ML050040267

From kanterella
Jump to navigation Jump to search
Technical Specification Bases (Tsb) Change
ML050040267
Person / Time
Site: Oconee  Duke Energy icon.png
Issue date: 12/28/2004
From: Rosalyn Jones
Duke Energy Corp, Duke Power Co
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
Download: ML050040267 (134)


Text

Duke RON A. JONES L7ftPower. Vice President Oconee Nuclear Site A Duke Energy Company Duke Power ONO1 VP / 7800 Rochester Highway Seneca, SC 29672 864 885 3158 864 885 3564 fax December 28, 2004 U. S. Nuclear Regulatory Commission Washington, D. C. 20555 Attention: Document Control Desk

Subject:

Oconee Nuclear Station Docket Numbers 50-269, 270, and 287 Technical Specification Bases (TSB) Change Please see attached revisions to Tech Spec Bases 3.1.4, 3.1.6, 3.1.7, 3.3.1, 3.3.2 and 3.3.3, in addition to Tech Spec Bases 3.8.8 Distribution systems- Operating. Also, please see Tech Spec Bases 3.6.5. All of these revisions were implemented on December 14, 2004.

Attachment 1 contains the new TSB pages and Attachment 2 contains the marked up version of the Bases pages.

If any additional information is needed, please contact Graham Davenport at 864-885-3044.

Very r y yours, R e Vice President Oco Nuclear Site www. dukepower. corn 0

U. S. Nuclear Regulatory Commission December 28, 2004 Page 2 cc: Mr. L. N. Olshan Office of Nuclear Reactor Regulation U. S. Nuclear Regulatory Commission Washington, D. C. 20555 Mr. W. D. Travers, Regional Administrator U. S. Nuclear Regulatory Commission - Region II Atlanta Federal Center 61 Forsyth St., SW, Suite 23T85 Atlanta, Georgia 30303 Mel Shannon Senior Resident Inspector Oconee Nuclear Station Mr. Henry Porter Director Division of Radioactive Waste Management Bureau of Land and Waste Management Department of Health & Environmental Control 2600 Bull Street Columbia, SC 29201 CONTROL ROD Group Alignment Limits B 3.1.4 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.4 CONTROL ROD Group Alignment Limits BASES BACKGROUND The OPERABILITY (e.g., trippability) of the CONTROL RODS is an initial condition assumption in all safety analyses that assume rod insertion upon reactor trip. Maximum rod misalignment is an initial condition assumption in the safety analysis that directly affects core power distributions and assumptions of SDM. An inoperable CONTROL ROD that is unable to respond to positioning signals from the Rod Drive Control System may still meet its SDM capabilities if it is capable of responding to a valid trip signal (i.e., inoperable but trippable). It would, however, have the potential to adversely affect core power distribution due to its inability to maintain itself within the group average. An inoperable CONTROL ROD which is not "trippable" would satisfy neither the capacity to supply SDM requirements nor the ability to maintain itself in alignment with the group to assure acceptable core power distribution.

The applicable criteria for these design requirements are ONS Design Criteria (Ref. 1)and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Plantsw (Ref. 2).

Mechanical or electrical failures may cause a CONTROL ROD to become inoperable or to become misaligned from its group. CONTROL ROD inoperability or misalignment may cause increased power peaking, due to the asymmetric reactivity distribution and a reduction in the total available CONTROL ROD worth for reactor shutdown. Therefore, CONTROL ROD alignment and OPERABILITY are related to core operation within design power peaking limits and the core design requirement of a minimum SDM.

Limits on CONTROL ROD alignment and OPERABILITY have been established, and all CONTROL ROD positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.

CONTROL RODS are moved by their control rod drive mechanisms (CRDMs). Each CRDM moves its rod 3/4 inch for one revolution of the roller nut assembly, but at different rates (jog and run) depending on the signal output from the Rod Drive Control System (RDCS).

OCONEE UNITS 1, 2, 8 3 B 3.1.4-1 BASES REVISION DATED 12/14/04 l

CONTROL ROD Group Alignment Limits B 3.1.4 BASES BACKGROUND The CONTROL RODS are arranged into rod groups that are radially (continued) symmetric. Therefore, movement of the CONTROL RODS does not introduce radial asymmetries in the core power distribution. The CONTROL RODS provide required negative reactivity worth for immediate reactor shutdown upon a reactor trip. The regulating rods provide reactivity control during normal operation and transients, and their movement is normally governed by the Integrated Control System.

The axial position of CONTROL RODS is indicated by two separate and independent systems, which are the relative position indicator transducers and the absolute position indicator transducers (see LCO 3.1.7, "Position Indicator Channels").

For Unit(s) with CRDCS digital upgrade not complete, the relative position I indicator transducer is a potentiometer coupled to a pulse stepping motor that is driven by electrical pulses from the RDCS. For Unit(s) with CRDCS digital upgrade complete, the relative position indication is processed by a Programable Logic Controller (PLC) which counts sequential electrical pulses sent to the CRD motor stator. There is one relative position transducer (absolute position or relative position is selectable for display on one position indication meter) for each CONTROL ROD drive. Individual rods in a group (for Unit(s) with the CRDCS digital upgrade not complete, when aligned to the same power supply), receive the same signal to move; therefore, the counters for all rods in a group should normally indicate the same position. The Relative Position Indicator System is considered highly precise (one rotation of the roller nut assembly will result in 3/4 inch in rod motion). However, if a rod does not move for each demand pulse, the counter (for Unit(s) with CRDCS digital upgrade not complete) or PLC (for Unit(s) with CRDCS digital upgrade complete) will still count the pulse and incorrectly reflect the position of the stuck (or mechanically constrained) rod.

The Absolute Position Indicator System provides an accurate indication of actual CONTROL ROD position, but at a lower precision than the relative position indicators. This system is based on analog signals from a series of reed switches.

APPLICABLE CONTROL ROD misalignment and inoperability are analyzed in the SAFETY ANALYSES safety analysis (Ref. 3). The criteria for addressing CONTROL ROD inoperability or misalignment are that:

a. There shall be no violations of:
1. specified acceptable fuel design limits, or
2. Reactor Coolant System (RCS) pressure boundary damage; and OCONEE UNITS 1, 2, & 3 B 3.1.4-2 BASES REVISION DATED 12/14/04 l

CONTROL ROD Group Alignment Limits B 3.1.4 BASES APPLICABLE b. The core must remain subcritical after accident transients, except SAFETY ANALYSES for a main steam line break (MSLB). The analysis results for a (continued) MSLB with a coincident failure of the most reactive rod to insert results in a return to criticality.

Two types of misalignment are distinguished. During movement of a CONTROL ROD group, one rod may stop moving, while the other rods in the group continue. This condition may cause excessive power peaking.

The second type of misalignment occurs when one CONTROL ROD drops partially or fully into the reactor core. With ICS in manual, this event causes an initial power reduction followed by a return towards the original power due to positive reactivity feedback from the negative moderator temperature coefficient. Increased peaking during the power increase may result in excessive local linear heat rates (LHRs).

The accident analysis and reload safety evaluations define regulating rod position limits that ensure the required SDM can always be achieved if the maximum worth CONTROL ROD is stuck fully withdrawn (Ref. 3). If a CONTROL ROD is stuck in or dropped in, continued operation is permitted.

The Required Action statements in the LCOs provide conservative reductions in THERMAL POWER and verification of SDM to ensure continued operation remains within the bounds of the safety analysis (Ref. 3).

The CONTROL ROD group alignment limits satisfy Criterion 2 of 10 CFR 50.36 (Ref. 4).

LCO The limits on CONTROL ROD group alignment, safety rod position, and APSR alignment, together with the limits on regulating rod position, AXIAL POWER IMBALANCE, and QPT, ensure the reactor will operate within the fuel design criteria. The Required Actions in these LCOs ensure that deviations from the alignment limits will either be corrected or that THERMAL POWER will be adjusted, so that excessive local LHRs will not occur and the requirements on SDM and ejected rod worth are preserved.

The limit for individual CONTROL ROD misalignment is 6.5% (9 inches) deviation from the group average position. This value is established, based on the distance between reed switches, with additional allowances for uncertainty in the equipment used to determine this value. For the purpose of complying with this LCO, the position of a misaligned rod is not included in the calculation of the rod group average position.

Failure to meet the requirements of this LCO may produce unacceptable power peaking factors and LHRs, or unacceptable SDM or ejected rod worth, all of which may constitute initial conditions inconsistent with the safety analysis.

OCONEE UNITS 1, 2, & 3 B 3.1.4-3 BASES REVISION DATED 12/14/04 l

CONTROL ROD Group Alignment Limits B 3.1.4 BASES (continued)

APPLICABILITY The requirements on CONTROL ROD OPERABILITY and alignment are applicable in MODES 1 and 2 because these are the only MODES in which significant neutron (or fission) power is generated, and the OPERABILITY (i.e., trippability) and alignment of rods have the potential to affect the safety of the unit. In MODES 3, 4, 5, and 6, the alignment limits do not apply because the reactor is shut down and resultant local power peaking would not exceed fuel design limits. In MODES 3, 4, 5 and 6, the OPERABILITY of the CONTROL RODS has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron concentration of the RCS. See LCO 3.1.1, "SHUTDOWN MARGIN (SDM)," for SDM in MODES 3, 4, and 5, and LCO 3.9.1, "Boron Concentration," for boron concentration requirements during MODE 6.

