 dealing with trip bypass functions. Indication of Bypasses (IEEE 279, Par. 4.13) The turbine stop and control valve fast closure trips bypassed annunciator provides the operator with indication that the operating low power bypass has been placed into effect for this protective function. During turbine control valve fast closure testing, manual bypasses are indicated in the control room on the ESF status indication panel as described in Section 7.8. Access to Means for Bypassing (IEEE 279, Par. 4.14) The operating low power bypass for both configurations is discussed in Subsection 7.A.2.1.15 dealing with trip bypass functions. Multiple Setpoints (IEEE 279, Par. 4.15) This design requirement is not applicable to this protective function. Completion of Protective Action Once It Is Initiated (IEEE 279, Par. 4.16) The instrument channels on the EHC oil line pressure remain in a tripped condition until the sensed oil pressure is restored. For each of these inputs, it is necessary only that the instrument channel sensors remain in a tripped condition in excess of the logic time delay to seal in the tripped condition. Once this action is accomplished, the actuator logic proceeds to initiate reactor scram regardless of the state of process sensors that initiated the sequence of events. Manual Initiation (IEEE 279, Par. 4.17) This design requirement is not applicable to this protective function. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279, Par. 4.18) Testing of the instrument channels is accomplished with the turbine test controls that are fully accessible to the reactor operator during plant operation. 7.A.2-19 REV. 14, APRIL 2002

LSCS-UFSAR Identification of Protective Actions (IEEE 279, Par. 4.19) Any time EHC oil line pressure exceeds the setpoint, control room annunciators will be initiated for that protective function and identification of the tripped instrument channels will be provided in the process computer. Information Readout (IEEE 279, Par. 4.20) The data presented to the operator is annunciation of turbine control valve fast closure scram trip and that the scram logic has been actuated. System Repair (IEEE 279, Par. 4.21) During the periodic test, the operator can determine any defective component and replace it during plant operation. Identification of Protection Systems (IEEE 279, Par. 4.22) Each system cabinet is marked with the words "Reactor Protection System," and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinets is identified as part of the reactor protection system wiring. 7.A.2.1.5 Reactor Vessel Low Water Level Scram Trip General Functional Requirement (IEEE 279, Par. 4.1) The purpose of the reactor vessel low water level scram trip is to protect the reactor from being uncovered as a result of falling water level in the vessel. Reactor vessel low water level is monitored by four differential pressure transmitters mounted on separate instrument lines. Each transmitter provides an input signal to a trip unit in one of the four RPS channels. The normal reactor vessel water level is between 30 and 40 inches above the trip setpoint, and the trip signal input to the reactor protection system must occur within 1 second after the level has just exceeded the fixed setpoint. The logic arrangement is the normal GE BWR one-out-of-two twice configuration. Single-Failure Criterion (IEEE 279, Par. 4.2) The reactor vessel low water level scram trip meets this design requirement. Wiring from one differential pressure transmitter/trip unit is run separately from the wiring associated with the other differential pressure transmitters/trip units on the other instrument line. 7.A.2-20 REV. 16, APRIL 2006

LSCS-UFSAR Quality of Components and Modules (IEEE 279, Par. 4.3) The level transmitter and trip unit are highly reliable and of high quality. Equipment Qualification (IEEE 279, Par. 4.4) Vendor certification is required that these components will perform in accordance with the requirements listed in the purchase part drawing for the intended application. This certification, in conjunction with field experience with these components in this application, serves to qualify the parts. GE Nuclear Energy Division conducts qualification tests of the relay panels to confirm their adequacy for this application. In situ operational testing of the devices and other channel components was performed at the site during the preoperational test phase. Channel Integrity (IEEE 279, Par. 4.5) The channel components are designed to be operable under normal and abnormal conditions of environment, energy supply, malfunctions, and accidents. Channel Independence (IEEE 279, Par. 4.6) The trip channels for this protective function are physically separated and electrically isolated to meet this design requirement. Control and Protection System Interaction (IEEE 279, Par. 4.7) All trip channels of this protective function comply with this design requirement. Electrical cables for RPS use are routed through separate conduit runs. Each trip channel output relay uses two contacts (in series) within the RPS trip logic. One additional contact on each relay is wired to a common annunciator in the control room. There is no single failure that will prevent proper functioning of this protective function when such action is required. The system does not interlock to control systems. 7.A.2-21 REV. 13

LSCS-UFSAR Derivation of System Inputs (IEEE 279, Par. 4.8) Actual water level is the desired variable, and the selected sensors monitor this variable directly. Capability for Sensor Checks (IEEE 279, Par. 4.9) Because of the normal one-out-of-two twice configuration of the RPS logic for this protective function, one level transmitter and/or trip unit may be removed from service to perform the periodic test on any trip channel. The transmitter can be checked for operability by valving it out from the sensing lines and applying a test pressure source. The trip units in the control room can be checked separately by applying a calibration signal and verifying the setpoint. Capability for Test and Calibration (IEEE 279, Par. 4.10) During calibration, a variable differential pressure is applied to the differential pressure transmitter and is measured with a highly accurate precalibrated test gauge. Then the operation of the trip unit and indicator scale may be checked against the scale reading of the test gauge. Channel Bypass or Removal from Operation (IEEE 279, Par. 4.11) During periodic test of any one trip channel, the level transmitter and/or trip unit is removed from service and is returned to service under administrative control procedures. Since only one level transmitter and/or trip unit is removed from service at any given time during the test interval, protective capability is maintained through the remaining instrument channels. Operating Bypasses (IEEE 279, Par. 4.12) This design requirement is not applicable to this protective function. Indication of Bypasses (IEEE 279, Par. 4.13) When an instrument is bypassed, the bypass is annunciated in the control room and indicated on the logic cabinets. Manual bypasses are also indicated in the control room on the ESF status indication panel as described in Section 7.8. 7.A.2-22 REV. 13

LSCS-UFSAR Access to Means for Bypassing (IEEE 279, Par. 4.14) During the periodic test, administrative control procedures must be followed to remove one level transmitter and/or trip unit from service and subsequently return it to service. Since no operating bypasses are available for this protective function, this design requirement does not apply. Multiple Setpoints (IEEE 279, Par. 4.15) This design requirement is not applicable to this protective function. Completion of Protective Action Once It Is Initiated (IEEE 279, Par. 4.16) The instrument channels remain in a tripped condition as long as the indicated water level is less than the established setpoint. For these inputs, it is necessary only that the instrument channels remain in a tripped condition in excess of the logic time delay to seal in the trip condition. Once this action is accomplished, the actuator logic proceeds to initiate reactor scram regardless of the state of the process sensors that initiated the sequence of events. Manual Initiation (IEEE 279, Par. 4.17) This design requirement is not applicable to this protective function. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279, Par. 4.18) Access to the reactor vessel water level instrument is anticipated during reactor operation and is under administrative control of the plant personnel. Identification of Protective Actions (IEEE 279, Par. 4.19) Actuation of any level sensor to produce a tripped condition initiates a control room annunciator and produces a record of identification of the trip channel in the process computer. Information Readout (IEEE 279, Par. 4.20) The data presented to the operator is annunciation of reactor vessel low water level scram trip and that the scram logic has been actuated. 7.A.2-23 REV. 16, APRIL 2006

LSCS-UFSAR System Repair (IEEE 279, Par. 4.21) The one-to-one relationship between a level sensor and its instrument logic channel permits the plant personnel to identify any component failure during operation of the plant. Provisions have been made to facilitate repair of the channel components during plant operation. Identification of Protection Systems (IEEE 279, Par. 4.22) Each system cabinet is marked with the words "Reactor Protection System," and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinets is identified as part of the reactor protection system wiring. 7.A.2.1.6 Main Steamline High Radiation Scram Trip (Deleted) 7.A.2.1.7 Neutron Monitoring System Scram Trip General Functional Requirement (IEEE 279, Par. 4.1) The purpose of the neutron monitoring system scram trip is to limit the reactor power to an established maximum value. Those portions of the neutron monitoring system that provide a gross power protective function are the average power range monitor (APRM) with flow reference scram and the intermediate range monitor (IRM). The portion that provides power oscillation protective function is the oscillation power range monitor. Single-Failure Criterion (IEEE 279, Par. 4.2) The neutron monitoring system scram trip meets the single-failure criterion. Quality of Components and Modules (IEEE 279, Par. 4.3) The NMS detectors and associated electronic equipment are of high quality and reliability. Equipment Qualification (IEEE 279, Par. 4.4) At the component and module level, the Nuclear Energy Division of General Electric Company has conducted qualification tests to qualify the items for this application. 7.A.2-24 REV. 17, APRIL 2008

LSCS-UFSAR General Electric Company's Nuclear Energy Division conducts qualification tests of the logic cabinets including mounted components to confirm their adequacy for this service. In situ operational testing of the detectors, monitors, channels, and other portions of the reactor protection system was conducted during the preoperational test phase. Channel Integrity (IEEE 279, Par. 4.5) The channel components are designed to be operable under normal and abnormal conditions of environment, energy supply, malfunctions, and accidents. Channel Independence (IEEE 279, Par. 4.6) The eight IRM, six APRM and four OPRM channels (eight modules) are electrically isolated and physically separated from one another to comply with this design requirement. Control and Protection System Interaction (IEEE 279, Par. 4.7) The IRM, APRM and OPRM trip channels for this protective function comply with this design requirement. Within the IRM and APRM modules, prior to their output trip unit driving the RPS, analog outputs are derived for use with control room meters, recorders, and the process computer. Electrical isolation has been incorporated into the design at this interface to prevent any single failure from influencing the protective output from the trip unit. The trip unit outputs are physically separated and electrically isolated from other plant equipment in their routing to the RPS panels. Within the RPS panels, each trip channel output relay uses two contacts in series within the RPS trip logic. One additional contact from each relay is wired to a common annunciator in the control room. There is no single failure of these outputs that will prevent proper protection system action when it is required. Interlocks exist to control systems only through isolation devices such that no failure or combination of failures in the control system will have any effect on the reactor protection system. Derivation of System Inputs (IEEE 279, Par. 4.8) The measurement of neutron flux is an appropriate variable to determine the reactor power relative to a predetermined setpoint. In addition, the OPRM receives 7.A.2-25 REV. 17, APRIL 2008

LSCS-UFSAR reactor coolant flowrate signal from differential pressure transmitters in the reactor coolant recirculation lines. Capability for Sensor Checks (IEEE 279, Par. 4.9) During reactor operation in the RUN mode, the IRM detectors are stored below the reactor core in a low-flux region. Movement of the detectors into the core permits the operator to observe the instrument response from the different IRM channels and confirms that the instrumentation is operable. In the power range of operation, the individual LPRM detectors respond to local neutron flux and provide the operator with an indication that these instrument channels are responding properly. The six APRM channels may also be observed to respond to changes in the gross power level of the reactor to confirm their operation. Each APRM instrument channel may also be calibrated with a simulated signal introduced into the amplifier input, and each IRM instrument channel may be calibrated by introducing an external signal source into the amplifier input. During these tests, proper instrument response may be confirmed by observation of instrument lights in the control room and trip annunciators. Capability for Test and Calibration (IEEE 279, Par. 4.10) The APRM's are calibrated to reactor power by using the reactor heat balance (TIP) system to establish the relative local flux profile. LPRM gain settings are determined from the local flux profiles measured by the TIP system once the total reactor heat balance has been determined. The OPRM provides a means of testing and calibrating the channel logic module and LPRMs. The OPRM functions to perform automatic testing of the individual hardware modules and report any detected failures. Each OPRM channel logic module is capable of automatic and manual testing. The gain-adjustment factors for the LPRM's are produced as a result of the process computer nuclear calculations involving the reactor heat balance and the TIP flux distributions. When incorporated into the LPRM's, these adjustments permit the nuclear calculations to be completed for the next operating interval and establish the APRM calibration relative to reactor power. Channel Bypass or Removal from Operation (IEEE 279, Par. 4.11) A sufficient number of IRM channels has been provided to permit any one IRM channel in a given trip system to be manually bypassed and still ensure that the remaining operable IRM channels comply with the IEEE 279 design requirements. 7.A.2-26 REV. 13

LSCS-UFSAR One IRM manual bypass switch has been provided for each RPS trip system. The mechanical characteristics of this switch permit only one of the four IRM channels of that trip system to be bypassed at any time. In order to accommodate a single failure of this bypass switch, electrical interlocks have also been incorporated into the bypass logic to prevent bypassing of more than one IRM in that trip system at any time. Consequently, with any IRM bypassed in a given trip system, at least two and generally three IRM channels remain in operation to satisfy the protection system requirements. In a similar manner, one APRM manual bypass switch has been provided for each RPS trip system to permit one of the three APRM's to be bypassed at any time. Mechanical interlocks have been provided with the bypass switch, and electrical interlocks have been provided in the bypass circuitry to accommodate the possibility of switch failure. With the maximum number of APRM's bypassed by the switches, sufficient APRM channels remain in operation to provide the necessary protection for the reactor. Also, a sufficient number of OPRM channels (each channel consisting of two modules) have been provided to permit any one OPRM module in a given trip system to be manually bypassed, while still ensuring that the remaining operable OPRM channels comply with the IEEE 279 design requirements. Operating Bypasses (IEEE 279, Par. 4.12) Operating bypass capability is not provided for the neutron monitoring system instrument channels, except for the OPRM channels. The OPRM trip logic is automatically activated when the reactor power and recirculation flow are in the appropriate operating regions of the reactor power/flow map. The OPRM automatically enables its pre-trip and trip alarm outputs upon entry into the high power, low core flow region of the power/flow operating map, thereby ensuring the OPRM system protection function is available as needed. Maintenance, test, or calibration bypasses are accomplished by the manual bypass switches for any IRM or APRM channel during reactor operation. Indication of Bypasses (IEEE 279, Par. 4.13) When any IRM, APRM or OPRM instrument channel output to the RPS is bypassed, this fact is indicated by lights for each channel located on the main control room panels. Manual bypasses are also indicated in the control room on the ESF status indication panel as described in Section 7.8. Access to Means for Bypassing (IEEE 279, Par. 4.14) 7.A.2-27 REV. 17, APRIL 2008

LSCS-UFSAR Manual bypassing of any IRM, APRM, or OPRM channel is accomplished with control room selector switches under the administrative control of the operator. Multiple Setpoints (IEEE 279, Par. 4.15) The trip setpoint of each IRM channel is established at the 120/125% of full scale mark for each range of IRM operation. The IRM is a linear, half-decade per range instrument. Therefore, as the operator switches an IRM from one range to the next, the trip setpoint tracks the operator's selection. In the transition from STARTUP to RUN modes of operation, the reactor system mode switch is used to convert from IRM protection to APRM protection. Each of these multiple setpoint provisions is a portion of the reactor protection system and complies with the design requirements of IEEE 279. The OPRM does not have multiple setpoints to accommodate different operating conditions. Completion of Protective Action Once It Is Initiated (IEEE 279, Par. 4.16) The IRM, APRM, and OPRM trip unit outputs remain in a tripped condition whenever the trip setpoint is exceeded. It is only necessary that the trip units remain in a tripped condition in excess of the logic time delay to seal in the tripped condition. Once this action is accomplished, the actuator logic initiates reactor scram regardless of the state of the IRM or APRM instrument channels that initiated the sequence of events. Manual Initiation (IEEE 279, Par. 4.17) This design requirement is not applicable to this protective function. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279, Par. 4.18) Access to the IRM, APRM and OPRM setpoint adjustments, calibration controls, and test points is under the administrative control of the plant personnel. The calibration and setpoint controls are located in the NMS cabinets, except for the OPRM, and the transition from IRM to APRM coverage is controlled by the keylocked reactor system mode switch. OPRM calibration and setpoint adjustment is accomplished via the maintenance terminal, with OPRM in the test mode. The OPRM mode is administratively controlled by a key-locked switch. 7.A.2-28 REV. 17, APRIL 2008

LSCS-UFSAR Identification of Protective Actions (IEEE 279, Par. 4.19) Neutron monitoring system annunciators provided in the control room indicate the source of the RPS trip. The process computer provides a typed record of the tripped neutron monitoring system channel as well as identification of individual IRM and APRM channel trips. For the OPRM system, a sequence of events recorder provides a record of system trips. Each instrument channel, whether IRM, APRM, or OPRM has control room panel lights indicating the status of the channel for operator convenience. Information Readout (IEEE 279, Par. 4.20) The data presented to the operator is annunciation of neutron monitoring system scram trip and that the scram logic has been actuated. System Repair (IEEE 279, Par. 4.21) Replacement of IRM and LPRM detectors must be accomplished during plant shutdown. Repair of the remaining portions of the neutron monitoring system may be accomplished during plant operation by appropriate bypassing of the defective instrument channel. The design of the system facilitates rapid diagnosis and repair. Identification of Protection Systems (IEEE 279, Par. 4.22) Each system cabinet is marked with the words "Reactor Protection System," and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinets is identified as part of the reactor protection system wiring. 7.A.2.1.8 Drywell High-Pressure Scram General Functional Requirement (IEEE 279, Par. 4.1) The purpose of the drywell high-pressure scram is to detect an increase in the drywell pressure. The increase in pressure within the drywell may be the result of increasing temperature or a possible loss of coolant from the reactor vessel. Drywell high pressure is monitored by four pressure taps and pressure switches. The time response requirement imposed upon the operation of the instrument channel is within 0.6 seconds after the setpoint is exceeded. 7.A.2-29 REV. 13

LSCS-UFSAR Single-Failure Criterion (IEEE 279, Par. 4.2) The drywell high pressure scram trip meets the single-failure criterion. One pressure switch is mounted on each pressure tap, and the redundant taps are physically separated from one another by the reactor vessel. Wiring from each pressure switch is run in a separate rigid conduit from the pressure switch to the RPS cabinets in the control room to maintain both physical and electrical separation and isolation among the trip channels. A separate trip channel output relay is provided for each pressure switch and is physically separated in the RPS cabinets. Quality of Components and Modules (IEEE 279, Par. 4.3) The RPS trip pressure switches are of high quality and reliability. Equipment Qualification (IEEE 279, Par. 4.4) Vendor qualification is required for the pressure switches and trip channel output relays to prove that the parts perform in accordance with the requirements listed on the purchase specification for the intended application. This qualification, augmented by existing field experience with these components in this application, serves to qualify these components. General Electric Nuclear Energy Division will conduct qualification tests of the relay panels to confirm their adequacy for this service. In situ operational testing of the sensors, channels, and the entire protection system was performed during the preoperational test phase. Channel Integrity (IEEE 279, Par. 4.5) The channel components are designed to be operable under normal and abnormal conditions of environment, energy supply, malfunction, and accidents. Channel Independence (IEEE 279, Par. 4.6) The four trip channels of this protective function are physically separated and electrically isolated to meet this design requirement. Control and Protection System Interaction (IEEE 279, Par. 4.7) The four trip channels of this protective function comply with this design requirement. The system interlocks to control systems only through isolation 7.A.2-30 REV. 13

LSCS-UFSAR devices such that no failure or combination of failures in the control system will have any effect on the reactor protection system. Each trip channel output relay uses two contacts in series within the RPS trip logic. One additional contact from each relay is wired to a common annunciator in the control room. For all of these outputs, there is no single failure that will prevent proper functioning of this protective function when such action is required. Derivation of System Inputs (IEEE 279, Par. 4.8) The measurement of drywell high pressure is an appropriate variable to detect an abnormal condition within this boundary. High pressure within the drywell could indicate a break in the reactor coolant pressure boundary, and these sensors would respond to limit the consequences of such a break. Capability for Sensor Checks (IEEE 279, Par. 4.9) During reactor operation one pressure switch may be valved out of service at a time to perform testing under administrative control. At the conclusion of the test, administrative control must be used to ensure that the pressure sensor has been properly returned to service. Capability for Test and Calibration (IEEE 279, Par. 4.10) Once a pressure switch has been properly valved out of service under administrative control, testing of the pressure switch and its setpoint may be performed using a variable source of pressure. When the trip setpoint has been exceeded, the control room operator will obtain an annunciation of the trip and a typed record of the trip channel identification. Channel Bypass or Removal from Operation (IEEE 279, Par. 4.11) Individual pressure switches may be removed from service under administrative control in order to perform periodic tests or maintenance. No automatic bypass functions are provided in the RPS design for this protective function. Operating Bypasses (IEEE 279, Par. 4.12) This design requirement is not applicable to this protective function. 7.A.2-31 REV. 13

LSCS-UFSAR Indication of Bypasses (IEEE 279, Par. 4.13) When a pressure switch has been valved out of service for periodic testing and the simulated input has exceeded the trip setpoint, a control room annunciator for this protective function indicates a tripped condition, and the process computer logs the instrument channel identification. Manual bypasses are also indicated in the control room on the ESF status indication panel as described in Section 7.8. Access to Means for Bypassing (IEEE 279, Par. 4.14) This design requirement is not applicable to this protective function. Multiple Setpoints (IEEE 279, Par. 4.15) This design requirement is not applicable to this protective function. Completion of Protective Action Once It Is Initiated (IEEE 279, Par. 4.16) The instrument channels for this protective function remain in a tripped condition whenever the trip setpoint is exceeded. It is only necessary that the instrument channel remain in a tripped condition in excess of the logic time delay for seal-in of the tripped condition. Once this action is accomplished, the actuator logic initiates reactor scram regardless of the state of the process sensors that initiated the sequence of events. Manual Initiation (IEEE 279, Par. 4.17) This design requirement is not applicable to this protective function. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279, Par. 4.18) Access to the instrument channel adjustments is under the administrative control of plant personnel. Identification of Protective Actions (IEEE 279, Par. 4.19) The four instrument channels initiate a control room annunciator for this protective function when the setpoint is exceeded. Identification of the instrument channel is provided by the typed log from the annunciator system. 7.A.2-32 REV. 13

LSCS-UFSAR Information Readout (IEEE 279, Par. 4.20) The data presented to the operator is annunciation of drywell high pressure scram trip and that the scram logic has been actuated. System Repair (IEEE 279, Par. 4.21) Due to the one-to-one relationship of pressure switch and instrument channel logic, this design requirement is satisfied by this protective function. Identification of Protection Systems (IEEE 279, Par. 4.22) Each system cabinet is marked with the words "Reactor Protection System," and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinets is identified as part of the reactor protection system wiring. 7.A.2.1.9 Reactor Vessel High Pressure Scram General Functional Requirement (IEEE 279, Par. 4.1) The purpose of the reactor high-pressure scram trip is to limit the positive pressure effect on reactor power. An increase in reactor pressure while the plant is operating tends to compress the steam voids and results in a positive reactivity effect and increased reactor heat generation. This reactor scram trip is established to reduce the heat generation within the reactor whenever the high-pressure setpoint is reached. Reactor pressure is monitored by four pressure switches connected to four process instrument lines. A time response of 0.5 second is required from the time that the setpoint is exceeded to the time that the switch contacts of the pressure switch open. The pressure switch contacts are connected into the trip channels in the normal one-out-of-two twice configuration. Single-Failure Criterion (IEEE 279, Par. 4.2) The reactor high-pressure scram trip meets the single-failure criterion. Each pressure switch is connected to a reactor vessel tap physically separated from the other related taps. Wiring from the contacts of each pressure switch is run in a metal conduit from the sensor to the RPS cabinets in the control room to maintain both physical separation and electrical isolation of the redundant channels. A pressure switch channel output relay is associated with each sensor and is physically separated within the RPS cabinets from the redundant channels. 7.A.2-33 REV. 13

LSCS-UFSAR Quality of Components and Modules (IEEE 279, Par. 4.3) The pressure sensor is of high quality and reliability. Equipment Qualification (IEEE 279, Par. 4.4) At the component level, vendor qualification is required to prove that the pressure switch and trip channel output relay will perform in accordance with the requirements listed on the purchase part drawings. This qualification, augmented by existing field experience for these components in this application, serves to qualify these components. The Nuclear Energy Division of General Electric conducts qualification tests of the relay panels to confirm their adequacy for this application. In situ operational testing of the sensor, channels, and RPS was performed during the preoperational test phase. Channel Integrity (IEEE 279, Par. 4.5) Channel components are designed to be operable under normal and abnormal conditions of environment, energy supply, malfunctions, and accidents. Channel Independence (IEEE 279, Par. 4.6) The four trip channels for this protective function are physically separated and electrically isolated to meet this design requirement. Control and Protection System Interaction (IEEE 279, Par. 4.7) All trip channels of this protective function comply with this design requirement. Pressure switch contacts are routed in metal conduit from the sensor to the RPS panels in the control room. Each trip channel output relay uses two contacts in series within the RPS trip logic. One additional contact from each relay is wired to a common control room annunciator. Interlocks exist to control systems only through isolation devices such that no failure or combination of failures in the control system will have any effect on the reactor protection system. Derivation of System Inputs (IEEE 279, Par. 4.8) For this protective function, selection of reactor vessel pressure is an appropriate variable to provide the required protective function. 7.A.2-34 REV. 13

LSCS-UFSAR Capability for Sensor Checks (IEEE 279, Par. 4.9) Administrative controls are required to valve one sensor out of service at a time to perform a periodic test of the trip channel. During this test, operation of the sensor, its contacts, and the balance of the RPS trip channel may be confirmed. Capability for Test and Calibration (IEEE 279, Par. 4.10) Once a pressure switch has been valved out of service under administrative control, confirmation of the pressure setpoint can be made by use of a variable source of pressure. As the setpoint is exceeded, the control room operator obtains annunciation of the trip and a computer record of the trip channel identification. Channel Bypass or Removal from Operation (IEEE 279, Par. 4.11) Individual sensors may be valved out of service under administrative control to perform the periodic test or maintenance. No automatic bypass provisions are included in the design for this protective function. Operating Bypasses (IEEE 279, Par. 4.12) This design requirement is not applicable to this protective function. Indication of Bypasses (IEEE 279, Par. 4.13) The control room operator must exercise administrative control over the valving out of service of one pressure switch at a time. Once a pressure switch has been removed from service and a simulated pressure has been introduced in excess of the setpoint, a control room annunciator indicates the tripped condition and provides a typed record of the channel identification. Manual bypasses are also indicated in the control room on the ESF status indication panel as described in Section 7.8. Access to Means for Bypassing (IEEE 279, Par. 4.14) This design requirement is not applicable to this protective function. Multiple Setpoints (IEEE 279, Par. 4.15) This design requirement is not applicable to this protective function. 7.A.2-35 REV. 13

LSCS-UFSAR Completion of Protective Action Once It Is Initiated (IEEE 279, Par. 4.16) Pressure switches for this protective function remain in a tripped condition whenever the trip setpoint is exceeded. It is necessary only that the process sensors remain in a tripped condition for a sufficient length of time to deenergize the scram contactors and open the seal-in contact of the trip logic associated with the scram contactors. Once this action is accomplished, the trip actuator logic initiates reactor scram regardless of the state of the process sensors that initiated the sequence of events. Manual Initiation (IEEE 279, Par. 4.17) This design requirement is not applicable to this protective function. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279, Par. 4.18) Access to the pressure switch setpoint adjustment is under the administrative control of plant personnel. Identification of Protective Actions (IEEE 279, Par. 4.19) When the trip setpoint is exceeded for any one of the four pressure switches, a control room annunciator is initiated and a typed record provides an identification of the trip channel. Information Readout (IEEE 279, Par. 4.20) The data presented to the control room operator is both annunciation and relay position indication of reactor vessel high pressure scram trip and that the scram logic has been actuated. System Repair (IEEE 279, Par. 4.21) Due to the one-to-one relationship of pressure switch and trip channel output relay, this design requirement is satisfied for this protective function. Identification of Protection Systems (IEEE 279, Par. 4.22) Each system cabinet is marked with the words "Reactor Protection system," and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinets is identified as part of the reactor protection system wiring. 7.A.2-36 REV. 13

LSCS-UFSAR 7.A.2.1.10 CRD Low Charging Pressure Scram General Functional Requirement (IEEE 279, Par. 4.1) The purpose of the CRD low charging pressure scram is to assure that adequate pressure remains in the charging header to accomplish CRD rod insertion in the core when the mode switch is in Startup or Refuel. CRD low charging pressure setpoint is established such that sufficient accumulator pressure remains to accomplish a normal reactor scram. The selected scram setpoint is consistent with control rod minimum insertion times, thus obviating the need to derive different insertion times for other reference pressures. Single-Failure Criterion (IEEE 279, Par. 4.2) The CRD low charging pressure scram trip meets the single-failure criterion. The four pressure transmitters are connected to individual taps. The four process taps are separated and isolated via their physical connections to the charging header. Wiring from each transmitter to the control room relay cabinets is run in a separate conduit to maintain the electrical and physical separation of the trip channels. A separate trip relay is provided for each transmitter. The trip units and relays are separated from one another by cabinet wall barriers to maintain independence. Quality of Components and Modules (IEEE 279, Par. 4.3) Similar components have been previously used in many GE BWR power plants for this type of safety function. Equipment Qualification (IEEE 279, Par. 4.4) Equipment qualification is required to establish that the component will perform in accordance with the functional requirements within the environment zone of the intended application. This LaSalle safety-related Class 1E equipment is to be qualified to the requirements of NUREG-0588, Category I (IEEE 344, 1975 and IEEE 323,1974). In situ operational testing of these trip units and relays, channels, and the entire protection system will be performed at the project site during the preoperational test phase. 7.A.2-37 REV. 13

LSCS-UFSAR Channel Integrity (IEEE 279, Par. 4.5) The channel components are specified to operate under normal and abnormal conditions of environment, energy supply, malfunctions, and accidents. Channel Independence (IEEE 279, Par. 4.6) The four trip channels are physically separated and electrically isolated to meet this design requirement. Control and Protection System Interaction (IEEE 279, Par. 4.7) The four trip channels comply with this design requirement. Each trip channel output relay uses two contacts (in series) within the RPS trip logic. One additional contact on each relay is wired to a common annunciator in the control room, and another contact on each relay is wired to the process computer to provide a record of the channel trips. There is no single failure that will prevent proper functioning of this protection system when such action is required. Derivation of System Inputs (IEEE 279, Par. 4.8) The measurement of CRD low charging pressure is an appropriate variable for this protective function. The desired variable is "available pressure" to accommodate a reactor scram. Capability for Sensor Checks (IEEE 279, Par. 4.9) During reactor operation, one of the four pressure transmitter trip channels at a time may be taken out of service to perform calibration. Operation of the transmitter and trip unit is confirmed separately in each channel. Capability for Test and Calibration (IEEE 279, Par. 4.10) The test of the pressure transmitters associated with measurement of CRD low charging pressure can be performed during full power operation. Channel Bypass or Removal from Operation (IEEE 279, Par. 4.11) Individual pressure transmitters and/or trip units may be removed from service for maintenance or replacement. A single transmitter/trip unit for one channel may be removed at any time because the protective function is maintained by the other three channels. 7.A.2-38 REV. 16, APRIL 2006

LSCS-UFSAR Operation Bypass (IEEE 279, Par. 4.12) No bypasses exist for the CRD system low charging pressure scram. The CRD low charging-pressure scram is not active when the reactor mode switch is in the RUN position because the reactor vessel is at operating pressure. It is also not required in the SHUTDOWN position because no control rods can be withdrawn in this position. Indication of Bypasses (IEEE 279, Par. 4.13) The low charging water pressure scram in the CRD system is not needed in the RUN or SHUTDOWN modes hence its subordination to the mode switch. Manual bypasses are indicated in the control room on the ESF status indication panel as described in Section 7.8. Access to Means of Bypassing (IEEE 279, Par. 4.14) The reactor mode switch, which interlocks the CRD low charging water pressure scram to be active only in the STARTUP or REFUEL positions, is a key-locked switch located on the main control board. Multiple Setpoints (IEEE 279, Par. 4.15) This design requirement is not applicable to this protective function. Completion of Protective Action Once It Is Initiated (IEEE 279, Par. 4.16) The trip units for pressure transmitters trip at the setpoint value and remain in a tripped condition as long as the pressure is less than the setpoint value. Hence, the trip channel output to the RPS trip logic remains in its tripped state whenever the setpoint is attained. It is necessary only that the process sensors remain in a tripped condition for a sufficient amount of time to deenergize the scram contactors and open the seal-in contact in the trip logic associated with the scram contactors. Once this action is accomplished, the trip actuator logic initiates reactor scram regardless of the state of the process sensors that initiated the sequence of events. Manual Initiation (IEEE 279, Par. 4.17) This design requirement is not applicable to this protective function. 7.A.2-39 REV. 13

LSCS-UFSAR Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279, Par. 4.18) All access to setpoint adjustments, calibration controls, and test points is under administrative control. Identification of Protective Action (IEEE 279, Par. 4.19) Any one of the four pressure transmitters will initiate a control room annunciator when the trip setpoint is attained. Identification that the particular trip channel has attained its setpoint is accomplished via visual observation of the relay contacts at the RPS panels. Information Readout (IEEE 279, Par. 4.20) The data presented to the operator is both an annunciation and relay position indication of a CRD low charging pressure trip and that the scram logic has been actuated. System Repair (IEEE 279, Par. 4.21) Because the charging pressure measurement and its one-to-one relationship between a given pressure transmitter and its associated trip channel output relay are inherently simple, the design facilitates maintenance of this protective function. 7.A.2.1.11 Manual Pushbutton Scram General Functional Requirement (IEEE 279, Par. 4.1) This design requirement is not applicable to RPS functions requiring manual intervention by the control room operator. Single-Failure Criterion (IEEE 279, Par. 4.2) The four manual scram pushbuttons are arranged in a one-out-of-two twice logic. The four manual scram pushbuttons are located on one panel in two groups of two with approximately 6 inches separation in each group to permit the operator to initiate protective action with one motion of one hand. The two groups of switches are separated by 3 or more feet, and the switch contact blocks are installed in metal barriers. This logic arrangement satisfies the single-failure criterion. 7.A.2-40 REV. 13

LSCS-UFSAR Quality of Components and Modules (IEEE 279, Par. 4.3) The manual scram switches are selected to be of high quality and reliability. Equipment Qualification (IEEE 279, Par. 4.4) Vendor qualification is required to prove that the switch performs in accordance with the requirements of this application. This qualification, augmented by existing field experience with this component in this application, serves to qualify the device for this application. In situ operational testing of the switch was performed during the preoperational test phase. Channel Integrity (IEEE 279, Par. 4.5) The manual scram pushbutton is designed to be operable under the normal and abnormal conditions of environment, energy supply, malfunctions, and accidents. Channel Independence (IEEE 279, Par. 4.6) The manual scram pushbutton is a channel component. The trip channels are physically separated and electrically isolated to comply with this design requirement. Control and Protection System Interaction (IEEE 279, Par. 4.7) There is no control interaction with the manual scram. Interlocks exist to control systems only through isolation devices such that no failure or combination of failures in the control system will have any effect on the reactor protection system. Derivation of System Inputs (IEEE 279, Par. 4.8) These design requirements are not applicable. Capability for Sensor Checks (IEEE 279, Par. 4.9) These design requirements are not applicable. Capability for Test and Calibration (IEEE 279, Par. 4.10) During reactor operation, one manual scram pushbutton may be depressed to test the proper operation of the switch. Once the RPS has been reset, the other switches may be depressed to test their operation one at a time. For each such operation, a 7.A.2-41 REV. 13

LSCS-UFSAR control room annunciation is initiated and the process computer identifies the pertinent trip. Channel Bypass or Removal from Operation (IEEE 279, Par. 4.11) Since actuation of one manual scram pushbutton places its RPS trip system in a tripped condition, it is in compliance with this design requirement. Operating Bypasses (IEEE 279, Par. 4.12) This design requirement is not applicable. Indication of Bypasses (IEEE 279, Par. 4.13) This design requirement is not applicable. Access to Means for Bypassing (IEEE 279, Par. 4.14) This design requirement is not applicable. Multiple Setpoints (IEEE 279, Par. 4.15) This design requirement is not applicable. Completion of Protective Action Once It Is Initiated (IEEE 279, Par. 4.16) Once the manual scram pushbuttons are depressed, it is necessary only to maintain them in that condition until the manual scram contactors have deenergized and open the seal-in contact of the manual trip logic associated with the scram contactors. At this point, the trip actuator logic initiates reactor scram regardless of the state of the manual scram pushbuttons. Manual Initiation (IEEE 279, Par. 4.17) The four manual scram armed pushbuttons (one in each of the four RPS trip logics) comply with this design requirement. The logic for the manual scram is one-out-of-two twice. Failure of an automatic RPS function cannot prevent the manual portions of the system from initiating the protective action. The manual scram pushbuttons are implemented into the scram contactor coil circuits in order to minimize the dependence of manual scram capability on other equipment. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279, Par. 4.18) This design requirement is not applicable. 7.A.2-42 REV. 16, APRIL 2006