ACTIONS A.1 For Unit(s) with CRDCS digital upgrade not complete, alignment of the I inoperable or misaligned CONTROL ROD may be accomplished by either moving the single CONTROL ROD to the group average position, or by moving the remainder of the group to the position of the single inoperable or misaligned CONTROL ROD. Either action can be used to restore the CONTROL RODS to a radially symmetric pattern. For Unit(s) with CRDCS digital upgrade complete, alignment of the inoperable or misaligned CONTROL ROD must be accomplished by moving the single CONTROL ROD to the group average position to restore the CONTROL RODS to a radially symmetric pattern. However, this must be done without violating the CONTROL ROD group sequence, overlap, and position limits of LCO 3.2.1, "Regulating Rod Position Limits," given in the COLR.

THERMAL POWER must also be restricted, as necessary, to the value allowed by the position limits of LCO 3.2.1. The required Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is acceptable because local xenon redistribution during this short interval will not cause a significant increase in LHR. For Unit(s) with CRDCS digital upgrade not complete, the option of inserting the group to the position of the misaligned rod is not available if a safety rod is misaligned, since the limits of LCO 3.1.5, "Safety Rod Position Limits,"

would be violated.

A.2.1.1 Compliance with Required Actions of Condition A allows for continued power operation with one CONTROL ROD declared inoperable due to inoperable position indication but trippable, or misaligned from its group average position. These Required Actions comprise the final alternate for Condition A.

OCONEE UNITS 1, 2, & 3 B 3.1.4-4 BASES REVISION DATED 12/14/04 l

CONTROL ROD Group Alignment Limits B 3.1.4 BASES ACTIONS A.2.1.1 (continued)

If realignment of the CONTROL ROD to the group average or alignment of the group to the misaligned CONTROL ROD (for Unit(s) with CRDCS digital upgrade not complete) is not completed within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (Required Action A.1 not met), the rod shall be considered inoperable. Since the rod may be inserted farther than the group average position for a long time, SDM must be evaluated. Ensuring the SDM meets the minimum requirement specified in the COLR within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter is adequate to determine that SDM requirements are met.

A.2.1 .2 Restoration of the required SDM requires increasing the RCS boron concentration, since the CONTROL ROD may remain misaligned and not be providing its normal negative reactivity on tripping. RCS boration must occur as described in Bases Section 3.1.1. The required Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to initiate boration is reasonable, based on the time required for potential xenon redistribution, the low probability of an accident occurring, and the steps required to complete the action. This allows the operator sufficient time for aligning the required valves and starting the boric acid pumps. Boration will continue until the required SDM is restored.

A.2.2 Reduction of THERMAL POWER to < 60% ALLOWABLE THERMAL POWER ensures that local LHR increases, due to a misaligned rod, will not cause the core design criteria to be exceeded. The required Completion Time of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> allows the operator sufficient time for reducing THERMAL POWER.

A.2.3 Reduction of the nuclear overpower trip setpoints, based on flux and flux/flow imbalance, to < 65.5% ALLOWABLE THERMAL POWER, after THERMAL POWER has been reduced to 60% ALLOWABLE THERMAL POWER, maintains both core protection and an operating margin at reduced power similar to that at RTP. The required Completion Time of 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> allows the operator 8 additional hours after completion of the THERMAL POWER reduction in Required Action A.2.2.1 to adjust the trip setpoints.

OCONEE UNITS 1, 2, & 3 B 3.1.4-5 BASES REVISION DATED 12/14/04

CONTROL ROD Group Alignment Limits B 3.1.4 BASES ACTIONS A.2.4 (continued)

The existing CONTROL ROD configuration must not cause an ejected rod to exceed the limit of 0.18% Ak/k at RTP, 0.36% Ak/k at 80% RTP, or 0.7% Ak/k at zero power. This evaluation may require a computer calculation of the maximum ejected rod worth based on nonstandard configurations of the CONTROL ROD groups. The evaluation must determine the ejected rod worth for the duration of time that operation is expected to continue with a misaligned rod. Should fuel cycle conditions at some later time become more bounding than those at the time of the rod misalignment, additional evaluation will be required to verify the continued acceptability of operation. The required Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is acceptable because LHRs are limited by the THERMAL POWER reduction and sufficient time is provided to perform the required evaluation.

B.1 If the Required Actions and associated Completion Times for Condition A are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is reasonable, based on operating experience, for reaching MODE 3 from RTP in an orderly manner and without challenging unit systems.

C.1.1 More than one trippable CONTROL ROD becoming inoperable or misaligned, or both inoperable but trippable and misaligned from their group average position, is not expected and may violate the minimum SDM requirement. Therefore, SDM must be evaluated. Ensuring the SDM meets the minimum requirement within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> allows the operator adequate time to determine the SDM.

C.1.2 If the SDM is less than the limit, then the restoration of the required SDM requires increasing the RCS boron concentration to provide negative reactivity. RCS boration must occur as described in Bases Section 3.1.1.

The required Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> for initiating boration is reasonable, based on the time required for potential xenon redistribution, the low probability of an accident occurring, and the steps required to OCONEE UNITS 1, 2, & 3 B 3.1.4-6 BASES REVISION DATED 12/14/04 l

CONTROL ROD Group Alignment Limits B 3.1.4 BASES ACTIONS C.1.2 (continued) complete the action. This allows the operator sufficient time for aligning the required valves and starting the boric acid pumps. Boration will continue until the required SDM is restored. If more than one trippable CONTROL ROD is inoperable or misaligned from their group average position, continued operation of the reactor may cause the misalignment to increase, as the regulating rods insert or withdraw to control reactivity. If the CONTROL ROD misalignment increases, local power peaking may also increase, and local LHRs will also increase if the reactor continues operation at THERMAL POWER. The SDM is decreased when one or more CONTROL RODS become inoperable at a given THERMAL POWER level, or if one or more CONTROL RODS become misaligned by insertion from the group average position.

Therefore, it is prudent to place the reactor in MODE 3. LCO 3.1.4 does not apply in MODE 3 since excessive power peaking cannot occur. The allowed Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is reasonable, based on operating experience, for reaching MODE 3 from RTP in an orderly manner and without challenging unit systems.

D.1.1 and D.1.2 When one or more rods are untrippable, the SDM may be adversely affected. Under these conditions, it is important to determine the SDM and, if it is less than the required value, initiate boration until the required SDM is recovered. The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is adequate for determining SDM and, if necessary, for initiating emergency boration to restore SDM.

In this situation, SDM verification must include the worth of the untrippable rod as well as a rod of maximum worth.

D.2 If the untrippable rod(s) cannot be restored to OPERABLE status, the unit must be brought to a MODE or condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

OCONEE UNITS 1, 2, & 3 B 3.1.4-7 BASES REVISION DATED 12/14/04 l

CONTROL ROD Group Alignment Limits B 3.1.4 BASES ACTIONS D.2 (continued)

The allowed Completion Time is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.1.4.1 REQUIREMENTS Verification that individual CONTROL RODS are aligned within 6.5% of their group average height limits at a 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency allows the operator to detect a rod that is beginning to deviate from its expected position. The specified Frequency takes into account other CONTROL ROD position information that is continuously available to the operator in the control room, so that during actual CONTROL ROD motion, deviations can immediately be detected.

SR 3.1.4.2 Verifying each CONTROL ROD is OPERABLE would require that each rod be tripped. However, in MODES 1 and 2, tripping each CONTROL ROD could result in radial tilts. Exercising each individual CONTROL ROD every 92 days provides increased confidence that all rods continue to be OPERABLE without exceeding the alignment limit, even if they are not regularly tripped. Moving each CONTROL ROD by an amount in any direction sufficient to demonstrate the absence of mechanical binding will not cause radial or axial power tilts, or oscillations, to occur. The 92 day Frequency takes into consideration other information available to the operator in the control room and SR 3.1.4.1, which is performed more frequently and adds to the determination of OPERABILITY of the rods.

Between required performances of SR 3.1.4.2 (determination of CONTROL ROD OPERABILITY by movement), if a CONTROL ROD(S) is discovered to be immovable, but is determined to be trippable and aligned, the CONTROL ROD(S) is considered to be OPERABLE. At any time, if a CONTROL ROD(S) is immovable, a determination of the trippability (OPERABILITY) of the CONTROL ROD(S) must be made, and appropriate action taken.

SR 3.1.4.3 Verification of CONTROL ROD drop time allows the operator to determine that the maximum CONTROL ROD drop time permitted is consistent with the assumed CONTROL ROD drop time used in the safety analysis. The OCONEE UNITS 1, 2, & 3 B 3.1.4-8 BASES REVISION DATED 12/14/04

CONTROL ROD Group Alignment Limits B 3.1.4 BASES SURVEILLANCE SR 3.1.4.3 (continued)

REQUI REMENTS (continued) rod drop time given in the safety analysis is 1.66 seconds at reactor coolant full flow conditions and < 1.40 seconds at no flow conditions to 3/4 insertion (Ref. 5). The zone reference lights (for Unit(s) with CRDCS digital upgrade not complete) or zone reference switch (for Unit(s) with CRDCS digital upgrade complete) will activate at 3/4 insertion to give an indication of the CONTROL ROD drop time and CONTROL ROD location. Measuring CONTROL ROD drop times, prior to reactor criticality after reactor vessel head removal, ensures that the reactor internals and CRDM will not interfere with CONTROL ROD motion or CONTROL ROD drop time. This Surveillance is performed during a unit outage, due to the unit conditions needed to perform the SR and the potential for an unplanned unit transient if the Surveillance were performed with the reactor at power.

This testing is normally performed with all reactor coolant pumps operating to simulate a reactor trip under actual conditions.

REFERENCES 1. UFSAR, Section 3.1.

2. 10 CFR 50.46.
3. UFSAR, Chapter 15.
4. 10 CFR 50.36.
5. UFSAR, Section 15.7.3.

OCONEE UNITS 1, 2, & 3 B 3.1.4-9 BASES REVISION DATED 12/14/04 l

APSR Alignment Limits B 3.1.6 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.6 AXIAL POWER SHAPING ROD (APSR) Alignment Limits BASES BACKGROUND The OPERABILITY of the APSRs and APSR alignment are initial condition assumptions in the safety analysis that directly affect core power distributions. The applicable criteria for these power distribution design requirements are ONS Design Criteria (Ref. 1), and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 2).

Mechanical or electrical failures may cause an APSR to become inoperable or to become misaligned from its group. APSR inoperability or misalignment may cause increased power peaking, due to the asymmetric reactivity distribution. Therefore, APSR alignment and OPERABILITY are related to core operation within design power peaking limits.

Limits on APSR alignment and OPERABILITY have been established, and all APSR positions are monitored and controlled during power operation to ensure that the power distribution limits defined by the design peaking limits are preserved.

APSRs are moved by their control rod drive mechanisms (CRDMs). Each CRDM moves its rod 3/4 inch for one revolution of the roller nut assembly, I but at different rates (og and run) depending on the signal output from the Rod Control Drive System.

The APSRs are arranged into a group that is radially symmetric.

Therefore, movement of the APSRs does not introduce radial asymmetries in the core power distribution. The APSRs, which are used to assist in control of the axial power distribution, are positioned manually and do not trip.

APPLICABLE There are no explicit safety analyses associated with mis-aligned APSRs.

SAFETY ANALYSES However, alignment of the APSRs is required to prevent inducing a QUADRANT POWER TILT. The LCOs governing APSR misalignment are provided because the power distribution analysis supporting LCO 3.2.1, LCO 3.2.2, and LCO 3.2.3 assumes the rods are aligned.

During movement of an APSR group, one rod may stop moving while the other rods in the group continue. This condition may cause excessive OCONEE UNITS 1, 2, & 3 B 3.1.6-1 BASES REVISION DATED 12/14/04 l

APSR Alignment Limits B 3.1.6 BASES APPLICABLE power peaking. The reload safety evaluations define APSR alignment SAFETY ANALYSES limits that allow APSRs to be positioned anywhere within the operating I (continued) band and the increase in local LHR is within the design limits. The Required Actions provide a conservative approach to ensure that continued operation remains within the bounds of the safety analysis. No safety analyses take credit for movement of the APSRs.

The APSR alignment limits satisfy Criterion 2 of 10 CFR 50.36 (Ref. 3).

LCO The limits on CONTROL ROD group alignment, safety rod position, and APSR alignment, together with the limits on regulating rod position, AXIAL POWER IMBALANCE, and QPT, ensure the reactor will operate within the fuel design criteria. The Required Action in this LCO ensures deviations from the alignment limits will be adjusted so that excessive local LHRs will not occur.

The limit for individual APSR misalignment is 6.5% (9 inches) deviation from the group average position. This value is established based on the distance between reed switches, with additional allowances for uncertainty in the equipment used to determine this value.

Failure to meet the requirements of this LCO may produce unacceptable power peaking factors, and LHRs, which may constitute initial conditions inconsistent with the safety analysis.

APPLICABILITY The requirements on APSR OPERABILITY and alignment are applicable in MODES 1 and 2, when the APSRs are not fully withdrawn because these are the only MODES in which significant neutron (or fission) power is generated, and the OPERABILITY and alignment of APSRs have the potential to affect the safety of the unit. OPERABILITY and alignment of the APSRs are not required when they are fully withdrawn because they do not influence core power peaking. In MODES 3, 4, 5, and 6, the alignment limits do not apply because the reactor is shut down and excessive local LHRs cannot occur from APSR misalignment.

ACTIONS A.1 The ACTIONS described below are required if one APSR is declared inoperable due to inoperable position indication or is misaligned. The unit is not allowed to operate with more than one inoperable or misaligned APSR. This would require the reactor to be placed in MODE 3, in accordance with LCO 3.0.3.

OCONEE UNITS 1, 2, & 3 B 3.1.6-2 BASES REVISION DATED 12/14/04 l

APSR Alignment Limits B 3.1.6 BASES ACTIONS A.1 (continued)

For Unit(s) with the CRDCS digital upgrade not complete, an alternative to realigning a single inoperable or misaligned APSR to the group average position is to align the remainder of the APSR group to the position of the inoperable or misaligned APSR. This restores the alignment requirements.

Deviations up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> will not cause significant xenon redistribution to occur.

The reactor may continue in operation with the APSR inoperable or misaligned if the limits on AXIAL POWER IMBALANCE are surveilled within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> to determine if the AXIAL POWER IMBALANCE is still within limits. Also, since any additional movement of the APSRs may result in additional imbalance, Required Action A.1 also requires the AXIAL POWER IMBALANCE surveillance to be performed again within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> after each APSR movement. The required Completion Time of up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> will not cause significant xenon redistribution to occur.

B.1 The unit must be brought to a MODE in which the LCO does not apply if the Required Actions and associated Completion Times cannot be met. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is reasonable, based on operating experience, for reaching MODE 3 from RTP in an orderly manner and without challenging unit systems. In MODE 3, APSR alignment limits are not required because the reactor is not generating significant THERMAL POWER and excessive local LHRs cannot occur from APSR misalignment.

SURVEILLANCE SR 3.1.6.1 REQUIREMENTS Verification at a 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency that individual APSR positions are within 6.5% of the group average height limits allows the operator to detect an APSR beginning to deviate from its expected position. In addition, APSR position is continuously available to the operator in the control room so that during actual APSR motion, deviations can immediately be detected.

OCONEE UNITS 1, 2, & 3 B 3.1 .6-3 BASES REVISION DATED 12/14/04 l

APSR Alignment Limits B 3.1.6 BASES (continued)

REFERENCES 1. UFSAR, Section 3.1.

2. 10 CFR 50.46.
3. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.1.6-4 BASES REVISION DATED 12/14/04 l

Position Indicator Channels B 3.1.7 B 3.1 REACTIVITY CONTROL B 3.1.7 Position Indicator Channels BASES BACKGROUND According to ONS Design Criteria (Ref. 1), instrumentation to monitor variables and systems over their operating ranges during normal operation, anticipated operational occurrences, and accident conditions must be OPERABLE. LCO 3.1.7 is required to ensure OPERABILITY of the CONTROL ROD and APSR position indicators, and thereby ensure compliance with the CONTROL ROD alignment and position limits and APSR alignment limits.

The OPERABILITY of the CONTROL RODS is an initial condition assumption in all safety analyses that assume rod insertion upon reactor trip. Maximum rod misalignment for the CONTROL RODS is assumed in the safety analysis, which directly affect core power distributions and assumptions of available SDM.

Mechanical or electrical failures may cause a CONTROL ROD or APSR to become misaligned from its group. CONTROL ROD or APSR misalignment may cause increased power peaking, due to the asymmetric reactivity distribution and a reduction in the total available CONTROL ROD worth for reactor shutdown. Therefore, CONTROL ROD and APSR alignment are related to core operation within design power peaking limits and the core design requirement of a minimum SDM. CONTROL ROD and APSR position indication is needed to assess rod OPERABILITY and alignment.

Limits on CONTROL ROD and APSR alignment and group position have been established, and all CONTROL ROD and APSR positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.

Two methods of CONTROL ROD and APSR position indication are provided in the Rod Drive Control System. The two means are by absolute and relative position indicator instrumentation. The absolute position indicator transducer consists of a series of magnetically operated reed switches mounted in a tube parallel to the control rod drive mechanism (CRDM) motor tube extension.

OCONEE UNITS 1, 2, & 3 B 3.1.7-1 BASES REVISON DATED 12/14/04 l

Position Indicator Channels B 3.1.7 BASES BACKGROUND Switch contacts close when a permanent magnet mounted on the (continued) upper end of each CONTROL ROD and APSR assembly (CRA) I leadscrew extension comes near. As the leadscrew and CONTROL ROD or APSR move, the switches operate sequentially, producing an analog voltage proportional to position. Other reed switches included in the same tube with the absolute position indicator matrix provide full in and full out limit indications, and absolute position indications at 0%, 25%,

50%, 75%, and 100% travel. This series of seven indicators are called zone reference indicators. For Unit(s) with CRDCS digital upgrade not complete, the relative position indicator transducer is a potentiometer, driven by a pulse stepping motor that produces a signal proportional to CONTROL ROD or APSR position, based on the electrical pulse steps that drive the CRDM. For Unit(s) with CRDCS digital upgrade complete, the relative position indication is processed by a Programmable Logic Controller (PLC) that produces a signal proportional to CONTROL ROD or APSR position, based on the electrical pulse steps that drive the CRDM.

The type R4C absolute position indicator design is used. The type R4C I (redundant four channel) absolute position indicator transducer has two parallel sets of voltage divider circuits made up of 36 resistors each, connected in series (channels A and B). One end of 36 reed switches is connected at a junction between each of the resistors of the two parallel circuits. The reed switches making up each circuit are offset, such that the switches for channel A are staggered with the switches for channel B. The type R4C is designed such that either two or three reed switches are closed in the vicinity of the magnet. By its design, the type R4C absolute position indicator provides redundancy, with the two - three sequence of I pickup and drop out of reed switches to enable a continuity of position signal when a single reed switch fails to close.

CONTROL ROD and APSR position indicating readout devices located in the control room consist of single rod position meters on a position indication panel. A selector switch permits either relative or absolute position indication to be displayed. Indicator lights are provided on the position indication panel to indicate when each CONTROL ROD or APSR is fully withdrawn, fully inserted, or enabled, and whether a rod position asymmetry alarm condition is present. Alternate indicators show full insertion, full withdrawal, and under control for each CONTROL ROD and APSR group.