LSCS-UFSAR Identification of Protective Action (IEEE 279, Par. 4.19) When any manual scram pushbutton is depressed, a control room annunciation is initiated and the process computer identifies the tripped RPS trip logic. Information Readout (IEEE 279, Par. 4.20) The data presented to the operator is annunciation of manual pushbutton scram trip and relay position indication and annunciation that the scram logic has been actuated. System Repair (IEEE 279, Par. 4.21) Due to the simplicity of the manual scram function, the design complies with this requirement. Identification of Protection Systems (IEEE 279, Par. 4.22) Each system cabinet is marked with the words "Reactor Protection System," and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinet is identified as part of the reactor protection system wiring. 7.A.2.1.12 Reactor System Mode Switch General Functional Requirement (IEEE 279, Par. 4.1) When the reactor system mode switch has been placed in one of its four possible positions, it performs two protective functions: (l) selection of particular sensors for the scram functions, and (2) selection of appropriate bypasses for certain sensors. In addition to these protective functions, the mode switch performs certain interlock functions that are not associated with the RPS. Among these interlock actions are restrictions on control rod withdrawal and movement of refueling equipment. The mode switch consists of a single manual actuator connected to four distinct switch banks. Each bank is housed within a fire-retardant cover. Contacts from each bank are wired to individual metallic terminal boxes in conduit. When the mode switch is set to a given position, it enables those protective functions pertinent to that mode of operation to perform the necessary automatic protective action. 7.A.2-43 REV. 16, APRIL 2006

LSCS-UFSAR Single-Failure Criterion (IEEE 279, Par. 4.2) The reactor system mode switch complies with the single-failure criterion. For the protective functions, each bank of the mode switch is associated with a specific RPS trip logic, and the banks of the mode switch have been physically separated and electrically isolated from one another to meet this design requirement. Quality of Components and Modules (IEEE 279, Par. 4.3) The switch chosen for this application is of high quality and reliability. Equipment Qualification (IEEE 279, Par. 4.4) Vendor qualification is required to prove that this switch operates in accordance with the requirements of this application. In addition, General Electric Nuclear Energy Division conducts operational in situ tests of the mode switch during the preoperational test phase. Channel Integrity (IEEE 279, Par. 4.5) The mode switch is designed to be operable under normal and abnormal conditions of environment, energy supply, malfunctions, and accidents. Channel Independence (IEEE 279, Par. 4.6) The mode switch banks are physically separated and electrically isolated to comply with this design requirement. Control and Protection System Interaction (IEEE 279, Par. 4.7) The reactor system mode switch is used for protective functions and restrictive interlocks on control rod withdrawal and refueling equipment movement. Additional contacts of the mode switch are used to disable certain computer inputs when the alarms would represent incorrect information for the operator. No control functions are associated with the mode switch. Hence, the switch complies with this design requirement. The system interlocks to control systems only through isolation devices such that no failure or combination of failures in the control system will have any effect on the reactor protection system. Derivation of System Inputs (IEEE 279, Par. 4.8) Since the mode switch is used to connect appropriate sensors into the RPS logic depending upon the operating state of the reactor, the selection of particular contacts to perform this logic operation is an appropriate means for obtaining the desired function. 7.A.2-44 REV. 13

LSCS-UFSAR Capability for Sensor Checks (IEEE 279, Par. 4.9) Operation of the mode switch may be verified by the operator during plant operation by performing certain sensor tests to confirm proper RPS operation. Movement of the mode switch from one position to another is not required for these tests, since the connection of appropriate sensors to the RPS logic as well as disconnection of inappropriate sensors may be confirmed from the sensor tests. Capability for Test and Calibration (IEEE 279, Par. 4.10) Operation of the reactor system mode switch from one position to another may be employed to confirm certain aspects of the RPS trip channels during periodic test and calibration. During tests of the trip channels, proper operation of the mode switch contacts may be easily verified by noting that certain sensors are connected into the RPS logic and that any other sensors are disconnected from the RPS logic in an appropriate manner for the given position of the mode switch. Channel Bypass or Removal from Operation (IEEE 279, Par. 4.11) The use of four banks of contacts for the mode switch permits any RPS trip channel which is connected into the mode switch to be periodically tested in a manner that is independent of the mode switch itself. Consequently, for any stated position of the mode switch, a sufficient number of trip channels remain operable during the periodic test to fulfill this design requirement. Movement of the mode switch handle from one position to another disconnects all redundant channels associated with the former position and connects all redundant channels pertinent to the latter position. In this manner, the mode switch complies with this design requirement. Operating Bypasses (IEEE 279, Par. 4.12) There are no operating bypasses that are imposed upon the RPS trip channels or RPS trip logic as the result of the position of the mode switch itself. For the scram discharge volume high water level trip channels, the operating bypass is imposed when the mode switch and another bypass switch are placed in specific positions. The main steamline isolation valve closure trip channels are bypassed only when the mode switch is in specified positions and when the reactor pressure is less than normal operating pressure. For each of these operating bypasses, four independent bypass channels are provided through the mode switch to assure that all of the protection system criteria are satisfied. 7.A.2-45 REV. 13

LSCS-UFSAR Indication of Bypasses (IEEE 279, Par. 4.13) When the conditions for any single bypass channel are satisfied, the control room operator is notified by means of an annunciator for that particular set of bypass conditions. Bypassing is not allowed in the trip logic or actuator logic. Access to Means for Bypassing (IEEE 279, Par. 4.14) The mode switch is a keylock switch under the administrative control of plant personnel. Since other controls must be operated or other sensors must be in an appropriate state to complete the operating bypass logic, the mode switch itself satisfies this requirement. Multiple Setpoints (IEEE 279, Par. 4.15) Operation of the mode switch from one position to another imposes different RPS trip channels into the RPS logic in accordance with the reactor conditions implied by the given position of the mode switch. This action does not influence the established setpoint of any given RPS trip channel, but merely connects one set of channels as another set is disconnected. Consequently, the mode switch meets this design requirement. Completion of Protective Action Once It Is Initiated (IEEE 279, Par. 4.16) The function of the mode switch is to provide appropriate RPS trip channels for the RPS trip logic on a steady-state basis for each of four given reactor operating states: SHUTDOWN, REFUEL, STARTUP, and RUN. Protective action, in terms of the needed transient response, is derived from the other portions of the trip channels independent of the mode switch. Hence, the mode switch does not influence the completion of protective action in any manner. Manual Initiation (IEEE 279, Par. 4.17) Movement of the mode switch to the SHUTDOWN position initiates reactor shutdown. The design of the manual actuation is such that a minimum of equipment is employed to provide manual actuation directly to the manual trip logic and scram contactors. No single failure in the manual or automatic portions of the system can prevent either a manual or automatic scram. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279, Par. 4.18) This design requirement is not applicable to the mode switch protective function. 7.A.2-46 REV. 13

LSCS-UFSAR Identification of Protective Actions (IEEE 279, Par. 4.19) Identification of the mode switch in SHUTDOWN position scram trip is provided by the manual scram, the process computer, and the mode switch in SHUTDOWN annunciator. Information Readout (IEEE 279, Par. 4.20) The data presented to the operator is annunciation when the mode switch has been placed in shutdown position. System Repair (IEEE 279, Par. 4.21) The mode switch design complies with this design requirement. Identification of Protection Systems (IEEE 279, Par. 4.22) Each system cabinet is marked with the words "Reactor Protection System," and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinet is identified as part of the reactor protection system wiring. 7.A.2.1.13 Scram Discharge Volume High Water Level Trip Bypass General Functional Requirement (IEEE 279, Par. 4.1) Since the discharge volume high water level trip is bypassed by manual operation of a bypass switch and the reactor system mode switch, the requirement for automatic response is not meaningful for the bypass channels. This bypass function is provided to permit manual reset of the RPS following scram. Administrative control must be applied to remove the bypass once the water has been drained from the instrument volume associated with the discharge piping. Single-Failure Criterion (IEEE 279, Par. 4.2) Since this bypass requires manual operation of a bypass switch and the mode switch to establish four bypass channels, the design of the bypass function complies with this design requirement. For the bypass switch, a single operator connects to four physically and electrically separated blocks of switch contacts within the switch body. Wiring from the contacts is routed in conduit to separate metallic terminal boxes. One set of switch contacts, in conjunction with mode switch contacts, is used to energize each trip channel bypass relay when the bypass condition is desired. 7.A.2-47 REV. 16, APRIL 2006

LSCS-UFSAR There is no single failure of this bypass function that will satisfy the condition necessary to establish the bypass condition. Hence, this function complies with the single-failure criterion. Quality of Components and Modules (IEEE 279, Par. 4.3) The bypass switch is of high reliability and quality. Equipment Qualification (IEEE 279, Par. 4.4) Vendor qualification is required to prove that the switch performs in accordance with the requirements of this application. This qualification, augmented by existing field experience with this component in this application, serves to qualify the device for this application. In situ operational testing of the bypass switch was performed during the preoperational test phase. Channel Integrity (IEEE 279, Par. 4.5) The bypass switch and associated bypass channel relays are designed to be operable under normal and abnormal conditions of environment, energy supply, malfunctions, and accidents. Channel Independence (IEEE 279, Par. 4.6) The bypass circuitry complies with this design requirement. Sufficient physical separation and electrical isolation exists to assure that the bypass channels are satisfactorily independent. Moreover, the conditions for bypass have been made quite stringent in order to provide additional margin. Control and Protection System Interaction (IEEE 279, Par. 4.7) This bypass function complies with this design requirement. For each trip channel bypass relay, two contacts are used in the bypass logic. One contact of each relay is also wired to a common annunciator in the control room and one contact is wired to the control rod block circuitry to prevent rod withdrawal whenever the trip channel bypass is in effect. There are no control system interactions with these bypass relay outputs. Interlocks exist to control systems only through isolation devices such that no failure or combination of failures in the control system will have any effect on the reactor protection system. LU2000-060 7.A.2-48 REV. 14, APRIL 2002

LSCS-UFSAR Derivation of System Inputs (IEEE 279, Par. 4.8) Due to the manual action required for this bypass function, this design requirement is satisfied by operator interaction with a single bypass switch and the mode switch. Capability for Sensor Checks (IEEE 279, Par. 4.9) During plant operation in the startup and run modes, imposition of this bypass function is inhibited by the reactor system mode switch. Under these circumstances, operation of the bypass switch should not produce a bypass condition for any single trip channel, and this fact can be determined from the control room annunciator, a visual inspection of the bypass relays, and the process computer indication of any discharge volume high water level trip channel placed in a tripped condition prior to the bypass switch test. Capability for Test and Calibration (IEEE 279, Par. 4.10) In the startup and run modes of plant operation, the preceding procedure may be used to confirm that trip channels are not bypassed as a result of operation of the bypass switch. In the shutdown and refuel modes of plant operation, a similar procedure may be utilized to produce bypassing of all four trip channels. Due to the discrete "ON-OFF" nature of the bypass function, calibration is not meaningful. Channel Bypass or Removal from Operation (IEEE 279, Par. 4.11) Individual bypass of the four trip channel bypass networks is not provided in the design. Due to the stringent conditions required to achieve trip channel bypass, the protection system trip channels are not bypassed by the bypass switch function during operation of the plant in the startup or run modes. Operating Bypasses (IEEE 279, Par. 4.12) The discharge volume high water trip channels are bypassable only in the shutdown and refuel modes of operation. The bypass is manually initiated and must be manually removed to commence control rod withdrawal. Since the bypass is used for RPS reset after a reactor scram, automatic removal of the bypass is not a meaningful design requirement. Indication of Bypasses (IEEE 279, Par. 4.13) Bypass of any single discharge volume high water level trip channel produces a control room annunciation. 7.A.2-49 REV. 16, APRIL 2006

LSCS-UFSAR Access to Means for Bypassing (IEEE 279, Par. 4.14) Both switches needed to achieve this bypass are located on the same panel and both require keylock operations by plant personnel. Multiple Setpoints (IEEE 279, Par. 4.15) This design requirement is not applicable to this trip bypass function. Completion of Protective Action Once It Is Initiated (IEEE 279, Par. 4.16) This bypass function is required only after a reactor scram when the discharge volume has accumulated water and must be drained. If the mode switch is placed in the shutdown position so as to effect the bypass function, the reactor scrams to satisfy the protective action completion requirement. Consequently, this bypass function permits completion of protective action once it is initiated and satisfies this design requirement. Manual Initiation (IEEE 279, Par. 4.17) This design requirement is not applicable to this trip bypass function. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279, Par. 4.18) This design requirement is not applicable to this trip bypass function. Identification of Protective Actions (IEEE 279, Par. 4.19) The bypass function does not initiate protective action; hence, two control room annunciators are provided to indicate the bypass condition from one or more bypass channels. Information Readout (IEEE 279, Par. 4.20) The data presented to the operator is annunciation when the discharge volume high water level trip has been bypassed. System Repair (IEEE 279, Par. 4.21) The design of this bypass function complies with this design requirement. 7.A.2-50 REV. 14, APRIL 2002

LSCS-UFSAR Identification of Protection Systems (IEEE 279, Par. 4.22) Each system cabinet is marked with the words "Reactor Protection System", and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinets is identified as part of the reactor protection system wiring. 7.A.2.1.14 Main Steamline Isolation Valve Closure Trip Bypass General Functional Requirement (IEEE 279, Par. 4.1) The main steamline isolation valve closure trip bypass function is a semiautomatic bypass in that the reactor system mode switch must be placed in the SHUTDOWN, REFUEL, or STARTUP position in order to obtain the trip bypass. This bypass is provided to permit the RPS to be manually reset when the plant is operating in one of the three aforementioned modes with the isolation valves closed. The automatic removal of this bypass by movement of the mode switch to the RUN position immediately institutes the isolation valve trip as a protective function to the RPS. Single-Failure Criterion (IEEE 279, Par. 4.2) The bypass function complies with the single-failure criterion. One contact from each bank of the mode switch energizes one of four bypass relays whose contacts are connected into the RPS trip logic. The relationship of these bypass relays to the RPS trip channels is on a one-to-one basis. Consequently, four particular bypass relays must be energized in order to bypass the protective function, hence no single failure in the bypass circuitry will interfere with the protective action of the trip channels. Quality of Components and Modules (IEEE 279, Par. 4.3) The circuit components are of high quality and reliability. Equipment Qualification (IEEE 279, Par. 4.4) These same components have been described in earlier portions of this report, and the basis for equipment qualification is identical in all respects. Channel Integrity (IEEE 279, Par. 4.5) The channel components are designed to be operable under normal and abnormal conditions of environment, energy supply, malfunctions, and accidents. 7.A.2-51 REV. 13

LSCS-UFSAR Channel Independence (IEEE 279, Par. 4.6) The four bypass channels comply with this design requirement. One contact from each bank of the mode switch is physically separated and electrically isolated from the others to satisfy this requirement. The four bypass relays are independent of one another and are physically separated and electrically isolated from one another. Control and Protection System Interaction (IEEE 279, Par. 4.7) This bypass function has no interaction with any control system in the plant. Two contacts of each relay are used to initiate a control room annunciator for this bypass function. Interlocks exist to control systems only through isolation devices such that no failure or combination of failures in the control system will have any effect on the reactor protection system. Derivation of System Inputs (IEEE 279, Par. 4.8) The instrumentation furnished for this bypass function complies with this design requirement. The main steamline isolation valve closure trip results from valve closure whenever the reactor is operating in the RUN mode. This constraint has been selected to permit manual reset of the RPS under specified conditions whenever the main steamline isolation valves are partially or fully closed. Capability for Sensor Checks (IEEE 279, Par. 4.9) Testing of the entire bypass circuit is possible in the SHUTDOWN, REFUEL, or STARTUP positions of the mode switch. Confirmation that the bypass is not in effect in the RUN mode may be made at operating conditions. Capability for Test and Calibration (IEEE 279, Par. 4.10) Testing of the bypass circuit can be accomplished only when the mode switch is not in the run position. Hence, this test may be performed in the startup operating phase. Since it can be confirmed that the bypass is not in effect when operating in the RUN mode, the suggested tests are adequate to confirm proper bypass status during plant operation. Channel Bypass or Removal from Operation (IEEE 279, Par. 4.11) 7.A.2-52 REV. 13

LSCS-UFSAR During normal plant operation, the bypass circuit is not in operation, and its circuitry is in a passive, deenergized state. Removal of the bypass capability is permitted during plant operation since it has no effect upon plant safety. Under plant conditions where the bypass is operable, one channel may be removed from service for test purposes without causing a reactor scram or influencing any aspect of reactor safety. Operating Bypasses (IEEE 279, Par. 4.12) This operating bypass complies with this design requirement. Whenever permissive conditions for bypass are not met, the bypass is automatically removed. Four channels are provided for this bypass to assure compliance with the IEEE 279 requirements. Indication of Bypasses (IEEE 279, Par. 4.13) Whenever one of the four bypass channels is placed in the bypass state, a control room annunciator is initiated. If the associated protective trip channel were in its tripped state at this time, the process computer identifies the return to normal condition for the trip. Access to Means for Bypassing (IEEE 279, Par. 4.14) The mode switch is under the keylock supervision of plant personnel. Multiple Setpoints (IEEE 279, Par. 4.15) This design requirement is not applicable to this trip bypass function. Completion of Protective Action Once It Is Initiated (IEEE 279, Par. 4.16) Under ordinary circumstances, this bypass function will have no effect upon the main steamline isolation valve closure trip. If the trip channels assume the tripped condition for a sufficient time to deenergize the scram contactors and open the seal-in contact of the scram contactors in the RPS trip logic prior to initiation of two or more specific trip bypass channels, the reactor will scram. Since this delay time is on the order of 13 msec between opening of the process sensor contact and opening of the seal-in contact of the scram contactor, this transition region is inconsequential. Manual Initiation (IEEE 279, Par. 4.17) This design requirement is not applicable to this trip bypass function. 7.A.2-53 REV. 16, APRIL 2006

LSCS-UFSAR Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279, Par. 4.18) This design requirement is not applicable to this trip bypass function. Identification of Protective Actions (IEEE 279, Par. 4.19) This bypass function does not initiate protective actions, therefore, one control room annunciator has been provided to indicate the bypass condition from one or more bypass channels. Information Readout (IEEE 279, Par. 4.20) The data presented to the operator is annunciation when the MSIV closure trip has been bypassed. System Repair (IEEE 279, Par. 4.21) The design of this bypass function complies with this design requirement. Identification of Protection Systems (IEEE 279, Par. 4.22) Each system cabinet is marked with the words "Reactor Protection System," and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinets is identified as part of the reactor protection system wiring. 7.A.2.1.15 Turbine Stop Valve and Control Valve Trip Bypass General Functional Requirement (IEEE 279, Par. 4.1) The turbine stop valve and control valve trip bypass senses turbine first-stage pressure by means of two taps and four pressure switches so as to activate a trip bypass if the turbine is operating below 25% of rated core thermal power for the plant. This bypass is provided to permit continued reactor operation at low power levels when the turbine valves are closed. The setpoint of less than 25% of rated core thermal power for actuation of this bypass is required to meet transient analysis assumptions which take into account the resultant consequences of a bypassed turbine RPS trip as a function of reactor operating power. Removal of this bypass is automatically accomplished as the reactor power and turbine first-stage pressure reach the setpoint value equivalent to 25% of rated core thermal power. Single-Failure Criterion (IEEE 279, Par. 4.2) This bypass function complies with the single-failure criterion. 7.A.2-54 REV. 13

LSCS-UFSAR Two pressure switches are connected to each of two turbine first-stage pressure taps. Cables from the contacts of the pressure switches are routed in conduit to the RPS cabinets in the control room. The logic configuration for the bypass is the standard one-out-of-two twice arrangement such that a single bypass channel is associated with a single trip channel for stop valve closure and a single trip channel for control valve fast closure. Each pressure switch contact is connected to a single bypass channel output relay. No single failure of this bypass circuitry will interfere with the normal protective action of the RPS trip channels. Quality of Components and Modules (IEEE 279, Par. 4.3) The four pressure switches selected for this bypass function are of high quality and reliability. Equipment Qualification (IEEE 279, Par. 4.4) These same components have been described in earlier portions of this report, and the basis for equipment qualification is identical in all respects. Channel Integrity (IEEE 279, Par. 4.5) The channel components are designed to be operable under normal and abnormal conditions of environment, energy supply, malfunctions, and accidents. Channel Independence (IEEE 279, Par. 4.6) The four bypass channels comply with this design requirement. One contact from each pressure switch is connected to one bypass relay in the RPS cabinets. The pressure switches and taps are physically separated and their wiring is electrically isolated to provide channel independence. The four bypass relays are independent of one another and are physically separated to meet this design requirement. Control and Protection System Interaction (IEEE 279, Par. 4.7) This bypass function has no interaction with any control system in the plant. Two output relay contacts in series are used in the RPS trip logic and one additional contact from each relay is used to initiate a control room annunciator for this bypass function. 7.A.2-55 REV. 14, APRIL 2002

LSCS-UFSAR Derivation of System Inputs (IEEE 279, Par. 4.8) Since the intent of this bypass is to permit continued reactor operation at low power levels when the turbine stop or control valves are closed, the selection of turbine first-stage pressure is an appropriate variable for this bypass function. In the power range of reactor operation, turbine first-stage pressure is essentially linear with increasing reactor power. Consequently, this variable provides the desired measurement of power level. Capability for Sensor Checks (IEEE 279, Par. 4.9) Testing of individual pressure switches is permitted during plant operation by valving one pressure switch out of service at a time under administrative control. A variable pressure source may then be introduced to the switch to confirm the setpoint value and switch operations. Capability for Test and Calibration (IEEE 279, Par. 4.10) Administrative control must be exercised to valve one pressure switch out of service for the periodic test. During this test, a variable pressure source may be introduced to operate the switch at the setpoint value. When the condition for bypass has been achieved on an individual sensor under test, the control room annunciator for this bypass function is initiated. If the RPS trip channel associated with this sensor were in its tripped state, the process computer identifies the return to normal state for the RPS trip logic. When the plant is operating at greater than or equal to 25% of rated core thermal power, testing of the turbine stop valve and control valve fast closure trip channels confirms that the bypass function is not in effect. Channel Bypass or Removal from Operation (IEEE 279, Par. 4.11) During normal plant operation at greater than or equal to 25% of rated core thermal power, the bypass circuitry is in its passive, deenergized state. At these conditions, removal of the bypass for periodic test is permitted since it has no effect on plant safety. Under plant conditions below 25% of rated core thermal power, one bypass channel may be removed from service at a time without initiating protective action or affecting plant safety. This removal from service is accomplished under administrative control of plant personnel. Operating Bypasses (IEEE 279, Par. 4.12) The turbine stop valve and control valve trip bypass comply with this design requirement. When the turbine first stage pressure reaches a level equivalent to 25% of rated core thermal power, the four pressure switches respond and open the bypass circuit in the RPS trip logics. 7.A.2-56 REV. 16, APRIL 2006

LSCS-UFSAR Indication of Bypasses (IEEE 279, Par. 4.13) Whenever one of the four bypass channels is placed in the bypass state, a control room annunciator is initiated. If the associated RPS trip channel were in its tripped state at this time, the process computer identifies the return to normal condition of this trip. Access to Means for Bypassing (IEEE 279, Par. 4.14) Under normal operating conditions, all four bypass channels are in operation and are automatically removed from service as reactor power reaches the setpoint equivalent to 25% of rated core thermal power and are automatically reinstated as reactor power is reduced below this same setpoint. During periodic test of each bypass channel, one sensor is removed from service under administrative control. Multiple Setpoints (IEEE 279, Par. 4.15) This design requirement is not applicable to this trip bypass function. Completion of Protective Action Once It Is Initiated (IEEE 279, Par. 4.16) This bypass function is placed into effect only when the turbine first-stage pressure is at or below a level corresponding to 25% of rated core thermal power. For plant operation above this setpoint, the trip channels initiate protective action once the scram contactors have deenergized and opened the seal-in contact associated with the RPS trip logic. Since the required time to open the seal-in contact is on the order of 13 msec, the bypass pressure switches will not respond quickly enough to prevent completion of the protective action. Manual Initiation (IEEE 279, Par. 4.17) This design requirement is not applicable to this trip bypass function. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279, Par. 4.18) Administrative control is required to perform any adjustments upon the pressure switches for this bypass function. Identification of Protective Actions (IEEE 279, Par. 4.19) This bypass function does not initiate protective actions. Therefore, one control room annunciator has been provided to indicate the bypass condition from one or more bypass channels. 7.A.2-57 REV. 16, APRIL 2006

LSCS-UFSAR Information Readout (IEEE 279, Par. 4.20) The data presented to the operator is annunciation when the control valve fast closure and turbine stop valve trips have been bypassed. System Repair (IEEE 279, Par. 4.2l) The design of this portion of the RPS complies with this design requirement. Identification of Protection Systems (IEEE 279, Par. 4.22) Each system cabinet is marked with the words "Reactor Protection System," and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinets is identified as part of the reactor protection system wiring. 7.A.2.1.16 Neutron Monitoring System Trip Bypass This bypass is discussed in Subsection 7.2.2.5. 7.A.2.1.17 RPS Trip Logic, Trip Actuators, and Trip Actuator Logic General Functional Requirement (IEEE 279, Par 4.1) All of the RPS "A1" trip channels terminate in the RPS "A1" trip logic, which in turn, connects to the RPS trip actuators and trip actuator logic to control the control rod drive scram solenoids. Once the trip logic has been signaled by a protection system trip channel, the series contact string is open circuited to permit deenergization of the trip actuators. The trip actuators then remain in that state until manually reset. Four trip logic strings are provided in the reactor protection system in a one-out-of-two twice arrangement. Hence, the RPS trip logic and trip actuator circuitry comply with this design requirement. Single-Failure Criterion (IEEE 279, Par. 4.2) Those portions of the RPS downstream of the trip channels comply with this design requirement. Any postulated single failure of a given trip logic does not affect the remaining three trip logics. Similarly, any single failure of a trip actuator does not affect the remaining trip actuators, and any single failure of one trip actuator logic does not affect the other trip actuator logic networks. The cabling associated with one trip logic is routed in a conduit that is physically separated from similar cabling associated with the other trip logics. Cabling from the trip actuator logic to the scram solenoid groups is routed in individual conduits to comply with this design requirement. Because any individual control rod may fail to operate from either the 7.A.2-58 REV. 13

LSCS-UFSAR "A" or "B" solenoid valves, wiring of these two solenoids for one control rod is routed together within a single conduit. Quality of Components and Modules (IEEE 279, Par. 4.3) The RPS trip logic consists of series-connected relay contacts from the trip channel output relays. The relay is of high quality and reliability. The RPS trip actuator logic consists of relay contacts connected in a specific arrangement from the trip actuators. The trip actuators are of high quality and reliability. Equipment Qualification (IEEE 279, Par. 4.4) At the component level, vendor qualification is required to prove that these parts operate in accordance with the requirements of the purchase specification. This qualification, augmented by field experience with these components in this application, serves to qualify the components. Channel Integrity (IEEE 279, Par. 4.5) Even though the channel interpretation is not appropriate to the RPS trip logic, the trip actuators and the trip actuator logic are designed to be operable under normal and abnormal conditions of environment, energy supply, malfunctions, and accidents. Channel Independence (IEEE 279, Par. 4.6) This design requirement is not applicable. Control and Protection System Interaction (IEEE 279, Par. 4.7) The four RPS trip logic strings are totally separate from any other plant system. The RPS trip actuators utilize the power contacts of the scram contactors to provide the trip actuator logic and the seal-in contact of the trip actuator. They utilize auxiliary contacts for control room annunciation and initiation of the backup scram valves. Due to the design of this output and separation of the cabling, there is no interaction with control systems of the plant. The trip actuator logic has no interaction with any other plant system, and the scram solenoids are physically separate and electrically isolated from the other portions of the control rod drive hydraulic control unit. Consequently, this design requirement is met by this equipment. The system interlocks to control systems only through isolation devices such that no failure or 7.A.2-59 REV. 13

LSCS-UFSAR combination of failures in the control system will have any effect on the reactor protection system. Derivation of System Inputs (IEEE 279, Par. 4.8) This design requirement is not applicable. Capability for Sensor Checks (IEEE 279, Par. 4.9) This design requirement is not applicable. Capability for Test and Calibration (IEEE 279, Par. 4.10) The previously described trip logic test switch permits each individual trip logic, trip actuator, and trip actuator logic to be tested on a periodic basis. Testing of each process sensor of the protection system also affords an opportunity to verify proper operation of these components. Calibration of the time response of the trip channel relays and trip actuators may be accomplished by connection of external test equipment to test points provided in the RPS control room panels in addition to information stored in the process computer. Channel Bypass or Removal from Operation (IEEE 279, Par. 4.11) This design requirement is not applicable. Operating Bypasses (IEEE 279, Par. 4.12) This design requirement is not applicable. Indication of Bypasses (IEEE 279, Par. 4.13) This design requirement is not applicable. Access to Means for Bypassing (IEEE 279, Par. 4.14) This design requirement is not applicable. Multiple Setpoints (IEEE 279, Par. 4.15) This design requirement is not applicable. Completion of Protective Action Once It Is Initiated (IEEE 279, Par. 4.16) The interface of the RPS trip logic and the trip actuators assures that this design requirement is accomplished. The trip actuator is normally energized and is sealed 7.A.2-60 REV. 16, APRIL 2006

LSCS-UFSAR in by one of the power contacts to the trip logic string. Once the trip logic string has been open-circuited as a result of a process sensor trip channel becoming tripped, the scram contactor seal-in contact opens in approximately 13 msec. At this point in time, the completion of protection action is directed without regard to the state of the initiating process sensor trip channel. Manual reset by the operator bypasses the seal-in contact to permit the RPS to be reset to its normally energized state when all process sensor trip channels are within their normal (untripped) range of operation. Manual Initiation (IEEE 279, Par. 4.17) The trip actuator logic may be placed in a tripped condition from either one of the two trip logics (i.e., Al or A2) associated with one RPS trip system. This action can be accomplished with the trip logic test switch, manual scram pushbuttons, or reactor system mode switch. As a result, the design meets this design requirement. No single failure in the manual or automatic portions of the system can prevent either a manual or automatic scram. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279, Par. 4.18) This design requirement is not applicable. Identification of Protective Actions (IEEE 279, Par. 4.19) Four control room annunciators are provided to identify the tripped portions of the RPS in addition to the previously described trip channel annunciators:

a. A1 or A2 trip logics tripped, and

b. B1 or B2 trip logics tripped.

These same functions are connected through independent auxiliary contacts of the scram contactors to the process computer to provide a record of the relay operations. Information Readout (IEEE 279, Par. 4.20) The data presented to the operator is both annunciation and relay position indication that the RPS trip logic has been actuated. System Repair (IEEE 279, Par. 4.21) The design of this portion of the RPS complies with this design requirement. 7.A.2-61 REV. 16, APRIL 2006

LSCS-UFSAR Identification of Protection Systems (IEEE 279, Par. 4.22) Each system cabinet is marked with the words "Reactor Protection System," and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinets is identified as part of the reactor protection system wiring. 7.A.2.1.18 Reactor Protection System Reset Switch General Functional Requirement (IEEE 279, Par. 4.1) The RPS reset switch is under the administrative control of the control room operator. Since the reset switch is introduced in parallel with the trip actuator seal in contact through auxiliary relay contacts, failure of the reset switch cannot prevent initiation of protective action when a sufficient number of trip channels assumes the tripped condition. Hence, the automatic initiation requirement for protective action is not invalidated by this reset switch. Single-Failure Criterion (IEEE 279, Par. 4.2) The RPS reset switch and associated logic comply with this design requirement. The reset switch is constructed with a single operator and four physically and electrically separated contact blocks. The wires from the contact blocks go through conduit to metallic terminal boxes. Proper operation of the reset switch and its auxiliary relays can be ascertained during periodic test of the RPS or whenever any particular channel is returned from a tripped state to the normal untripped condition. Failure would be noted as an automatic reset of specific trip actuators (depending upon the cause of failure) rather than remaining in a deenergized state until manually reset. Since opening of the process sensor trip channel is the initiating event for reactor scram, failure of the reset switch will not prevent deenergization of the trip actuators during the time interval that the process actually exceeds the trip setpoint. Quality of Components and Modules (IEEE 279, Par. 4.3) The RPS reset switch chosen for this application is of high reliability and quality. Equipment Qualification (IEEE 279, Par. 4.4) Vendor certification is required that the selected switch performs in accordance with the purchase specification requirements for this application. In addition, in 7.A.2-62 REV. 14, APRIL 2002

LSCS-UFSAR situ operational tests are performed on the switch during the preoperational test phase. Channel Integrity (IEEE 279, Par. 4.5) The RPS reset switch is not a trip channel component; rather, its auxiliary relays are elements in the individual RPS trip logic strings. Nevertheless, it functions properly under normal and abnormal conditions of environment, energy supply, malfunctions, and accidents. Channel Independence (IEEE 279, Par. 4.6) The four RPS reset channels to the trip actuators are physically separated and electrically isolated. Control and Protection System Interaction (IEEE 279, Par. 4.7) Switch contacts of the RPS reset switch are used only to control auxiliary relays. Contacts from the relays are used only in the trip actuator coil circuit. Consequently, this RPS function has no interaction with any other system in the plant. Interlocks exist to control systems only through isolation devices such that no failure or combination of failures in the control system will have any effect on the reactor protection system. Derivation of System Inputs (IEEE 279, Par. 4.8) This design requirement is not applicable. Capability for Sensor Checks (IEEE 279, Par. 4.9) This design requirement is not applicable. Capability for Test and Calibration (IEEE 279, Par. 4.10) Operation of the reset switch following a trip of one RPS trip system confirms that the switch is performing its intended function. Operation of the reset switch following trip of both RPS trip systems confirms that all portions of the switch and relay logic are functioning properly since half of the control rods are returned to a normal state for one actuation of the switch. Channel Bypass or Removal From Operation (IEEE 279, Par. 4.11) This design requirement is not applicable. 7.A.2-63 REV. 13

LSCS-UFSAR Operating Bypasses (IEEE 279, Par. 4.12) This design requirement is not applicable. Indication of Bypasses (IEEE 279, Par. 4.13) This design requirement is not applicable. Access to Means for Bypassing (IEEE 279, Par. 4.14) This design requirement is not applicable. Multiple Setpoints (IEEE 279, Par. 4.15) This design requirement is not applicable. Completion of Protective Action Once It Is Initiated (IEEE 279, Par. 4.16) Under ordinary circumstances, the process sensor initiating reactor scram remains in a tripped condition for a significant length of time (i.e., 2 to 10 seconds minimum) and causes the trip actuators to deenergize and open the seal-in contact in the trip logic. The seal-in contact is opened approximately 13 msec after the process sensor trip channel is placed in the tripped state, and the scram discharge volume high water level sensors will be in a tripped state within approximately 2 seconds. Consequently, the trip actuators will be commanded to deenergize, (1) as long as the process sensor trip channels remain tripped, or (2) as long as the seal-in contact remains open and is not bypassed by gross failure of the RPS reset switch, or (3) as long as the scram discharge volume high water level trip channels or any other RPS trip channels remain in a tripped condition. As a result, failure of the RPS reset switch in such a manner as to bypass the seal-in contacts of the trip actuators does not affect reactor shutdown in any manner. Manual Initiation (IEEE 279, Par. 4.17) Since the RPS reset function does not initiate protective action, the design complies with this design requirement. No single failure in the manual or automatic portions of the system can prevent either a manual or automatic scram. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279, Par. 4.18) This design requirement is not applicable. 7.A.2-64 REV. 13

LSCS-UFSAR Identification of Protective Actions (IEEE 279, Par. 4.19) Reset of the RPS is not a protective action; however, proper operation of the switch may be inferred from removal of annunciated and indicated conditions as the RPS returns to its normally energized state. Information Readout (IEEE 279, Par. 4.20) The information presented to the control room operator is illustrated in the preceding paragraph. System Repair (IEEE 279, Par. 4.21) The design of this protective function complies with this design requirement. Identification of Protection Systems (IEEE 279, Par. 4.22) Each system cabinet is marked with the words "Reactor Protection System," and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinets is identified as part of the reactor protection system wiring. 7.A.2.1.19 Alternate Rod Insertion (ARI) System General Functional Requirements Conformance The ARI system is designed to increase the reliability of the reactor scram system in an ATWS event. Low reactor water level and/or high reactor pressure initiate the ARI system to provide a reactor scram. The four channel trip logic is initiated by RPV high pressure and/or RPV low water level in a 1:2:2 configuration to actuate the ARI scram solenoid valves. A trip in either of the two divisions results in a reactor scram by energizing the ARI scram solenoid valves. Test switches and indicating lights are provided for testing the ARI control logic. The sensors and logics of the ARI system are not part of the CRD or other plant process control system. Therefore, the failure of process control systems instrumentation will not affect the ARI system. The ARI system is designed to meet safety grade requirements. The redundancy of Class 1E power supplies assures the reliable operation of the ARI control logic and actuation of the ARI solenoid operated valves. Operator verification that reactor scram through the ARI system has occurred may be made by observing the following indications:

a. ARI solenoid operated valves position indication

b. ARI initiation annunciator Div. 1 7.A.2-65 REV. 13

LSCS-UFSAR

c. ARI initiation annunciator Div. 2

d. Indicating light for ARI initiation Div. 1

e. Indicating light for ARI initiation Div. 2 Specific Requirement Conformance Automatic initiation of protection system action, reliability, testability, independence, and separation have been designed into this system. The design is in conformance with the following codes and standards.