OCONEE UNITS 1, 2, & 3 B 3.1.7-2 BASES REVISON DATED 12/14/04 l

Position Indicator Channels B 3.1.7 BASES (continued)

APPLICABLE CONTROL ROD and APSR position accuracy is essential during SAFETY ANALYSES power operation. Power peaking, ejected rod worth, or SDM limits may be violated in the event of a Design Basis Accident (Ref. 2) with CONTROL RODS or APSRs operating outside their limits undetected. CONTROL ROD and APSR positions must be known in order to verify the core is operating within the group sequence, overlap, design peaking limits, ejected rod worth, and with minimum SDM (LCO 3.1.5, "Safety Rod Position Limits" and LCO 3.2.1, "Regulating Rod Position Limits").

CONTROL ROD and APSR positions must be known in order to verify the alignment limits are preserved (LCO 3.1.4, "CONTROL ROD Group Alignment Limits" and LCO 3.1.6, "AXIAL POWER SHAPING ROD (APSR)

Alignment Limits"). CONTROL ROD and APSR positions are continuously monitored to provide operators with information that ensures the unit is operating within the bounds of the accident analysis assumptions.

The CONTROL ROD and APSR position indicator channels satisfy Criterion 2 of 10 CFR 50.36 (Ref. 3).

LCO LCO 3.1.7 specifies that one position indicator channel be OPERABLE for each CONTROL ROD and APSR.

This requirement ensures that CONTROL ROD and APSR position indication during MODES 1 and 2 and PHYSICS TESTS is accurate, and that design assumptions are not challenged. OPERABILITY of the position indicator channel ensures that inoperable, misaligned, or mispositioned CONTROL RODS or APSRs can be detected. Therefore, power peaking and SDM can be controlled within acceptable limits.

APPLICABILITY In MODES 1 and 2, OPERABILITY of the position indicator channel is required, since the reactor is, or is capable of, generating THERMAL POWER in these MODES. In MODES 3, 4, 5, and 6, Applicability is not required because the reactor is shut down with the required minimum SDM and is not generating THERMAL POWER.

ACTIONS A.1 If the required position indicator channel is inoperable for one or more rods, the position of the CONTROL ROD or APSR is not known with certainty.

Therefore, each affected CONTROL ROD or APSR must be declared inoperable, and the limits of LCO 3.1.4 or LCO 3.1.6 apply. The required OCONEE UNITS 1, 2, & 3 B 3.1.7-3 BASES REVISON DATED 12/14/04 l

Position Indicator Channels B 3.1.7 BASES (continued)

ACTIONS A.1 (continued)

Completion Time for declaring the rod(s) inoperable is immediately.

Therefore, LCO 3.1.4 or LCO 3.1.6 is entered immediately, and the required Completion Times for the appropriate Required Actions in those LCOs apply without delay.

SURVEILLANCE SR 3.1.7.1 REQUIREMENTS A CHANNEL CHECK of the required position indication channel ensures that position indication for each CONTROL ROD and APSR remains OPERABLE and accurate. This CHANNEL CHECK will detect gross failures. The required Frequency of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is adequate for verifying that no degradation in system OPERABILITY has occurred.

REFERENCES 1. UFSAR, Section 3.1.

2. UFSAR, Chapter 15.
3. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.1 .7-4 BASES REVISON DATED 12/14/04 l

RPS Instrumentation B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Protective System (RPS) Instrumentation BASES BACKGROUND The RPS initiates a reactor trip to protect against violating the core fuel design limits and the Reactor Coolant System (RCS) pressure boundary during anticipated transients. By tripping the reactor, the RPS also assists the Engineered Safeguards (ES) Systems in mitigating accidents.

The protective and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as the LCOs on other reactor system parameters and equipment performance.

The LSSS, defined in this Specification as the Allowable Value, in conjunction with the LCOs, establishes the threshold for protective system action to prevent exceeding acceptable limits during accidents or transients.

During anticipated transients, which are those events expected to occur one or more times during the unit's life, the acceptable limit is:

a. The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value;
b. Fuel centerline melt shall not occur; and
c. The RCS pressure SL of 2750 psia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 20 and 10 CFR 100 criteria during anticipated transients.

Accidents are events that are analyzed even though they are not expected to occur during the unit's life. The acceptable limit during accidents is that the offsite dose shall be maintained within reference 10 CFR 100 limits.

Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

OCONEE ~UNITS 1, 2, & 3 B 3.3.1 -1 BASES REVISION DATED 12/14/04

RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued)

The RPS consists of four separate redundant protective channels that receive inputs of neutron flux, RCS pressure, RCS flow, RCS temperature, RCS pump status, reactor building (RB) pressure, main feedwater (MFW) pump status, and turbine status.

Figure 7.1 and 7.1 .a, UFSAR, Chapter 7 (Ref. 1), shows the arrangement of a typical RPS protective channel. A protective channel is composed of measurement channels, a manual trip channel, a reactor trip module (RTM), and control rod drive (CRD) trip devices. LCO 3.3.1 provides requirements for the individual measurement channels. These channels encompass all equipment and electronics from the point at which the measured parameter is sensed through the bistable relay contacts in the trip string. LCO 3.3.2, "Reactor Protective System (RPS) Manual Reactor Trip," LCO 3.3.3, "Reactor Protective System (RPS) - Reactor Trip Module (RTM)," and LCO 3.3.4, "control rod Drive (CRD) Trip Devices," discuss the remaining RPS elements.

The RPS instrumentation measures critical unit parameters and compares these to predetermined setpoints. If the setpoint is exceeded, a channel trip signal is generated. The generation of any two trip signals in any of the four RPS channels will result in the trip of the reactor.

For Unit(s) with the Control Rod Drive Control System (CRDCS) digital upgrade not complete, the Reactor Trip System (RTS) contains multiple CRD trip devices; two AC trip breakers, two DC trip breaker pairs, and eight electronic trip assembly (ETA) relays. The system has two separate paths (or channels), with each path having one AC breaker in series with a pair of DC breakers and functionally in series with four ETA relays in parallel.

Each path provides independent power to the CRDs. Either path can provide sufficient power to operate all CRDs. Two separate power paths to the CRDs ensure that a single failure that opens one path will not cause an unwanted reactor trip.

For Unit(s) with the CRDCS digital upgrade complete, the RTS consists of four AC Trip Breakers arranged in two parallel combinations of two breakers each. Each path provides independent power to the CRD motors. Either path can provide sufficient power to operate all CRD's.

Two separate power paths to the CRD's ensure that a single failure that opens one path will not cause an unwanted reactor trip.

OCONEE UNITS 1, 2, & 3 B 3.3.1-2 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued)

The RPS consists of four independent protective channels, each containing an RTM. The RTM receives signals from its own measurement channels that indicate a protective channel trip is required. The RTM transmits this signal to its own two-out-of-four trip logic and to the two-out-of-four logic of the RTMs in the other three RPS channels. Whenever any two RPS channels transmit channel trip signals, the RTM logic in each channel actuates to remove 120 VAC power from its associated CRD trip device.

For Unit(s) with the CRDCS digital upgrade not complete, the reactor is tripped by opening circuit breakers and energizing ETA relays that interrupt the control power supply to the CRDs. Six breakers are installed to increase reliability and allow testing of the trip system. A one-out-of-two taken twice logic is used to interrupt power to the rods.

For Units(s) with the CRDCS digital upgrade complete, the reactor is tripped by opening the reactor trip breakers.

The RPS has three bypasses: a shutdown bypass, a dummy bistable and an RPS channel bypass. Shutdown bypass allows the withdrawal of safety rods for SDM availability and rapid negative reactivity insertion during unit cooldowns or heatups. The dummy bistable is used to bypass one or more functions (bistable trips) associated with one RPS Channel. The RPS Channel bypass allows one entire RPS channel to be taken out of service for maintenance and testing. Test circuits in the trip strings allow complete testing of all RPS trip functions.

The RPS operates from the instrumentation channels discussed next. The specific relationship between measurement channels and protective channels differs from parameter to parameter. Three basic configurations are used:

a. Four completely redundant measurements (e.g., reactor coolant flow) with one channel input to each protective channel;
b. Four channels that provide similar, but not identical, measurements (e.g., power range nuclear instrumentation where each RPS channel monitors a different quadrant), with one channel input to each protective channel; and
c. Redundant measurements with combinational trip logic outside of the protective channels and the combined output provided to each protective channel (e.g., main feedwater pump trip instrumentation).

OCONEE UNITS 1, 2, & 3 B 3.3.1-3 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued)

These arrangements and the relationship of instrumentation channels to trip Functions are discussed next to assist in understanding the overall effect of instrumentation channel failure.

Power Range Nuclear Instrumentation Power Range Nuclear Instrumentation channels provide inputs to the following trip Functions:

1. Nuclear Overpower
a. Nuclear Overpower - High Setpoint;
b. Nuclear Overpower- Low Setpoint;
7. Reactor Coolant Pump to Power;
8. Nuclear Overpower Flux/Flow Imbalance;
9. Main Turbine Trip (Hydraulic Fluid Pressure); and
10. Loss of Main Feedwater (LOMFW) Pumps (Hydraulic Oil Pressure).

The power range instrumentation has four linear level channels, one for each core quadrant. Each channel feeds one RPS protective channel.

Each channel originates in a detector assembly containing two uncompensated ion chambers. The ion chambers are positioned to represent the top-half and bottom half of the core. The individual currents from the chambers are fed to individual linear amplifiers. The summation of the top and bottom is the total reactor power. The difference of the top minus the bottom neutron signal is the measured AXIAL POWER IMBALANCE for the associated core quadrant.

OCONEE UNITS 1, 2, & 3 B 3.3.1-4 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES BACKGROUND Reactor Coolant System Outlet Temperature (continued)

The Reactor Coolant System Outlet Temperature provides input to the following Functions:

2. RCS High Outlet Temperature; and
5. RCS Variable Low Pressure.

The RCS Outlet Temperature is measured by two resistance elements in each hot leg, for a total of four. One temperature detector is associated with each protective channel.

Reactor Coolant SVstem Pressure The Reactor Coolant System Pressure provides input to the following Functions:

3. RCS High Pressure;
4. RCS Low Pressure;
5. RCS Variable Low Pressure; and
11. Shutdown Bypass RCS High Pressure.

The RPS inputs of reactor coolant pressure are provided by two pressure transmitters in each hot leg, for a total of four. One sensor is associated with each protective channel.

Reactor Building Pressure The Reactor Building Pressure measurements provide input only to the Reactor Building High Pressure trip, Function 6. There are four RB High Pressure sensors, one associated with each protective channel.

OCONEE UNITS 1, 2, & 3 B 3.3.1-5 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES BACKGROUND Reactor Coolant Pump Power Monitoring (continued)

Reactor coolant pump power monitors are inputs to the Reactor Coolant Pump to Power trip, Function 7. Each RCP, operating current, and voltage is measured by four current transformers and four potential transformers driving four underpower relays. Each power monitoring channel consists of an underpower relay. One channel for each pump is associated with each protective channel.

Reactor Coolant System Flow The Reactor Coolant System Flow measurements are an input to the Nuclear Overpower Flux/Flow Imbalance trip, Function 8. The reactor coolant flow inputs to the RPS are provided by eight high accuracy differential pressure transmitters, four on each loop, which measure flow through calibrated flow tubes. One flow input in each loop is associated with each protective channel.

Main Turbine Automatic Stop Oil Pressure Main Turbine Automatic Stop Oil Pressure is an input to the Main Turbine Trip (Hydraulic Fluid Pressure) reactor trip, Function 9. Each of the four protective channels receives turbine status information from one of the four pressure switches monitoring main turbine automatic stop oil pressure. An open indication will be provided to the RPS on a turbine trip. Contact buffers in each protective channel continuously monitor the status of the contact inputs and initiate an RPS trip when a main turbine trip is indicated.

Feedwater Pump Hydraulic Oil Pressure Feedwater Pump Hydraulic Oil Pressure is an input to the Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) trip, Function 10. Hydraulic Oil pressure is measured by four switches on each feedwater pump. One switch on each pump, connected in series with a switch on the other MFW pump, is associated with each protective channel.

  • OCONEE UNITS 1,2,&3 B 3.3.1-6 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Bypasses (continued)

The RPS is designed with three types of bypasses: dummy bistable, channel bypass and shutdown bypass.

The dummy bistable provides a method of placing one or more functions in a RPS protective channel in a bypassed condition, the channel bypass provides a method of placing all Functions in one RPS protective channel in a bypassed condition, and shutdown bypass provides a method of leaving the safety rods withdrawn during cooldown and depressurization of the RCS. Each bypass is discussed next.

Dummy Bistable The dummy bistable is used to bypass one or more functions (bistable trips) associated with one RPS Channel. A dummy bistable is used if a parameter in an RPS channel fails and causes that channel to trip. Dummy bistables may be used in only one RPS channel at a time. Also, if an RPS channel is bypassed, no other RPS channel may contain a dummy bistable. Inserting a dummy bistable in the place of a failed (tripped) bistable allows the RPS channels to be reset, thus allowing the remainder of the functions in that RPS channel to be returned to service. This is more conservative than manually bypassing the entire RPS channel. For an RPS channel with a dummy bistable installed, only the affected function(s) is inoperable. The installation of the STAR hardware in the nuclear overpower flux/flow imbalance trip string requires the use of jumpers to bypass the trip string. The installation of these jumpers does not require the removal of the STAR processor module, therefore, the protective channel is not forced into a tripped condition.

Channel BVpass A channel bypass provision is provided to allow for maintenance and testing of the RPS. The use of channel bypass keeps the protective channel trip relay energized regardless of the status of the instrumentation channel of the bistable relay contacts. To place a protective channel in channel bypass, the other three channels must not be in channel bypass or otherwise inoperable (e.g., a dummy bistable installed). This can be verified by observing alarms/indicator lights. This is administratively controlled by having only one manual bypass key available for each unit.

All RPS trips are reduced to a two-out-of-three logic in channel bypass.

OCONEE UNITS 1, 2, & 3 B 3.3.1-7 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES BACKGROUND Shutdown Bypass (continued)

During unit cooldown and heatup, it is desirable to leave the safety rods at least partially withdrawn to provide shutdown capabilities in the event of unusual positive reactivity additions (moderator dilution, etc.).

However, the unit is also depressurized as coolant temperature is decreased. If the safety rods are withdrawn and coolant pressure is decreased, an RCS Low Pressure trip will occur at 1800 psig and the rods will fall into the core. To avoid this, the protective system allows the operator to bypass the low pressure trip and maintain shutdown capabilities. During the cooldown and depressurization, the safety rods are inserted prior to the low pressure trip of 1800 psig. The RCS pressure is decreased to less than 1720 psig, then each RPS channel is placed in shutdown bypass.

In shutdown bypass, a normally closed contact opens when the operator closes the shutdown bypass key switch (status shall be indicated by a light). This action bypasses the RCS Low Pressure trip, Nuclear Overpower Flux/Flow Imbalance trip, Reactor Coolant Pump to Power trip, and the RCS Variable Low Pressure trip, and inserts a new RCS High Pressure, 1720 psig trip. The operator can now withdraw the safety rods for additional rapidly insertable negative reactivity.

The insertion of the new high pressure trip performs two functions. First, with a trip setpoint of 1720 psig, the bistable prevents operation at normal system pressure, 2155 psig, with a portion of the RPS bypassed. The second function is to ensure that the bypass is removed prior to normal operation. When the RCS pressure is increased during a unit heatup, the safety rods are inserted prior to reaching 1720 psig. The shutdown bypass is removed, which returns the RPS to normal, and system pressure is increased to greater than 1800 psig. The safety rods are then withdrawn and remain at the full out condition for the rest of the heatup.

In addition to the Shutdown Bypass RCS High Pressure trip, the high flux trip setpoint is administratively reduced to < 5% RTP prior to placing the RPS in shutdown bypass. This provides a backup to the Shutdown Bypass RCS High Pressure trip and allows low power physics testing while preventing the generation of any significant amount of power.

OCONEE UNITS 1, 2, & 3 B 3.3.1-8 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES BACKGROUND Module Interlock and Test Trip Relay (continued)

Each channel and each trip module is capable of being individually tested.

When a module is placed into the test mode, it causes the test trip relay to open and to indicate an RPS channel trip. Under normal conditions, the channel to be tested is placed in bypass before a module is tested. Each trip module is electrically interlocked to the other three trip modules.

Removal of a trip module will indicate a tripped channel in the remaining trip modules.

Trip Setpoints/Allowable Value The Allowable Value and trip setpoint are based on the analytical limits stated in UFSAR, Chapter 15 (Ref. 2). The selection of the Allowable Value and associated trip setpoint is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 3), the Allowable Values specified in Table 3.3.1-1 in the accompanying LCO are conservative with respect to the analytical limits to account for all known uncertainties for each channel. The actual trip setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST. One example of such a change in measurement error is drift during the Surveillance Frequency. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes. The trip setpoints are the nominal values at which the bistables are set. Any bistable is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION accuracy. A detailed description of the methodology used to determine the Allowable Value, trip setpoints, and associated uncertainties is provided in Reference 4.

Setpoints in accordance with the Allowable Value ensure that the limits of Chapter 2.0, "Safety Limits," in the Technical Specifications are not violated during anticipated transients and that the consequences of accidents will be acceptable, providing the unit is operated from within the LCOs at the onset of the anticipated transient or accident and the equipment functions as designed. Note that in LCO 3.3.1 the Allowable Values listed in Table 3.3.1-1 for Functions 1 through 8 and 11 are the LSSS.

OCONEE UNITS 1, 2, & 3 B 3.3.1-9 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES BACKGROUND Trip Setpoints/Allowable Value (continued)

Each channel can be tested online to verify that the setpoint accuracy is within the specified allowance requirements. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. Surveillances for the channels are specified in the SR section.

APPLICABLE Each of the analyzed accidents and transients that require a reactor trip to SAFETY ANALYSES, meet the acceptance criteria can be detected by one or more RPS LCO, and Functions. The accident analysis contained in the UFSAR, Chapter 15 APPLICABILITY (Ref. 2), takes credit for most RPS trip Functions. Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit.

These Functions are high RB pressure, high RCS temperature, turbine trip, and loss of main feedwater. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions also serve as backups to Functions that were credited in the safety analysis.

The LCO requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions. The three channels of each Function in Table 3.3.1 - 1 of the RPS instrumentation shall be OPERABLE during its specified Applicability to ensure that a reactor trip will be actuated if needed. Additionally, during shutdown bypass with any CRD trip breaker closed, the applicable RPS Functions must also be available. This ensures the capability to trip the withdrawn CONTROL RODS exists at all times that rod motion is possible. The trip Function channels specified in Table 3.3.1 - 1 are considered OPERABLE when all channel components necessary to provide a reactor trip are functional and in service for the required MODE or Other Specified Condition listed in Table 3.3.1-1.