Institute of Electrical and Electronics Engineers (IEEE) Standards

a. 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations

b. 308-1974, Criteria for Class 1E Power Systems for Nuclear Power Generating Stations

c. 323-1974, Qualifying Class 1E Equipment for Nuclear Power Generating Stations

d. 338-1975, Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Station Class 1E Power and Protection Systems

e. 344-1975, Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations

f. 379-1977, Standard Application of the Single Failure Criteria to Nuclear Power Generating Station Class 1E Systems

g. 384-1977, Standard Criteria for Independence of Class 1E Equipment and Circuits General Functional Requirement (IEEE 279-1971 paragraph 4.1)

The ARI trip logic is initiated by RPV high pressure and/or RPV low water level in a 1:2:2 configuration to actuate the ARI scram solenoid valves. Each divisional control logic consists of two reactor water level and two reactor pressure channels with individual sensors. The reactor water level trip protects the core from being uncovered as a result of falling water level in the vessel and the high reactor pressure trip is to limit the positive pressure effect on the reactor pressure vessel. If either of these variables exceeds its setpoint, a trip signal is generated. 7.A.2-66 REV. 13

LSCS-UFSAR Single Failure Criterion (IEEE 279-1971 paragraph 4.2) The design complies. Quality of Components and Modules (IEEE 279-1971 paragraph 4.3) The division logic circuitry devices selected for the ARI system are high quality and high reliability type devices. These devices are qualified per IEEE 323-1974 and IEEE 344-1975. Equipment Qualification (IEEE 279-1971 paragraph 4.4) At the component level, vendor qualification is required that these parts will operate in accordance with the requirements of the purchase specification. All components, modules and subassemblies in the ARI system are qualified to Industry Standards IEEE 323-1974 and IEEE 344-1975 (See UFSAR 3.10). Channel Integrity (IEEE 279-1971 paragraph 4.5) The logic system complies with this requirement. Channel Independence (IEEE 279-1971 paragraph 4.6) The two divisional arrangement meet this requirement. Control and Protection System Interaction (IEEE 279-1971 paragraph 4.7) The two divisional logic elements are totally separated from any nonprotection system. Electrical cable separation and mechanical separation of the electrical devices on the ARI system assures that no interaction exists with any other plant control systems. The ARI control logic is not electrically interlocked with other plant control systems. Therefore, the failure of other plant control systems will have no effect on the ARI system. Exception of course is obvious for multiple mechanical failures of CRD drives or HCU's that support each CRD hydraulically and pneumatically. Derivation of System Inputs (IEEE 279-1971 paragraph 4.8) The design complies with this requirement. Capability for Sensor Check (IEEE 279-1971 paragraph 4.9) The reactor vessel low water level and reactor high pressure transmitters can be checked for operability by valving out the transmitter from the impulse lines and applying a test pressure source. This verifies the operability of each sensor over its 7.A.2-67 REV. 14, APRIL 2002

LSCS-UFSAR calibration range. The trip units mounted in the auxiliary electrical equipment room are calibrated separately by introducing a calibration signal source and verifying the setpoint. Capability for Test and Calibration (IEEE 279-1971 paragraph 4.10) The ARI control logic can be tested during plant operation. Test switches can be activated from the auxiliary electrical equipment room to prevent opening the ARI solenoid valves inadvertently. Indicating lights and the annunciator inform the operator that an ARI channel test is in progress and that control logic circuits are energized. The reactor water level and reactor pressure sensors for the ARI system may be tested by cross comparison of channels. In addition, each channel may be calibrated individually for its process input by introducing an electronic calibration signal into the trip unit to verify proper trip actuation. The change of state of the trip device may be observed by visual inspection of the trip device indicating light on the logic cabinet. Calibration of the sensing elements may be performed at any operational condition under proper administrative controls. The transmitters must be valved out of service for calibration against a pressure source. Channel Bypass or Removal from Operation (IEEE 279-1971 paragraph 4.11) Valving out of a sensor for calibration can be indicated by manual actuation of the out-of-service indicator. A trip unit in calibration causes automatic actuation of the out-of-service indicator. Calibration of a single transmitter or trip unit causes a channel logic trip, but not an ARI system initiation. Operating Bypasses (IEEE 279-1971 paragraph 4.12) This design requirement is not applicable. Indication of Bypasses (IEEE 279-1971 paragraph 4.13) This design requirement is complied with by indication of test bypasses. Access to Means for Bypassing (IEEE 279-1971 paragraph 4.14) This design requirement is complied with by operator control of test program. Multiple Setpoint (IEEE 279-1971 paragraph 4.15) This design requirement is not applicable. 7.A.2-68 REV. 14, APRIL 2002

LSCS-UFSAR Completion of Protective Action Once it is Initiated (IEEE 279-1971 paragraph 4.16) Once the ARI system is tripped, the ARI solenoid operated valves will be energized to initiate a reactor scram. An annunciator for each division is provided in the control room which informs the operator that the logic has tripped the ARI system. An indicating light also lights when the ARI logic is tripped. The automatic and manual actuation signals to the ARI valves seal-in for 2 minutes to assure that all control rods have time to fully insert. An indicating light is provided to indicate to the operator that manual reset of the ARI logic is permissive. Manual Initiation (IEEE 279-1971 paragraph 4.17) The unique manual ARI switches are provided for each divisional control logic. Failure of an automatic ARI initiation cannot prevent the manual portions of the system from initiating the protective action. In order to avoid inadvertent manual trip of the ARI system, two manual scram switches in each divisional control logic must be activated to permit manual initiation of the ARI function. These switches are located in close proximity to the existing RPS manual scram pushbuttons. Access to Setpoint Adjustments, Calibration and Test Points (IEEE 279-1971), paragraph 4.18 During reactor operation, access to setpoint adjustments, calibration controls, and test points for the following ARI trip variables is under the administrative control of plant supervisory personnel:

a. Reactor vessel low water level trip

b. Reactor vessel high pressure trip Identification of Protective Actions (IEEE 279-1971, paragraph 4.19)

Control annunciators are provided to identify the tripped portions of ARI:

a. Division 1 ARI initiated.

b. Division 2 ARI initiated.

These functions are connected to the process computer to provide a record of the system status. Information Readout (IEEE 279-1971, paragraph 4.20) The information presented to the control room operator satisfies this design requirement. 7.A.2-69 REV. 16, APRIL 2006

LSCS-UFSAR System Repair (IEEE 279-1971, paragraph 4.21) During periodic testing of the logic channel sensors for the following ARI initiating variables, the operator can determine any defective component and replace it during plant operation:

a. Reactor vessel low water level trip

b. Reactor vessel high pressure trip

c. ARI DC/DC Power Supply Identification of Protection Systems (IEEE 279-1971 paragraph 4.22)

A colored nameplate identifies each panel that is part of the ARI system. The nameplate shows the division to which each panel is assigned and also identifies the function of the control panel. The system to which each relay belongs is identified on the relay panels. IEEE 308-1974 (Criteria for Class 1E Power Systems for Nuclear Power Generating Stations) Class 1E DC power is required to energize the control logic and ARI solenoid operated valves. These electrical loads are part of the essential loads, therefore, these electrical loads are physically separated and electrically isolated into redundant load groups so that safety actions provided by redundant counterparts are not compromised. IEEE 323-1974 (Qualifying Class 1E Equipment for Nuclear Power Generating Stations) Written procedures are developed for the design and qualification of all Class 1E electric equipment. This includes preparation of specifications, qualification procedures, and documentation for Class 1E equipment. Equipment qualification is accomplished prior to operation of upgraded equipment installed as a plant modification. Standard manuals are maintained containing specifications, practices and procedures for implementing qualification requirements, and an auditable file of qualification documents is available for review. IEEE 338-1975 (Standard Criteria for Periodic Testing of Nuclear Power Generating Station Class 1E Power and Protection Systems) The design of the ARI system meets the requirements of IEEE 338. The ARI sensors and control logic and one solenoid channel can be tested during plant operation. Opening of the scram solenoid valves will not be tested during plant operation. 7.A.2-70 REV. 13

LSCS-UFSAR IEEE 344-1975 (Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations) Seismic Qualification requirements are satisfied by all Class 1E ARI equipment. Records covering all essential components are maintained. IEEE 379-1977 (Standard Application of the Single Failure Criteria to Nuclear Power Generating Station Class 1E Systems) Application of the single-failure criterion to nuclear power generating station protection systems requirements is satisfied by consideration of the different single failure modes and carefully designing all single-failure modes out of the system through redundant logic design and proper separation of redundant portions of the system. IEEE 384-1977 (Standard Criteria for Independence of Class 1E Equipment and Circuits) Physical independence of the ARI system is provided by separation and isolation of redundant portions of the ARI system, including sensors, wiring, logic devices, and actuating equipment. Signals between redundant Class 1E divisions and between Class 1E and non-Class 1E circuits are electrically isolated or physically separated to preclude a credible single failure from preventing the safety function. Channel independence of the sensors for each variable is provided by electrical isolation and mechanical separation. The A and C sensors for reactor vessel low water levels, for instance, are located on two independent local instrument stands that are Division 1 equipment. The B and D sensors that are Division 2 equipment are located on two other independent instrument stands, widely separated from the Division 1 stands. The A, B, C and D sensors have independent process taps. Each process tap is quadrentially separated from the other. Disabling of one sensor in one location does not disable the control of the other division. Logic cabinets for Division 1 are in a separate physical location from those of Division 2, and each division is complete in itself, with its own essential battery control, instrument bus, and power distribution buses. The divisional split is carried all the way from the process taps to the final actuated equipment, and includes control logic power supplies. 7.A.2.2 Criteria for Class 1E Electric Systems (IEEE 308-1971) This does not apply to the reactor protection system. The reactor protection system is fail-safe, and its power supplies are thus unnecessary for scram. A total loss of power will cause a scram. A loss of one power source will cause a trip system trip. 7.A.2-71 REV. 13

LSCS-UFSAR 7.A.2.3 General Guide for Qualifying Class 1 Electric Equipment (IEEE 323-1971) This is satisfied by complete qualification testing and certification of all essential components. Records covering all essential components are maintained. 7.A.2.4 Periodic Testing of Protection Systems (IEEE 338-1971) This is complied with by being able to test the reactor protection system from sensors to final actuators at any time during plant operation. The test must be performed in overlapping portions. 7.A.2.5 Seismic Qualification of Class 1 Electric Equipment (IEEE 344-1971) These requirements are satisfied by all Class 1 RPS equipment as described in Section 3.10. 7.A.2.6 Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection Systems (IEEE 379-1972) These requirements are satisfied by consideration of the different types of failure and carefully designing all potential violations of the single-failure criterion out of the system. 7.A.2-72 REV. 13

LSCS-UFSAR 7.A.3 Engineered Safety Features Systems 7.A.3.1 Emergency Core Cooling Systems 7.A.3.1.1 IEEE 279-1971 Criteria for Protection Systems for Nuclear Power Generating Stations Compliance of the emergency core cooling systems with IEEE 279-1971 is detailed below. 7.A.3.1.1.1 LPCI The following is a point-by-point comparison of the LPCI system with the requirements of IEEE 279-1971. The LPCI subsystem by itself is not required to meet all the requirements of IEEE 279 since it is backed up by LPCS and the HPCS subsystems. The following comparison is provided only to show the adequacy of the LPCI subsystem design. General Function Requirement (IEEE 279 Paragraph 4.1) IEEE-279 Requirement LPCI Design Provision AUTOINITIATION (1) Appropriate Action Appropriate action for the LPCI control system is defined as activating equipment for introducing water at low pressure into the reactor via vessel injection nozzles when reactor vessel level drops below a predetermined point, or the drywell pressure increases above a predetermined value and reactor vessel pressure is below the pump shutoff head. (2) Precision Precision is a term that does not apply strictly to the LPCI system control because of the wide range of setpoint values that could give appropriate action. However, the sensory equipment will positively initiate action before process variables go beyond precisely established limits. 7.A.3-1 REV. 13

LSCS-UFSAR (3) With Reliability Reliability of the control system is compatible with the controlled equipment so that the overall system reliability is not limited by the controls. (4) Over Full Range of Environmental Conditions

a. Power Supply Tolerance is provided to any degree Voltage of a-c power supply failure such that failures cannot negate successful low-pressure core cooling. D-C power supply failure will affect only one of the two LPCI divisions.

b. Power Supply Same as item 4a preceding.

Frequency

c. Temperature Operable at all temperatures that can result from any design-basis loss-of-coolant accident (LOCA).

d. Humidity Operability at humidities (steam) that can result from LOCA.

e. Pressure Operable at all pressure resulting from a LOCA as required.

f. Vibration Tolerance to 1.5g over frequency of 5 to 33 Hz floor acceleration.

g. Malfunctions Network tolerance to any single component failure to operate on command.

h. Accidents Network tolerance to all design-basis accidents without malfunction.

i. Fire Network tolerance to single wireway fires or mechanical damage.

7.A.3-2 REV. 13

LSCS-UFSAR

j. Explosion Explosions are not defined in bases.

k. Missiles Network tolerance to any single missile destroying no more than one pipe, wireway, or cabinet.

l. Lightning Tolerance to lightning damage limited to one auxiliary bus system.

See comments under item 4a.

m. Flood All control equipment is located above flood level by design.

n. Earthquake 1.5g, 5 to 33 Hz tolerance

o. Wind Building houses all control equipment.

p. System Response Responses are within the Time requirements of need to start ECCS.

q. System Accuracies Accuracies are within that needed for correct timely action.

r. Abnormal Ranges of Sensors are not subject to saturation Sensed Variables when overranged.

Single-Failure Criterion (IEEE 279-1971 Paragraph 4.2) Redundancy in equipment and control logic circuitry is provided so that it is highly unlikely that the complete LPCI system can be rendered inoperative. Two control logic circuits are provided. Control logic "A" is provided to initiate loop A pump and valves, and logic "B" is provided to initiate loop B and loop C equipment. Tolerance to the following single failures or events is provided in the control logic initiation circuitry so that these failures will be limited to the possible disabling of the initiation of only one loop (one of three pumps available):

a. single open circuit; 7.A.3-3 REV. 13

LSCS-UFSAR

b. single short circuit;

c. single relay failure to pick up;

d. single relay failure to drop out;

e. single module failure (including shorts, opens, and grounds);

f. single control cabinet destruction (including shorts, opens, and grounds);

g. single local instrument rack destruction (including shorts, opens, and grounds);

h. single wireway destruction (including shorts, opens, and grounds);

i. single control power supply failure;

j. single motive power supply failure;

k. single control circuit failure;

l. single sensing line (pipe) failure; and

m. burnout of any single electrical component.

Quality of Components and Modules (IEEE 279-1971 Paragraph 4.3) Components used in the LPCI control system have been carefully selected for the specific application. Ratings have sufficient conservatism to ensure against significant deterioration over the lifetime of the plant as illustrated below:

a. Switch and relay contacts carry no more than 50% of their continuous current rating.

b. Controls are energized to operate and have brief and infrequent duty cycles.

c. Motor starters and breakers are effectively derated for motor starting applications since their nameplate ratings are based on short-circuit interruption capabilities as well as on continuous current carrying capabilities. Short-circuit current-interrupting capabilities are many times the starting current for the motors, 7.A.3-4 REV. 13

LSCS-UFSAR so that normal duty does not begin to approach maximum equipment capability.

d. Normal motor starting equipment ratings include allowance for a much greater number of operating cycles than the emergency core cooling application demands, including testing.

e. Instrumentation and controls are heavy-duty standard industrial designs well proven by service in industry or in nuclear power plant applications.

f. These components are subjected to the manufacturers' normal quality control and undergo functional testing on the panel assembly floor as part of the integrated module test prior to shipment of each panel. Only those components which have demonstrated a high degree of reliability and serviceability in other functionally similar applications are selected for use.

Furthermore, a quality control and assurance program is required, to be implemented and documented by equipment vendors, with the intent of complying with the requirements set forth in 10 CFR 50 1975. Equipment Qualification (IEEE 279-1971 Paragraph 4.4) No components of the LPCI system are required to operate in the drywell environment except for the condensate pots used with the vessel level sensors. All other sensory equipment is located outside the drywell and is capable of accurate operation with wider changes in ambient temperature than results from normal or abnormal (loss-of-ventilation and loss-of-coolant accident) conditions. Reactor vessel level sensors are of the same type as for the RPS and meet the same standards. Drywell high-pressure sensors are of the same type as used for the RPS and meet the same standards. Reactor vessel low-pressure permissive switches are of the same type as those discussed for the RPS. Control panels and relay logic cabinets are located in the control room or auxiliary relay room environment, which presents no new or unusual operating considerations. All components used in the LPCI system have demonstrated reliable operation in similar nuclear power plant protection systems or industrial applications. Channel Integrity (IEEE 279-1971 Paragraph 4.5) The LPCI system initiation channels (low water level or high drywell pressure) are designed to satisfy the channel integrity objective. 7.A.3-5 REV. 13

LSCS-UFSAR Channel Independence (IEEE 279-1971 Paragraph 4.6) Channel independence of the sensors for each variable is provided by electrical isolation and mechanical separation. The A and C sensors for reactor vessel level, for instance, are located on one local instrument rack that is identified as Division 1 equipment, and the B and D sensors are located on a second instrument rack, widely separated from the first and identified as Division 2 equipment. The A and C sensors have a common process tap, which is widely separated from the corresponding tap for sensors B and D. Disabling of one or all sensors in one location does not disable the control for the other division. Relay cabinets for Division 1 are in a separate physical division from that of Division 2, and each division is complete in itself, with its own station battery control and instrument bus, power distribution buses, and motor control centers. The divisional split is carried all the way from the process taps to the final control element, and includes both control and motive power supplies. Although there are only two sensors for each variable in each division, these sensors back each other up as described in the preceding paragraph. Control and Protection System Interaction (IEEE 279-1971 Paragraph 4.7) The LPCI system is a safety system designed to be independent of plant control systems. Annunciator circuits using contacts of sensors and logic relays cannot impair the operability of the system control because of electrical isolation. Derivation of System Inputs (IEEE 279-1971 Paragraph 4.8) The inputs which start the LPCI system are direct measures of the variables that indicate need for low-pressure core cooling, viz., reactor vessel low water, high drywell pressure, and reactor low-pressure. Reactor vessel level is sensed by differential pressure transmitters which send and analog signal to the trip units. Drywell high-pressure is sensed by pressure switches. Reactor low pressure is sensed by one of two pressure switches plus a pressure switch between each LPCI injection valve and the adjacent check valve. Three pressure switches are arranged in a one-out-of-two plus one-out-of-one logic configuration for each LPCI loop. Two pressure switches sense reactor pressure for half of the logic and each dedicated LPCI pressure sensor senses line pressure between the LPCI injection valve and its adjacent check valve for the other half of the logic train. The low pressure ECCS interlock is satisfied in each LPCI loop by closure of two specific pressure switches. 7.A.3-6 REV. 13

LSCS-UFSAR Capability for Sensor Checks (IEEE 279-1971 Paragraph 4.9) All sensors are of the pressure-sensing type and are installed with calibration taps and instrument valves to permit testing during normal plant operation or during shutdown. The reactor low-pressure switches can be easily checked for operability during plant operation by closing the instrument valve and bleeding off pressure to the low-pressure actuation point and observing channel trip. The reactor vessel level transmitters and trip units can be similarly checked for operability by closing the low-side instrument valve and bleeding off a small amount of water through the low-side bleed plugs (which are provided for venting the instruments) while observing the scale reading and channel trip indication in either the main control room or auxiliary electrical equipment room at the relay logic cabinets and then reopening the instrument valve. The drywell high-pressure switches can be checked only by application of gas pressure from a low-pressure source (instrument air or inert gas bottle) after closing the instrument valve and opening the calibration valve. Capability for Test and Calibration (IEEE 279-1971 Paragraph 4.10) The LPCI system is capable of being completely tested during normal plant operation to verify that each element of the system, active or passive, is capable of performing its intended function. Sensors can be exercised by applying test pressures. The setpoint of the trip units can be checked in place by applying a calibration signal to the unit. Logic relays can be exercised by means of plug-in test switches used alone or in conjunction with single sensor tests. Pumps can be started by the appropriate breakers to pump against system check valves (or return to suppression pool through test valves) while the reactor is at pressure. Motor-operated valves can be exercised by the appropriate control relays and starters, and all indications and annunciations can be observed as the system is tested. LPCI water will not actually be introduced into the vessel except initially before fuel loading. Channel Bypass or Removal from Operation (IEEE 279-1971 Paragraph 4.11) Calibration of each sensor will introduce a single instrument channel trip. This does not cause a protective function without coincident operation of a second channel. Removal of an instrument channel from service during calibration will be brief and in compliance with the special provision of IEEE 279-1971 Paragraph 4.11 for one-out-of-two times two systems. 7.A.3-7 REV. 13

LSCS-UFSAR Operating Bypasses (IEEE 279-1971 Paragraph 4.12) The LPCI subsystem has no provision for automatic operating bypasses. Indication of Bypasses (IEEE 279-1971 Paragraph 4.13) The LPCI subsystem has no automatic operating bypasses. Manual bypasses are indicated in the control room via the ESF status indication panel as described in Section 7.8. Manual bypasses consist of "racking-out" pump breakers, opening starter feeder breakers at valve motor control centers, shutting isolation valves to instruments and sensors which actuate the subsystem, and other operations meeting the three conditions given in Regulatory Guide 1.47. The LPCI has test bypasses generated by the insertion of test jacks. Any test bypass will annunciate at the system level, e.g., "LPCI in test" in the control room. Refer to Section 7.8 for further discussion on ESF Status Display. Access to Means for Bypassing (IEEE 279-1971 Paragraph 4.14) Access to switchgear is procedurally controlled by the use of lockable doors on the emergency switchgear rooms. Multiple Setpoints (IEEE 279-1971 Paragraph 4.15) Paragraph 4.15 of IEEE 279-1971 is not applicable because all setpoints are fixed. Completion of Protective Action Once It Is Initiated (IEEE 279-1971 Paragraph 4.16) The final control elements for the LPCI system are essentially bistable, i.e., pump breakers stay closed without control power, and motor-operated valves stay open once they have reached their open position, even though the motor starter may drop out (which occurs when the valve open limit switch is reached). In the event of an interruption in a-c power, the control system resets itself and recycles on restoration of power. Protective action once initiated must thus go to completion or continue until terminated by deliberate operator action. Manual Initiation (IEEE 279-1971 Paragraph 4.17) In no event can failure of an automatic control circuit for equipment in one division disable the manual electrical control circuit for the other LPCI division. Single electrical failures cannot disable manual electric control of the LPCI function. 7.A.3-8 REV. 13

LSCS-UFSAR The LPCI A has an armed manual initiation pushbutton in parallel with the automatic initiation logic. This manual initiation also initiates LPCS. The LPCI B and C systems have armed manual initiation pushbuttons in parallel with the automatic initiation logic. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279-1971 Paragraph 4.18) Setpoint adjustments for the LPCI system reactor low pressure and high drywell pressure instrument trip channels are integral with the sensors on the local instrument racks and cannot be changed without the use of tools to remove covers over these adjustments. Setpoint adjustments for the reactor vessel low level instrument trip channels are integral with the trip units in the relay logic cabinets and also require the use of tools. Test points are incorporated into the control relay cabinets, which are capable of being locked to prevent unauthorized actuation. The range (or span) of the drywell and reactor vessel pressure switches is not adjustable. Because of these restrictions, compliance with this requirement of IEEE 279-1971 is considered complete. Identification of Protective Actions (IEEE 279-1971 Paragraph 4.19) Protective actions are directly indicated and identified by annunciator operation, sensor relay indicator lights, trip unit indicating lights, or action of the sensor relay, which has an identification tag and a clear glass-front window permitting convenient, visible verification of the relay position. Any one of these indications should be adequate, so this combination of annunciation and visible verification relay actuation fulfills the requirements of this criterion. Information Readout (IEEE 279-1971 Paragraph 4.20) The LPCI data is indicated/annunciated to provide the operator with accurate and timely information pertinent to its status. It does not introduce signals into other systems that could cause anomalous indications confusing to the operator. Periodic testing is the means provided for verifying the operability of the LPCI components. By proper selection of test period, compatible with the historically established component reliability, authentic and timely indications are made available. Information is provided on a continuous basis so that the operator can have a high degree of confidence that the LPCI function is available or/is operating properly. In addition to the annunciators, there are other indications on the main control room panel as follows:

a. valve position lights, 7.A.3-9 REV. 13

LSCS-UFSAR

b. pump monitor lights,

c. pump flow indicators.

System Repair (IEEE 279-1971 Paragraph 4.21) The LPCI control system is designed to permit repair or replacement of components. All devices in the system are designed for a 40-year lifetime under the imposed duty cycles. Since this duty cycle is composed mainly of periodic testing rather than operation, lifetime is more a matter of "shelf life" than active life. However, all components are selected for continuous duty plus thousands of cycles of operation, far beyond that anticipated in actual service. The pump breakers are an exception to this with regard to the large number of operating cycles available. Nevertheless, even these breakers should not require contact replacement within 40 years, assuming periodic pump starts each 3 months. Recognition and location of a failed component is routinely accomplished during periodic testing. The simplicity of the logic makes the detection and location relatively easy, and components are mounted in such a way that they can be conveniently replaced in a short time. For example, estimated replacement time for the type relays used is less than 30 minutes. Sensors which are connected to the instrument piping cannot be changed so readily, but they are required to be connected with separable screwed or bolted fittings and could be changed in less than 1 hour, including electrical connection replacement. Identification (IEEE 279-1971 Paragraph 4.22) A colored nameplate identifies each panel and instrument rack that is part of the LPCI system. The nameplate shows the division to which each panel or rack is assigned, and also identifies the function in the system of each item on the control panel. The system to which each relay belongs is identified on the relay panels. 7.A.3.1.1.2 LPCS The following is a point-by-point comparison of the LPCS system with the requirements of IEEE 279-1971. The LPCS is a single pump system which by itself is not required to meet all the requirements of IEEE 279-1971, since it is backed up by LPCI and the HPCS systems. General Functional Requirement (IEEE 279-1971 Paragraph 4.1) IEEE 279-1971 Requirement LPCS Design Provision AUTO/INITIATION OF 7.A.3-10 REV. 13

LSCS-UFSAR (1) Appropriate Action Appropriate automatic action for the LPCS control system is defined as the activation of equipment for introducing low pressure water through the LPCS sparger when reactor vessel level drops below a predetermined point or the drywell pressure increases above a predetermined value, and the vessel pressure is below a predetermined value lower than the pump shutoff head. (2) Precision Precision is a term that does not apply strictly to the LPCS system control because of the wide range of setpoint values that could give appropriate action. However, the sensory equipment will positively initiate action before process variables go beyond precisely established limits. (3) Reliability Reliability of the control system is compatible with the controlled equipment so that the overall system reliability is not limited by the controls. (4) Over Full Range of Environmental Conditions

a. Power Supply System will not tolerate Division 1 a-c or d-c Voltage power failure; however, network redundancy assures adequate core cooling capability.

b. Temperature System operates at all temperatures that can result from an accident.

c. Humidity System operates at humidities (steam) that can result from loss-of-coolant accident.

d. Pressure System operates at all pressures resulting from LOCA as required.

e. Vibration Tolerance to 1.5g floor acceleration over frequency of 5 to 33 Hz.

7.A.3-11 REV. 13

LSCS-UFSAR

f. Malfunctions Network tolerance to any single component failure to operate on command.

g. Accidents Network tolerance to all design-basis accidents without malfunction.

h. Fire Network tolerance to single wireway fire mechanical damage.

i. Explosions Explosions not defined in bases.

j. Missiles Network tolerance to any single missile destroying no more than one pipe, wireway, or cabinet.

k. Lightning Ungrounded d-c system not subject to lightning strikes.

l. Flood All control equipment is located above flood level by design.

m. Earthquake 1.5g, 5 to 33 Hz floor acceleration tolerance.

n. Wind Seismic Category I building houses all control equipment.

o. System Response Time Responses within the requirements of need to start ECCS.

p. System Accuracies Accuracies within that needed for correct timely action.

q. Abnormal Ranges Sensors are not subject to saturation when of Sensed Variables overranged.

Single-Failure Criterion (IEEE 279-1971 Paragraph 4.2) The LPCS alone is not required to meet the single-failure criterion. The control logic circuits for initiation and control are housed in a single relay cabinet, and the power supply for the control logic and other equipment is from a single d-c power source. 7.A.3-12 REV. 13

LSCS-UFSAR The LPCS initiation sensors do, however, meet the single-failure criterion. Quality of Components and Modules (IEEE 279-1971 Paragraph 4.3) Components used in the LPCS control system have been carefully selected for the specific application. Ratings have been selected to ensure against significant deterioration over the lifetime of the plant as illustrated below:

a. Switch and relay contacts carry no more than 50% of their continuous current rating.

b. Controls are energized to operate and have brief and infrequent duty cycles.

c. Motor starters and breakers are effectively derated for motor starting applications since their nameplate ratings are based on short-circuit interruption capabilities as well as on continuous current-carrying capabilities. Short-circuit current-interrupting capabilities are many times the starting current for the motors being started, so that normal duty does not begin to approach maximum equipment capability.

d. Normal motor starting equipment ratings include allowance for a much greater number of operating cycles than the emergency core cooling application demands, even including testing.

e. Instrumentation and controls are heavy-duty standard industrial designs well proven by service in industry or in nuclear power plant applications.

f. These components are subjected to the manufacturers' normal quality control and undergo functional testing on the panel assembly floor as part of the integrated module test prior to shipment of each panel. Only components which have demonstrated a high degree of reliability and serviceability in other functionally similar applications are selected for use in the LPCS control system.

Furthermore, a quality control and assurance program is required, to be implemented and documented by equipment vendors with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B. 7.A.3-13 REV. 13

LSCS-UFSAR Equipment Qualification (IEEE 279-1971 Paragraph 4.4) - Environmental No components of the LPCS control system are required to operate in the drywell environment except for the condensation pots of the vessel level sensors. Other process sensor equipment for LPCS initiation is located outside the drywell and is capable of accurate operation in ambient temperature conditions that result from abnormal (loss-of-ventilation and loss-of-coolant accident) conditions. Panels and the relay cabinet are located in the control room and/or auxiliary relay room environment. There are no components in the LPCS control system that have not demonstrated their reliable operability in previous applications in nuclear power plant protection system or in extensive industrial use. Channel Integrity (IEEE 279-1971 Paragraph 4.5) The LPCS system instrument initiation channels satisfy the channel integrity objective of this paragraph. Channel Independence (IEEE 279-1971 Paragraph 4.6) Channel independence does not strictly apply to the LPCS system, since the one-out-of-two taken twice logic is combined in a single logic trip system. Independence is provided between LPCS and the redundant portions of the ECCS network in Divisions 2 and 3. Control and Protection System Interaction (IEEE 279-1971 Paragraph 4.7) The LPCS system is a safety system designed to be independent of plant control systems. Annunciator circuits using contacts of sensors and logic relays cannot impair the operability of the system control because of the electrical isolation. Derivation of System Inputs (IEEE 279-1971 Paragraph 4.8) The inputs that start the LPCS system are direct measures of the variables that indicate need for low-pressure core cooling; viz., reactor vessel low water level, high drywell pressure, and reactor low-pressure. Reactor vessel level and drywell pressure sensors are described in Subsection 7.3.1.2.3.2. Reactor low-pressure is sensed by one of two pressure switches plus a pressure switch between the LPCS injection valve and its adjacent check valve. Three pressure switches are arranged in a one-out-of-two plus one-out-of-one logic configuration for the LPCS loop. Two pressure switches directly sense reactor 7.A.3-14 REV. 13

LSCS-UFSAR pressure for half of the logic and one pressure sensor between the LPCS injection valve and its adjacent check valve senses pressure there for the other half of the logic train. The low pressure interlock is satisfied for LPCS by closure of two specific pressure switches. Capability for Sensor Checks (IEEE 279-1971 Paragraph 4.9) All sensors are of the pressure-sensing type and are installed with calibration taps and instrument valves, to permit testing during normal plant operation or during shutdown. The reactor low-pressure switches can be easily checked for operability during plant operation by closing the instrument valve and bleeding off pressure to the low-pressure actuation point while observing channel trip. The reactor vessel level transmitters and trip units can be similarly checked for operability by closing the low-side instrument valve and bleeding off a small amount of water through the low-side bleed plugs (which are provided for venting the instruments) while observing the scale reading and channel trip indication in either the main control room or the auxiliary electrical equipment room at the relay logic cabinets and then reopening the instrument valve. The drywell high-pressure switches can be checked only by application of gas pressure from a low-pressure source (instrument air or inert gas bottle) after closing the instrument valve and opening the calibration valve. Capability for Test and Calibration (IEEE 279-1971 Paragraph 4.10) The LPCS control system is capable of being completely tested during normal plant operation to verify that each element of the system, active or passive, is capable of performing its intended function. Sensors can be exercised by applying test pressures. The setpoint of the trip units can be checked in place by applying a calibration signal to the unit. Logic relays can be exercised by means of plug-in test switches used alone or in conjunction with single sensor tests. Pumps can be started by the appropriate breakers to pump against system check valves (or return to suppression pool through test valves) while the reactor is at pressure. Motor-operated valves can be exercised by the appropriate control relays and starters, and all indications and annunciations can be observed as the system is tested. LPCS water is not actually introduced into the vessel except initially before fuel loading. Channel Bypass or Removal from Operation (IEEE 279-1971 Paragraph 4.11) Calibration of a sensor which introduces a single instrument channel trip does not cause a protective function without the coincident trip of a second channel. There are no instrument channel bypasses. Removal of a sensor from operation during 7.A.3-15 REV. 13

LSCS-UFSAR calibration does not prevent the redundant instrument channel from functioning if accident conditions occur. Removal of an instrument channel from service during calibration is brief. Operating Bypasses (IEEE 279-1971 Paragraph 4.12) The LPCS has no provision for operating bypasses. Indication of Bypasses (IEEE 279-1971 Paragraph 4.13) The LPCS subsystem has no automatic operating bypasses. Manual bypasses are indicated in the control room via the ESF status indication panel as described in Section 7.8. Manual bypasses consist of "racking-out" pump breakers, opening starter feeder breakers at valve motor control centers, shutting isolation valves to instruments and sensors which actuate the subsystem and other operations meeting the three conditions given in Regulatory Guide 1.47. The LPCS controls have test bypasses generated by the insertion of test jacks. Any test bypass annunciates at the system level, i.e., "LPCS in test." Refer to Section 7.8 for further discussion on ESF Status Displays. Access to Means for Bypassing (IEEE 279-1971 Paragraph 4.14) Access to switchgear, motor control centers, and instrument valves is procedurally controlled by the following administrative means or other suitable alternatives:

a. seals (or locks) on instrument valves,

b. lockable doors on the emergency switchgear rooms, and

c. lockable breaker control switch handles in the motor control centers.