Only the Allowable Values are specified for each RPS trip Function in the LCO. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoint measured by CHANNEL FUNCTIONAL TESTS does not exceed the Allowable Value if the bistable is performing as required. A trip setpoint found less conservative than the nominal trip setpoint, but within its Allowable Value, is considered OPERABLE with respect to the uncertainty allowances assumed for the applicable surveillance interval provided that operation, testing and subsequent calibration are consistent with the assumptions of the setpoint calculations. Each Allowable Value specified is more OCONEE UNITS 1, 2, & 3 B 3.3.1 -10 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES APPLICABLE conservative than instrument uncertainties appropriate to the trip Function.

SAFETY ANALYSES, These uncertainties are defined in Reference 4.

LCO, and APPLICABILITY For most RPS Functions, the Allowable Value in conjunction with the (continued) nominal trip setpoint ensure that the departure from nucleate boiling (DNB),

center line fuel melt, or RCS pressure SLs are not challenged. Cycle specific values for use during operation are contained in the COLR.

Certain RPS trips function to indirectly protect the SLs by detecting specific conditions that do not immediately challenge SLs but will eventually lead to challenge if no action is taken. These trips function to minimize the unit transients caused by the specific conditions. The Allowable Value for these Functions is selected at the minimum deviation from normal values that will indicate the condition, without risking spurious trips due to normal fluctuations in the measured parameter.

The Allowable Values for bypass removal Functions are stated in the Applicable MODE or Other Specified Condition column of Table 3.3.1 - 1.

The safety analyses applicable to each RPS Function are discussed next.

1. Nuclear Overpower
a. Nuclear Overpower - High Setpoint The Nuclear Overpower - High Setpoint trip provides protection for the design thermal overpower condition based on the measured out of core neutron leakage flux.

The Nuclear Overpower - High Setpoint trip initiates a reactor trip when the neutron power reaches a predefined setpoint at the design overpower limit. Because THERMAL POWER lags the neutron power, tripping when the neutron power reaches the design overpower will limit THERMAL POWER to prevent exceeding acceptable fuel damage limits.

Thus, the Nuclear Overpower - High Setpoint trip protects against violation of the DNBR and fuel centerline melt SLs.

However, the RCS Variable Low Pressure, and Nuclear Overpower Flux/Flow Imbalance, provide more direct protection. The role of the Nuclear Overpower - High Setpoint trip is to limit reactor THERMAL POWER below the highest power at which the other two trips are known to provide protection.

.OCONEE UNITS 1, 2, & 3 B 3.3.1 -11 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES APPLICABLE The Nuclear Overpower - High Setpoint trip also provides SAFETY ANALYSES, transient protection for rapid positive reactivity excursions LCO, and during power operations. These events include the rod APPLICABILITY withdrawal accident and the rod ejection accident. By (continued) providing a trip during these events, the Nuclear Overpower -

High Setpoint trip protects the unit from excessive power levels and also serves to limit reactor power to prevent violation of the RCS pressure SL.

Rod withdrawal accident analyses cover a large spectrum of reactivity insertion rates (rod worths), which exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower - High Setpoint trip provides the primary protection. At low reactivity insertion rates, the high pressure trip provides primary protection.

b. Nuclear Overpower - Low Setpoint Prior to initiating shutdown bypass, the Nuclear Overpower - Low Setpoint trip must be reduced to < 5% RTP.

The low power setpoint, in conjunction with the lower Shutdown Bypass RCS High Pressure setpoint, ensure that the unit is protected from excessive power conditions when other RPS trips are bypassed.

The setpoint Allowable Value was chosen to be as low as practical and still lie within the range of the out of core instrumentation.

2. RCS High Outlet Temperature The RCS High Outlet Temperature trip, in conjunction with the RCS Low Pressure and RCS Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the reactor vessel outlet temperature approaches the conditions necessary for DNB. Portions of each RCS High Outlet Temperature trip channel are common with the RCS Variable Low Pressure trip. The RCS High Outlet Temperature trip provides steady state protection for the DNBR SL.

The RCS High Outlet Temperature trip limits the maximum RCS temperature to below the highest value for which DNB protection by the Variable Low Pressure trip is ensured. The trip setpoint OCONEE UNITS 1, 2, & 3 B 3.3.1-12 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES APPLICABLE 2. RCS High Outlet Temperature (continued)

SAFETY ANALYSES, LCO, and Allowable Value is selected to ensure that a trip occurs before hot leg APPLICABILITY temperatures reach the point beyond which the RCS Low Pressure and Variable Low Pressure trips are analyzed. Above the high temperature trip, the variable low pressure trip need not provide protection, because the unit would have tripped already. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions that the equipment is expected to experience because the trip is not required to mitigate accidents that create harsh conditions in the RB.

3. RCS High Pressure The RCS High Pressure trip works in conjunction with the pressurizer and main steam relief valves to prevent RCS overpressurization, thereby protecting the RCS High Pressure SL The RCS High Pressure trip has been credited in the transient analysis calculations for slow positive reactivity insertion transients (rod withdrawal transients and moderator dilution). The rod withdrawal transient covers a large spectrum of reactivity insertion rates and rod worths that exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower

- High Setpoint trip provides the primary protection. At low reactivity insertion rates, the RCS High Pressure trip provides the primary protection.

The setpoint Allowable Value is selected to ensure that the RCS High Pressure SL is not challenged during steady state operation or slow power increasing transients. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions because the equipment is not required to mitigate accidents that create harsh conditions in the RB.

4. RCS Low Pressure The RCS Low Pressure trip, in conjunction with the RCS High Outlet Temperature and Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system pressure approaches the conditions necessary for DNB. The RCS Low Pressure trip provides DNB low pressure limit for the RCS Variable Low Pressure trip.

OCONEE UNITS 1, 2, & 3 B 3.3.1-1 3 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES APPLICABLE 4. RCS Low Pressure (continued)

SAFETY ANALYSES, LCO, and The RCS Low Pressure setpoint Allowable Value is selected to APPLICABILITY ensure that a reactor trip occurs before RCS pressure is reduced (continued) below the lowest point at which the RCS Variable Low Pressure trip is analyzed. The RCS Low Pressure trip provides protection for primary system depressurization events and has been credited in the accident analysis calculations for small break loss of coolant accidents (LOCAs). Harsh RB conditions created by small break LOCAs cannot affect performance of the RCS pressure sensors and transmitters within the time frame for a reactor trip. Therefore, degraded environmental conditions are not considered in the Allowable Value determination.

5. RCS Variable Low Pressure The RCS Variable Low Pressure trip, in conjunction with the RCS High Outlet Temperature and RCS Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system parameters of pressure and temperature approach the conditions necessary for DNB. The RCS Variable Low Pressure trip provides a floating low pressure trip based on the RCS High Outlet Temperature within the range specified by the RCS High Outlet Temperature and RCS Low Pressure trips.

The RCS Variable Low Pressure setpoint Allowable Value is selected to ensure that a trip occurs when temperature and pressure approach the conditions necessary for DNB while operating in a temperature pressure region constrained by the low pressure and high temperature trips. The RCS Variable Low Pressure trip is assumed for transient protection in the main steam line break analysis. The setpoint allowable value does not include errors induced by the harsh environment, because the trip actuates prior to the harsh environment.

6. Reactor BuildinQ High Pressure The Reactor Building High Pressure trip provides an early indication of a high energy line break (HELB) inside the RB. By detecting changes in the RB pressure, the RPS can provide a reactor trip before the other system parameters have varied significantly. Thus, this trip acts to minimize accident consequences. It also provides a backup for RPS trip instruments exposed to an RB HELB environment.

OCONEE UNITS 1, 2, & 3 B 3.3.1-14 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES APPLICABLE 6. Reactor Building High Pressure (continued)

SAFETY ANALYSES, LCO, and The Allowable Value for RB High Pressure trip is set at the lowest APPLICABILITY value consistent with avoiding spurious trips during normal operation.

(continued) The electronic components of the RB High Pressure trip are located in an area that is not exposed to high temperature steam environments during HELB transients inside containment. The components are exposed to high radiation conditions. Therefore, the determination of the setpoint Allowable Value accounts for errors induced by the high radiation.

7. Reactor Coolant Pump to Power The Reactor Coolant Pump to Power trip provides protection for changes in the reactor coolant flow due to the loss of multiple RCPs.

Because the flow reduction lags loss of power indications due to the inertia of the RCPs, the trip initiates protective action earlier than a trip based on a measured flow signal.

The Reactor Coolant Pump to Power trip has been credited in the accident analysis calculations for the loss of more than two RCPs.

The Allowable Value for the Reactor Coolant Pump to Power trip setpoint is selected to prevent normal power operation unless at least three RCPs are operating. RCP status is monitored by power transducers on each pump. These relays indicate a loss of an RCP on underpower. The underpower setpoint is selected to reliably trip on loss of voltage to the RCPs. Neither the reactor power nor the pump power setpoint account for instrumentation errors caused by harsh environments because the trip Function is not required to respond to events that could create harsh environments around the equipment.

8. Nuclear Overpower Flux/Flow Imbalance The Nuclear Overpower Flux/Flow Imbalance trip provides steady state protection for the power imbalance SLs. A reactor trip is initiated prior to the core power, AXIAL POWER IMBALANCE, and reactor coolant flow conditions exceeding the DNB or fuel centerline temperature limits.