Multiple Setpoints (IEEE 279-1971 Paragraph 4.15) Paragraph 4.15 of IEEE 279-1971 is not applicable because all setpoints are fixed. Completion of Protective Action Once It Is Initiated (IEEE 279-1971 Paragraph 4.16) The final control elements for the LPCS system are essentially bistable, i.e., pump breakers stay closed without control power, and motor-operated valves stay open once they have reached their open position, even though the motor starter may drop 7.A.3-16 REV. 13

LSCS-UFSAR out (which will occur when the valve open limit switch is reached). In the event of an interruption in a-c power, the control system resets itself and recycles on restoration of power. Thus protective action once initiated must go to completion or continue until terminated by deliberate operator action. Manual Initiation (IEEE 279-1971 Paragraph 4.17) The LPCS has an armed manual initiation pushbutton in parallel with the automatic initiation logic. This manual initiation also starts LPCI A. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279-1971 Paragraph 4.18) Setpoint adjustments for the LPCS reactor low pressure and high drywell pressure instrument trip channels are integral with the sensors on the local instrument racks and cannot be changed without the use of tools to remove covers over these adjustments. Setpoint adjustments for the reactor vessel low level instrument channels are integral with the trip units in the relay logic cabinets and also require the use of tools. Test points are incorporated into the control relay cabinets, which are capable of being locked to prevent unauthorized actuation. The range (or span) of the drywell and reactor vessel pressure switches is not adjustable. Because of these restrictions, compliance with this section of IEEE 279-1971 is considered complete. Identification of Protective Actions (IEEE 279-1971 Paragraph 4.19) Protective actions are directly indicated and identified by annunciator operation, sensor relay indicator lights, trip unit indicating lights, or action of the sensor relay, which has an identification tag and a clear glass-front window permitting convenient, visible verification of the relay position. Any one of these indications is adequate, so this combination of annunciation and visible verification of relay actuation fulfills the requirements of this criterion. Information Readout (IEEE 279-1971 Paragraph 4.20) The LPCS data is indicated/annunciated to provide the operator with accurate and timely information pertinent to its status. Periodic testing is the means provided for verifying the operability of components. By proper selection of the test period, compatible with the historically established component reliability, authentic and timely indications are made available. Information is provided on a continuous basis so that the operator can have a high degree of confidence that the LPCS function is available or/is operating properly. 7.A.3-17 REV. 13

LSCS-UFSAR In addition to the annunciators, there are other indications on the main control room panel as follows:

a. valve position lights,

b. pump monitor lights, and

c. pump flow indicators.

System Repair (IEEE 279-1971 Paragraph 4.21) The LPCS control system is designed to permit repair or replacement of components. All devices in the system are designed for a 40-year lifetime under the imposed duty cycles. Since this duty cycle is composed mainly of periodic testing rather than operation, lifetime is more a matter of "shelf life" than active life. However, all components are selected for continuous duty plus thousands of cycles of operation, far beyond that anticipated in actual service. The pump breakers are an exception to this with regard to the large number of operating cycles. Nevertheless, even these breakers should not require contact replacement within 40 years, assuming periodic pump starts each 3 months. Recognition and location of a failed component is accomplished during periodic testing. The simplicity of the logic makes the detection and location relatively easy, and components are mounted in such a way that they can be conveniently replaced in a short time. For example, estimated replacement time for the relays used is less than 30 minutes. Sensors which are connected to the instrument piping cannot be changed so readily, but they are required to be connected with separable screwed or bolted fittings and could be changed reasonably in less than 1 hour, including electrical connection replacement. Identification (IEEE 279-1971 Paragraph 4.22) A colored nameplate identifies each panel and instrument rack that is part of the LPCS system. The nameplate shows the division to which each panel or rack is assigned and also identifies the function in the system of each item on the control panel. The system to which each relay belongs is identified on the relay panels. 7.A.3.1.1.3 Automatic Depressurization System (ADS) The following is a point-by-point comparison of the ADS with the requirements of IEEE 279-1971: 7.A.3-18 REV. 13

LSCS-UFSAR General Functional Requirement (IEEE 279-1971 Paragraph 4.1)

a. Appropriate Action Appropriate action is defined as initiating the opening of a specified number of valves when loss of primary coolant is detected by reactor vessel low level which persists for approximately 2 minutes and is confirmed by high drywell pressure, provided that low-pressure core cooling equipment is available and operating. The high drywell pressure signal can be automatically bypassed as described in Section 7.3.1.2.2.3.

The ADS design accomplishes the "appropriate action" described above.

b. With Precision The accuracy requirements for initiating ADS (like those for the LPCI) are not such that precision of measurement is required.

Sensors are of the same type and subject to the same errors as those for the LPCI system. "Precision" provided by these instruments is adequate to give positive automatic depressurization initiation before the vessel water level can go below a tolerable point. The ADS control design achieves the degree of precision necessary to ensure appropriate initiation of the protective function when needed and precludes inadvertent initiation under extremes of environment related errors in instrumentation.

c. Reliability The reliability of the automatic depressurization control system is higher than the reliability of the actuated equipment (valves).

The ADS consists of physically isolated dual, independent channels: sensors, logics, and actuating devices.

d. Over the full range of environmental conditions, e.g., fire, accidents, missiles, etc., the LPCI tabulation applies to ADS.

Separate routing of the ADS conduits within the drywell reduces to a very low probability the potential for missile damage to more than one conduit to ADS or damage to the pilot solenoid assemblies of ADS valves. 7.A.3-19 REV. 13

LSCS-UFSAR Single-Failure Criterion (IEEE 279-1971 Paragraph 4.2) The ADS system, comprised of two independent sets of controls for the two pilot solenoids, meets all credible aspects of the single failure criterion. At least two failures would have to occur to cause actuation. Tolerance to the following single failures or events has been incorporated into the control system design and installation:

a. single open circuit;

b. single short circuit;

c. single relay failure to pick up;

d. single relay failure to drop out;

e. single module failure (including multiple shorts, opens, and grounds);

f. single control cabinet destruction (including multiple shorts, opens, and grounds);

g. single instrument rack destruction (including multiple shorts, opens, and grounds);

h. single wireway destruction (including multiple shorts, opens, and grounds);

i. single control power supply failure (any mode);

j. single motive power supply failure (any mode);

k. single control circuit failure;

l. single sensing line (pipe) failure; and

m. burnout of any single electrical component.

Quality of Components and Modules (IEEE 279-1971 Paragraph 4.3) Components used in the ADS control system have been carefully selected on the basis of suitability for the specific application. Ratings have been selected with sufficient conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant as illustrated below: 7.A.3-20 REV. 13

LSCS-UFSAR

a. Switch and relay contacts carry no more than 50% of their continuous current rating.

b. Controls are energized to operate and have brief and infrequent duty cycles.

c. Instrumentation and controls are heavy-duty standard industrial designs well proven by service in industry or in nuclear power plant applications.

d. These components are subjected to the manufacturers' normal quality control and undergo functional testing on the panel assembly floor as part of the integrated module test prior to shipment of each panel. Only components which have demonstrated a high degree of reliability and serviceability in other functionally similar applications are selected for use in the ADS.

Furthermore, a quality control and assurance program is required to be implemented and documented by equipment vendors with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B. Equipment Qualification (IEEE 279-1971 Paragraph 4.4) The solenoid valves, their cables, and the relief valve mechanical operators of the automatic depressurization system are located inside the drywell and must remain operable in the loss-of-coolant accident environment. These items are selected with capabilities that permit proper operation in the most severe environment resulting from a design-basis loss-of-coolant accident and have been environmentally tested to verify the selection. Gamma and neutron radiation is also considered in the selection of these items and only materials which are expected to tolerate the integrated dosage superimposed on other environmental factors for at least a 40-year period of normal plant operation without excessive deterioration (i.e., no need for a replacement is anticipated) are used. Other components of the ADS control system which are required to operate in the drywell environment are the condensate pots for the vessel level sensors. All other sensory equipment is located outside the drywell and is capable of accurate operation with wider swings in ambient temperature than results from normal or abnormal (loss-of-ventilation and loss-of-coolant accident) conditions. Reactor vessel level sensors are of the same type as for the RPS and meet the same standards. Drywell high-pressure sensors are of the same type as used for the RPS and meet the same standards. Control panels and relay logic cabinets are located in the control room or auxiliary relay room environment, which presents no new or unusual operating considerations. 7.A.3-21 REV. 13

LSCS-UFSAR All components used in the ADS control system have demonstrated reliable operation in similar nuclear power plant protection system or industrial applications. Channel Integrity (IEEE 279-1971 Paragraph 4.5) The ADS system initiation channels (low water level or high drywell pressure) satisfy the channel integrity objective of this paragraph. Channel Independence (IEEE 279-1971 Paragraph 4.6) Channel independence for sensors exposed to each variable is provided by electrical and mechanical separation. The A sensors for reactor vessel level for instance are located on one local instrument rack identified as Division 1 equipment, and the B sensors are located on a second instrument rack widely separated from the first and identified as Division 2 equipment. The A sensors have a common pair of process taps which are widely separated from the corresponding taps for sensors B. Disabling of one or both sensors in one location does not disable the control for both of the automatic depressurization control channels. Logic relays for the ADS are separated into Division 1 and Division 2 located in separate cabinets. Separate locations are provided on the control panels for all ADS controls. Control and Protection System Interaction (IEEE 279-1971 Paragraph 4.7) The automatic depressurization system is a safety system designed to be independent of plant control systems. Derivation of System Inputs (IEEE 279-1971 Paragraph 4.8) Inputs which start the automatic depressurization are direct measures of the variables that indicate need and acceptable conditions for rapid depressurization of the reactor vessel; viz., reactor vessel low water verified by high drywell pressure and at least one low-pressure core cooling subsystem developing adequate discharge pressure. The high drywell pressure signal can be automatically bypassed as described in Section 7.3.1.2.2.3. Capability for Sensor Checks (IEEE 279-1971 Paragraph 4.9) All sensors are of the pressure-sensing type and are installed with calibration taps and instrument valves which allow for the application of a test pressure for calibration and/or functional tests during normal plant operation or during 7.A.3-22 REV. 13

LSCS-UFSAR shutdown. Actuation of one, two, or three sensors cannot initiate automatic depressurization. The reactor vessel level transmitters and trip units can be checked for operability by closing one instrument valve and bleeding off a small amount of water through the bleed valves provided for venting the instruments while observing the scale reading and channel trip indication in either the main control room or auxiliary electrical equipment room at the relay logic cabinets. Indicators can be exercised slowly over their entire range during normal plant operation by this mechanism. The drywell high-pressure switches can be checked only by application of gas pressure from any convenient low-pressure source (instrument air or inert gas bottle), after closing the instrument valve and opening the calibration valve. Capability for Test and Calibration (IEEE 279-1971 Paragraph 4.10) The ADS is not tested in its entirety during actual plant operation, but provisions are incorporated so that operability of all elements of the system can be verified at periodic intervals. The operability of individual valves may be verified by means of the individual control switches on the main control room panels. Testing of control circuitry is accomplished at the control relay cabinets by means of test jacks, switches, and indicator lights while exercising sensors one at a time. The test method is generally as follows: Action Observation

1. Exercise a sensor or a. Sensor relay pickup trip unit b. Alarm is given

2. Start an LPCS or RHR a. Off-normal alarm (LPCI mode) pump b. Low-pressure cooling system available relay pickup

3. Exercise logic channel by a. Logic channel relay pickup means of plug-in test switch b. Continuity lights on each valve circuits are energized

4. Reset logic channel a. Annunciators clear

5. Repeat above steps for Same as for associated other sensor, other low steps above.

pressure core cooling pumps, other logic channels. 7.A.3-23 REV. 13

LSCS-UFSAR Channel Bypass or Removal from Operation (IEEE 279-1971 Paragraph 4.11) Calibration of each sensor introduces a single instrument channel trip. This does not cause a protective action without the coincident trip of three other channels. Removal of an instrument channel from service during calibration is brief and does not significantly increase the probability of failure to operate. The high drywell pressure signal to ADS can be bypassed as discussed in Section 7.3.1.2.2.3. This will not prevent the trip channels from functioning. Removal of a sensor from operation during calibration does not prevent the redundant trip circuit from functioning if accident conditions occur. The manual reset buttons can interrupt the automatic depressurization for a limited time. However, releasing either one of the two reset buttons allows automatic timing and action to resume. A manual inhibit switch is provided in each division to allow the operator to inhibit the system without repeatedly pressing the reset button. Operating Bypasses (IEEE 279-1971 Paragraph 4.12) The ADS system has no provisions for operating bypasses of a protective function. The ADS high drywell pressure signal bypass as discussed in Section 7.3.1.2.2.3. acts as a interlock and is not technically a bypass as discussed in IEEE 279. Indication of Bypasses (IEEE 279-1971 Paragraph 4.13) A manual inhibit switch in each division manual operation of both of the reset buttons in the two ADS redundant divisions, and opening the control power breakers is the only electrical means for disabling the ADS. Control power loss or use of the manual inhibit switch is annunciated. The ADS controls have test bypasses generated by the insertion of test jacks. Any test bypass annunciates at the system level i.e., "ADS in test." Access to Means for Bypassing (IEEE 279-1971 Paragraph 4.14) Instrument valves are sealed or locked in normal operating position and cannot be operated without permission of responsible authorized personnel. Reset buttons are on the control panel in the main control room. Control power breakers are in d-c distribution cabinets which are normally locked and under control of the operator. Multiple Setpoints (IEEE 279-1971 Paragraph 4.15) All trip points are fixed except the seven low-low set valves. The requirement is met with single-failure-proof setpoint transfer and annunciation as discussed in Subsection 7.3.1.2.2.10. 7.A.3-24 REV. 13

LSCS-UFSAR Completion of Protective Action Once It Is Initiated (IEEE 279-1971 Paragraph 4.16) Each of the redundant systems for the automatic depressurization control seals in electrically and remains energized until manually reset by one of the two reset pushbuttons. Manual Initiation (IEEE 279-1971 Paragraph 4.17) The ADS has four manual initiation switches. Two switches are in each of the two ADS systems (A&B). Both switches for one system have to be closed to initiate ADS manually. To further preclude inadvertent actuation, each switch is equipped with a collar which must be turned before electrical contacts of the pushbutton are effective. Thus, to initiate ADS manually, the operator must turn two collars and depress two pushbuttons. Whenever a collar is turned, an annunciator is actuated. The ADS automatic initiation delay timer is provided to give HPCS ample time to automatically restore vessel level so that ADS actuation will not be needed. This delay timer is not provided for manual initiation, since the operator does not initiate ADS until he determines it necessary without further delay. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279-1971 Paragraph 4.18) Comments of the LPCI discussion of Paragraph 4.18 are pertinent to this item and show compliance. Identification of Protective Actions (IEEE 279-1971 Paragraph 4.19) Comments of the LPCI discussion of Paragraph 4.19 are also applicable here. In addition the following indications are provided:

a. ADS timers initiated (either one of two),

b. ADS control power failure (any normal supply deenergized),

c. ADS auxiliary relays energized (either one of two),

d. high drywell pressure sealed in (any one of four), and

e. relief valve discharge pipe high-temperature (any one).

7.A.3-25 REV. 13

LSCS-UFSAR Information Readout (IEEE 279-1971 Paragraph 4.20) The information provided to the operator pertinent to ADS status is as follows:

a. annunciators listed above,

b. valve position lights for each valve, and

c. reactor vessel level indication in auxiliary electrical equipment room or control room.

From the foregoing it can be seen that change of state of any active component from its normal condition is called to the operator's attention; therefore, the indication is considered to be complete and timely. The condition of the ADS pertinent to plant safety is also considered to be adequately covered by the indications and alarm delineated above. System Repair (IEEE 279-1971 Paragraph 4.21) The ADS system is designed to permit repair or replacement of components. All devices in the system are designed for a 40-year lifetime under the duty cycles to be imposed. Since this "duty cycle" is composed completely of testing at infrequent intervals, the lifetime of active components other than sensors is more a matter of shelf life than active life. However, all components are selected for continuous duty plus thousands of cycles of operation (far beyond that anticipated in actual service). Recognition and location of a failed component is normally accomplished during periodic testing. The simplicity of the logic makes the detection relatively easy, and components are mounted in such a way that they can be conveniently replaced in a short time. Estimated replacement time for the relays used is about 30 minutes. Other relays with fewer contacts can be replaced in less time. Sensors which are connected into the instrument piping cannot be changed as readily, but they are connected with nonwelded fittings at the instrument and could reasonably be changed in less than 1 hour. Identification (IEEE 279-1971 Paragraph 4.22) A colored nameplate identifies each panel and instrument rack that is part of the ADS system. The nameplate shows the division to which each panel or rack is assigned and also identifies the function in the system of each item on the control panel. The system to which each relay belongs is identified on the relay panels. 7.A.3-26 REV. 13

LSCS-UFSAR 7.A.3.1.1.4 High-Pressure Core Spray (HPCS) The following is a point-by-point comparison of the HPCS with the requirements of IEEE 279-1971: General Functional Requirements (IEEE 279-1971 Paragraph 4.1) IEEE 279-1971 Requirement HPCS Design Provision AUTOINITIATION OF (1) Appropriate Action Appropriate action for the HPCS control system is defined as activating equipment for introducing water at high pressure into the reactor when reactor vessel level drops below a predetermined point, or the drywell pressure increases above a predetermined value. (2) With Precision Precision is a term which does not apply strictly to the HPCS system control because of the wide range of setpoint values that would give appropriate action. However, the process sensor equipment initiates action before process variables go beyond precisely established limits. (3) With Reliability Reliability of the control system is compatible with the controlled equipment so that the overall system reliability is not limited by the controls. (4) Over Full Range of Environmental Conditions

a. Power Supply Network tolerance to complete loss of Voltages station a-c power, but not loss of the d-c source of power for the HPCS system.

However, network ECCS capability is maintained.

b. Power Supply No a-c control.

Frequency

c. Temperature Operable at all temperatures that can result from an accident.

7.A.3-27 REV. 14, APRIL 2002

LSCS-UFSAR

d. Humidity Operability at humidities (steam) that can result from loss-of-coolant accident.

e. Pressure Operable at all pressures resulting from loss-of-coolant accident as required.

f. Vibration Tolerance to 1.5g floor acceleration over frequency of 5 to 33 Hz.

g. Malfunctions Network tolerance to any single component malfunctions.

h. Accidents Network tolerance to all DBAs without malfunction.

i. Fire Network tolerance to single wireway fire or mechanical damage.

j. Explosion Explosions not defined in bases.

k. Missiles Network tolerance to any single missile destroying no more than one pipe, wireway, or cabinet.

l. Lightning Ungrounded d-c system relatively immune to lightning strikes.

m. Flood All control equipment is located above flood level by design.

n. Earthquake 1.5g, 5-33 Hz floor acceleration tolerance.

o. Wind Seismic Category I building houses all control equipment.

p. System Response Responses within the requirements Time of need to start ECCS.

q. System Accuracies Accuracies within that needed for correct timely action.

7.A.3-28 REV. 14, APRIL 2002

LSCS-UFSAR

r. Abnormal Ranges of Sensors are not subject to saturation Sensed Variables when overranged.

Single-Failure Criterion (IEEE 279-1971 Paragraph 4.2) The HPCS by itself is not required to meet the single-failure criterion. The control logic circuits for initiation and control are housed in a single relay cabinet, and the power supply for the control logic and other HPCS equipment is from a single d-c power source. The HPCS initiation sensors and wiring up to the HPCS relay logic cabinet do, however, meet the single-failure criterion. Physical separation of instrument lines is provided so that no single instrument rack destruction or single instrument line (pipe) failure can prevent initiation. Quality of Components and Modules (IEEE 279-1971 Paragraph 4.3) Components used in the HPCS control system have been carefully selected on the basis of suitability for the specific application. Ratings have been selected with sufficient conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant as illustrated below:

a. Switch and relay contacts carry no more than 50% of their continuous current rating.

b. Controls are energized to operate and have brief and infrequent duty cycles.

c. Motor starters and breakers are effectively derated for motor starting applications, since their nameplate ratings are based on short-circuit interruption capabilities as well as on continuous current-carrying capabilities. Short-circuit current-interrupting capabilities are many times the starting current for the motors so that normal duty does not begin to approach maximum equipment capability.

d. Normal motor starting equipment ratings include allowance for a much larger number of operating cycles than the emergency core cooling application will demand, even including testing.

e. Instrumentation and controls are heavy-duty standard industrial designs well proven by service in industry or in nuclear power plant applications.

7.A.3-29 REV. 13

LSCS-UFSAR

f. These components are subjected to the manufacturers' normal quality control and undergo functional testing on the panel assembly floor as part of the integrated module test prior to shipment of each panel. Only components which have demonstrated a high degree of reliability and serviceability in other functionally similar applications are selected for use in the HPCS control system.

Furthermore, a quality control and assurance program is required to be implemented and documented by equipment vendors, with the intent of complying with the requirements set forth in 10 CFR 50 1975. Equipment Qualification (IEEE 279-l971 Paragraph 4.4) No components of the HPCS control system are required to operate in the primary containment environment except for the condensation pots of the vessel level sensors. Other process sensor equipment for HPCS initiation is located outside the drywell and is capable of accurate operation in ambient temperature conditions that result from abnormal (loss-of-ventilation and loss-of-coolant accident) conditions. Panels and relay cabinets are located in the station control room and/or auxiliary relay room environment. The HPCS control system components have demonstrated their reliable operability in previous applications in nuclear power plant protection systems or in extensive industrial use. Channel Integrity (IEEE 279-l971 Paragraph 4.5) The HPCS system instrument initiation channels satisfy the channel integrity objective of this paragraph. Channel Independence (IEEE 279-l971 Paragraph 4.6) Channel independence for initiation sensors monitoring each variable is provided by mechanical separation. The A and C sensors for reactor vessel level, for instance, are located on one local instrument rack, and the B and D sensor are located on a second instrument rack widely separated from the first. The A and C sensors have a common pair of process taps which are widely separated from the corresponding taps for sensors B and D. Disabling of one or both sensors in one location does not disable the control for initiation. HPCS independence from the other redundant ECCS portions is maintained. 7.A.3-30 REV. 13

LSCS-UFSAR Control and Protection System Interaction (IEEE 279-1971 Paragraph 4.7) The HPCS system is a safety system designed to be independent of plant control systems. Annunciator circuits using contacts of sensor relays and logic relays cannot impair the operability of the system control because of electrical separation. Derivation of System Inputs (IEEE 279-l971 Paragraph 4.8) The inputs that start the HPCS system are direct measures of the variables that indicate need for high-pressure core cooling, viz., reactor vessel low water level or high drywell pressure. Capability for Sensor Checks (IEEE 279-1971 Paragraph 4.9) All sensors are of the pressure-sensing type and are installed with calibration taps and instrument valves to permit testing during normal plant operation or during shutdown. The reactor vessel level transmitters and trip units can be checked for operability by closing the low-side instrument valve and bleeding off a small amount of water through the low-side bleed plugs (which are provided for venting the instruments), while observing the scale reading and channel trip indication in either the main control room, or Div. 3 switchgear room at the relay logic cabinets and then reopening the instrument valve. The drywell high-pressure switches can be checked by application of gas pressure from a low-pressure source (instrument air or inert gas bottle) after closing the instrument valve and opening the calibration valve. Capability for Test and Calibration (IEEE 279-1971 Paragraph 4.10) The HPCS control system is capable of being completely tested during normal plant operation to verify that each element of the system, active or passive, is capable of performing its intended function. Sensors can be exercised by applying test pressures. The setpoint of the trip units can be checked in place by applying a calibration signal to the unit. Logic relays can be exercised by means of plug-in test switches used alone or in conjunction with single sensor tests. Pumps can be started by the appropriate breakers to pump against system check valves (or return to suppression pool through test valves) while the reactor is at pressure. Motor-operated valves can be exercised by the appropriate control relays and starters, and all indications and annunciations can be observed as the system is tested. HPCS water is not actually introduced into the vessel except initially before fuel loading. 7.A.3-31 REV. 13

LSCS-UFSAR Channel Bypass or Removal from Operation (IEEE 279-1971 Paragraph 4.11) Calibration of a sensor which introduces a single instrument channel trip does not cause a protective function without the coincident trip of a second channel. There are no instrument channel bypasses. Removal of a sensor from operation during calibration does not prevent the redundant instrument channel from functioning if accident conditions occur. Removal of an instrument channel from service during calibration is very brief. Operating Bypasses (IEEE 279-l971 Paragraph 4.12) The HPCS has no provision for operating automatic bypasses. Indication of Bypasses (IEEE 279-l971 Paragraph 4.13) The HPCS subsystem has no automatic operating bypasses. Manual bypasses are indicated in the control room via ESF status indication panel as described in Section 7.8. Manual bypasses consist of "racking-out" pump breakers, opening starter feeder breakers at valve motor control centers, shutting isolation valves to instruments and sensors which actuate the subsystem and other operations meeting the three conditions given in Regulatory Guide 1.47. The HPCS controls have test bypasses generated by the insertion of test jacks. Any test bypass will annunciate at the system level, i.e., "HPCS in test." Refer to Section 7.8 for further discussion on ESF Status Display. Access to Means for Bypassing (IEEE 279-1971 Paragraph 4.14) Access to motor control centers and instrument valves is controlled as discussed in the LPCI section. Access to other means of bypassing is located in the main control room and is therefore under administrative control. Multiple Setpoints (IEEE 279-l971 Paragraph 4.15) This is not applicable because all setpoints are fixed. Completion of Protective Action Once It Is Initiated (IEEE 279-1971 Paragraph 4.16) The final control elements for the HPCS system are essentially bistable, i.e., motor-operated valves stay open or closed once they have reached their desired position, even though their starter may drop out (which they do when the limit switch is reached). In the case of pump starters, the autoinitiation signal is electrically sealed in. 7.A.3-32 REV. 13

LSCS-UFSAR Thus protection action once initiated (i.e., flow established) must go to completion or continue until terminated by deliberate operator action or automatically stopped on high vessel water level or system malfunction trip signals. Manual Initiation (IEEE 279-l971 Paragraph 4.17) The HPCS has an armed manual initiation pushbutton in parallel with the automatic initiation logic. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279-1971 Paragraph 4.18) Setpoint adjustments for the HPCS high drywell pressure instrument trip channels are integral with the sensors on the local instrument racks and cannot be changed without the use of tools to remove covers over these adjustments. Setpoint adjustments for the reactor vessel low level instrument trip channels are integral with the trip units in the relay logic cabinets and also require the use of tools. Test points are incorporated into the control relay cabinets which are capable of being locked to prevent unauthorized actuation. The range (or span) of the drywell and reactor vessel pressure switches is not adjustable. Because of these restrictions, compliance with this requirement of IEEE 279-l97l is considered complete. Identification of Protective Actions (IEEE 279-1971 Paragraph 4.19) Protective actions are directly indicated and identified by annunciator operation, sensor relay indicator lights, trip unit indicating lights, or action of the sensor relay which has an identification tag and a clear glass window front which permit convenient visible verification of the relay position. This combination of annunciation and visible relay actuation is considered to fulfill the requirements of this criterion. Information Readout (IEEE 279-1971 Paragraph 4.20) The HPCS data is indicated/annunciated to provide the operator with accurate and timely information pertinent to its status. Periodic testing is the means provided for verifying the operability components. By proper selection of the test period, compatible with the historically established component reliability, authentic and timely indications are made available. Information is provided on a continuous basis so that the operator can have a high degree of confidence that the HPCS function is available or/is operating properly. In addition to the annunciators, there are other indications on the main control room panel as follows: 7.A.3-33 REV. 13

LSCS-UFSAR

a. valve position lights,

b. pump monitor lights, and

c. pump flow indicators.

System Repair (IEEE 279-l971 Paragraph 4.21) The HPCS control system is designed to permit repair or replacement of components. All devices in the system are designed for a 40-year lifetime under the imposed duty cycles. Since this duty cycle is composed mainly of periodic testing rather than operation, lifetime is more a matter of "shelf life" than active life. However, all components are selected for continuous duty plus thousands of cycles of operation, far beyond that anticipated in actual service. The pump breakers are an exception to this with regard to the large number of operating cycles available. Nevertheless, even these breakers should not require contact replacement within 40 years, assuming periodic pump starts each 3 months. Recognition and location of a failed component is normally accomplished during periodic testing. The simplicity of the logic makes the detection and location relatively easy, and components are mounted in such a way that they can be conveniently replaced in a short time. For example, estimated replacement time for the relays used is less than 30 minutes. Sensors which are connected to the instrument piping cannot be changed so readily, but they are required to be connected with separable screwed or bolted fittings and could be changed reasonably in less than 1 hour, including electrical connection replacement. Identification (IEEE 279-l971 Paragraph 4.22) A colored nameplate identifies each panel and instrument rack that is part of the HPCS system. The nameplate shows the division to which each panel or rack is assigned and also identifies the function in the system of each item on the control panel. The system to which each relay belongs is identified on the relay panels. 7.A.3.1.2 IEEE 308-1971 (IEEE Standard Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations) Class 1 a-c power supply system ECCS loads are physically separated and electrically isolated into redundant load groups so that safety actions provided by redundant counterparts are not compromised. Safety system power supply loads are rigorously divided into Division l, Division 2, and Division 3. 7.A.3-34 REV. 13

LSCS-UFSAR 7.A.3.1.3 IEEE 323-1971 (Trial Use Standard: General Guide for Qualifying Class 1 Electric Equipment for Nuclear Power Generating Stations) See Subsection 7.A.1. 7.A.3.1.4 IEEE 338-1971 (Trial-Use Criteria for Periodic Testing of Nuclear Power Generating Station Protection Systems) The design of the ECCS meets the requirements of IEEE 338-1971. 7.A.3.1.5 IEEE 344-1971 (Guide for Seismic Qualification of Class 1E Electrical Equipment of Nuclear Power Generating Stations) See Section 3.10. 7.A.3.1.6 IEEE 379-1972 The single-failure criterion of IEEE 279-1971 Paragraph 4.2 as further defined in IEEE 379-1972, "Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems" is met as described in this document. 7.A.3.2 Primary Containment and Reactor Vessel Isolation Instrumentation and Controls 7.A.3.2.1 Conformance to IEEE 279-1971, Criteria for Protection Systems For Nuclear Power Generating Stations The following is a point-by-point comparison of the containment and reactor vessel isolation control system with the "Requirements" section of IEEE 279: General Functional Requirements (IEEE 279-1971 Paragraph 4.1) Key words indicating the referenced paragraph are used as headings for the following discussion of conformance:

a. Appropriate Action Appropriate action is defined as initiating closure of specific valves upon trip signals from specified process variables and maintaining the valves closed without further application of power until such time as a reset is permissible either from determination of process variables or by procedural control as pertinent.

The control system action, from sensor to final control signal to 7.A.3-35 REV. 13

LSCS-UFSAR the valve actuator, is capable of initiating appropriate action and of doing it in a time commensurate with the need for valve closure. Total time, from the point where a process out-of-limits condition is sensed to the energizing or deenergizing of appropriate valve actuators, is less than 200 msec. The closure time of valves ranges upward from a minimum of 3 seconds for the main steam isolation valves, depending upon the urgency for isolation considering possible release of radioactivity. Thus it can be seen that the control initiation time is at least an order of magnitude lower than the minimum required valve closure time. Speed of the sensors and valve actuators are chosen to be compatible with the isolation function considered.

b. Precision Accuracy of each of the sensing elements is sufficient to accomplish the isolation initiation within required limits without interfering with normal plant operation. Accuracies of each of the types of sensing instruments used for isolation are given in Table 7.3-5.

c. Reliability The reliability of the isolation control system is compatible with and higher than the reliability of the actuated equipment (valves).

d. Over full range of environmental conditions Provision of Isolation Requirements of IEEE 279 System Design

a. Power supply voltage Tolerance exists to any degree of power supply failure in one motive power system or one control power system.

b. Power supply frequency Tolerance exists to any degree of power supply failure in one power system or one control power system.

c. Temperature System operates within required time limit at all temperatures that can result from an accident.

7.A.3-36 REV. 13

LSCS-UFSAR

d. Humidity System operates within required time limit at humidities (steam) that can result from a loss-of-coolant accident.

e. Pressure System operates at all pressures resulting from LOCA as required.

f. Vibration Tolerance is 1.5g over frequencies of 5 to 33 Hz floor acceleration.

g. Malfunctions System is tolerant to any single component malfunction in any mode.

h. Accidents Tolerance exists for any design-basis accident without malfunction of either subsystem.

i. Fire System is tolerant to any single wireway fire.

j. Explosion Explosions are not defined in design bases.

k. Missiles System has tolerances to any single missile destroying no more than one pipe, wireway, or cabinet.

l. Lightning Tolerance to lightning damage is limited to one auxiliary bus system.

m. Flood All control equipment is located above flood level by design.

n. Earthquake Tolerance is 1.5g at 5 to 33 Hz.

o. Wind and tornado Seismic Category I buildings house all control equipment.

p. System response time Responses are within the requirements of need to start ECCS.

q. System accuracies Accuracies are within that needed for correct timely action.

7.A.3-37 REV. 13

LSCS-UFSAR

r. Abnormal ranges of Sensors are not subject to sensed variables saturation when overranged.

Valves and wiring which must function in the drywell environment in the event of a loss-of-coolant accident normally fulfill their function within a very short time after such an event has occurred, probably before the environment has attained the design-basis values. Single-Failure Criterion (IEEE 279-1971 Paragraph 4.2) Tolerance to the following single failures has been incorporated into the control system design and installation:

a. single open circuit;

b. single short circuit;

c. single relay failure to pickup;

d. single relay failure to drop out;

e. single module failure (including multiple shorts, opens, and grounds);

f. single control cabinet destruction (including multiple shorts, opens, and grounds);

g. single instrument panel destruction (including multiple shorts, opens, and grounds);

h. single wireway destruction (including multiple shorts, opens, and grounds);

i. single control power supply failure (any mode);

j. single motive power supply failure (any mode);

k. single control circuit failure;

l. single sensing line (pipe) failure; and

m. burnout of any single electrical component.

7.A.3-38 REV. 13

LSCS-UFSAR Quality of Components and Modules (IEEE 279-1971 Paragraph 4.3) Components used in the isolation system have been carefully selected on the basis of suitability for the specific application. All of the sensors and logic relays are of the same types used in the RPS. Ratings have been selected with sufficient conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant illustrated as follows:

a. Switch and relay contacts carry no more than 50% of their continuous current rating.

b. Isolation control is deenergized to trip, instead of energized to trip, and is thus made to call attention to the failures that may occur in coil circuits, connections, or contacts.

c. Instrumentation and controls are heavy-duty standard industrial designs well proven by service in industry or in nuclear power plant applications.

d. These components are subjected to the manufacturers' normal quality control and undergo functional testing on the panel assembly floor as part of the integrated module test prior to shipment of each panel. Only components which have demonstrated a high degree of reliability and serviceability in other functionally similar applications are selected for use in the isolation system.

Furthermore, a quality control and assurance program is required, to be implemented and documented by equipment vendors, with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B. "Minimum" maintenance has been assumed to have been achieved if components can be reasonably expected to last 40 years or more without wearing out or failing under their maximum anticipated duty cycle (including testing). Equipment Qualification (IEEE 279-l971 Paragraph 4.4) No sensory components of the isolation system are required to operate in the drywell environment with the exception of the condensing chambers. All other sensory equipment is located outside the drywell and is capable of accurate operation with wider swings in ambient temperature than results from normal or abnormal (loss-of-ventilation and loss-of-coolant accident) conditions. Reactor vessel level sensors are of the same type as for the RPS and meet the same standards. Drywell high-pressure sensors are of the same type as used for the RPS and meet the same standards. Control panels and relay logic cabinets are located in 7.A.3-39 REV. 13

LSCS-UFSAR the control room or auxiliary relay room environment, which presents no new or unusual operating considerations. All components used in the isolation system have demonstrated reliable operation in similar nuclear power plant protection system or industrial applications. Channel Integrity (IEEE 279-l971 Paragraph 4.5) The isolation system is designed to tolerate the spectrum of failures listed under the general requirements and the single failure criteria (listed above) and thus satisfies the channel integrity objective of this paragraph. Channel Independence (IEEE 279-l971 Paragraph 4.6) Channel independence for sensors exposed to each process variable is provided by electrical and mechanical separation. Physical separation is maintained between redundant elements of the multiple channel control systems for added reliability. Control and Protection System Interaction (IEEE 279-1971 Paragraph 4.7)

a. Classifications of Equipment There is no control function in the system. It is strictly a protection system.

b. Isolation Devices No isolation devices are required.

c. Single Random Failure No single random failure of a control system can prevent proper action of the isolation channel designed to protect against the condition.

d. Multiple Failures Resulting from a Credible Single Event Analysis of part 4.7(3) applies directly.

Derivation of System Inputs (IEEE 279-1971 Paragraph 4.8) The inputs which initiate isolation valve closure are direct measures of variables that indicate a need for isolation, viz., reactor vessel low level, drywell high-pressure, and pipe break detection. Pipe break detection utilizes methods of recognition of the presence of a material that has escaped from the pipe, rather than 7.A.3-40 REV. 13

LSCS-UFSAR detecting actual physical changes in the pipe itself, so the system might more properly be called a leak detection system, and this is, in fact, the terminology most generally accepted and used at present. Capability for Sensor Checks (IEEE 279-1971 Paragraph 4.9) The reactor vessel instruments can be checked one at a time by application of simulated signals. These include level, pressure, radiation, and flow. Temperature sensors along the main steamline are testable by altering main steamline flow and observing the resulting ambient temperature change for recorded points and by lowering the setpoint until trip occurs for points connected to temperature switches. Temperature sensors in the ventilation ducts are checked periodically by removing them from their wells and applying heat to the sensitive zone, and also by calibration, which requires removal from the circuit during calibration and replacement by calibrated units. Capability for Test and Calibration (IEEE 279-1971 Paragraph 4.10) All active components of the containment isolation control system, with the exception of the main steamline high-temperature sensors and the main steamline radiation sensors, can be tested and calibrated during plant operation. The radiation sensors can be cross-checked against their companions for verification of operability. Since they are used with reference to background, they do not require actual sensitivity verification on a frequent basis. It is very easy to observe the contact action on an HFA type relay during a channel trip condition to verify actual drop-out when deenergized. Thus, complete testability of every element of the system except the main steamline high-temperature switches can be demonstrated without shutting down the plant. Channel Bypass or Removal from Operation (IEEE 279-1971 Paragraph 4.11) Calibration of each sensor introduces a single instrument channel trip. This does not cause a protective function without the coincident trip of at least one other instrument channel. The trip function of the main steam line isolation trip channels may also be bypassed during the calibration and functional testing of the sensor to prevent a system trip. Special test equipment is installed across the trip channel output contact in the isolation trip logic. This test equipment allows the trip function of the instrument channel to be verified without actuating the associated logic circuit during the calibration and functional testing of the sensor. 7.A.3-41 REV. 13

LSCS-UFSAR Operating Bypasses (IEEE 279-l971 Paragraph 4.12) The isolation valve control system has a bypass condition, which is imposed manually by placing the mode switch in other than RUN. The mode switch cannot be left in any position other than the RUN position when neutron flux measures power above 15% of rated power without imposing a scram. Therefore the bypass is considered to be removed in accordance with the intent of IEEE 279-1971, although it is a manual action that removes it rather than an automatic one. The low condenser vacuum bypass is imposed by means of a manual bypass switch in conjunction with closure of the turbine stop valves. Bypass removal is accomplished automatically by the bypass switch in normal position. Hence, the bypass is considered to be removed in accordance with IEEE 279-1971. In the case of the motor-operated valves, automatic or manual closure can be prevented by shutting off electric power to the motor starters. This action is indicated in the main control room by indication lights going out. Both indication lights are deenergized because their power supply is taken from the same circuit as the valve motor starter. As in other engineered safeguards systems, many of the sensors for process variables operate from instrument lines hooked up, by necessity, with root valves and instrument valves. Shutting off these valves in certain selected combinations can disable redundant sensors and thus prevent operation of the system. Access to instrument valves is procedurally controlled by the use of seals or locks on the instrument valves or by some suitable alternative. Indication of Bypasses (IEEE 279-1971 Paragraph 4.13) The bypass of the main steamline low-pressure isolation signal is not indicated directly in the control room except by the position of the mode switch handle. The bypass of the low condenser vacuum is directly indicated in the control room by an annunciator. The bypass of the primary containment isolation signal for the reactor building closed cooling water isolation valves is not indicated directly in the control room except by the position of the key locked bypass switch. Refer to Section 7.8 for further discussion on ESF Status Display. Access to Means for Bypassing (IEEE 279-1971 Paragraph 4.14) The mode switch, reactor building closed cooling water isolation valve primary containment isolation signal bypass switch and condenser vacuum bypass switch are the only bypass switches affecting the containment isolation control system. They are centrally located on the operator's main control console and are keylocked. 7.A.3-42 REV. 23, APRIL 2018

LSCS-UFSAR As discussed in the paragraphs above, access to instrument valves is procedurally controlled by the use of seals or locks on the instrument valves or by some suitable alternative. Multiple Setpoints (IEEE 279-1971 Paragraph 4.15) Paragraph 4.15 of IEEE 279-1971 is not applicable because all setpoints are fixed. Completion of Protective Action Once It Is Initiated (IEEE 279-1971 Paragraph 4.16) All isolation decisions are sealed in downstream of the decision making logic, so valves go to the closed position which ends protective action. Manual reset action is provided by two reset switches so that inboard valves are reset independently of outboard valves. This feature is incorporated only to augment the electrical separation of the inboard and outboard valves and not for any need to reset them separately. Manual Initiation (IEEE 279-1971 Paragraph 4.17) The PCRVICS has four divisionally separated manual initiation switches which separately activate each of the four MSIV logic streams and isolation system initiation at the system level. The logic for manual initiation is one-out-of-two twice for the main steamline isolation valves and one-out-of two for the other isolation valves. The manual initiation switches require two distinct operator actions (armed pushbuttons), to initiate the safety action. The manual initiation circuits are, at the system level, redundant, separated, and testable during power operation and will meet the single-failure criterion. Manual controls are separated so that a single failure does not inhibit an isolation. The separation of devices is maintained in both the manual and automatic portions of the system so that no single failure in either the manual, automatic or common portions can prevent an isolation by either manual or automatic means. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279-1971 Paragraph 4.18) Setpoints and adjustments for the isolation system sensors are integral with the sensors on the local instruments and cannot be changed without the use of tools to remove covers over these adjustments. Test points are incorporated into the control relay cabinets which are capable of being locked to prevent unauthorized actuation. The range (or span) of the drywell pressure switches is not adjustable. 7.A.3-43 REV. 14, APRIL 2002

LSCS-UFSAR Identification of Protective Actions (IEEE 279-1971 Paragraph 4.19) Protective actions (here interpreted to mean pickup of a single sensor relay) are directly indicated and identified by action of the sensor relay, which has an identification tag and a clear glass-front window permitting convenient, visible verification of the relay position. Any one of the sensor relays also actuates an annunciator, so that no single channel "trip" (relay pickup) will go unnoticed. Either of these indications should be adequate, so this combination of annunciation and visible verification relay actuation fulfills the requirements of this criterion. In addition, indicator lights are provided to show pickup of sensor relays. Information Readout (IEEE 279 - 1971 Paragraph 4.20) The information presented to the operator by isolation control system is as follows:

a. annunciation of each process variable which has reached a trip point;

b. computer indication of trips on main steamline tunnel temperature or main steamline excess flow;

c. control power failure annunciation on each channel;

d. annunciation of steam leaks in each of the systems monitored, viz., main steam, cleanup, and RHR; and

e. open and closed position lights for each isolation valve.

This information is considered to fulfill the requirements for information readout. System Repair (IEEE 279-1971 Paragraph 4.21) These components which are expected to have a moderate need for replacement are designed for convenient removal. This includes the temperature amplifier units and thermocouples in the ventilation ducts. The amplifier units are of the circuit card or replaceable module construction. The thermocouples or RTD's are replaceable units with disconnectable heads. Pressure sensors, vessel level sensors, etc., can be replaced in a reasonable length of time, but these devices are considered to be permanently installed although they have nonwelded connections at the instrument, which will allow replacement. As with other safeguards, system reliability is built in rather than approached by accelerated maintenance. All devices in the system can be reasonably expected to last 40 years without failure with the duty cycle expected to be imposed, including testing. However, failures can be detected during periodic testing, and replacement time is nominal. Probable 7.A.3-44 REV. 16, APRIL 2006

LSCS-UFSAR replacement and restoration time to service a level switch is several hours including fitting of piping connections, electrical hookup, and calibration after refilling and venting. Other devices normally require less time to replace. The main steam tunnel temperature switches are not accessible during normal plant operation because of radiation from the main steamlines. Therefore, a failed open switch is jumpered out as permitted by technical specifications and replaced during plant shutdown. Similarly, the main steamline low-pressure switches are not readily accessible during operation because of radiation from steamlines. Identification of Protection Systems (IEEE 279-1971 Paragraph 4.22) Panels and racks which house isolation system equipment are identified by a distinctive color marker plate listing the system name and the designation of the particular redundant portion of the system. Cables, conduits, and wireways, exclusive of General Electric's supply, are color coded displaying the appropriate redundant portion of the system. 7.A.3.2.2 Conformance to IEEE 338-1971 The system is testable during reactor operation. A complete check of the sensors through to the final actuators is made to demonstrate independence of channels and to disclose any credible failures without negating the isolation function. 7.A.3.2.3 Conformance to IEEE 344-1971 The components of the nuclear steam supply shutoff system are covered by Section 3.10. 7.A.3.2.4 Conformance to IEEE 323-1971 The components of the nuclear steam supply shutoff system are covered by Subsection 7.A.1. 7.A.3.2.5 Conformance to IEEE 379-1972 The single-failure criterion of IEEE 279 as defined by IEEE 379-1972 is fully complied with in the design of the PCRVICS. 7.A.3.3 Main Control Room and Auxiliary Electric Equipment (AEE) Room Atmospheric Control Systems 7.A.3-45 REV. 13

LSCS-UFSAR 7.A.3.3.1 Specific Conformance of the Instrumentation and Control to IEEE-279-1971 a4.1 General Functional Requirements - the Control Room and AEE room HVAC systems perform the normal and safety functions during all phases of station operation and during postulated accident conditions. Except for the emergency makeup filter train, which is automatically initiated on high radiation, the systems continue to operate before, during, and after an accident. a4.2 Single-Failure Criteria - The control room and AEE room HVAC systems consist of two full-capacity independent equipment trains which are powered from separate buses and actuated by separate control circuits. The air handling trains are equipped with redundant components described in Subsection 7.3.4.3.1 to ensure that a single failure will not affect the habitability of the control room and auxiliary electric equipment room. a4.3 Quality of Components and Modules - All components of these systems are fully described in the manufacturers' technical manuals. These components are specified to comply with the functional requirements of the service in which they are used. a4.4 Equipment Qualification - All equipment is factory inspected and tested in accordance with the applicable equipment specifications, quality assurance requirements, and codes. System ductwork and erection of equipment are inspected during various construction stages for quality assurance. Construction tests are performed on all mechanical components, and the system is balanced for the design air flow. Controls, interlocks, and safety devices are cold checked, adjusted and tested to ensure the proper sequence of operation. A final calibration and integrated preoperational test is conducted with all equipment to verify the system's performance. a4.5 Channel Integrity - The instrumentation and control devices are designed to operate in the maximum environmental extremes expected. Control signals for the essential components of this system remain functional under all station conditions, including a postulated accident condition. a4.6 Channel Independence - Electrical and mechanical separation are maintained between the instrumentation and controls of the redundant loops. 7.A.3-46 REV. 13

LSCS-UFSAR a4.7 Control and Protection Interaction - The instrumentation and controls do not provide control and protective action from the same device. Those that provide a protective function are classified essential. Other than automatic startup of an emergency makeup filter unit by radiation or ionization monitor, all control action is manual. a4.8 Derivation of System Inputs - The signals for essential instruments are direct measures of desired variable parameters. a4.9 Capability for Sensor Checks - Sensor checks can be made by perturbation of parameters and by cross-check with other calibrated instruments. a4.10 Capability for Test and Calibration Capability for calibration of the sensors is provided in the design. a4.11 Channel Bypass or Removal from Operation - The HVAC system is designed to permit independent testing of either redundant equipment train and associated instrumentation during power operation without affecting control and AEE room environmental conditions. a4.12 Operating Bypasses - The main control room and AEE room atmospheric control systems have no operating bypasses. a4.13 Indication of Bypasses - The use of the pull-to-lock handswitch position on the auxiliary control panel or on the main control board will cause an annunciator to alarm in the main control room, and the status panel will indicate bypass automatically. a4.14 Access to Means for Bypassing - There is no possibility of an access for the bypassing of start and stop control switch for the control room HVAC system. The AEE room HVAC start-stop control switch and other auxiliary controls are located on an auxiliary panel in the auxiliary building. a4.15 Multiple Setpoints - This is not applicable. a4.16 Completion of Protective Action Once It Is Initiated - It is not necessary that the protective actions of this system go to completion. Only by deliberate operator action can the protective action be stopped or reversed. 7.A.3-47 REV. 13

LSCS-UFSAR a4.17 Manual Initiation - Startup of major components of each control room equipment train can be initiated from the main control room, and major components of each AEE room HVAC system from the auxiliary building. a4.18 Access to Setpoint Adjustments, Calibration, and Test Points - Critical local instruments are installed in lock-in type enclosures. Local instruments having noncritical functions are accessible for adjustment by removal of cover plates. a4.19 Identification of Protective Actions - Lights associated with equipment handswitches indicate the operating status of the system. Room temperatures are indicated in the main control room and the auxiliary building. High radiation levels are annunciated in the main control room, as are high ammonia levels. a4.20 Information Readout - Lights associated with equipment handswitches indicate the operating status of the system. Room temperatures are indicated in the main control room and the auxiliary building. High radiation levels are annunciated in the main control room as are high ammonia levels. a4.21 System Repair - Indicators, indicating lights, and alarms are provided in the main control room for the control room HVAC system and in the auxiliary building for the AEE room HVAC system to permit monitoring of system operation and to detect equipment failure. Equipment and control system redundancy and physical separation will permit testing, maintenance, repair or replacement of components without interference in the operation of companion equipment train components. a4.22 Identification - During design and engineering phases, an essential classification is assigned to each safety-related device. During construction, the locations of redundant parts are chosen to meet the separation requirements, and piping and cable are selectively run to retain the separation. Color coding is used to denote the essential classification of the components, cable, and instrumentation and control. 7.A.3.4 Containment Spray Cooling System - Instrumentation and Controls 7.A.3.4.1 IEEE 279-1971 7.A.3-48 REV. 13

LSCS-UFSAR 7.A.3.4.1.1 General Functional Requirement (IEEE 279-1971, Paragraph 4.1) IEEE 279-1971 Requirement Containment Spray Design Provision AUTO-INITIATION Containment spray is not automatically initiated, however, its safety function is adequately assured by manual initiation. (1) Appropriate Action Appropriate action for the containment spray control system is defined as activating equipment for introducing water into the containment spray discharge valves. (2) Precision Precision is a term that does not apply strictly to the containment spray system control because of the wide range of setpoint values that could give the appropriate signal to allow manual initiation. (3) Reliability Reliability of the control system is compatible with the controlled equipment. (4) Over Full Range of Environmental Conditions

a. Power supply voltage Tolerance is provided to any degree of a-c power supply voltage fluctuation within one division such that voltage regulation failures in one division cannot negate successful low pressure core cooling. D-C power supply failure will likewise affect only one of the two containment spray divisions.

b. Power Supply Same as (4)a above.

frequency Excessive frequency reduction is indicative of an onsite power supply failure and equipment shutdown in that division as required. 7.A.3-49 REV. 13

LSCS-UFSAR

c. Temperature Operable at all temperatures that can result from any design basis loss-of-coolant (LOCA) accident.

d. Humidity Operable at humidities (steam) that can result from LOCA.

e. Pressure Operable at all pressures resulting from a LOCA as required.

f. Vibration Tolerance to conditions stated in Section 3.10.

g. Malfunctions Tolerance to any single component failure to operate on command.

h. Accidents Tolerance to all design-basis accidents without malfunction.

i. Fire Tolerance to a single raceway or enclosure fire or mechanical damage.

j. Explosion Explosions not defined in design bases.

k. Missiles Tolerance to any single missile destroying no more than one pipe, raceway, or electrical enclosure.

l. Lightning Tolerance to lightning damage limited to one auxiliary bus system. See comments under (4)a.

m. Flood All control equipment is located above flood level by design or protected against flooding.

n. Earthquake Tolerance to conditions stated in Section 3.10.

7.A.3-50 REV. 13

LSCS-UFSAR

o. Wind Seismic Class I building houses all control equipment.

p. System response Responses are within the requirements of time need to start containment spray

q. System Accuracies Accuracies are within that needed for correct timely action.

r. Abnormal ranges of Sensors do not saturate sensed variables when overranged.

7.A.3.4.1.2 Single-Failure Criterion (IEEE 279-1971, Paragraph 4.2) Redundancy in equipment and control logic circuitry is provided so that it is not possible that the complete containment spray system can be rendered inoperative using single failure criteria. Two division logics are provided. Division 1 logic is provided to initiate loop A equipment and Division 2 logic is provided to initiate loop B equipment. Tolerance to the following single failures or events is provided in the sensing channels, trip logic, actuator logic, and actuated equipment so that these failures will be limited to the possible disabling of the initiation of only one loop.

a. single open circuit;

b. single short circuit;

c. single component failure open;

d. single component failure shorted or grounded;

e. single module failure (including shorts, opens, and grounds);

f. single electrical enclosure involvement (including shorts, opens, and grounds);

g. single local instrument cabinet destruction (including shorts, opens, and grounds);

h. single raceway destruction (including shorts, opens, and grounds);

7.A.3-51 REV. 13

LSCS-UFSAR

i. single control power supply failure;

j. single motive power supply failure;

k. single control circuit failure;

l. single sensing line (pipe) failure; and

m. single electrical component failure.

7.A.3.4.1.3 Quality Components (IEEE 279-1971, Paragraph 4.3) Components used in the containment spray control system have been carefully selected for the specific application. Ratings have sufficient conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant as illustrated in the following:

a. Switch and relay contacts carry no more than 50% of their continuous current rating.

b. Controls are energized to operate and have brief and infrequent duty cycles.

c. Motor starters and circuit breakers are effectively derated from motor starting applications since their nameplate ratings are based on short circuit interruption capabilities. Short-circuit current interrupting capabilities are many times the starting current for the motors being started.

d. Normal motor starting equipment ratings include allowance for a much greater number of operating cycles than the emergency core cooling application will demand, including testing.

e. Instrumentation and controls are rated for application in the normal, abnormal, and accident environments in which they are located.

f. These components are subjected to the manufacturers normal quality control and undergo functional testing on the panel assembly floor as part of the integrated module test prior to shipment of each panel. Only components which have demonstrated a high degree of reliability and serviceability in other functionally similar applications, or qualified by tests, are selected for use.

7.A.3-52 REV. 13

LSCS-UFSAR Furthermore, a quality control and assurance program is required, to be implemented and documented by equipment vendors, which the intent of complying with the requirements set forth in Appendix B of 10 CFR 50. 7.A.3.4.1.4 Equipment Qualification (IEEE 279-1971, Paragraph 4.4) No components of the containment spray system are required to operate in the drywell environment. Sensory equipment is located outside the drywell and is capable of accurate operation with wider variations in ambient temperature than results from normal or abnormal (loss of ventilation and loss-of-coolant accident) conditions. All components used in the containment spray system have demonstrated reliable operation in similar nuclear power plant protection systems or industrial operation. See subsection 3.11.2. 7.A.3.4.1.5 Channel Integrity (IEEE 279-1971, Paragraph 4.5) The containment spray system instrument channels are designed to maintain necessary functional capability under extreme conditions. 7.A.3.4.1.6 Channel Independence (IEEE 279-1971, Paragraph 4.6) Channel independence of the sensors for each variable is provided by electrical isolation and mechanical separation. The A and C sensors for reactor vessel low water levels, for instance, are located on one local instrument panel that is identified as Division 1 equipment, and the B and D sensors are located on a second instrument panel, widely separated from the first and identified as Division 2 equipment. The A and C sensors have a commonn process tap, which is widely separated from the corresponding tap for sensors B and D. Disabling of one or all sensors in one location does not disable the control for the other division. Relay cabinets for Division 1 are in a separate physical location from that of Division 2, and each division is complete in itself, with its own station battery control and instrument bus, power distribution buses, and motor control centers. The divisional split is carried all the way from the process taps to the final activated equipment, and includes both control and motive power supplies. Although there are only two sensors for each variable in each division, these sensors back up each other as described in the preceding paragraph. 7.A.3.4.1.7 Control and Protection Interaction (IEEE 279-1971, Paragraph 4.7) The containment spray system is a safety system designed to be independent of plant control systems. Annunciator circuits receiving outputs from system cannot impair the operability of the system control because of electrical isolation. 7.A.3-53 REV. 13

LSCS-UFSAR 7.A.3.4.1.8 Derivation of System Inputs (IEEE 279-1971, Paragraph 4.8) The inputs which are permissive for the containment spray system are direct measures of the variables that indicate need for containment cooling. Drywell high pressure is sensed by drywell pressure sensors. Reactor vessel water level 1 trip is sensed by vessel water level sensors. LPCI injection valve closure is sensed by limit switch positions on the valve operator. 7.A.3.4.1.9 Capability for Sensor Checks (IEEE 279-1971, Paragraph 4.9) All sensors are of the pressure sensing type and are installed with calibration taps and instrument valves to permit testing during normal plant operation or during shutdown. The drywell high pressure sensors can be checked only by application of gas pressure from a low pressure source (instrument air or inert gas bottle) after closing the instrument valve and opening the calibration valve. The reactor vessel level transducers can be similarly checked for operability by valving out each transducer and applying a test pressure source. This verifies the operability of the sensors as well as the calibration range. The trip units mounted in the control room are calibrated separately by introducing a calibration source and verifying the setpoint through the use of a digital readout on the trip calibration module. 7.A.3.4.1.10 Capability for Test and Calibration (IEEE 279-1971, Paragraph 4.10) The containment spray system is capable of being completely tested during normal plant operation to verify that each element of the system, active or passive, is capable of performing its intended function. Motor-operated valves can be exercised by the appropriate control logic and starters, and all indications and annunciations can be observed as the system is tested. The pump can be started via appropriate breakers. Sensors can be exercised by applying test pressure. Logic relays can be exercised by means of plug-in test switches used alone or in conjunction with single sensor tests. 7.A.3.4.1.11 Channel Bypass or Removal from Operations (IEEE 279-1971, Paragraph 4.11) Calibration of each sensor will introduce a single instrument channel trip. This does not cause a protective function without coincident operation of a second channel. Removal of a sensor from operation during calibration does not prevent the redundant instrument channel from functioning if accident conditions occur. Removal of an instrument channel from service during calibration will be brief. 7.A.3-54 REV. 14, APRIL 2002

LSCS-UFSAR 7.A.3.4.1.12 Operation Bypasses (IEEE 279-1971, Paragraph 4.12) Containment spray has no operating bypasses. 7.A.3.4.1.13 Indication of Bypasses (IEEE 279-1971, Paragraph 4.13) There are no automatic bypasses of any part of the containment control system. Deliberate opening of the valve motor breaker will give annunciation and deenergization of both valve position lights in the control room. The racking-out of 4160-V breakers is controlled procedurally and access is limited to authorized personnel. Consequently, this is considered equivalent to removing a valve or pump for maintenance. This is a maintenance procedure which is administered by tagging the removed breaker control switch located in the control room. In addition, abnormal position of the only breaker is indicated in the main control room. 7.A.3.4.1.14 Access to Means for Bypassing (IEEE 279-1971, Paragraph 4.14) Access to switchgear, motor control centers, and instrument valves may be procedurally controlled by the following:

a. Administrative control of access to instrument valves.

b. Administrative control of access to emergency switchgear rooms.

c. Administrative control of access to motor control centers.

7.A.3.4.1.15 Multiple Trip Settings (IEEE 279-1971, Paragraph 4.15) There are no multiple trip settings. 7.4.3.4.1.16 Completion of Protection Action Once It Is Initiated (IEEE 279-1971, Paragraph 4.16) The final control elements for the containment spray system are essentially bistable, i.e., pump breakers stay closed without control power, and motor-operated valves stay open once they have reached their open position, even though the motor starter may drop out (which will occur when the valve open limit switch is reached). In the event of an interruption in a-c power the control system will reset itself and recycle on restoration of power. Thus, protective action once initiated must go to completion or continue until terminated by deliberate operator action. 7.A.3-55 REV. 13

LSCS-UFSAR 7.A.3.4.1.17 Manual Actuation (IEEE 279-1971, Paragraph 4.17) Containment spray is a totally manual system. 7.A.3.4.1.18 Access to Setpoint Adjustment (IEEE 279-1971, Paragraph 4.18) Setpoint adjustments for the containment spray system sensors are integral with the sensors on the local instrument racks and cannot be changed without the use of tools to remove covers over these adjustments. Test points are incorporated into the control relay cabinets which are capable of being locked to prevent unauthorized actuation. The range (or span) of the drywell and reactor vessel pressure transducers is not adjustable. Because of these restrictions, compliance with this requirement of IEEE-279 is considered complete. 7.A.3.4.1.19 Identification of Protective Actions (IEEE 279-1971, Paragraph 4.19) Protective actions are directly indicated and identified by annunciator operation, sensor relay indicator lights, or action of the sensor relay which has an identification tag and a clear glass front window permitting convenient, visible verification of the relay position. Either of these indications should be adequate, so this combination of annunciation and visible verification fulfills the requirements of this criterion. 7.A.3.4.1.20 Information Readout (IEEE 279-1971, Paragraph 4.20) Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the containment spray function is available and/or operating properly. 7.A.3.4.1.21 System Repair (IEEE 279-1971, Paragraph 4.21) The containment spray control system is designed to permit repair or replacement of components. All devices in the system are designed for a 40-year lifetime under the imposed duty cycles with periodic maintenance. Since this duty cycle is composed mainly of periodic testing rather than operation, lifetime is more a matter of "shelf life" than active life. However, all components are selected for continuous duty plus thousands of cycles of operation, far beyond that anticipated in actual service. The pump breakers are an exception to this with regard to the large number of operating cycles available. Nevertheless, even these breakers should not require contact replacement within 40 years, assuming periodic pump starts each 3 months. 7.A.3-56 REV. 13

LSCS-UFSAR Recognition and location of a failed component will be accomplished during periodic testing. The simplicity of the logic will make the detection and location relatively easy, and components are mounted in such a way that they can be conveniently replaced in a short time. Sensors which are connected to the instrument piping are connected with separate screwed or bolted fitting and could be changed in approximately 1 hour, including electrical connection replacement. 7.A.3.4.1.22 Identification (IEEE 279-1971, Paragraph 4.22) A nameplate identifies each logic cabinet and instrument panel that are part of the containment spray system. The nameplate shows the division to which each panel or cabinet is assigned, and also identifies the function in the system of each item on the control panel. Identification of cables and raceways is discussed in Subsection 8.3.1.3. Panels in the control room are identified by tags which indicate the system and logic contained in each panel. 7.A.3.4.2 IEEE 308-1971 Criteria for Class 1E Electric Systems for Nuclear Power Generating Station Class 1 a-c power supply system containment spray loads are physically separated and electrically isolated into redundant load groups so that safety action provided by redundant counterparts are not compromised. 7.A.3.4.3 IEEE 379-1972 The single failure criteria of IEEE 279-1971, Paragraph 4.2 as further defined in IEEE 379-1972, "Application of the Single Failure Criterion to Nuclear Power Generating Station Protection System," is met as described in Subsection 7.A.3.4.1.2. 7.A.3-57 REV. 13

LSCS-UFSAR 7.A.4 Systems Required For Safe Shutdown 7.A.4.1 Reactor Core Isolation Cooling System Instrumentation and Controls 7.A.4.1.1 IEEE 279-1971 Criteria for Protection Systems for Nuclear Power Generating Stations Single-Failure Criterion (IEEE-279, Par. 4.2) The RCIC system is not required to meet the single-failure criterion. The control logic circuits for the RCIC subsystem initiation and control are housed in a single relay cabinet and the power supply for the control logic and other RCIC equipment is from a single d-c power source. The RCIC initiation sensors and wiring up to the RCIC relay logic cabinet do, however, meet the single-failure criterion. Physical separation of instrument lines is provided so that no single instrument rack destruction or single instrument line (pipe) failure can prevent RCIC initiation. Wiring separation between divisions also provides tolerance to single wireway destruction (including shorts, opens, and grounds) in the accident detection portion of the control logic. The single-failure criterion is not applied to the logic relay cabinet or to other equipment required to function for RCIC operation. Equipment Qualification (IEEE 279, Par. 4.4) Environmental No components of the RCIC control system are required to operate in the drywell environment except for the condensate pots of the vessel level sensors. The RCIC steamline isolation valve located inside the drywell is a normally open valve and is therefore not required to operate except under test and isolation conditions. Other process sensor equipment for RCIC initiation is located outside the containment and is capable of accurate operation in the temperature conditions that result from abnormal conditions. Panels and relay cabinets are located in the control room and/or auxiliary equipment room environment so environmental testing of components mounted in these enclosures was not warranted at unusual environmental conditions. The components in the RCIC control system have demonstrated their reliable operability in previous applications in nuclear power plant protection systems or in extensive industrial use. 7.A.4-1 REV. 13

LSCS-UFSAR Channel Integrity (IEEE 279, Par. 4.5) The RCIC system instrument initiation channels satisfy the channel integrity objective. Channel Independence (IEEE 279, Par. 4.6) Channel independence for initiation sensors is provided by electrical and mechanical separation. The A sensors for reactor vessel level, for instance, are located on one local instrument panel identified as Division 1 equipment and the B sensors are located on a second instrument panel widely separated from the first and identified as Division 2 equipment. The A sensors have a common pair of process taps which are widely separated from the corresponding taps for the B sensors. Disabling of one or both sensors in one location does not disable the control for RCIC initiation. Control and Protection System Interaction (IEEE 279, Par. 4.7) The RCIC system has no interaction with plant control systems. Annunciator circuits using contacts of sensors and logic relays cannot impair the operability of the RCIC control system because of electrical isolation. Derivation of System Inputs (IEEE 279, Par. 4.8) The RCIC system uses a direct measure of the need for coolant inventory makeup, e.g., reactor vessel low water level. Capability for Sensor Checks (IEEE 279, Par. 4.9) All sensors are installed with calibration taps and instrument valves to permit testing during normal plant operation or during shutdown. The reactor vessel level transmitters and trip units can be checked for operability by closing the low side instrument valve and bleeding off a small amount of water through the low side bleed valves (which are provided for venting the instruments) while observing the scale reading and channel trip indication in either the main control room or the auxiliary electrical equipment room at the relay logic cabinets, and then reopening the instrument valve. Capability for Test and Calibration (IEEE 279, Par. 4.10) The RCIC control system is capable of being completely tested during normal plant operation to verify that each element of the system, whether active or passive, is capable of performing its intended function. Sensors can be exercised by applying test pressures. The setpoint of the trip unit can be checked in place by applying a 7.A.4-2 REV. 13

LSCS-UFSAR calibration signal to the unit. Pumps can be started by closing the appropriate breakers, to pump against system check valves (or return to suppression pool through test valves) while the reactor is at pressure. Motor-operated valves can be exercised by the appropriate control relays and starters, and all indications and annunciations can be observed as the system is tested. Channel Bypass or Removal from Operation (IEEE 279, Par. 4.11) Calibration of a sensor which introduces a single instrument channel trip cannot cause a protective function without the coincident trip of a second channel. There are no instrument channel bypasses. Removal of a sensor from operation during calibration does not prevent the redundant instrument channel from functioning. Removal of an instrument channel from service during calibration is brief. Operating Bypasses (IEEE 279, Par. 4.12) Manual Bypasses There are several means by which the RCIC system could be deliberately rendered inoperative by plant operating personnel:

a. Manually opening feeder breakers to the motor starter for valves, pumps, etc., that are required to function during RCIC operation. Manually opening a breaker for a specific motor deenergizes the control power to the motor starter and thus deenergizes the valve position lights and so indicates to the operator that an off-normal condition exists. Tagging procedures may also be used to indicate out-of-service equipment and are considered an adequate indication of equipment status. Manual opening of breakers is a requirement for safe maintenance of equipment.

b. Manually opening d-c control power feeder breakers. Tripping or opening a d-c control power feeder breaker gives a loss-of-power alarm.

c. Manually shutting off instrument line valves in various specific combinations.

d. Placing of the flow controller from "Auto" to "Manual" operation in the main control room or adjusting "Auto" setpoint to an incorrect position. Manual operation of the flow controller is provided to allow operator intervention should the auto portion of the controller fail. The availability of an auto setpoint control on the controller is desirable so that the operator can regulate 7.A.4-3 REV. 13

LSCS-UFSAR the flow to maintain water level rather than cycling the turbine between the auto trip and start level setpoints without going to the "Manual" mode of operation. The controller is in the main control room and therefore under the direct supervision of the control room operator. All of these items are under operator control and are not automatically defeated by RCIC initiation signals. Automatic Bypasses The following is a list of automatic bypasses which can render the RCIC system inoperative:

a. RCIC steamline isolation signal; and

b. RCIC turbine trip caused by:

1. RCIC isolation signal,

2. RCIC pump suction pressure low,

3. RCIC turbine exhaust pressure high, and

4. RCIC turbine overspeed.

These functions are discussed in Subsection 7.4.1.2.3. In summary, there is no violation of the operating bypass section of IEEE 279, since RCIC and HPCS cannot be simultaneously disabled. Indication of Bypasses (IEEE 279, Par. 4.13) Automatic indication of bypasses is provided by individual annunciators to indicate what function of the system is out of service, bypassed, or otherwise inoperative. In addition, each of the indicated bypasses also activates a "system inoperative" annunciator. Manual "system inoperative" switches are provided for operator use for items that are only under supervisory control. Access to Means for Bypassing (IEEE 279, Par. 4.14) Access to motor control centers and instrument valves is controlled as previously discussed in this subsection. Access to other means of bypassing is located in the main control room and therefore under the administrative control of the operators. 7.A.4-4 REV. 13

LSCS-UFSAR Multiple Setpoints (IEEE 279, Par. 4.15) This is not applicable because all setpoints are fixed. Completion of Protective Action Once It Is Initiated (IEEE 279, Par. 4.16) The final control elements for the RCIC system are essentially bistable, i.e., motor-operated valves stay open or closed once they have reached their desired position, even though their starter may drop out. In the case of pump starters, the auto initiation signal is electrically sealed-in. Thus, once protective action is initiated (i.e., flow established), it must go to completion until terminated by deliberate operator action or automatically stopped on high vessel water level or system malfunction trip signals. Manual Actuation (IEEE 279, Par. 4.17) Each piece of RCIC actuation equipment required to operate (pumps and valves) is capable of manual initiation from the main control room. Failure of logic circuitry to initiate the RCIC system will not affect the manual control of equipment. However, failures of active components or control circuits which produce a turbine trip may disable the manual actuation of the RCIC system. Failures of this type are continuously monitored by alarms. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279, Par. 4.18) Setpoint adjustments for the RCIC high drywell pressure instrument trip channels are integral with the sensors on the local instrument racks and cannot be changed without the use of tools to remove covers over these adjustments. Setpoint adjustments for the reactor vessel low level instrument trip channels are integral with the trip units in the relay logic cabinets and also require the use of tools. Control relay cabinets are capable of being locked to prevent unauthorized actuation. The range (or span) of the reactor vessel pressure switches is not adjustable. Because of these restrictions, compliance with this requirement of IEEE 279 is considered complete. Identification of Protective Actions (IEEE 279, Par. 4.19) Protective actions are directly indicated and identified by annunciator operation, trip unit indicating lights, or action of the sensor relay which has an identification tag and a clear glass window front which permits convenient visible verification of 7.A.4-5 REV. 13

LSCS-UFSAR the relay position. The combination of annunciation and relay observation is considered to fulfill the requirements of this criterion. Information Readout (IEEE 279, Par. 4.20) The RCIC control system is designed to provide the operator with accurate and timely information pertinent to its status. It does not introduce signals into other systems that could cause anomalous indications confusing to the operator. Periodic testing is provided for verifying the operability of the RCIC components and, by proper selection of test periods to be compatible with the historically established reliability of the tested components, complete and timely indications are made available. Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the RCIC function is available and/or operating properly. System Repair (IEEE 279, Par. 4.21) The RCIC control system is designed to permit repair or replacement of components. All devices in the system are designed for a 40-year lifetime under the specified duty cycle. Since this duty cycle is composed mainly of periodic testing rather than operation, lifetime is more a matter of shelf life than active life. However, all components are selected for continuous duty plus thousands of cycles of operation, far beyond that anticipated in actual service. Recognition and location of a failed component is accomplished during periodic testing. The simplicity of the logic makes the detection and location relatively easy, and components are mounted in such a way that they can be conveniently replaced in a short time. For example, estimated replacement time for the type of relay used is less than 30 minutes. Sensors which are connected to the instrument piping cannot be changed so readily, but they are required to be connected with separable screwed or bolted fittings and can be changed reasonably in less than 1 hour, including electrical connection replacement. Identification (IEEE 279, Par. 4.22) All controls and instruments are located in one section of the control room panel and are clearly identified by nameplates. Relays are located in one panel for RCIC use only. Relays and panels are identified by nameplates. 7.A.4.1.2 IEEE 323-1971 Trial-Use Standard - General Guide for Qualifying Class I Electric Equipment for Nuclear Power Generating Stations Specific conformance to requirements of IEEE 323 is covered in Subsection 7.A.1. 7.A.4-6 REV. 13

LSCS-UFSAR 7.A.4.1.3 IEEE 338-1971 Trial-Use Criteria for Periodic Testing of Nuclear Power Generating Station Protection Systems The only paragraphs of IEEE 338-1971 that apply to the design of the RCIC system are covered as follows:

a. capability for Sensor Checks (IEEE 338-1971, 2.1)(Reference Subsection 7.4.1.3.2); and

b. capability for Test and Calibration (IEEE 338-1971,2.2)

(Reference Subsection 7.4.1.3.2). 7.A.4.1.4 IEEE 344-1971 Guide for Seismic Qualification of Class I Electric Equipment for Nuclear Power Generating Stations The conformance to the requirements of IEEE 344-1971 is detailed in Section 3.10. 7.A.4-7 REV. 13

LSCS-UFSAR 7.A.5 Other Instrumentation Systems Required For Safety 7.A.5.1 Main Steamline Radiation Monitoring Subsystem 7.A.5.1.1 Specific Requirement Conformance IEEE 279-1971 Conformance to IEEE 279 is shown in Subsection 7.A.2.1.6. IEEE 323-1971 Qualification of the components of this subsystem is covered in Subsection 7.A.1. IEEE 338-1971 This subsystem is testable during reactor operation as described in Subsection 7.A.2.1, Paragraphs 4.9, 4.10, 4.11, 4.13, and 4.14. IEEE 344-1971 Seismic qualification of the components of this subsystem is covered in Section 3.10. IEEE 379-1972 This subsystem meets the single-failure criterion as described in Subsection 7.A.2.1, Paragraph 4.2. 7.A.5.2 Reactor Building Ventilation Exhaust Plenum Radiation Monitoring 7.A.5.2.1 Specific Requirement Conformance IEEE 279-1971 General Functional Requirement (IEEE 279-1971 Paragraph 4.1) The purpose of this subsystem is to initiate isolation of potentially contaminated plant ventilation effluent paths and initiate standby gas treatment in the event of excessive amounts of radioactive gases and particulates in the reactor building vent plenum. For two channels, two-out-of-two high-high radiation or inoperative trips shall:

a. shut down and isolate the reactor building vent system outboard valves, 7.A.5-1 REV. 13

LSCS-UFSAR

b. close outboard drywell and suppression pool purge and vent valves, and

c. initiate one standby gas treatment train.