OCONEE UNITS 1, 2, & 3 B 3.3.1-15 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES APPLICABLE 8. Nuclear Overpower Flux/Flow Imbalance (continued)

SAFETY ANALYSES, LCO, and This trip supplements the protection provided by the Reactor Coolant APPLICABILITY Pump to Power trip, through the power to flow ratio, for loss of reactor coolant flow events. The power to flow ratio provides direct protection for the DNBR SL for the loss of one or more RCPs and for locked RCP rotor accidents.

The power to flow ratio of the Nuclear Overpower Flux/Flow Imbalance trip also provides steady state protection to prevent reactor power from exceeding the allowable power when the primary system flow rate is less than full four pump flow. Thus, the power to flow ratio prevents overpower conditions similar to the Nuclear Overpower trip. This protection ensures that during reduced flow conditions the core power is maintained below that required to begin DNB.

The Allowable Value is selected to ensure that a trip occurs when the core power, axial power peaking, and reactor coolant flow conditions indicate an approach to DNB or fuel centerline temperature limits.

By measuring reactor coolant flow and by tripping only when conditions approach an SL, the unit can operate with the loss of one pump from a four pump initial condition at power levels at least as low as approximately 80% RTP. The Allowable Value for the Function, including the upper limits of the Function are given in the unit COLR because the cycle specific core peaking changes affect the Allowable Value.

9. Main Turbine Trip (Hydraulic Fluid Pressure)

The Main Turbine Trip Function trips the reactor when the main turbine is lost at high power levels. The Main Turbine Trip Function provides an early reactor trip in anticipation of the loss of heat sink associated with a turbine trip. The Main Turbine Trip Function was added to the B&W designed units in accordance with NUREG-0737 (Ref. 5) following the Three Mile Island Unit 2 accident. The trip lowers the probability of an RCS power operated relief valve (PORV) actuation for turbine trip cases. This trip is activated at higher power levels, thereby limiting the range through which the Integrated Control System must provide an automatic runback on a turbine trip.

Each of the four turbine hydraulic fluid pressure switches feeds one protective channel through buffers that continuously monitor the status of the contacts.

OCONEE UNITS 1, 2, & 3 B 3.3.1-1 6 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES APPLICABLE 9. Main Turbine Trip (Hydraulic Fluid Pressure) (continued)

SAFETY ANALYSES, LCO, and For the Main Turbine Trip (Hydraulic Fluid Pressure) bistable, the APPLICABILITY Allowable Value of 800 psig is selected to provide a trip whenever (continued) main turbine hydraulic fluid pressure drops below the normal operating range. To ensure that the trip is enabled as required by the LCO, the reactor power bypass is set with an Allowable Value of 30% RTP. The turbine trip is not required to protect against events that can create a harsh environment in the turbine building.

Therefore, errors induced by harsh environments are not included in the determination of the setpoint Allowable Value.

10. Loss of Main Feedwater Pumps (Hydraulic Oil Pressure)

The Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) trip provides a reactor trip at high power levels when both MFW pumps are lost. The trip provides an early reactor trip in anticipation of the loss of heat sink associated with the LOMF. This trip was added in accordance with NUREG-0737 (Ref. 5)following the Three Mile Island Unit 2 accident. This trip provides a reactor trip at high power levels for a LOMF to minimize challenges to the PORV.

For the feedwater pump hydraulic oil pressure bistables, the Allowable Value of 75 psig is selected to provide a trip whenever feedwater pump hydraulic oil pressure drops below the normal operating range. To ensure that the trip is enabled as required by the LCO, the reactor power bypass is set with an Allowable Value of 2% RTP. The Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) trip is not required to protect against events that can create a harsh environment in the turbine building. Therefore, errors caused by harsh environments are not included in the determination of the setpoint Allowable Value.

11. Shutdown Bypass RCS High Pressure The RPS Shutdown Bypass RCS High Pressure is provided to allow for withdrawing the CONTROL RODS prior to reaching the normal RCS Low Pressure trip setpoint. The shutdown bypass provides trip protection during deboration and RCS heatup by allowing the operator to at least partially withdraw the safety groups of CONTROL RODS. This makes their negative reactivity available to terminate inadvertent reactivity excursions. Use of the shutdown bypass trip OCONEE UNITS 1, 2, & 3 B 3.3.1-17 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES APPLICABLE 11. Shutdown Bypass RCS High Pressure (continued)

SAFETY ANALYSES, LCO, and requires that the neutron power trip setpoint be reduced to 5% of full APPLICABILITY power or less. The Shutdown Bypass RCS High Pressure trip forces a reactor trip to occur whenever the unit switches from power operation to shutdown bypass or vice versa. This ensures that the CONTROL RODS are all inserted before power operation can begin.

The operator is required to remove the shutdown bypass, reset the Nuclear Overpower - High Power trip setpoint, and again withdraw the safety group rods before proceeding with startup.

Accidents analyzed in the UFSAR, Chapter 15 (Ref. 2), do not describe events that occur during shutdown bypass operation, because the consequences of these events are enveloped by the events presented in the UFSAR.

During shutdown bypass operation with the Shutdown Bypass RCS High Pressure trip active with a setpoint of < 1720 psig and the Nuclear Overpower - Low Setpoint set at or below 5% RTP, the trips listed below can be bypassed. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low Setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.

1.a Nuclear Overpower - High Setpoint;

3. RCS High Pressure;
4. RCS Low Pressure;
5. RCS Variable Low Pressure;
7. Reactor Coolant Pump to Power; and
8. Nuclear Overpower Flux/Flow Imbalance.

The Shutdown Bypass RCS High Pressure Function's Allowable Value is selected to ensure a trip occurs before producing THERMAL POWER.

OCONEE UNITS 1, 2, & 3 B 3.3.1-1 8 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES APPLICABLE General Discussion SAFETY ANALYSES, LCO, and The RPS satisfies Criterion 3 of 10 CFR 50.36 (Ref. 8). In MODES 1 APPLICABILITY and 2, the following trips shall be OPERABLE because the reactor can be (continued) critical in these MODES. These trips are designed to take the reactor subcritical to maintain the SLs during anticipated transients and to assist the ESPS in providing acceptable consequences during accidents.

1a. Nuclear Overpower - High Setpoint;

2. RCS High Outlet Temperature;
3. RCS High Pressure;
4. RCS Low Pressure;
5. RCS Variable Low Pressure;
6. Reactor Building High Pressure;
7. Reactor Coolant Pump to Power; and
8. Nuclear Overpower Flux/Flow Imbalance.

Functions 1, 3, 4, 5, 7, and 8 just listed may be bypassed in MODE 2 when RCS pressure is below 1720 psig, provided the Shutdown Bypass RCS High Pressure and the Nuclear Overpower - Low setpoint trip are placed in operation. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.

The Main Turbine Trip (Hydraulic Fluid Pressure) Function is required to be OPERABLE in MODE 1 at Ž 30% RTP. The Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) Function is required to be OPERABLE in MODE 1 and in MODE 2 at Ž 2% RTP. Analyses presented in BAW-1 893 (Ref. 6) have shown that for operation below these power levels, these trips are not necessary to minimize challenges to the PORVs as required by NUREG-0737 (Ref. 5).

Because the safety function of the RPS is to trip the CONTROL RODS, the RPS is not required to be OPERABLE in MODE 3, 4, or 5 if either the reactor trip breakers are open, or the CRD System is incapable of rod withdrawal. Similarly, the RPS is not required to be OPERABLE in MODE 6 because the CONTROL RODS are normally decoupled from the CRDs.

OCONEE UNITS 1, 2, & 3 B 3.3.1-1 9 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES APPLICABLE General Discussion (continued)

SAFETY ANALYSES, LCO, and However, in MODE 2, 3, 4, or 5, the Shutdown Bypass RCS High Pressure APPLICABILITY and Nuclear Overpower - Low setpoint trips are required to be OPERABLE if the CRD trip breakers are closed and the CRD System is capable of rod withdrawal. Under these conditions, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are sufficient to prevent an approach to conditions that could challenge SLs.

ACTIONS Conditions A and B are applicable to all RPS protective Functions. If a channel's trip setpoint is found nonconservative with respect to the required Allowable Value in Table 3.3.1-1, or the transmitter, instrument loop, signal processing electronics or bistable is found inoperable, the channel must be declared inoperable and Condition A entered immediately.

When an RPS channel is manually tripped, the functions that were inoperable prior to tripping remain inoperable. Other functions in the same channel that were OPERABLE prior to tripping remain OPERABLE.

A.1 For Required Action A.1, if one or more Functions in a required protective channel becomes inoperable, the affected protective channel must be placed in trip. This Required Action places all RPS Functions in a one-out-of-two logic configuration. The "non-required" channel is placed in bypass when the required inoperable channel is placed in trip to prevent bypass of a second required channel. In this configuration, the RPS can still perform its safety functions in the presence of a random failure of any single Channel. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is sufficient time to perform Required Action A.1.

B.1 Required Action B.1 directs entry into the appropriate Condition referenced in Table 3.3.1-1. The applicable Condition referenced in the table is Function dependent. If the Required Action and the associated Completion Time of Condition A are not met or if more than two channels are inoperable, Condition B is entered to provide for transfer to the appropriate subsequent Condition.

OCONEE UNITS 1, 2, & 3 B 3.3.1-20 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES ACTIONS C.1 and C.2 (continued)

If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition C, the unit must be brought to a MODE in which the specified RPS trip Functions are not required to be OPERABLE. The allowed Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and to open all CRD trip breakers without challenging unit systems.

D.1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition D, the unit must be brought to a MODE in which the specified RPS trip Functions are not required to be OPERABLE. To achieve this status, all CRD trip breakers must be opened. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to open CRD trip breakers without challenging unit systems.