For the other two channels, the same signals will operate equivalent inboard valves (a and b) and initiate the other standby gas treatment train (c). Single-Failure Criterion (IEEE 279-1971 Paragraph 4.2) This criterion is met since there are two independent pairs of channels which initiate redundant equipment. One failure affects only one pair of channels. Quality of Components and Modules (IEEE 279-1971 Paragraph 4.3) The sensor and converters as well as the indicator and trip units are fully described in GE technical manuals and have been used in all GE boiling water reactor power plants. Equipment Qualification (IEEE 279-1971 Paragraph 4.4) On the component and module level, General Electric's Nuclear Energy Division conducts qualification tests to qualify the items for this application. In situ operational testing of the detectors, monitors, and channels is performed at the site during the preoperational test phase. Channel Integrity (IEEE 279-1971 Paragraph 4.5) The channel components are operable under the predetermined normal and abnormal circumstances. The trip channel components have been selected to fulfill these minimum requirements. Channel Independence (IEEE 279-1971 Paragraph 4.6) The four trip channels of this protective function are electrically isolated and physically separated in order to meet this design requirement. Control and Protection System Interaction (IEEE 279-1971 Paragraph 4.7) The four monitors for this protective function comply with this design requirement. Isolated contacts are used to provide isolation signals to close appropriate valves. 7.A.5-2 REV. 13

LSCS-UFSAR Separation of inboard and outboard circuitry prevents postulated failures from impairing subsystem operation. Derivation of System Inputs (IEEE 279-1971 Paragraph 4.8) The measurement of radiation in the reactor building ventilation exhaust plenum is the appropriate variable to determine radioactive releases into the containment. Capability for Sensor Checks (IEEE 279-1971 Paragraph 4.9) Due to the two-out-of-two configuration of the trip logic, one channel at a time may be removed from service to perform periodic tests. Capability for Test and Calibration (IEEE 279-1971 Paragraph 4.10) An internal trip test circuit, adjustable over the full range of the trip circuit, is provided. The test signal is fed into the indicator and trip unit input so that a meter reading is provided in addition to a trip. All trip circuits are the latching type and must be manually reset at the front panel. Facilities for calibrating these monitor units are provided. It is a test unit designed for use in the adjustment procedure for the area radiation monitor sensor and convertor unit. It provides several gamma radiation levels between 1 and 250 mrem/hr. The calibration unit source is Co60. A cavity in the calibration unit receives the sensor and convertor unit. Located on the back wall of the cylindrical lower half of the cavity is a window through which radiation from the source emanates. A chart on each unit indicates the radiation levels available from the unit for the various control settings. Channel Bypass or Removal from Operation (IEEE 279-1971 Paragraph 4.11) During the periodic test of any given channel, the controls associated with a monitor permit the monitor to be tested for proper operation. The two-out-of-two trip system logic prevents system level protective action. The two-out-of-two trip system logic channel when in the test mode provides an inoperative trip signal in order to meet the single-failure requirements. Operating Bypasses (IEEE 279-1971 Paragraph 4.12) This design requirement is not applicable to this protective function. 7.A.5-3 REV. 13

LSCS-UFSAR Indication of Bypasses (IEEE 279-1971 Paragraph 4.13) A downscale annunciation is produced during the monitor tests with its front panel controls. Substitution of the process input with a simulated input to the monitor produces downscale and upscale annunciations in the control room under specific conditions of the test. Access to Means for Bypassing (IEEE 279-1971 Paragraph 4.14) During the periodic test, administrative control procedures must be followed to remove one monitor from service and subsequently return it to service. Multiple Setpoints (IEEE 279-1971 Paragraph 4.15) This design requirement does not apply to this protective function. Completion of Protective Action Once It Is Initiated (IEEE 279-1971 Paragraph 4.16) The monitor output trip circuit remains in a tripped state whenever the gamma radiation level exceeds the established setpoint. Manual Initiation (IEEE 279-1971 Paragraph 4.17) This design requirement is not applicable to this protective function. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279-1971 Paragraph 4.18) Access to the monitors is under the administrative control of plant personnel. Operation of the monitor front panel controls, whether for calibration or test purposes, results in a downscale annunciation from that channel in the control room. Identification of Protective Actions (IEEE 279-1971 Paragraph 4.19) Actuation of any radiation monitor to produce a tripped condition will initiate a control room annunciator for this protective function. System Repair (IEEE 279-1971 Paragraph 4.21) The one-to-one relationship of detector, monitor, and trip circuitry permits the operator to identify a faulty channel and determine the defective component. 7.A.5-4 REV. 13

LSCS-UFSAR Provisions have been made to facilitate repair of the channel components during plant operation. Identification (IEEE 279-1971 Paragraph 4.22) Special identification is provided for these monitors by special colored marker plates which identify the reactor protection system division with which the units are associated. IEEE 323-1971 Qualification of components of this subsystem is covered in Subsection 7.A.1. IEEE 338-1971 This subsystem is testable during reactor operation as described under the IEEE 279 conformance description above, Paragraphs 4.9, 4.10, 4.11, 4.13 and 4.14. IEEE 344-1971 Seismic qualification of the components of the subsystem is covered in Section 3.10. IEEE 379-1972 This subsystem meets the single-failure criterion as described under the IEEE 279 conformance description above, Paragraph 4.2. 7.A.5.3 Recirculation Pump Trip System 7.A.5.3.1 Specific Requirements Conformance IEEE 279 General Functional Requirement (IEEE 279-1971 Paragraph 4.1) Two instrument channels are connected to both division logics. In the division logics, the channels lose their identity since they are combined. The combination is two-out-of-two. When both instrument channels inputting a common divisional logic and monitoring the same variable exceed their setpoint, RPT occurs if an inhibit is not present. Single-Failure Criterion (IEEE 279-171 Paragraph 4.2) The design complies. 7.A.5-5 REV. 13

LSCS-UFSAR Quality of Components and Modules (IEEE 279-1971 Paragraph 4.3) The division logic consists of high-quality circuitry that has been proved to be highly reliable and is qualified per IEEE 323. The actuators are devices selected to be operated substantially within their capabilities and are of high quality and reliability and qualified for their application per IEEE 323. Equipment Qualification (IEEE 279 Paragraph 4.4) At the component level, vendor certification is required that these parts will operate in accordance with the requirements of the purchase specification. General Electric will qualify the system and its components, modules, and subassemblies. In addition, in situ operational tests will be performed on the system during the preoperational test phase. Channel Integrity (IEEE 279-1971 Paragraph 4.5) The logic system complies with this requirement. Channel Independence (IEEE 279 Paragraph 4.6) The two-division arrangement meets this requirement. Control and Protection System Interaction (IEEE 279 Paragraph 4.7) The two division logics are totally separate from any nonprotection system. Due to the design of this output and separation of the cabling, there is no interaction with control systems of the plant. The actuator logic has no interaction with any other plant system, and the breaker trips are physically separate and electrically isolated from the other portions of the recirculation pump power supply. Consequently, this design requirement is met by this equipment. Any system interlocks to control systems are isolated such that no failure or combination of failures in the control systems has any effect on RPT. Derivation of System Inputs (IEEE 279 Paragraph 4.8) This design requirement is met by the instrument channels selected for inputs. Capability for Sensor Checks (IEEE 279 Paragraph 4.9) This design requirement is not literally applicable but by interpretation can be applied and is fully complied with by the input tests, logic tests, and output tests for 7.A.5-6 REV. 13

LSCS-UFSAR which provisions are made. The system utilizes RPS sensors addressed in Subsection 7.2.3. Capability for Test and Calibration (IEEE 279 Paragraph 4.10) Refer to Subsections 7.A.2.1.3 and 7.A.2.1.4. Channel Bypass or Removal from Operation (IEEE 279 Paragraph 4.11) This design requirement is not applicable. Operating Bypasses (IEEE 279 Paragraph 4.12) This design requirement is not applicable. Indication of Bypasses (IEEE 279 Paragraph 4.13) This design requirement is complied with by indication of test bypasses. Access to Means for Bypassing (IEEE 279 Paragraph 4.14) This design requirement is complied with by operator control of test program. Multiple Setpoints (IEEE 279 Paragraph 4.15) This design requirement is not applicable. Completion of Protective Action Once It Is Initiated (IEEE 279 Paragraph 4.16) Once the RPT relays are tripped, they in turn trip the trip coils of the recirculation pump breakers. An annunciator for each division is provided in the control room which informs the operator that the logic has initiated the RPT. The process computer logs the fact that an RPT has occurred. Manual Actuation (IEEE 279 Paragraph 4.17) Not applicable. Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279 Paragraph 4.18) This design requirement is met. Refer to Subsection 7.2.3. 7.A.5-7 REV. 13

LSCS-UFSAR Identification of Protective Actions (IEEE 279 Paragraph 4.19) Control room annunciators are provided to identify the tripped portions of RPT in addition to the previously described instrument channel annunciators associated with the RPS:

a. Division 1 logic tripped, and

b. Division 2 logic tripped.

These same functions are connected to the process computer to provide a record of the system status. Information Readout (IEEE 279 Paragraph 4.20) The information presented to the control room operator satisfies this design requirement. Systems Repair (IEEE 279 Paragraph 4.21) The design of this portion of the RPS complies with this design requirement. Identification of Protection Systems (IEEE 279 Paragraph 4.22) Refer to Subsections 7.A.2.1.3 and 7.A.2.1.4. Criteria for Class 1E Electric Systems (IEEE 308) This does not apply to the logic system, which is fail safe. Its power supplies are thus unnecessary for RPT. A 1E system is required to energize the breaker trip coils. Standard for Qualifying Class 1 Electric Equipment (IEEE 323) See Subsection 7.A.1. Periodic Testing (IEEE 338) Refer to Subsection 7.2.3. Seismic Requirements (IEEE 344) - All Class 1E equipment will meet the requirements of Section 3.10. 7.A.5-8 REV. 16, APRIL 2006

LSCS-UFSAR Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection Systems (IEEE 379) These requirements are satisfied by consideration of the different types of failures and carefully designing all violations of the single-failure criterion out of the system. An exception is imposed during periodic logic testing. 7.A.5.4 Leak Detection System 7.A.5.4.1 Specific Requirement Conformance Unless otherwise noted, specific regulatory requirements discussed below apply only to those portions of the leak detection system which supply signals to the primary containment and reactor vessel isolation control system. IEEE 279-1971 and IEEE 379-1972 Leak detection system compliance with IEEE 279 and IEEE 379 is included in the IEEE 279 and IEEE 379 compliance discussions of the primary containment and reactor vessel isolation control system, Subsection 7.3.2.3, for which this system provides logic trip signals. IEEE 323-1971 Leak detection compliance is shown in Subsection 7.A.1. IEEE 338-1971 Leak detection compliance with IEEE 338 is shown. All active components of the leak detection system associated with the isolation signal can be tested during plant operation. IEEE 344-1971 Leak detection system compliance is shown in Section 3.10. 7.A.5.5 Intermediate Range Monitor Subsystem 7.A.5.5.1 Specific Requirement Conformance IEEE 279-1971 The IRM design is shown to comply with the design requirements of IEEE 279, "Neutron Monitoring Scram Trip", in Subsection 7.A.2.1. 7.A.5-9 REV. 13

LSCS-UFSAR IEEE 323-1971 IRM compliance is shown in Subsection 7.A.1. IEEE 338-1971 IRM compliance with IEEE 338 is shown in Subsection 7.A.2.1 under "IEEE 279 Conformance - Neutron Monitoring Scram Trip" (Paragraphs 4.9 and 4.10). IEEE 344-1971 IRM compliance is shown in Section 3.10. IEEE 379-1972 IRM signal separation, cabinet separation, use of isolation circuitry, and number of channels per trip system are methods used to meet the single-failure criterion. Convenient test and calibration circuits permit frequent checks for undetected failures. 7.A.5.6 Average Power Range Monitor Subsystem 7.A.5.6.1 Compliance with IEEE 279-1971 The APRM design is shown to comply with the design requirements of IEEE 279 in Subsection 7.A.2.1 under IEEE 279-1971. Compliance with IEEE 323 APRM compliance is shown in Subsection 7.A.1 and Topical Report NEDO 10698. Compliance with IEEE 338 APRM compliance with IEEE 338 is shown in Subsection 7.A.2.1. Compliance with IEEE 344 APRM compliance will be shown in Section 3.10. Compliance with IEEE 379 LPRM signal separation, cabinet separation, use of isolation circuitry, and number of channels per trip system are methods used to meet the single-failure criterion. Convenient test and calibration circuits permit frequent checks for undetected failures. 7.A.5-10 REV. 13

Eees ECCS INSTRUMENT INSTRUMENT RACK RACK (RPS 1 Al IRPS 2 Bl

                                                               /
                                                            /

OAYWELL 270* 90* RCIC STEAM TO TURBINE (1) ECCSINSTRUMENT ECCS INSTRUMENT RACK (RPS 1 B) RACK (RPS 2 A) (I) NOTES: (I) SEPARA TlON AGAINST DESIGN BASIS EVENT USEO BETWEEN SOURCE OF DAMAGE AND ELECTRICAL EQUIPMENT OF DifFERENT DIVISIONS AS DENOTED BY 1, 2. AND 3. (II) EITHER OF' THE INSTRUMENT RACKS 3 CAN ACTUATE HPCS. LA SALLE COU NTY STATION IJPOATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.1-1 SCHEMATIC ARRANGEMENT OF RPV NOZZLES FOR ECCS AND INSTRUMENTS RF.V. 0 - APRIL 1984

                                                                                           ~

v '///ij////////'/ PENETRATION B RACEWA If N8

• I I

INSTRUMENT NON NEUTRON CHA~NELS C A 8 0 SENSORS SAM & DIV IIA APRM APAM DlV IA lAM DIV 18 DlV liB A B a&F I I I I I I I I PENET A

                                     'IP                                                          ,                      PENET 0

~r_ ~ .. SRM" IRM TAIP l.OGIC

                                                 -         PWR PWA "A" "8"

TRIP LOGIC LPAM r--

                                                                                                                                          ~
                                                                                                                                          ~

~ AlfiE A INDIVIDUAL 9'" 8 A

                                                                                                                                          ~

~ APRM I-LOGIC EXT. . \ OUTM I- APRM F ~ E ~ l- INTER-

                                                                                                                                          ~

r/ ~ L.PRM TRIP CONNECTION TRIP SRM & IRM

                                                                                                                                          ~

~ ~ B l.OGIC

                                                                                                      ~o...4
                                                                               ~"J G4""",=-                                                         LOGIC                            D&H
                                                                                                                                      '-~

C 0 ~,- G3 ~ G3 G2......- ~;2 RACeWAY NA" SAMC&

                                                                                          +                 RACEWAY NO'

• APRM C

lAM APAM 0 lr TRIPS LOGIC C&G TRIPS LOGIC OUTPUT A OUTPUT B J ~

                                       ~
                                                                                                   ~GROUPl I

GROUP1~ ( r/ '/// / / / "/////7//1 TYPICAL OF RACEWAY NC' GROUPS 2.3. &4 PENETC r-----------.., COMMON~---

                                                      ----_.                   _ _ _ ...J Ir ENCLOSURE                                  Y"//. ' / / / / / / / / / / / '/.' /

_______ L-_ PENETRATION'

• r SCRAM GROUP RACEWAY 1 IL OA EQUIVALENT -...lI ONE CONDUIT - - -.....-

FOR EACH ROD .---1._ _....... .....

                                               '--_ __._-J---...._....J
                                                                                         """"L-.__ HYDRAUUC RPS TERMINAL BOX ON CONTROL UNIT AIR-----l                                    ~-- SCRAM SOLENOIDS FOR ONE ROO
        'RACEWAYS NA. NB, ETC. MAY BE ASSIGNED TO SEPARATE DIVISIONS AS APPROPRIATE TO PLANT LAYOUT. RATHER THAN REOUIRING EIGHT SEPARATE DIVISIONS.
       "IF THE WIRING FOR MORE THAN ONE ROO GROUP GOES THROUGH THE SAME PENETRATION, A METAL BARRIER WHICH EXTENDS THROUGH THE PENETRATION MUST 8E PROVIDED BETWEEN THE WIRING FOR THE DIFFERENT GROUPS.

LA SALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPuRT FIGURE 7.1-2 RPS SEPARATION CONCEPT REV. 0 - APRIL 1984

a o lD

                                                                ,....I u.J
 ..j..j'"  ..j 'J"I>  ~~             a::Q.             ..j..j   0:::

wwZ ..j"'a:: 0- <0  ::l (J>>W wWO 1-::> (J>w'" ~a::(J> a:: " 1-0 <<0  ::>a:: t:.!:l

 ~..j      )-Q.Z          ..j        :::Jw             ZI-      l-i
                                                       <Z       LL.

oa:: W (J> I-u  ::EO U I.J.J

                                     <<                          I.J.J VJ
                                                                +:

LA SALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.1-3 EMERGENCY CORE COOLING SYSTEMS (EeCS) SEPARATION SCHEME REV. 0 - APRIL 1984

SENSORS WIREWAVS c 4 TRIP TRIP TRIP TRIP NS LOGIC LOGIC LOGIC LOGIC LOGIC A B C D NON-APS NON-RPS SENSORS SENSORS AUXILIARY RELAYS MANUAL MANUAL AUXILIARY RELAYS OUTBOARD VALVES SWITCH SWITCH INSOARD VALVES MOTOR STARTERS (FOR MOV'S ONL VI DIV 1 I ...._.,..._..

                                                                           ...........- - D I V 2 POWER POWER AC AND/OR DC                                  I                                               AC ANDIOR DC I

M.O. I M.D. OR SOL. I OR SOL. I I I I I LA SALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.1-4 NSSS SEPARATION CONCEPT REV. 0 - APRIL 1984

COMMON PROCESS TAl' I COMMON PROCESS TAl' (OPTIONAL) I (OPTIONAL) I I SENSORS I I CONDUITS CONDUITS I I DIV 1 CONDUIT RPS PANELS FAILSAFE i-- ----, I LOGIC TRIP I TRIP DIV 2 TRIP I TRIP LOGIC A I LOGIC B CONDUIT LOGIC 0 I LOGICC I I AUXILIARY RELAYS MANUAL MANUAL AUXILIARY RELAYS OUTBOARD VALVES SWITCH SWITCH INBOARD VALVES 2 INDIVIDUAL 2 INDIVIDUAL CABLES IN A CABLES IN A SINGLE RACEWAY SINGLE RACEWAY

                                                                  ~~~~~~~~~CONTAINMENT E                     PENHi'll' noN COMMON RACEWAY o
                                                                                 !'J aen (II
                          -<                                                   III OUTBOARD VALV E                                  INBOARD VALVE LA SALLE COUNTY STATION

• INTERCONNECTING UPDATED FINAL SAFETY ANALYSIS REPORT CONDUITS USED FOR MAIN STEAM ISOLATION VALVE LOGIC ONLY FIGURE 7.1-5 MAIN STEAMLINE ISOLATION SEPARATION CONCEPT REV. 0 - APRIL 1984

A C B o SEE MULTIPLE CIRCUIT

                                                                   .1      .1         ..L   A REACTOR VESSEL LEVEL SENSORS       +-k                 +-k                         -        r-T I

NOTE oTHER t

• OTHER I I DIV 2 WIREWAY DIV1 DIV1 DIV 2 INPUT INPUT TERMINAL BOX l

CONTAINING DIV 1 RelC CONTROL 01 VI WIREW AY LOG'C "'RCU7 TO DIV 2 EQUIP RCle CONTROL LOG IC DIV 2 PANEL CABINET DIV 1 NOTE: CIRCUITS FOR RelC INITIATIONS UTILIZE CONTACTS ELECTRICALL" SEPARATE FROM THOSE USED FOR OTHER DIV 2 INPUTS LA SALLE COU NTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.1-6 RCIC SENSOR SEPARATION SCHEME REV. 0 - APRIL 1984

it *.

                                        *                                      *          *                    *

• 10 .

                                     ~ )

/II. _ _.---110

                                              ---a I *
                                                                                                                                 "I naououm
                                                                                                                               .. a ..

aoaaflnoaa aonannonaona<- I I

                                                                                                                               *I * *

• I I

_T

                                               .----0 I
                                                  ------.                                                            Uaaaoaaoaaaao  I

• I

                                                                                                                                               *t

• I

                                                       ---......                                                        loanoaaaonaao  t

• I 1.

Ie1 IdMAt= ^~Il~ Y~I~IfMt~T couccuo*

• Done " I 9L (II

                                                -----1L1t
                                                       ----~

I wGY1wt1. I Mf

• nannoaanaaaa " *"I I

I I I nanaanaaaaoa " t I ad f I UW11fNL M10 ' ~, aaonananaclo

J ----

I<e~ lm

                                                                                                                                                  *"    I                                                               T oaaanaaooaa r~av             r'~wn I I
                                                                                 ~                                         ooaoaaooaao            "t

• nomanoaaao t IMP ~" AN-00 a

Iw~I1A wLI~ i" Win/ 0oam In IRMr '/

                                                                                                                     1804 4Y11" w "KWwIlW1 " allOf lit
                                                                                                                                                                                                 ! "L aanoaaa
                                           ---                                    _Ill

• I. ~1 Il"0"II AMAI aws ! wlr " nw Iwr me i w 1. 1 t"wlt wAt wl .r[ rqr 110" R' wlr ILC'IIlIC/IIL &. i. mr wlu ~

                                                                                                                                                                                        "falo. rAre m   aG Iwl           Il0 " I rrfs is ani" s 1"                                ,

was

                                            ~
                                                                                                £       IM'I'"

All. . IwwAg. tlllw " m lflllllwq',

                                                                    ,<:It/             ,C.. "                                                                             ,.1. r=~=..,.,=,=_:.=_",,,,::::,,~,,,,-                          IVOIIOOR iAWt          w11G1
                                           -.-                          , &.      _Ill                                           .!at.

r.

                                          .~                                                                                                                                     " " AWwIAllw                                                             .
                                                                    "                                                                                                     *.1.. wl Iww,          rA rmr, smim w[ xr e:-                                  t"ItnA,.
                                                                                                                                                                          .~     WI                   _                              '"          .e-.t l'tllnII::'IDI
                                                                                       "        A       ~1Il 1"
                                                                                                                                                                                 ~-::u~

nw M tlw mlgm enA e111A Yl W ...... _ -.. , ,.. .wY D W.  ::Jf"'=:'L.'...,.. 14 M11"n "1 w -www Amao wrP IUtJ (¢11

                                                                                                                                                                                =.

1'. dA -

        ~=------.

I .....

              -ND-li.

11. R~ti11~wSAIYIIA'm

                                                                                                                                                                                     ~u:.~-=~~~

It. ===::.~&':=~-..

• It,

                                                                                                                                                                        ...      ~.

PIII "IOY" IIIA. ~n1Ai

                                                                                                                                                                                          . .q Mt ----- "".......
                                                                                                                                                                                                    ~
                                                                                                                                                                                                ..f" 41 A&"
                                                                                                                                                                                                     "1 ~

Y wL Ma

                                                                                                                                                                                                                           ~

r "%

M, i1f fWSICM.LY 1 ~ AII~MYi

                                                                                                                                                                                                                                                ~Yw! A v1A ~t1* __ *.
                                                                                                                                                                                                                                                                . IN
                                                                                                                                                                                                                                                         ¢IG`40Y1m...   . .",
                                                     -------------------1------------
                                                                                                                 ...                                                                      lu "+~~~~"

w t R =~

                                                                                                                                                                        &4.      ~ ~ -:':-:"l~ C1'l'l,.                    (lGl, ...   ! _.-.o..c.aa
                                                                                                                                                                                                                                          " H"04" GAD .                Mn  .i'.

I  :::;"'J:=r:::::.-:...:;-:::::;;;-=..;W:... I " ~S IAl~ l l~ ~A ..,

                    --.,.-~~~---J                                                                                                                                                MI
                                                                                                                                                                        -0'" . ..,...                                                                              &l.

I )

                 .--1-- ,

I. 1IlJC_~ J. 1 . ¢KI" w04T1a yA ¢NA

1. ~

west "

                                                                                                                                                                        !t.. NClUa w.

I. _ . COJ.

• m-f . 1". 11¢A MW M lanlA e"YellAlln t * ...-

elms Ift to MPO

                                                                                                                                                                                                              " . . . c t.. '
                                                                                                                                                                                                                         "¢. .we.

mlr

                                                                                                                                                                                                               ,., IEStIII             Me. ... . . . . . ,.--..a.n M w . . . . . . AI A cU-fotl til tc>>

M . . . . . . . . . . . . . . . ,GN4n1 "J

                                                                                                                                                                                                                                                                   ,JI-.oJ,O
                                                                                                                                                                                                                                         . . . . . . . . . . G71"l111
                                                                                                                                                                                                                                                                 . iaww OU"!tmO "1
                                                                                                                                                                                                                                                                     .. -aero i~ ,SIIOi t * . . . , . D(DI M rca                                                                          ,. .

1. t "!Iw plb M ro . . . . . . . . . . . . . . . . . AI "Ial

1. 101113 "1 curt eM rw . . . . . . . . . . . . .

J. ~ _ . .C_SII *** * .. *

                                                                                                                                                                                                                                                                        "l C.. * . "*
                                                                                                                                                                        ** ~ _                                  I'QJ                                     "'",       .. ..
                                                                                                                                                                                                                                                                   <.Ii ..l . .

1. wRm"l " n1Mrm . . . . . . . . . . . . .Gy.iW Sam R" . " . . . . . . . .. . . . . . . . W.InI - ".

mwi "n fta~ In N" . . . '". . . . . . . ". . . E.,. t~ml.. 1.

t. ~"lDI"""

H. i~i iijJf~1 le* . . - . aft

u. naAwl"r111 u * .-.:oa . . _ .. "wwmm

                                                                                                                                                                                                        ~         "_ . . . .
                                                                                                                                                                                                                                                      .uvaa...
                                                                                                                                                                                                                                                         . . . . a;a..'"
                                                                                                                                                                  . .U.IwaA1m1-.r

_u

                                                                                                                                                                                             . - . . .~1
                                                                                                                                                                                      . - . . .~'l:JI" *. ..t . .. ... ... .."'... "'. . ."' . . .            -Im 11.
                                                                                                                                                                      .a.       tom     ! .IwIIa01                   . . . . . . . . . . . .c..              . . . YFI"1  1*

• 11, .-ra

                                                                                                                                                                     ,**        ffmcm    twlm CMIVII:I ~~      ....." ~       ¢A1100111            "   "
                                                                                                                                                                                                                                                  ---       to on CII

("""11. YYt

                                                                                                                  .                                                            t . rsw an¢ slaw rm "A R. ola.
                                                                                                                                                                               . . . . . . . . . . . .1& . . . . . . . . . . . . . 8'U. 01.2'

• s:;~ ~~O~J:.~

cart : K BXTIIKAL M0INCTOM AMMMY (Ef,. 1111P _ Nlf

                                                                                                                                                                                           . VQL_  CRAYOIlYCAI161  _                     CO OYBt , V0 I'I\l:GIIUttV.         .TA LROMA -KLUGE a uSloot Mtak Acy.
                                                                                                                                                              --1" H                      ~~-_"'I

__ f:==::'~"rNCJa14) 16 . A SINGLE SCRAM

16. A SINGLE SCRAM PILOT PILOT VALVE VALVE WITH WITH DUAL DUAL SOLENOID OPERATED SOLENOIO OPERATED PILOT PILOT ASSEUBLIES ASSEMBLIES

                                                                                 ~==

(NOT. 14) MAY UAY BE BE INSTALLED INSTALLED IN IN PLACE PlACE Of OF TWO TWO SCRAMSCRAM PILOT VALVES.

                                                                                                                                                                                            ""ES
                  .                                              i*~
                                                                 .~

I i5:1~~ __..d.J

                    '+-- (NOTE r-.t1l~~

H5) I I I .. I II L__.J ~" , I norMlR L J----------r-----<::=_'~ L_ ClI-'" .. LA SALLE COUNTY STATION

UPDATED FINAL SAFETY ANALYSIS REPORT

    ===-                    *                                                  *          *                    *

• FIGURE 7.2-1 REACTOR PROTECTION SYSTEM rED (SHEET 1 OF 4)

REV. 18 REV. 18 -- APRIL APRIL 2010 2010

8 7 6 5 4 2 F E E , o o c c B e f'*

                                             ~=:

• ~L( COUNTY STATION A UPOAT£O n~ WETY ANAlYSJS REPORT FlCURE 7.2-1 RtACTOR PROT£CTJON SYS1EM lED SHEET 2 Of 4) e 7 ~:-.6_ _[ __5_ 4 .3 2 REVISION 13 1

8 7 6 5 4 .3 2

                                                                            ~_~t(lI:ItlLl"""'t.f'           __

8i*.-~

 ,...... <&:I:D -'--
                           .-   ---~

_.---T-.. ---

                                                              - -..,- .,                      ..yt\~~,.-         ------------. r - - -                                                                                                                                     F
                                                                    ~:

I

 ,..,) ,,\ <.:&::E:I:l- - \. -
           ~_l.-

__

• I

i--

I J

                                                                  ~   ..      ....~
                                                                                  .                                 r:,J. t:
                                                                                                                "I.~~r
                                                                      ~ __ .___

• 1

                                                                                                                          ** -1 I
                                                                                                                                   ,   t t    J E                                                                                                                    ~ {f;',1 1.14'Ol'          ;,.
                                                                                                                     -T:.J;) . .                                             tot** '

_ .* ...J - -r:Er:)

0

            ~--- ----~
            <Hfj]fJ---- it~~~ ~f'           "                   --_._-

WAClOII

                                                                                         ... t6000"'U I~---------
                                                                                                                                                        '"'1

_ _ _-+-I_ _--.:::.:J tmID

                                                                                                                                                                       ~                                                                                                      o r._l~
              ' 'A .,
            <:IDi:3- - -        ---r..1..-'tf~. '"' "'-
                                                                \ \ --                   ..,.
                                                                                          -..c.~tbet
                                                                                          ....... 1.I"w14.           -      .......... .---.
            ~\.fu---           -ii'~~

I~.. c.""__ . \

     .... "                                                               \

i~ij G!L}----, ~U""* !t~1H LOCA'~ c ~t~* 91,1;  :,' c

                                                                                                                ~"a-
                                                                                                                .~k*"

4'

                                                                                                                 .~i L.::===t-".,.-;:;

Sl~ 'Jbt~~"'-" l.~

                                                                                                              ~OIT.

B ~ . C 3 : l - - - .. - - , r------- ~ B Ma,

                                                                                                 ~           . ---;J-. J.

(';~Ut~ L.- __ ...,.'. (-$().(.~" . I".~-:;-;-

                                                                                                                               ~-......

0lIiC~

                                                                                                                               ~         .                                                          -'---'=-..
                                                                                                                                                                                                -..e-.'1#  I(~ ......~ . . .
                                                                                                                                                                                                                           --c-;-:--,---,.-..,.-_-.J A

UPO~LE COUNTY STATION I fiNAL SAF'ElY ANALYSJ S 8 r--==-=7~---==C==~6==J==~5==:I==~==:lL_;;-__r----:~I::;;RE~pOR~r~~:j _-.-,,-,.- 4 3 IED

o TRIP tOlL REC,IRC PUMP TR\P 5Y5IEM A TYP fOR S"S "8~ E:t.C,EPT A5 ~t10Wt-.l IN (;) H L.A SALLE COU NTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.2-1

  .                                                                                                                                                  REACTOR PROTECTION SYSTEM lED (SHEET 4 of 4)
 --l~--_L---r--~--"""----::------'r--i--.~---:--r---;---Y----.:----r---:;:-----r-Il:rl ----;;---...,..---;;-----;rr---.-*~ff_'':I-. . .- -_ _- - - - - - - - - - - - - - - - -. . .
      =:t=..- t                                                                                                                                                  REV It 0 - APRIL 1984

LSCS-UFSAR CftC C" .... CI~G

                                                                                                                                  US      ~OW
                                                                         ...IJT"O"                           ......NST.....
                                                                                                                                ~OOI SWITe~

00000 'TQfI'fIIG I.I..n IN Sl AJIIT"'"

                                                                        . IfItliltTP                       ISO~T.D
                                                                                                                                 ~::. it!:T\.;"!:.

I TV".. MODI! ,",TeM MCOI ""Te" "CO, SW. n:" COO/TIlO. IN ""UlI. IN IT.aT IN""'" "ALVI

                                                                                                                                               ....,. tI.OIV"I HUCU""                                              1CIl....

OPRM OtSC.. VOL ",UT"Oto l'U....flflS1"gp

                                         ,Y,nM                                            au"'....Gf TRIP             ....NU.'"               ""'.UUlt.            ..1Ci" 1..... 1.

NOT ..... "11 VOLU....."TI" UVU ..tGOO MOOItTOHC UNili ,.... '" V-Lyl CI.OIUlI,

                                           "'0"
                                                                                              ~

i{MODI _Te", ,

     'NSMUTCIOWN lI"-.I.L
                          ............1 II      "'vU....

oOC1'O" "AT'" LlV....._ I 1..... n .... 00I _ TUO TCH l POWER 2f>%FtATED MCII:II_n:too I SC;""" LASALLE COUNTY STATION UPDATED FINAL SAFETY A.,."JALYSIS REPORT FIGURE 7.2-2 REACTOR PROTECTION SYSTEM SCRAM FUNCTIONS REV. 17, APRIL 2008

TRIP SYSTEM A ACTUATORS TRIP SYSTEM B

                                                                                       .                    I                  ~

LOGIC LOGIC At LOGIC lOGIC A2 81 82 EAl GA2 B81 fal He2 ACTUATOR LOGICS ASSOCIATED ACTUATOR LOGICS ASSOCIATED WITH TRIP SYSTEM A WITH TRIP SYSTEM B

                                                  /r--               - - IA                       ,
                                                                                                                     /r--------JI'                           ,

C

                              -0 0     r
              )::>            >>     >>

n -t AAt :z: EA1  :;;l: EAl ;t!: AAI DB2  ;;:. HB2 ~ H82

              -t             tTl    (J)                                                                                                                        Dez C               0
              -t 0              ......
                             " r
              ;;0            z r Vl              >> 111
   ....."--..                r-j    If) :t:>        "......

G'> () nz c Vl

r: 0  :;0 CA2 Z GA2 Z GA2 '% CA2 Bat F81 ~ f81 8Bl

                             >>.., 0                                                                                                :z:.

m m m C 3:)::>

     >>n               '-l    -t Z
     -, -t                    < -l
     ...... C         N n>>                 I     >>     -<
   '--' -t                    Z

• J 0 w >> (J)

0 r-

J < -l 1 r- Vl

;                            >-i    >>

0 (/I -l GROUP 1 GROUP 2 GROUP 3 GROUP.- GROUP 1 GROUP 2 GROUP 3 GROUP. G'> SOLENOIDS SOLENOIDS SOLENOIDS SOLENOIDS

              ......                                                                                              SOLENOIDS    SOLENOIDS       SOLENOIDS SOLENOIDS n              :~     0
)                                       NOTE. CONTACTS SHOWN IN NORMAL CONDITION

• Vl tTl

)                            *u     Z C)

• AI

                             -i

LSCS*UF SAR C _ A I . IC!'.MI

                                ~0I'I1'IIlOT1C1'1O" SYSTIM A:I ""If' LCGIC tllalT NOTE: CONTACTS SHOWN IN NORMAL CONDITION LASALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FlGCRE 7.2-4 LOGICS IN ONE TRIP SYSTEM (SCHEM-".TIC)

RRV 13

LSCS-UFSAR 'HIUTIIIOI'I

...,H'TOIllNC IVrrEM I ...U&I I"MCMA_ILA 101'11 OP lIGHT!

I I I IIIUCTOlII

   'IIIotICTIOfll SYETlM
                                                     "'--..,.....- A OPRM T.IUP A OPRM BYPASS tlIlUTIlOfll _ITO_INC IYsnM LOGICS ITWO 0' lIGHT' NDTI: CONT AC"'I1 IIHOWH 'N
                                                                                      "'Oll.....L CO/llOIT_

IIIIACTCIIl 'III0TICTIOH SVSTIMLOGIC: 10fll1 0' 'aulll' LASALLE COCNTY STATION UPDATED FINAL SAFETY ....." ALYSIS REPORT FIGURE 72-5 REL,>TIONSHIP BETWEEN NEUTRON MONITORING SYSTEM AND REACTOR PROTECTION SYSTEM REV. 17, APRIL 2008

TRIP SYSTEM A POWER BUS TRIP SYSTEM B POWER BUS 5 3 3 SV05-1 A H TURBINE STOP VALVE CLOSURE CHANNELS E C G B F o H A1 A2 B1 B2 REACTOR PROTECTION SYSTEM LOGICS NOTES:

1. CONTACTS SHOWN IN NORMAL CONDITION.

2. THREE OUT OF FOUR STOP VALVES MUST CLOSE TO CAUSE A SCRAM.

LA SALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FI GU RE 7. 2- 6 CONFIGURATION FOR TURBINE STOP VALVE CLOSURE REACTOR TRIP REV. 0 - l\ PIn L 19 8 4

                                                           .~.,,' olO.."". ~ ._", """"",,=_..,"'**,.,,, olO...,.m ""-"",,,..

f02lAIII ~ fOUAI,. fO:lt8t11 +: fOall12l +: fOlICCtI ~ fOZlCIal "% fOllOltl "% fOllOl%I (MOTOIl* GENUIATOIl } 1"-- SHA'

                                                       ~. ~~~.                                                  ~ ~                    *1.                    * !r:::~m.
                                                    '--v-J'---v-/~~'--y-J'--y--J'--y-J'-y--J STIAM          STEAM          SllAM              Sll_           sn_         su_           IUAM        nE_

LINE A LINE I lINEC LINE 0 LINE ... LINE C lINfl LINED MAIN STEAM LINE ISOLATION CHANNELS (SWITCH CONTACfS SHO....' N IN POSITIONS \;; WHEN ISOLATION VALVES ARE OPEN Q (j TlllPSVSnN A C:: TRlPSVSTIiM I 0 Z I ,......- - - - -......, I A ,

            '"tj       c:::

5 ;5 ~ c:

            ~

i:it:::

             ...,      c-
                       ...::rn                                                                                                      I::

C G oz ~~ Z~ . E!

       ;0""

t',O ."n** }- E~

       >;0        - (Jl        trI Cl c: ~Ot;:     (j
                                                                                                                                                            }

Q~ 0-

       ;oZ        ~ ~H~                               "'1                                ...2                               II                       IZ
       '"'3 t11   :--' -<:::l
       ;0'"

_t'l ':> ~ *

                  ....         rn                                                 IIIf...CTOR PIIOTECTION IVIllM LOGICS
       '1:l~           F:~                                                        ICONTACTlIHOWN IN NOll MAL CONDITIONI t'"'      -<'"'3 rn-             IllV:

Z - (JlZ 0 t'l F022A* UfAM UNf INIOAIlD VALVE F021e . STUM lINE C. INIOAIIO VALVE

                       ;0 en        ["l             F021A

• SlEAM LINE OUTIO...IlD V"'LVE f021C . STU" LINE C. OUTBOAIID VALVE 0 '1:l F0228 . STE...M LUfE I.INIOIIRD VALVE fOUD . lIE"" LINE D.IH80AIlD VALVE Foall .. STEAM LINE I. DUTIOAROVIILVE fOlIO .. STEAM L1HE O. OUT80"1II0 VALVE

             ~         ;0

0 j

                       ..,0            Note:       1. Wiring for the two switches on the same valve is physically separated.

t::: 0 2. Isolation of three or more steam lines will cause a SCRAM. <. II z w

RPS M-G 480'~ALT RpS M-G POWER 120 r "'lFEEO M PoweR SUPPLY SUPPLY C C RELAY PROTECTIVE ~ RELAY

                                                            ~   PROTECTIVE CIRCUITRY CIRCUITRY I

c ( EPA SOLID-STATE EPA EPA

                                     ~  SOLID-STATE
             -  PROTECTIVE                                  ~   SOLID-STATE CIRCUITRY              PROTECTIVE              PROTECTIVE CIRCUITRY        C      CIRCUITRY

(_ ____ .JI ____J ( ( EPA EPA EPA SOLID-STATE ~ SOLID-STATE _ SOLID-STATE

             - PROTECTive              PROTECTIVE               PROTECTIVE CIRCUITRY                                        CIRCUITRY
                                   }_~~:;TRY LA SALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.2-8 BLOCK DIAGRAM - RPS PROTECTIVE CIRCUIT -

ELECTRICAL PROTECTION ASSEMBLY (EPA) REV. 0 - APRIL 1984

Rcrc LPCS DIV I RHR A DIV 1 RECIRC A NOTE: AZIMUTHS SHOWN ARE FOR REACTOR VESSEL LA SALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.3-1 PIPING ARRANGEMENT REV. 0 - APRIL 1984

ACCIDENT 2 2 2 2 z 3 CORE COOLING SMALL BREAK MOOEL WHERE 1. 2 AND 3 ARE ACCIDENT ELECTRICAL DIMENSIONS 2 2 CORE COOLING LARGE IIREAK MODEL LA SALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.3-2 ECCS-MECHANICAL AND INSTRUMENTATION NETWORK MODELS REV. 0 - APRIL 1~~4

~

o

• o l- >

is I. N is ilia::

                                      "'~III a>

0 l-

                                      >I-~

i5i is a: 0 I-cO ~! 0 C .  ;:)11: 1--

                          ;:)~                 z ...Z o!!2 i8
                          ... :::l uo CW c

28

                                                      ..t-1>>0 LA SALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.3-3 EMERGENCY CORE COOLING SYSTEM (EceS) SEPARATION SCHEME REV. 0 - APRIL 1984

BA1'TERY B RHR 8. RHR C 2 START RHR B START RHR C HPCS STAR' BATTERY C Hl"CS STOPHPCS RCIC BATTERY A START RCrC STOP RCIC o. o. REACTOR VESSel WATER LEVEL HIGH DRYWELL PRESSURE 1.2. AND 3 ARE ELECTRICAL DIVISIONS LA SALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.3-4 INITIATION LOGIC - RHR BAND C, HPCS, RCle REV. 0 - APRIL 1984

LSCS-UFSAR SEE DRAWINGS 1E-1 (2)-4201AA THROUGH 1E-1 (2)-4201AR FIGURE 7.3-5 REV. 14 - APRIL 2002

Un-rATION LOGIC 8{~TTERY A ADS A START ADSA ADS IJ 2 2 2 START ADS 8 LPCS. RHR A START START LPCS RHR A (0 . LOW REACTOR WATER LEVEL

                                                   .:>t

• TIME DELAY

o. HIGH DRYWELL PRESSURE I'.IHERE 1. 2. AND 3 REPRESENT ELECTRICAL DIVISIONS LA SALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FrGU~E 7.3-6 I ITIATIJN LOGIC - ACS, LPCS, RHR A REV. 3 - APRIL 1987

a 7 6 5 4 2 1

                -                                                                             ,.:!..i       !MI.!,- .IM MDCD!_             i

• I F I i . F E

E

                                                                                                                                                                  . . . . . . .t ..........   ...                          ....

==--:,:u------ .~::::::

_-~ _._~ u_ ........ _. .*_.... If.

                                                                                                                                                                                    ~                       ~
                                                                                                                                                                                        --.~_
                                                                                                                                                                ,,~~--

D o

           ----1 L_
                  --. ..... I DWG. NO. 732B191AA SHEBT 1 SPBC. NO. J-2500 c                                                                                                                                                                                                                                     c
              .......... n.__
                                                                                                                                                                      ~~.._~

_-1.------.. _.. LASALLE COUNTY STATION UPDf.TED FINAL SAFETY ANALYSIS B REPORT B FIGURE 7.3-1 LIWt DETECTION SYSTEM lED SHEET 1 OF 2 REV. 13 JNSntlJV£NT5 IN 1M: HlllDUP JtOOU~ AND FIi) P':;'~ .ur $UJT!l[1l 1'1' ........".. fOf' fHl: HOlfJUP ;.Nt) riO "OI:)tIS. tnCCiQER :NSlf1n....i:NfS Mt( N61* ~ ~111A. R£SP{'CTJvn, rOR fH( HQIl..OUP AHO '/0 JtOOWS. '-ECO"'OC-': :"'S-*Rwt!'tfS M£ liII82'A .. r.tf2~ -rS"!i7'"IV£LY.

                                                                                                                                             * -'1-                                         lro-UN< omeno",

SYSl'EM OUTI..IN[

                                                            ~5 7                                5                           I                         4

3 2

LSCS-UFSAR a 5 I

• J E [

r-;,., -----------) I

                 ~

I f

• I Il o II - - . ( *
• II

:u.... ~ I~. l IL ../-

                   ~h" Tn !

___.. ~_. __.._.J I c c

                                                           ~t..lA<<lt:ifn't.n,,.JOH;
                                                         ~"., t"IMl. DFf;T'1 " * *L'f'Ua
                                                                       -.aJ"Qfflt ttCilJM'; "      '*1 LtA' ,.".'tf"'tHH4 <;TlfTf'l4 1l"1\

hUT:1W) II B A 8 7 II LASAlLE COUN'lY STATION UPDATED FINAL SAFETY ANALYSIS n~Tv'n'" FIGURE 7.3-7 Sheet 2 of2 REV. 16, APRIL 2006 LEr\K DETECTION SYSTEM

TOP VIEW 61 S9 57 55 53 51 49 r :t ~

                            ~

47 45 - II ... 43 - 41 - 39 ~ 37 35 33 - 31 - 29 - ,. . 27 25 - 23 21

   -                    ~

19 - II 17 15 13 11 09 ..... 01 05 03 01 J 1 J f J j I II

 ~   Local Power Range Monitoring System (LPRM)      43       Total Penetrations - 55
 .. Source Range Monitoring System (SRM)             4 It  Intermediate Range Monitoring System (IRM)       8 LA SALLE COUNTY STATiON UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.3- 8 VESSEL PENETRATIONS FOR NUCLEAR INSTRUMENTATION REV. 1 - APRIL 1985

ISOLA TlON TRIP SYSTEM A ISOLA TlON TRIP SYSTEM B

                                       ~                                                        ~

8 ENSOR A

                                     ~

I I I

                                                                                             ~

I rt:1  ::*0' I

            ,...---r--'              .
                   ;- -;:i;                                         I

'-' _ _ ....J '--I-..J I '-_~_.J CHANNEL A CHANNEL C I CHANNEL B CHANNEL 0 A-c POWER IREACTOR A-c POWER (REACTOR PROTECTION SYSTEM M-G CHANNELS PROTECTION SYSTEM M-G SET A OR

_A_-c.,;,..PO.,;,..W..;.ER_l I SET B OR A_-c_PO..;;...W_f_R,;".1_ I la ..1..

              - - :::E - - - :E-c -}
                         ..1...1.           ..1...

I ' INPUTS FROM I- -

                                                                           'I E- --           -:r.--

I 0 __:::c I ...:r=__ l OTHER TRIP C,ANNELS , _ _ I .::r__

                         ~                 T               ISOLATION LOGICS       =-r=              T LOGIC Al           LOGIC A2                  I           LOGIC 81          LOGIC B2
                                                                               ~O~:C
                                        ~

OGIC A2 AI 1.2 I al ISOLATION ACTUATORS fROM I.e POWER fROM AC POWER FROM AC POWER FROM AC POWER RPS MG SET A RPS Me SET B RPS MG SET A RPS MG SET B Al 1 1 81 A2 1 1 821 A2 I I 82 AI I I Bl TRIP ACTUATOR LOGICS f 1 INBOARO VALVES f f OUTBOARD VALVES LA SALLE COUNTY STATION UP~ATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.3- 9 ISOLATION CONTROL SYSTEM FOR MAIN STEAMLINE ISOLATION VALVES REV. 0 - APRIL I~~4

LSCS-UFSAR ISO... TIOM ,1ft" SYSTUI- I ISOLATIOIl rill,. USTO! I I I I ee

                 --.,;",;.;;..------r--...;..;;,,;;.~...;.;;,;,,;...;:.;..;;.;..;......;;--

1 ~

                                                           -~

I  : - -~:;  : ;--*0; I '-- - J l..._I_.J eMll"lllL _ CHAN"E", e CHANNEL 0 A-c I'OW£It I/lf.ACTOII I A-c "OWlII [ACTOII

                                                                                                          ,""onCTION SYSTEIoIIltlo-C I"lIOtlCTIONSYSTlN ....c SET .. Ott                                                                             SET' 011 A-e  1'OWf".                                                                           A-c "OW"",

i A J.. c I .1...1. 0

                         --;I ~---:E--,I""~~..;:o' l--~----l-

__-r

                                +/-                   f _I
                                                   ..:r:..

Tit..* CIWIINfU I t- -+- . . . -- --

                                   ,\                 It LOCIC ~

ISOLATION LOGICS I

                                                                                         - r-LOGIC 11           LOCIC C
                           ~ ~

OGlC AI OGlC A' ,I I' trOGIC

                                  . AI                     A'              I ISOLATION ACTUATORS
                                                                                              .1 oUreaAIID   \IALY£~

VALVE CONTIIIOL. "OWE"

                                  ~

Tlr--~

I Itl I I 1 L. J IIIIOTOI' CONTItOLLl!1t VALVE CLOSIHC "OWEIl VALVE CLOS""C fIOWt:lt

                -----.--:--Li?------------.--L}?-.----

• Applies to Group 2 (VP & WR) and Group 4 DC Power for LogiC Actuation for Group 2 (VI' & WR) and Group 4 LASALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.3-10

_ ISOLATION CONTROL SYSTEM USING MOTOR*OPERATED VALVES REV. 13

LSCS*UFSAR LECEND (D3 WAY VALVE. NORGREN ~83 4 WAY VAL.VE:.. NORGREN NC)nlIran 3 THROT'T1.E VALVE "\ ,~".,,~~~ ~" x . . . . ~Ac1a7

.. ;I WAY ~ VALVE WAY SOLE.N.OlO VALVE

@;I WAY SOLENOID VALVE @$PEEDCONTAOl.VALVE Q):r WAY VALVE: NORGREN

@ H"l't)RAUUC     C'YUNDER r

I. I I I I I r-' I

            -I I

I I

• I I

I I

             ------r-I I

I I

     ,------,                  I I -

I I I_ _ ...J AIR SUPP\.Y LASALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.3-11 SHEET 1 MAIN STEAMLINE ISOLATION VALVE (SCHEMATIC) REV. 13

REACTOR WATEA MAIN REACTOR

                    "'13-1"601       CLEANUP AND                 CONTROl. PANEL ECCS PANEL       RECIRC CONTROL              ...13*P603 PANEL ...13.,602 BARAIERS \                               rBARRIERS Ir
                \                   II DIV 3             OIV    2              OIV  1 I

I Ansa ADSA I MSLIV MSLIV INBOARD OUTBOARD CONTROLS CONTROLS HflCS HPeS AHA RHR RHR LPeS RCIC DIG C B A CONTROLS CONTROLS CONTROLS I

                                                            /  '"    --- "           \
                                                                                       \

f I

                                                       \                               I
                                                          \                          I
                                                              " ............. --"" /

I RPS CONTROLS I LA SALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.3- 12 CONTROL ROOM PANELS REV. 0 - APRIL 1984

0) LEGEND 3 'dAY V/'..LVE: AS;"} ~I GD TEE and PLUG SPRING CAt"J SOLENOID

                                                                                         \
                                                                          ~d9)

OV/ Ei'JGAGG1EIH DEV i::E EXHC,UST TO 1*1A /;1 VALVE INSTRUHENT A I R SU PPLY Q ~ 0

-':::>---ll:-~----ll---I---.I:------' ~ /

i / I AIR CYL I tJDER I LA SALLE COU NTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.3-13 VENT and PunGE ISOLATION VALVE REV. 3 - APRIL 1987 (SCHEMATIC)

LSCS-UFSAR See Drawings 1E-1(2)-4603AP thru AT For most current revision of REACTOR CONTROL BENCHBOARD PANEL ARRANGEMENT. FIGURE 7.5-1 REV. 18, APRIL 2010

LSCS-UFSAR See Drawings 1E-1 (2)-4601AA thru AD for most current revision of REACTOR CORE COOLING BENCHBOARD PANEL ARRANGEMENT. FIGURE 7.5-2 REV. 14 - APRIL 2002

LSCS-UFSAR See Drawings 1E-1 (2)-4602AH thru 4602AJ for most current revision of REACTOR WATER CLEANUP AND RECIRCULATION BENCHBOARD PANEL ARRANGEMENT. FIGURE 7.5-3 REV. 14 - APRIL 2002

LSCS-UFSAR

                                                               ,j     I j

j <I r=- ~

 ~           t=<l                      ~

1 '8

                        <l "2             "2III
                                                         ~

8 l-

                                                                   -g I::

t;... ~... t:. .:s.

8 j

l5

                        ""JI I::

j j j j j 1i l!

)

) 0 ~

 ~           ~

a:: 8a:: ua:: (l)

E f!

en a::

             .s         .s             j                Is         ::E I

i i i .5 :e t f. It

        .C!

I

<~

                                ~

j! I! I It ~ Ii Q i I I IQ. 8 I 0 i ,

          ~

s. f t f! f I-iI I-t! ~ c i

      ~ ~p        J               ~ J i!
                             ~                               .5
                                     !I lis Jiil                      II tOt!!

2!

                                                              ~it
                                                              ~I-JI fI-jI                       tit i
                                                             !Jw jl-a::<<l                        I-LASALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.6-1 AREA TEMPERATURE MONITORING SYSTEM BLOCK DIAGRAM FIGURE 7.6-1                                   REV. 16, APRIL 2006

rcrnw~eo+ (es+ .HNM

                                                                                                                                                                                                                                                          ~e+er TII"UI~t,T t

44 "r~ I  ;, f -- !f ,wr wN

                                                                                                                                                                                                                                                                          .La   aa LIWT
                                                                                                                                                                                                                                             ~!l                                                                     ABlREVIATIONS :

RANGE MONITOR RM NTERMEDIATE RANGE MONITOR

                                                                                                                                                                                                                                     " Iw                                                                             ROM                    ROD BLOCK MONITOR LPRM                   LOCAL POWER RANGE MONITOR
                                                                                                                                                                                                                                 ~ aui wl                                                                             APRN                   AVERAGE POWER PotNGE MONITOR TIP                    1           INCA IN-CORE PROBE l

RGE SW R ITCH

                                  +-vOLOOG                                                                                                                                                                                      Rs:-                                                                                  CH                     CHANNEL r                                                                                                                                                                                                                                                                                                                          FIG.

FIG. 1 f.-i"TUIMLOAATt Mllfic 1gNI1011j slw~c~rr~t oN

                                                                                                                                                                                                                           <<i1R`A                                                                                 57
                                                                                                                                                                                                                                                                                                                  ~7-----r-..Jt"'l r

W.~ cx " --'.~.-CAL C Ix Co. c T!Iul'!~ "IRM'i) 53

                                                                                                                                                                                                                      .#       CK    + ~1                                                                                                     +~++++t t+

48-1 1< 1 1 0+ 0~0~000 0 45-

                                                                                                                                                                                                                                                                                                                                      ++ +0+ +Q+ +Q+ ++ ++ +O+

CONTROL 41-ROOM t+.+++ F ++`++++ 37-LL a" ~>>N~ Ca o ARM 29-33 ~

                                                                                                                                                                                                                                                                                                                                      +Q+~+~+ +Q+a+~+ + +e+ + ++
                                                                                                                                                                                                                                                                                                                                      +++++d+a+ + +++                        O+ +p+                -90' 90' 25-                V ++                                  + 1+ +          +~+

INTERh1EaATE RANGE I------INTERHEDIATE RANGE MON.MON. filAi~1NEL5

                                                        ~LS--------4-----SOURCE RANGE MON,CHANNELS -----+----INTERMEDIATE                                                                          --INTERMEDIATE RANGE       RANGE HON. MON. CHANNELS---

CHANNELS - - - - I + +++++ + +++ 21 RflaC.T~ PROTtC.TOl

-RECTOR          PROTECTION SmEM-TR\p    SYTEM-TRIP SYSTEM      ~vnEM A        A                                                                                                                    REACTOR PROTECTION REACTOR        PROTECTION SYSTEM SYSTEM TRIP     TRIP SYSTEMSYSTEM "B'"  "E'                                                            ++.+++                           +XL+++   +I+

b3 0 0 OoO + .LQr RECORDERS ++ ++++++++ Ilbd/AWW/RBM ++

                                                                                                                                                                                                                                                                                                                                               ~~~~~   ++ ++ ++ + ,
                                                                                                                                                                                                                                                                                                                                                   +++++++ rjT LOG LOC               p",00              LOC                   PERIOD AUlRO" 1 p~1f,L         7wo                                                                  COUNT COUNT P£Rl00 NOTE NOTE 1.          ANT COUNT PEIIllOO NOTE 2.

NOTE 2. AU1aLYLLLM sw "v". RATE RATE 1. RATE ROW RATE ..... NOTE NOTE 1. E E NOTE NOTE 2.2. as ~ 16 4 32 46 1 4a1 12 20 26 36 44 INTERM merit INT£RMEQIAJE SOURCE RANGE RANGE MONITOR MONITOR SOURCE DETECTOR &: DETECTOR & CONTROL CONTROL ELEMENT ELEMENT ARRANGEMENTARRANGEMENT RANGE MONITOR RAH<a MON,we Kiii cu NWI lC60l (TOP VIEW (TOP VIEW Of OF CORE) COllE) bb TIIIW TRIPS LEGEND LEGEND wpMOOR DOWNWALAE ,++--H--+t-+-+-FROIo4 FROM INTERMEDIATE INTERWEOIATE VON DN INIST AIAFIMI pl fai . RANGE MgVI70R ItAHCE WONIlOR +

                                                                                                                                                                                                                                                                                                                   +   CONROL CONlROL ROOS     RODS (IO5)

(185) o 0 LPRM DETECTOR ASM IN THE F+AWER RANGE

                                                                                                                                                                                                                                                                                                                                                                      ~&,=_~pl~~A,rE LEVEL       I LEVEL          low. IMP. LEVEL                                                                   LEVEL        INDP.          PERT.          A[RY1"itVt                                                                                          ~   ~ (SEE    DETAIL A)

(SEE DETAIL A DETECTORS ASM-TRIP SYSTEM Il (21) J J J ~ J J X X SRM SI'lN DETECTORS DETECTORS (4) (4)

     ~-==-~~       r DEIAlJ.

L a

r.. .

am""~ 'e"~ wL a UK 01 SEE REFERENCE SEE REFERENCE DOCUMENT FOR FUNCTIONAL DOCUWEHT 44 FOR (m'!ID~L ICI DETAIL B r) fVNCTlONAl USE

                                                                                                                                                            )

USE OF THESE DEVICES OF THE$( DEVIC,~S b< a

                                                                                                                                                                                                                            <E u a

bLl W a bW b< o ~ J a E b~ bm ma Y J a 0.. nE o

                                                                                                                                                                                                                                                                                 ~~ ~~

bm 60 a 0.. f A A

                                                                                                                                                                                                                                                                                                                  ~

SRM SRW EMITTING SOURCES SOURCES SRM

                                                                                                                                                                                                                                                                                                                       $RW EIooImIHC SPARE SPNlE (7)

(7) o o LPRM DETECTOR ASM IN THE POWER WV~E

                                                                                                                                                                                                                                                                                                                                                                      ~CTWJ:_~pl~~~r22~E DETECTORS ASM-TRIP SYSTEM 'II' (22)

ARM DETECTORS IR~ DETECTORS (6) (e) EMITTING DImINO SOURCE SCUtCE START-UP RANGE START-UP RANGE NEUTRON NEUTRON MONITORING MONITORING POSITION POSmON (7) (7) FROM POWER RANGE NEUTRON MONITOR-SH . 2 DETAIL 0 t E FIG . :3 FIG. 3 FIG . 2 NOTES NOTES:: aowc ~ s7 11.. PARTS PARTS AREAA£. LOCATED LOCATED A"CENT AOJICENT TO TO OR OR ON THE SIGHAl ON lHE SIGNAL LOR% 55 . CONDITIONING EQUIPMENT PERF'ORM114G THE THE FUNCTION a w Tw RpaStir O 041. nw COHomONIHC INDICATED.. EQOIPWENT PERf""ORNIHG NNCTlON ItR3 tied4, Au. war car u 51 INDICATED 2.

2. PART IS LOCATED LOCATED ON ON lHETHE MAIN CONTROL ROOMROOM PANEL.

0 3 Cow Law,- PART ($ WAlN CONTROL PANEL. 1W FLOW to ) 4 9 u 3.

3. POSITION POSITION INFORMATION 1Nf"OflIiI4TlON IS (S INPUT IN"UT EVERY MR'Y 11 INCH, INCH. FLUX FLUX SOT"" or GO<<--r 43 41 U LEVEL INFORMATION IS LEVa (ff'ORMATION WITHDRAWAL .

WrTHDl'tRt'AL. IS INPVl" INPUT EVERY EVERY 33 ]NICHES INCt£S ON ON OI. A CA G CIL L CN. A CKG \ JC1LA 39

                                                                                                     ~NOTE 9                                                                           LIv"                                                                                                                                    4,

4. ALLALL EQU(PWENT EQUIPMENT AND AND INSTRUMENTS INS'rRI..JWENTS ARE PREFIXED BY AA£. PREFIXED BY NUMBER NUNBER 35 C51 UNLESS C51 OTHERWISE NOTED.

UNLESS OTHERWISE NOTED. 33 0 0 31 5. FOR

5. FOR LOCATION LOCATION AND AND lOENllFlCATION IDENTIFICATION OF OF INSTRUMENTS INSTRUMENTS SEE INSTRUWENT SEE INSTRUMENT DATA o.TA SHEET LISTED IN SHEET LISTED MPL FOR IN ~PL EACH FOR EACH

• MV*pc.

t~ V.DG 0 C3 27 25 INSTRUMENT. INSTRUIoENT. 23 6. 6. 19 17

7. EXCEPT FORFOR PNUPART NO. 10, Tt£ THE EXACT ASSIGNMENT or OF U L_ 15 7. EXCEPT NO. 18. EXACT ASSIGNIENT

                                                          ."      NUJ Tp.O       CW "     CAL w 120 MAC    porpa 11 89 TIP GUIDE TIP TO GUIDE TUBES TO SPECIFIC TU£IES FROM SPEClnc POWER F'ROM SPECIFIC POWER RANGE INDEXING MECIWlISNS SPECIfiC INDEXING DETECTOR ASSEMBLIES IWIGE DETECTOR MECHANISMS ASSELeUES IN     IN 1 .                                                                                                            e7                                                                                                RESPECTIVE GROUPS RESPECTIVE       GROUPS SHOWNSHOWN IS     IS DETERMINED DETERMINED BY   BY OTHERS OTHERS
                                                                                                                                                                                   .                                                                                                                                                 TABLE 2A T~      2A,. LASALLE I.ASAU.E E  II NINE NINE WILEMILE PT. 2. TABLE PT. 2. TABLE 28 29.. HANFORD HANFORD ONLY.

ONLY. S 83 LMM llKL ARdI. OR/LiY 0. APRM CHANNEL *'C" OUTPUT SIGNAL Swill TO THE (UPS ~,J~ RECIRC. SYSTEM~~~~~\?IISlOS:~ 0

e. ADEPT WREN CNMNNIEL ' IS BY-Note AE (NLFLRIwcaoT6CORLTOPVIEW)

MFR uL_. . i APIM Cw 0 C" . . uLn~ ~uL" I ) PASSED TO APRM 'E' PASSED APRW THE RECIRC. TO lHE now UNIT SIGNAL SHALL "r' SIGNAL RECIRC . SlSTEIot. SYSTEM. INCUJOES now SHAL1. AUTOMATICALLY AUTOWATlCALlY GO GO

                                                                                                                                                                                                                                                            !I I'l l 1 .14 11 3121141 1              56                        9. FLOW      UNIT INCLUDES           FLOW StMMERPOWER             SUPPLY II C1L                                                                                                                                                                                                                                    9.                                            SUMMER.POWER SUPPLY eyalm                                                         ~-NGTE 9                                                                                                                                                                                                                        SOLARE SQUARE ROOT        FUNCTIONS AS ROOT F"UNCTIONS             AS SHOWN SHOWN ON ON REFERENCE REFERENCE OWG. DWG. 2.

2. 62 06 1" 14 1 8 22 26 30 34 36 42 46 56 54 58 I1** O. DELETED DELETED (TOP VIEW OF CORE) bit~L+-l2e VA INST. BUS WHEN A ROD IS SELECTED IN ANY CROUP, THE LPRH.I 11,

11. N MP-2 USES NIolP-2 USES AE SUPPLIED uPS

                                                                                                                                                                                                                                                                                                                                                       ~ SUPPLIED            UPS POWER POWER..

12RNAC-+-120 v......C. C. INST. BU$----- DETECTOR ASSEMBLIES ASSIGNED TO THAT GROUP (SEE 120-2M VAC. 34 DIST. PNL REFERENCE DOCUMENTS: MPL ITEM NO. FIG. 3) ARE ROUTED VIA THE LPFD4 70 THE RBMS SUCH REfERENCE 1XlClAlENTS: MPL ~ NO. THAT THE A ! 'C' LEVEL DETECTOR SIGNALS 00 TO 11.. REACTOR ASSEMBLY ARRANGEMENT-------813-2010 REACTOR ASSEIooIIILY ARRANCEWENT-------B13-,.10 RBM S1 AND THE '" 8 b' LEVEL DETECTOR SIGNALS 2 . REACTOR

2. RECIRCULATION STS REACTOR RECIRCULATION SYS.. PokJD------BJ3/835-1818 P&ID------8M/B35-1818 TIP DRIVE MACH[ S SRM DRIVE MOTORS f-TAM DRIVE MOTORS-~ _ A RtEODRDERS--~ GO TO ROM V . WHEN A PERIPHERAL ROD (SHADED IN 3. CONTROL

3. CONTROL ROD HYDRAULIC SYS.

ROO H'1'ORAULIC FCO------C11/CI2-1018 sYS. F"CD------Cl1/C12-1818 TIC. 3 IS SELECTED, THE R19M'S ARE AUTOMATICALLY 44.. NEUTRON NEUTRON MONITORING IoIONITORINC SYS. SYS . FCD--------C51-1020 F'CD--------C51-1t20 A a 8602 R603A R6638 R613C R"3D 8YP . THE LPRbN SIGNALS ARE ROUTED TO THE S.

5. DESIGN SPECIFICATION-------------C51-4010 DESIGN SPECIFICATlON-------------C51-4.10 LPRM LEVEL . GROUP DISPLAY AS SHOWN IN FIG. 2 6.

6. REACTOR PROTECTION SYS.

REACTOR PROTECTION SYS. lED.TED,--------C71/72-1010

                                                                                                                                                                                                                                                                                                                                                                             - - - - - - - - cn /72-1.14.

WHEN A DETECTOR ASSDBY IS NOT PRESENT IN A GROUP THE CORRESPONDING READOUTS IN THE LPRM LEVEL GROUP POWER DISTRIBUTION POWER DISTRIBUTION DISPLAY WILL BE ZERO . LASALLE COUNTY

                                                                                                                                                                                                                                                                                                                                                                                       ~l£          COUNTY STATION STATION UPDATED FINAL UPDATED     FINAL SAFETY         ANALYSIS REPORT SAFETY ANALYSIS       REPORT FIGURE FICURE 7.6-27.6-2 NEUTRON NEUTRON MONITORING MONITORINC SYSTEM SYSTEM TED lED (SHEET 11 OF (SHEET         OF 2) 2)

REV, 18 REV. 18 -- APRIL 2610 APRIL NIl!)

7r~ r"r "tier.~rrr "r~~"ti"r" rr:~r"~rnr "":+lrr:"rr!lr.:"l~rrr"~"r~"a" rlrsr." /r"!isr~ri/nrH/~rrrrur~""" rr"rr/ r""c+"y isMi " c:ra OS-~ 9

                 'M"rt
                                                                       /r"/W/!

b me an :" w

~nur rr~1 " rrr"r .

M rr".!."DI r 1 "" rxhy,l t GENESIS "

                                                                                                                                                                                                                                                                                                                                                                                                                                        "1"              man "ra"ulr "lrr:"//""":+ r"'rrr/" ."Cr r:"/n!!:"1:!"r"1:+

r h r J Y Y Y h a R 3 I a

                                                                           " ;+rr :+r:"rnn ":"rr1:"trot":"re rr ".-.rNEW so""N "~""~"rrrrrr":~r.arrn'~f 1
                                                                                                                                                          ._..-.       iL                                                                                                                                                                                                                    F "ios
                                                                                         " an""/ " /rr/r ":r;:""""r":"

IFm" M1 a&-

• L.a"A l11" lF "hl#ti' T ltJ~ LFral

                                                           ~nLrra u~

r.~r"sNyl1"/""NOE 1'NYa1blard u~~a.` t 40..- (w r C

                                                               -b                                                                                                                                                                                                                                                                                                                          "----vJ "I **.

2. m~

                                    ~uemM"
                                    ~......,
                                    .. 1 pe_
                                    ................e
                                                                                                                                                          ......                                                                                                                                                                                                                            (lU"r1IIIU'Ia~D."
                                                                                                                                                                                                                                                                                                                                                                                            ~
                                                                                                                                                                                                                                                                                                                                                                                            .-ca~_
                                                                                                                                                                                                                                                                                                                                                                                                        ~

I l * * ., ..............

                                                                                                                                                          .*n r                                                                                                                                                      ....,

14<Ie k 4O-Oe Ifl 9 d 3

                                                                                                                                                                          .....o-X-+--....---lI-...... OoWoI T l

r M£T£R

                                                                                                                                                                                                                               ..._ - - - - - - - - ~ FlA:I't'W:.'TlON              t) . - . "8"
                                                                                                                                                                                                                                                         ... ' .... lttS11!M1'RIPS"t'STEM ltt$11!M1'RIPS"t'STEM                                                                                   o-=-a~              _na_..

(&..P1bI\ L. e VI L.)

                                                                                                                                                                                                       "-.0+

TVPOFI. " OJ = ISOlATED SIl>N'L N III- ~~~ I.E. 1 LEVa SIGNAl POWER RANGE NEUTRON MONITORING 0 m z rc 0z 0 Z 0 z (INSTRIJt,jENTS PART OF K6r.l UNLESS OTHERWISE NOTED) lASAI..LE COUNTY STATION UPDATED nNAL SAFETY ANALYSIS REPORT FlCUR£: 7.6-2

                                                                                                                                                                                                                                                                                                                                                                                                                                                         ~         MONITORINC SVSfEt,l lEO (SHEET 2 Of 2)

REV. 18 - APRIL 2810

LSCS-UFSAR

   ~
      --   f a

I I H--......- r--+--IMA+-"-- LASALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.6-3 SRM/IRM NEUTRON MONITORING UNIT FIGURE 7.6-3 REV. 12 - MARCH 1998

III t u III i

                                                   ;C II.

r LA SALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.6-4 REV. 0 - APRIL 1984 DETECTOR DRIVE SYSTEM SCHEMATIC

I filial IE RICl1ROIR [ II(] lOR lalOUlf

   ~l                                                  TlllP 0 LOCAllAlll' 1-------
                                                                           - } TNIP OOulf'ul Uf\CM.1
                                                                                   <HI-HI) TRIP ON LIVE[

RllIOTf LOCAl LAllI' IJR,~1 CONTROL lIlP C TllIP C OUTPUT Uf\lAll I- ~ } lHli~L~lfIIOfiLE~H TlllP SU ' - - - - - - - ' LOCAl LAllI'

                     ~15 -IS

+ }IV TIIP 8 1-_____ TlilP 8 OUTPUT OOW!l*

                                                                                 } SCAlIAlARiI ON lfVll LOCAl LAlIP JIllP AOOJPUT L-1------ } INSTRUlllHT IHOP£IlAllV[
                                                               -.J LA SALLE COUNTY STATION IlOOULE IRTERlOCU                                UPDATED fINAL SAH.IY ANALYSIS [{EPorn FIGURE 7.6-5 FUNCTIONAL BLOCK DIAGRIiN OF IRf1 CHANNEL REV. 0 l\PRIL 19d4

A y I I V"

                                                                 ~:r-
                                         -"v-I       loI:    ~    ~
                                          -"--              I IL         v            I              ...

S::>INOI:I.L:>3'3

                     'llI:lOSN3S A
                                                ..          I              \0
                                                                            ~

A I e~ IXI II) i> v I '"

                                                                            '"   :It w
                                            ....            I              ...
     ~            S:lINOlU.;)3' :I
                     'II:IOSN3S OL:>I I              M
                                                                            ~

lD aDI t~ v iii I "v- at:>l I .... ....

                                               .            I         '" " "

S::>INOlU;),113 0

                                           .A        8L:>I I               Cl M

v

                      'lII:1OSN3S A

I '"

                                                                 -r:~

II) v 801 iii I Iy- at,. I I " " " ~ w

                                                                                                   ~

en

                                                                                                   )-

'"w... lu I:lI M en

                                                                -r::r-Z I§              "                      0
                                                                                                   .u 2

Z << I.U

I:

C) I  ;,;

                                                                            '"" '""                0
                                           -A                                                       ...cr V

I cr

   ...                                                                      w                      0
                                                                 -c::-:r-I A                                                      ~

v 3S,. lO l<: ';i w I

                                         ...J\r-
                                          .J\r-       39:>1 I cr 0
                                                                                                    ~

z 0

                                                                                                                              ~

(.J

                                            . .,            I iii
                                                                                                                              ...0 S:>INOI:I.J.:)n3          A w                                                 0 w
                                                                 -c:r-
                      'lI1:10SN3S 3£:>1 I                '"                                               ~
                                          ..A
                                               ..           I                                                                 ...<<>-

iii v I

                                                                                  ....;,;                                     Z

l

    <<                               .,         .,                                                                   ...... ci w

GIl s::>INOl:U.:>'113 .  :>DI I u M iri

                                                                                                                    ...... I;
    ~                III tiOSN3S v

I '" ... Z ..J

                                                                                                                - 0     <<     ...cr 0(                                   V                                                                :=:=~:t       !i (ij                                               I                                                   "":::lw
                                                                                                                >w:::!:

U Z Ifj------ ~~~~ %~III I \ , - :>C:>I I

L~~l

                                    <<          v   l\1Z:>I                                                      cr..J..J:::l I

S::>INOI:I~:l313 IlII:IOSN3S A

                                                     '\1£)1 I  I    .....

N ,...

                                                                                                                ""<C<Co(
                                                                                                                ~~f~
                                                                                                                !::>:::l1Xl
                                                                                                                              ~

u

                                                                                                                              <I(

l-I

               ~                              _V_

j . . DI I  : L _________ ..JI Q I I

                                                                                                                .,LOCO I   z 0

U iii I << M z W

                                                                                                                "''''    W "w..J '"~~~~

l-I -'\,- I " 0 z LA SALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.6-6 APRM CIRCUIT ARRANGEMENT FOR REV. 0 - APRIL 1984 REACTOR PROTECTION SYSTEM INPUT

LSCS*UFSAR SRII IRII LP" io OPfRA1ICIII

                                                  ...u~4" H           H        U.

• 100 0:

                                                  ...        ~

_.... Tc Ill.

• 10 I I... ......

Cl _... ... t...* e:t

                                                                                               <I(

lOll ... II: :I:

                             ...!iclilt I
     *....::>>                                     !                                                       0.1
     ....                                         )0
    !II:                                          ...

J

l 10 10

l

                                                                                                         .01

'lI

....                                                                                          -I-               *w i                                                                                                                !

...'it - Llt la' ~ ~ Ill.

I all'

                                                                                               < I(

Cl IE

                      ..J

I

• 10-6 SOURCl If Core flow <60%

LASALLE COUNTY STATION UPDATED FINAL S.L\FETY ANALYS1S REPORT FIGURE 7.6-7 RANGES OF NEUTRON MONITORING SYSTEM REV. 13

 =1-    0 D

DDOOI 0 1 OED 0 I . . IRM DETECTOR, TRIP SYSTEM A -$- NEXT CONTROL ROD WITHDRAWN IN SEQUENCE IRM DETECTOR, TRIP SYSTEM B IRM DETECTOR, BYPASSED '*o CONTROL ROO WITHDRAWN OUT OF SeQUENCE CONTROL ROD WITHDRAWN LA SALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.6-8 CONTROL ROD WITHDRAWAL ERROR FROM COLD CONDITION REV. 0 - APRIL 1984

100------------------------------, 10 w C1

<{

a: w

<{

UJ a: 8

...o w

c(

.j w

II:

)(

l

.j U.
..J

~II: w

r I-0.1 0.01 I... .....l -I. ...I.. ... ....

5 0 5 10 15 20 RADIAL DISTANCE IN FUEL BUNDLES LA SALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.6-9 NORMALIZED FLUX DISTRIBUTION FOR ROD WITHDRAWAL ERROR

                                                                        ~.J U.

Z LU () a: w 0. l:J3MOd 31ll,U. VII0l:l~ NOl.J.'o'11\30 .l.N3:ll:l3d LA SALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FI GURE 7.6- 10 APRM TRACKING WITH REDUCTION IN POWER BY FLOW CONTROL REV. 0 - APRIL 1984

4 3 2

...:<:a::

0 w

l a::

I-

ii 0

a:: u.. ~I-

f

...c> 0 ~ w u a:: w

          -1
          -2
          -3.l----....- - -...

o 2 4

                               ---...J.---_..J-e                 8
                                                                       ..I..

10

                                                                                  ..J 12 CONTROL ROO POSITION (ft WITHDRAWN)

LA SALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.6-11 APRM TRACKING WITH ON-LIMITS CONTROL ROD WITHDRAWAL REV. 0 - APRIL 1'1 ~4

                                                                      -----L~---._
                                                                                               .:..?_---.J
                                                                                                                                     ~             J              ..L..._ _~ L                         -1 .-- --. ..1 ..- -.

BAY 1 I BAY 2 I B~Y J I

                                             /T,' ----------~----------!-,               '                                                 BAY 4 I

BA~ 5

                                                                                                                                 .;..- -~

I

                                           ,        I I                                                                        i
                                                                                                                  --I-----~---:---

lPRM A OPRM I I I I I I OP~M l_ I RBM B G APRM A i APRM C OPRM I APR'" E OPRM I t _.j c _,~! E

                                                            =

AI-C I I I 1-101 _'l'M [ ...,.. 1-" I I

                                                !       IT              No.          I      1_

J .- o APRM r OPRM r Ii [-_0 ~u i ~IW. ~:u I RBM A L DPRUI:- = - lP~M EI

                                                                                                                                                                                               'H o
                                       ,      I '

J I

                                                                                                       ,            L    I                  1
                                                                                                                                            ~               'I L.-
                                                                                                                                                                          -- ---.-/ ~
                                         "'-f-- . --------~-~~-J I
                       "..---L---.,-----~

I c

                                                                                     ~-----+I--------r-I I

1- -- - -. _- --{ 1 - - -...* _ . - - I I c F"U-B t---- -.,--_ -- f it

                                                                                                                                                         ....    ---    {
                                                                                                                                                                       --1 1-                            FU- O I

I I ru- c t--_..- - C ----{ rU- A _.-II1 1---- - (-- -- f I I I lCU _ UJMlJIOCI'II

                 ,-It
                                                                    -,                                                            _c
                                                              ,*tII 1  ,...
                                                                                                                                                                                                                                  ....1DI . . . . . . . . amr I

I _0 1lPt '

                                                                                                                                                                                                                                    **, ..~/W4

_D I _I

                                                                                                                                                                                 , ....t
                                                                                                                                                                                                                                 .,-IIM,--
                                                                                                                                                                                                                                  , _",. _ _o u hi * "

1liOUA.1 FRONT VIEW LASALLE COUNTY STATION UPDATED FINAl. SAFETY ANALVSI S R~:I)OIlT FIGURE 7.6-12 OPItM BLOCK INTERCONNEcrlON DIAGRAM POwf:n

                                                                                                          ...-. . - _.        -----=~-

RANGE NEUTRON MONITORING CABINET 1(2)1113.1'008 REV. 13

ALTERNATE REACTOR SHUTDOWN WATER LEVEL 496 IN. 400 IN. UPSET MAIN STEAM NARROW WIDE 180 [N. RANGE RANGE 60 IN. 60 IN. _O,_ DRYER SKIRT INSTRUl1ENT JL_ _o......__...... ZERO 0 FUEL ZONE -111 SHROUD TOP OF ACTIVE

                  --    --- ----~
                                -150 IN.
                                                                - - - - -          - - - -         TAf    -161 FUEL <TAF>

RECIRCULATION SYSTEM CORE JET PUMPS

  . BdTTOlf'OF                                   CALIBRATION CONDITIONS ACTIVE FUEL       L    FUEL ZONE:      '1'HE 1,,STRUMENTS ARE CAL I BMTED FOR SAT\.:AATED WATER MD STEAM CONDITIONS AT O psig I N 'rHE VESSEL A.N D THE ORYWELL WITH NO JET PUMP FLOW.

2. WIDE RANGE: TH£ INSTRUMENT S ARE CALIBRATED F OR i ooo p sig IN THE VESSEL, l35°F IN THE ORYWELL, ANO WITH ~O JET PUt1P FLOW.

3. NARROW RANGE: T HE INSTRUMENTS ARE CALIBRATED FOR SATURATED WATER l\NO STEAM CONDITIONS AT 1 000 psig IN THE VESSEL ANO 135°F IN THE ORYWELL. JET P UMP F LOW NO RMAL.

4. UPSET RANGE : THE I:-lSTRIJMENT 1S CALIB RATED l OR S.!;TlJRATEO WATER ANO STEAM COND I TIONS AT 1 000 p si g IN THE VESSEL AN D 135°F I N THE DRYWELL. JET PUMP FLOW NORMAL.

5. SHUTDOWN: THE INSTRUMENT IS CALIBRATED FOR l 20° F WATER AT 0 p sig ! N 'JESSEL ANO 80° F IN THE DRYWELL. NO JET PUMP FLOW,

6. ALT RWLIS: THE [NSTRUMENT IS CALIBRATED FOR 120'F WATER AT 0 PS I G IN VESSEL ANO 90'F I N DRYWELL WITH NO JET PUMP FLOW. IT CAN ONLY BE USED IN PLANT MODES 4 & 5 .

LASALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.7-1 REACTOR VESSEL WATER LEVEL RANGES REV. 25, APRIL 2022

1 r---- ........ .. - ..... -I r . . -- ..... ... _-- Core.......... ..:* 1 I I ---~ I I 1 1

                                                                  --~

Rod PoIltion .nbmIIon C8bInet H1~15 , To PPC (ChIn A)

                                                                                                                                                                                                                                                                                                              ,~-~

s ~-----.-._

                                                                                                                                                                                                                                                                                                                                             +   ~---_

r "" - " ___ """" _ " _r """ - "" -_ " _ " - " --------LLI r J --

                                                                                  "T-~'

I **

-4a' PHi : I I Ill ** Core Map *,

O~  :

la d II in d I I t-_~ *,~--~_I-I:~-;. .--=-V----i--*---~~-:_

• I Tt ,1 I f

_- "" ""o

                                                                                                                                                                                                                                                                                                                                                             ~!='

• fill

                                                                                                                                                                                                                           'I                                .'                         t   8 CaIIIfDIer!                        DfspISV I                                  I                          'c....

I I I I I ~ ~: +- !rl  ! .....--:.:.:+.......

                                                                                                                                                                                                            '-.......- .        :~~                                                                      :t          ,..--------.. _------..:
                                                                                                                                                                                                                                                 .~ - -------------------------r EIIImIt                 I    ,.............
                                                                                                                                                                                                                                                                                        " ._a            ,I:

ill

d 20-  :

V ill l

                                                                                                                                                                                                                                                                                              ~                      ~
                                                                                                                                                                                                                                                                                        'A CG*oIIr       H.,---!I"':""'"        Rod Select Display I

, Rod. . . J: :I Rod geIId I  ::

                                                                                                                                                                                                                                                                                   ",.,."r--------.. . - - t          Ia--......i--"""'-

wd ModlIIe J

• Swli:tta *

                                                                                                                                                                                                                                                                                                                     ~
                                                                                                                                                                                                                                                                                    ,..,...------4 5' .1------"""

I NOftMAL 1 'VP-A IVP-I I elm l I

• II II 11 i! I Analog I A11 I Ir--o;;-l-I M i tt------..

i 1 1 1 i 1 1 1 RIghttid' (R1) I______.1LOIIO**J!

                                                                                                                                                                                                                                                                                                                                    '        -r~

TrantpandiIJI IBr..aa Amplliln m LA SALLE COUNTY STAnoN O UPDATED FINAl SAFETY ANAlYSIS REPORT a 0 F-FIGURE 7.1-28 ROD CONTROl MANAGEMENT SYSTEM Rev. 18, April 2010 N 0 0 N

  .....                              2                 a

• FCF: q22D223 A

F~~ C\tt\.A5 ~. , ..I Ii-~PUJa.

           ~~        ,-    -, ~IIti£UI'TAQA
                                                       ~_pc_~_.

__ _ ______ L - _ ON 'NDICI(I1)R PROM PlN"'o. _.*. .

                                                                                                        ---.........------4,n"'..,I:1..,.~
                                                                                                                                         * *.Ac
                                                                                                                                              .....*, ~IO
                                                                                                                                                        .... ****~U
                                                                                                                                                                  ** 111 1.
                                                                                                                                                              ,.~-~~-,~y-1'R AIt. Ai. ~

8

                                                                                    .              i t

I D TG LA SALLE COUNTY STATION FINAL SAFETY ANALYSIS REPORT Fl:GtTlUB 7.7-4 ELEVE:ft-WIR£ POSITION PROBE

           ,                       a                                                                 *

• IH REV. 0 - APRIL 1984

MB300 Master Bus 300 I I

=

IAS5000S1 AEW AF100 '" Advant Fieldbus 100 MB300 I  ! LAN I MIA Stations t AC450 \ AF100 111111 I \ GateWay ~

                                           ~ AC70 + 5800 110 I*
              +

5800 I/O

                                            ~   AC70 + 5800 110 I for AWLC
                                           ~    AC70 + 8800 I/O I Jet Pump Instrumentation Flat Panel Ditoplay         F=l AC70 + 5800 1/0 I                                                      I I                                                                              I              I                 Loop B Loop A AC70 + MODBU5 ~
                                            =1   FCI + 5800 1/0 I

I HPU HPU 21 p~mpl IAALogiC

                                                ..~

Subloop A1 Subloop A2 S ( ") Process Instrumentation 120Vac

                                                                                                          --l>KJ                              f--

FCV Pump LASALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.7-5A CONFIGURATION OF THE RRFC SYSTEM REV. 15, APRIL 2004

Individual Setpeint MUX Dec Inc INT

                                                    +

Individual Position Position Error or Velocity Demand

                                                                                                                             ~

1 FCV Veloclty El--P-crc. Set 00int Man/Auto FCV Control output Servo Controller 7

                                  )--~----~~                                                  I                                       (~o-r~~~C:~a~~

Ganged Posillon Setpoln!

                              +

Function Generator Valve Position Umlter

                                                                                                                          -j MUX                             Recirculation                                                                                       From A2 subloop            Subloop A2 FCY Position        controller          --'Servo Valve I

Dec Flow Loop A Inc INT (RVOT and LVDT}

 +

Individual Setpeint FCVRunback MUX Bias Dec Inc INT MUX Function Dec Inc INT

                                                     +

FCV Velocity

 +

Man/Auto Function Position Servo Controller Subloop B1 Generator

                            +
                               '7 Individual Position Fev Control output Setpelnt                                                                                                       From B2 subloop         _  Subloop B2 FCV Position       controller                  Servo Valve (RYDT and LYDTl LASALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.7-56 TYPICAL RRFC SYSTEM CONTROL ALGORITHM OVERVIEW REV. 15, APRIL 2004

MB300 = Master Bus 300 A F 1 00 = A d van t Fie Id bus 1 00 MB300 LAN MIA Stations II AF100 L..--.f--------... TOR F P A

• LEVEL 8 TRIP FUNCTIONS

_ _ _- Process Instrum entation 125Vdc LASALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.7-5C PRINCIPAL CONFIGURATION OF THE RWLC SYSTEM REV. 15, APRIL 2004

SlnglelThree-Elemenl Conlrol - - - - . , MUX Reactor Waler level MUX Dec Selpolnl Single-Element Conlroller Dec Inc PI Inc INT TDRFP A INT Speed

           +                                                                                                                     +

Feedwater Flow Demand ~ Post Scram Profile Signal Reaclor Waler level 3 Narrow Range I Upset Range Soft MajOrity Selector

                        -~+
                        -+ M
                        -         S t IT ,-..,-.,-

level Contreller

                                                         *PI    +
                                                                           ...--,,.. r....--+...

I o- PI Man/Auto TDRFP A

                        -                 level Error              +                                   Feedwater Flow                   MUX Controller
                         =1~               -

• r---- ----' Dec Inc Sleam line Flow A-D

                         -+ ~                                                                                  Common Conlrol      +

Predefine d Feedwate r Flow Selpolnl Profile -------- 4

                                                                          .J                                   Output dUring Scram                                                                                                                               Man/Aulo Feedwale r Flow Header - +
                          -+       +

I--- ---- ---- ---- --.J + TDRFP B AandB r W (J W MUX Individual Feedwale r

                          -+          Flow                                                                                        Dec C:::
                                                                                                                                                                                   "'j

_ Equalizer Inc Flow TDRFP A and B & Bias W

                                                                                                                                    +                                              ?d
                                                                                                                                      . LASALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.7-50 RWLC SYSTEM CONTROL ALGORITHM OVERVIEW REV. 15, APRI L 2004

LSCS-UFSAR

              *,PEED/LD>P                TCV DD,(AND HJ[l1ENCE TCV F.ffERE'*.; I

[lF'."1  ;,1::*.;

• sPV Pt.(;11::m

            '                                     IJF\i}

';:: _J E!'C i_'.ONHWl i~J!l'.i.J-- l /~-('.-A-!.-'E'"=** '( OUN '(,' c;T,1\IIOf.J

                                                                                              ' ,, Ri PORT ti Pl)A_.,~l Ul F H,;/1.L SAFTIY AN1,1             ::, ...

REV. I 7, APRII. 2008

- -+---+ LA SALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.7-7 TRAVERSING INCORE PROBE ASSEMBLY REV. 0 - APRIL 1984

VY'C6<?Ja~/~~---.L. 2 -_3- ....L.-_ _- - - : . _...... I.-- 4 !S ~_"'-----...-_~ _ ___'_ 7 ..,___""-------8------...lo...-~9-------~---------------_, A.ee:A ~'A.TIOt-.J MONtiOe:-. ACZ,elJa.. ~DtAT\C>N MOt---J,-,-OSZ-A C,,",Afo,.Jt-.J~L'NlTHOO, /1A.Ux'. Ut---J,.T CL4ANI'Je:.L.- ""lTH J:;..UY--.. UN\,

                                                                                      \                                                                                                                                                      AANCal                                     QUANTITY (NQTL t)
                                                              ~~2:...'"

c::zJNvee.xe~ MR/HI StN~R

• tOMvtllTtR ~UX'l'~RY UttiT 'NDltf\rOR ~ TRlP UNIT

                                                                                             }

t-JoOt (T".fP~Z) NaTi.S

                                                                                                                                                                                         ~~(NPot=~)

Noot. (\'(p ()Ipt I (0) LJfo.J,-r . , } U/JI-r"', t-..lOO~

                                                         ~oo....

('TvP 0,.. llYp OF t)

                                                                                    ~)

NOC>~(T'"1'PoF~)

                                                                                                                                                                                         \o..JOO~ tt'i'P oF t:..)                                           -,

UNIT UNIT

                                                                                                                                                                                                                                                                  *z.

COMN6M

                                                                                                                                                                                                                                                                           ~Rl~

UNIT UNIT COMMQtf

                                                                                                                                                                                                                                                                                      *t   -I.      ~RI~

UMIT UNIT COYMON

                                                                                                                                                                                                                                                                                                                      *z.         ARt~

NOO!J (T'(P oF ~)

                                                                                                                                                                                                                        }   VNrT.... t:.

01-'00 l 5

• 0 0 0 t 5 fD B

t-JOO' tr'(POF"~)

                                                         ....OOt, ('-r-{POF I~)

t-JOO~ (T'1'P OF~) } U"-l\.,- .. L CONT~Py...j~ L-Oc.AL. \f.O~ DteT~e:.->VTtOt--J PAt_U~~::L-HOOt. (TY' Of ,) NC03 (TY' Of,)

                                                                                                                                                                                                                        } C.OM  ~RU*        01-1000 1-\0'
                                                                                                                                                                                                                                                             ,~

8 11 a

                                                                                                                                                                                                                                                                             \1 z.

1

!a Z.

3 , 19

                                                                                                                                                                                                                                                                                                                &      I 11          12 2.

(TYP Of~) I , CONTe:.ol-F~\'l..OVAc....

                               'PVv~

MOO' Maot (Tl' Of II) N003 iTY' Of')

                                                                                             }    COM lkt."

I I lOt. U,\, 0 0 0 0 0 ST~TtO" ~o. I 0 0

              't--Je"~E;f'...1T eue>                                  ,                                      LOCALJ                                                                           AU)l..tu~Gc!.:**-(

KD011) I I U~\T I I ~,/~oz:. ---- I tGL-.A)(ON ~O2.~/ ~z.. t"T'1'P c:>t= ~) t I lJt.."-r- \ (T'lP OF ce. e!;ta..C~)~ l)t....1 rT.£ C1'(p OF 5 ~\o-\)

                                                                                                                                                                                       ~4- tN'POF.3)
                                                                                                                                                                                       ~ ~ ("'1'(P CJF: 2. )
                                                                                                                                                                                                                          }  UNI,'"

c "Po~~'f I C.OM "I\l~ (TY' OF Z £~C.M) ~+(\Yp~.,t}) } UI-JII-W2.- K&Ol£. K001 (fYP ()f t )

               ~~~~~~-----I---r-----------~--------I                                                                                                                                   KQ04       (ryp Of , )             } COM '-Rtll.
               ~ TYelP L)t*.l\T~                  I                   I                                                                                                       I K-(oO~

see A,e>,C t:e'T~\,-\A.AII

                                                 ,                   t                                                                                                       *
                                                                                                                                                                      ...-------------------.                                                            l"tH(~lOR~ TiU" u_rr!t FOI Jo.JOle..~:
                                                                                                                                                                                                                                                                                                                              ,-   R~Mr:.l~ t"Q~L""         8'( PURl"~\E.R ~RE l,-.-6)                                                                                                    HOT£. 7                                     It--JDIGA-rOtr:.. .; T~P Ut-..J\I                                              C.O"MO" ~lt~- ",ttlL Mrr P.t.4                                          SMOWN ON 1)2.1-30'!lO.

MULTIPOINT t'r'-fp ~~) Rt.C.OROLl

                                                                                                                                                                            ~Gc::J.O' K~~(:'r'fP O'fl= ~)             }      Uf-.,J"'" I                                                                                                'L- ~o~ ~\J~G:te.'e::JTt:!!!="D 6et-J'5£:)1l-o

... _---- R"OOc.. ------ K-(oo \ (-r--<P K(pOL("r'

t--l. 'Dl!!!"CO\~

c. OMMON ~RE.I\ KiO\ (TYP O~ \)

K'Ot. (TY' Of' ) } tOM ARE.~ 3- ADDITlONAl- 2.A.wGt~ \O~ IO-~ '0" Af-..JD t - c::?F" 10-lO~ ML./HfC-A2....e" AVA.~L-A.e>Le. ~ A~ l~c.,o......,. ~"'T\~ W \\")4 T""'es A-c:>eCAC;>1!5r ~CO~fIr..... I l I "C>,-,PPL, E::P. " I I ~-+--r---------------------~ 4- ~A"-.1~eL CALl~C> E!:t< u~ I I OF' e-AL'~IC>t-J Ut-.Jt-r t-Do~ E I ~-J------------------------~ I (to-SOT 'Of.1ow~l. I I I 5- POE- Lo<:..,A..T\oto--J A ~ ,r:::=e:.l-JT1-I I L __ , r------ J F'<::::..A'-'o,.,J OF" tN'OTR...Ut-...Ae.NT6 ~ ** t--J~""~u""""'~T c:::¥\.T" ~,. I I r----~"""'---------------..I~--.. M~L n21-3050. I I 0-l'-C.ORot."~ ~I£. LOC~TE.O IN PRoc..E.~S I I MUL::T"'lPO'toJ'T R~c)IATION RE.C.ORDE.R VE.RT'C.~L BOARO, I I (C!:.e~~ ~e2.. FfZ..c:::)t-<\ Mll-'.aO. ~~A~b UNII'¢' eA-\C)wN, T"fP\CA.L ~ UNl-!:.. -- - - ,'Z,.o VA.C- 7 - ,-OMNON ~Rl~ POWlR SUPPL\t,S F II I' INe>TI2..Vt--te.t-..JT ~-e:> If....1D\CA\c:::::>~ 4\ ,e\p Ut-.J'T~ ~ INa\C.~TOR "'NO TR,\P UN'T~ f\M~ RE.(ORDlR S ~RL LOl"TE..D IN 9~tU.L ~t!!i:l- D21- Pr&:OO Dow~ Te.J~ ~AC-H ~,~Ttc:>+.J - I I U ......, . . , -o.Howt-.J -tr'< P ~L u~r,.. ~z.. ) H'3-'~Z.4. r-------,--*-------------------l De,,A..\L-"'A."

.L ~\-.e; T~~ I

~ ~--- -~--~--~--~--~ ~ ~~~~~ ,- De'e:>. ~P"!!!!C.. -e.PeaA\- WlR.e" c.Ae&..:e: - - A<Dz' -4010 2- 'D~ ~pe:..c.. ...... ~e.... ~D'A.'-IO"'-1 MO.....U -r'o - - DZ-'- 4CHO VO\\) SUPER-SE-TIED 13'( COMMaN C.OMlAOM e:EFUeu"-J <:.a ~~"Er tJE!tN FlJEL- ~ TU~t.JE. t:A::?W"-J ex::..6..L-& B c..8 E 2. ~ 5 REV 0 ---L-A-S-A-L-L-E-C-O-U-N-T-Y-S-T-A-T-IO-N--..... . ~"l~ ~RL" ~ ~ .:5T<::>IZA~ ~'L.I::J\t--J<:::a e:o.LDI.. . . <::t MONITORS MON'TQ,R.~ ~Pa.. ~ AeeA,.. ~,~'-' Hl~ H' t)a'NM~M.t HI~H \4\G::tH ...H~ \.. ,,~'-' li~.AJ:>t.f.**To-J RA.O'.o...Tto-J FINAL SAFETY ANALYSIS REPORT R~C\ATION 1Z..bO\A.\'lOto-J RA,D'b:'TIQto..J eAo\A.rnOf'J FIGtJU 7.7-8 ~ ..-. ... . . 2 4 !5 7 8 AREA RADIATION BLOCK DIAGRAM REV. 0 - APRIL 1984 lOCAl. lOCAl. PEIllOO11£ HR LC}IIETU REIIOIl LCR R£COl<<llR Roon lOCAl.l~ t---<:>---} TRIP f OUIPUT PU!IOOIiEHR PEIllOD lOCAll~ TIllP E TIIlI'RUET OUTPUI L -.Jt-----... } m~~E ,1I1-HII tOCAtlAMP TRIP 0 OUTPUT [-:]:.::r:::::-:::L j------- } UPleAt E,"" lIVEl LOCAL tAMP HUKill lRlP C ONIVI OIHTl<<ll l ..J------ OUTPUT } O[I[CTORRURACT (00W!; leAl EI +I>Y -I>V lOCAl. lAMP TRIP 8 OUIPUT l .J-----.. } OOllttSCAl. I At ARII ON L! VEl lOCAl. lAMP I RIP A It OUTPUT R U - -............o--ooq _ 9"- 1- } IHITIlUIIINI OPEl 0 t t .., +L- -.J IHOPlRAH~1 CAl. U U IIOllULI LA SALLE COUNTY STATION IllEltlOCKI UPDAT~Q fINAL SAfETY ANALYSIS REPORT fiGURE 7.7 9 FlJIICTIOIIAI BLOCK OIA(;WI/1 Of SRil CIlAIINH REV. 0 - APRIL 1984 DD aJ . . . - - - HTf.CTOIt 1M"" DD -=.a.:;;;;;;; =:.;.=-' ~ _---f - :......._ _ 'UEL IlIIOLl CClt11lCL . . IUDC DDDDDD DDDDDD DD DO ___--l-o -2" -f---- ~01 -*f 31" IJI'fIII DUf:CTOIt LENGTH Of' ACllV1 FUEL Tl~ CALI* *TIOft Tuel DETtCTOlt nUIIIILE LA SALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.7- 10 POWER RANGE MONITOR DETECTOR ASSEMBLY LOCATION REV. 0 - APRIL 1984 Note: Assignment is automa ti ca 11y initia ted upon rod select ion. 61 59 i, ",V 1'\ V r'\- V,\ Vf'\. Vf'\. y,,\ '/ 57 55 53 f\.. V V r'\. '/f'\. V V ' \ / r'\.V f'\./ ' \ / "' "V V r". 1'\ '/ *"V 51 V f'\. l/ 49 47 r\.,. V '/ " '" '/ / f'\. 45 V 43 41 - - /' '/ ~ " V f'\. 39 - 37 - V 'y" r'\. ~ v "V'" V 35 - V'" '/ I , ~ '" y/ '/ "'- I". 33 31 29 - - ~ ,/. -~ .1 I ~f' I " V ",:1 '/ '-, / I / 27 V J':~ I I V "- - '/ 25 23 - r'\.. V V

t£ - ~ -l

'/ "- 21 19 - " r'\.. V - '"'";. ::\": , '" "-V V 17 15 - V " "- /. V" 'I / 13 / I'\. / I "- / / 11 09 '/ ~I I "- / '/ "- l1'" 01 / "- 05 V "- / "- V "- / "- V "- '/ '/ V,V 03 '" V '/" '/, '/'i'. ./'V ' '" ~I j 01 I I1I rsIZJ 8~~~~~~~~~~~~~~~~~~~~~~~:~~ RSIiI AutClll1ltically Bypass ed ~ IRe.din g zerofd ) Ty,ica l Rod Y e1ding Two LPRM Str1 ngs as Input

• J I Typica l Rod tyoica l Rod 1I Yieldi Yieldi lPRM String s as Input ng ng Four Three LPRM

~~~S String s as Input LA SALL E COUN TY STAT ION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.7- 11 ASSIGNMENT OF LPRM INPUT TO RBM SYSTEM REV. 0 - AJ:'RIL H~q ,...------.:-.. . .~--- .......,r__------------..,::: otCDUOW ~ Z u II: U C 1: ... ~ .J on <D i c'

5 0 II:

~ -' << 0 II: z z z '" 0 u 1: U l"l  ;: l"l l:i ~ w +.. z

i l.:

U 0 II) l"l N N 0 0 II: '- .-L..- -L. ..J.- ~---t'--__i:----~O lil ~ ~ If! § 1VIl.INI lb - WBl:l LA SALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.7-12 RBM RESPONSE TO CONTROL ROO MOTION (CHANNELS A AND C) REV. 0 - APRIL 1984 r-------.,....,...,..-'-'-'l,...,..-------~ <<aloe w z ... ~ a: w a u ... J: ~ U Z

i r

w ~ (.) 9al '" e 0 a: ~ 0 0 ~ 0 a: II: I-0 It> Z + 0 CD u ...z z

I:

u ri 'l:i'"" + i'"' -I- ..L. ..L- .l..-_ _.L---l'- - ...::-o I-g a 1VU.INI %

• VolIHl LA SALL E COUN TY STAT ION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.7- 13 RBM RESPONSE TO CONTROL ROD MOTION (CHANNELS B AND D)

REV. 0 APRIL B134 NO.2 SEAL MOTOR CAVITY [J I NO.1 SEAL CAVITY --+- ---1......... 1 << I.. . **.. .

• FS

",---- --," - ~ "QUTER SEAL LEAUG E '1'VMPSEAL "LOW DETECTION" lHIGHI ITAGING FLOW' tHIGH/LOWI TO DRYWILL EQUIPMENT SUMP LA SALL E COUN TY STAT ION llPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.7-14 RECIRCULATION PUMP LEAK DETECTION BLOCK DIAGRAM REV. 0 - APRIL 1984 LSCS-UFSAR FIGURE 7.8-1 LASALLE COUNTY STATION UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.8-1 SPDS PRIMARY DISPLAY FIGURE 7.8-1 REV. 11 - APRIL 1996}}