E.1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition E, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < 30% RTP. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach 30% RTP from full power conditions in an orderly manner without challenging unit systems.

F.1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition F, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < 2% RTP. The allowed Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is reasonable, based on operating experience, to reach 2% RTP from full power conditions in an orderly manner without challenging unit systems.

OCONEE UNITS 1, 2, & 3 B 3.3.1-21 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES (continued)

SURVEILLANCE The SRs for each RPS Function are identified by the SRs REQUIREMENTS column of Table 3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and CHANNEL CALIBRATION testing.

The SRs are modified by a Note. The Note directs the reader to Table 3.3.1-1 to determine the correct SRs to perform for each RPS Function.

SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If the channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction. Off scale low current loop channels are verified to be reading at the bottom of the range and not failed downscale.

The Frequency, equivalent to once every shift, is based on operating experience that demonstrates channel failure is rare. Since the probability of two random failures in redundant channels in any 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal but more frequent checks of channel OPERABILITY during normal operational use of the displays associated with the LCO's required channels.

For Functions that trip on a combination of several measurements, such as the Nuclear Overpower Flux/Flow Imbalance Function, the CHANNEL CHECK must be performed on each input.

OCONEE UNITS 1, 2, & 3 B 3.3.1-22 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.2 REQUIREMENTS (continued) This SR is the performance of a heat balance calibration for the power range channels every 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> when reactor power is > 15% RTP. The heat balance calibration consists of a comparison of the results of the calorimetric with the power range channel output. The outputs of the power range channels are normalized to the calorimetric. If the calorimetric exceeds the Nuclear Instrumentation System (NIS) channel output by 2 2%

RTP, the NIS is not declared inoperable but must be adjusted. If the NIS channel cannot be properly adjusted, the channel is declared inoperable. A Note clarifies that this Surveillance is required to be performed only if reactor power is 2 15% RTP and that 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is allowed for performing the first Surveillance after reaching 15% RTP. At lower power levels, calorimetric data are less accurate.

The power range channel's output shall be adjusted consistent with the calorimetric results if the calorimetric exceeds the power range channel's output by Ž 2% RTP. The value of 2% is adequate because this value is assumed in the safety analyses of UFSAR, Chapter 15 (Ref. 2). These checks and, if necessary, the adjustment of the power range channels ensure that channel accuracy is maintained within the analyzed error margins. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Frequency is adequate, based on unit operating experience, which demonstrates the change in the difference between the power range indication and the calorimetric results rarely exceeds a small fraction of 2% in any 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> period. Furthermore, the control room operators monitor redundant indications and alarms to detect deviations in channel outputs.

SR 3.3.1.3 A comparison of power range nuclear instrumentation channels against incore detectors shall be performed at a 31 day Frequency when reactor power is 2 15% RTP. A Note clarifies that 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is allowed for performing the first Surveillance after reaching 15% RTP. If the absolute value of imbalance error is 2 2% RTP, the power range channel is not inoperable, but an adjustment of the measured imbalance to agree with the incore measurements is necessary. The Imbalance error calculation is adjusted for conservatism by applying a correlation slope (CS) value to the error calculation formula. This ensure that the value of the APIQ is > API 1.

The CS value is listed in the COLR and is cycle dependent. If the power range channel cannot be properly recalibrated, the channel is declared inoperable. The calculation of the Allowable Value envelope assumes a OCONEE UNITS 1, 2, & 3 B 3.3.1-23 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES (continued)

SURVEILLANCE SR 3.3.1.3 (continued)

REQUIREMENTS difference in out of core to incore measurements of 2.0%. Additional inaccuracies beyond those that are measured are also included in the setpoint envelope calculation. The 31 day Frequency is adequate, considering that long term drift of the excore linear amplifiers is small and burnup of the detectors is slow. Also, the excore readings are a strong function of the power produced in the peripheral fuel bundles, and do not represent an integrated reading across the core. The slow changes in neutron flux during the fuel cycle can. also be detected at this interval.

SR 3.3.1.4 A CHANNEL FUNCTIONAL TEST is performed on each required RPS channel to ensure that the entire channel will perform the intended function.

Setpoints must be found within the Allowable Values specified in Table 3.3.1-1. Any setpoint adjustment shall be consistent with the assumptions of the current setpoint analysis.

The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in BAW-1 01 67 (Ref. 7).

The Frequency of 45 days on a STAGGERED TEST BASIS is consistent with the calculations of Reference 7 that indicate the RPS retains a high level of reliability for this test interval.

SR 3.3.1.5 A Note to the Surveillance indicates that neutron detectors are excluded from CHANNEL CALIBRATION. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure virtually instantaneous response.

OCONEE UNITS 1, 2, & 3 B 3.3.1-24 BASES REVISION DATED 12/14/04 l

RPS Instrumentation B 3.3.1 BASES (continued)

SURVEILLANCE SR 3.3.1.5 (continued)

REQUIREMENTS A CHANNEL CALIBRATION is a complete check of the instrument channel, including the sensor. The test verifies that the channel responds to the measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that measurement errors and bistable setpoint errors are within the assumptions of the setpoint analysis. CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the setpoint analysis.

Whenever a sensing element is replaced, the next required CHANNEL CALIBRATION of the resistance temperature detectors (RTD)sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.

The Frequency is justified by the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

REFERENCES 1. UFSAR, Chapter 7.

2. UFSAR, Chapter 15.
3. 10 CFR 50.49.
4. EDM-1 02, "Instrument Setpoint/Uncertainty Calculations."
5. NUREG-0737, "Clarification of TMI Action Plan Requirements,"

November 1979.

6. BAW-1 893, "Basis for Raising Arming Threshold for Anticipating Reactor Trip on Turbine Trip,' October 1985.
7. BAW-10167, May 1986.
8. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.1-25 BASES REVISION DATED 12/14/04 l

RPS Manual Reactor Trip B 3.3.2 B 3.3 INSTRUMENTATION B 3.3.2 Reactor Protective System (RPS) Manual Reactor Trip BASES BACKGROUND The RPS Manual Reactor Trip provides the operator with the capability to trip the reactor from the control room. Manual trip is provided by a trip push button on the main control board. This push button operates four electrically independent switch contacts, one for each train. This trip is independent of the automatic trip system. As shown in Figures 7.1 and 7.1 a, UFSAR, Chapter 7 (Ref. 1), power for the control rod drive (CRD) breaker undervoltage coils and contactor coils comes from the reactor trip modules (RTMs). The manual trip switch contacts are located between the RTM output and the breaker undervoltage coils. Opening of the trip switch I contacts opens the lines to the breakers, tripping them. The switch contacts also energize the breaker shunt trip mechanisms. There is a separate switch contact in series, with the output of each of the four RTMs.

All trip switch contacts are actuated through a mechanical linkage from a single push button.

APPLICABLE The Manual Reactor Trip ensures that the control room operator can SAFETY ANALYSES initiate a reactor trip at any time. The Manual Reactor Trip Function is required as a backup to the automatic trip functions and allows operators to shut down the reactor.

The Manual Reactor Trip Function satisfies Criterion 3 of 10 CFR 50.36 (Ref. 2).

LCO The LCO on the RPS Manual Reactor Trip requires that the trip shall be OPERABLE whenever the reactor is critical or any time any control rod breaker is closed and rods are capable of being withdrawn, including shutdown bypass. This enables the operator to terminate any event that in the operator's judgment requires protective action, even if no automatic trip condition exists.

The Manual Reactor Trip Function is composed of four electrically independent trip switch contacts sharing a common mechanical push button.

OCONEE UNITS 1, 2, & 3 B 3.3.2-1 BASES REVISION DATED 12/14/04 l

RPS Manual Reactor Trip B 3.3.2 BASES (continued)

APPLICABILITY The Manual Reactor Trip Function is required to be OPERABLE in MODES 1 and 2. It is also required to be OPERABLE in MODES 3, 4, and 5 if any CRD trip breaker is in the closed position and if the CRD System is capable of rod withdrawal. The safety function of the RPS is to trip the CONTROL RODS; therefore, the Manual Reactor Trip Function is not needed in MODE 3, 4, or 5 if either the reactor trip breakers are open or if the CRD System is incapable of rod withdrawal. Similarly, the RPS Manual Reactor Trip is not needed in MODE 6 because the CONTROL RODS are normally decoupled from the CRDs.

ACTIONS A.1 Condition A applies when the Manual Reactor Trip Function is found inoperable. One hour is allowed to restore Function to OPERABLE status.

The automatic functions and various alternative manual trip methods, such as removing power to the RTMs, are still available. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is sufficient time to correct minor problems.

B.1 and B.2 With the Required Action and associated Completion Time not met in MODE 1, 2, or 3, the unit must be placed in a MODE in which manual trip is not required. Required Action B.1 and Required Action B.2 place the unit in at least MODE 3 with all CRD trip breakers open within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems.

C.1 With the Required Action and associated Completion Time not met in MODE 4 or 5, the unit must be placed in a MODE in which manual trip is not required. To achieve this status, all CRD trip breakers must be opened. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to open all CRD trip breakers without challenging unit systems.

OCONEE UNITS 1, 2, & 3 B 3.3.2-2 BASES REVISION DATED 12/14/04 l

RPS Manual Reactor Trip B 3.3.2 BASES (continued)

SURVEILLANCE SR 3.3.2.1 REQUIREMENTS This SR requires the performance of a CHANNEL FUNCTIONAL TEST of the Manual Reactor Trip Function. This test verifies the OPERABILITY of the Manual Reactor Trip by actuation of the CRD trip breakers. The Frequency shall be once prior to each reactor startup if not performed within the preceding 7 days to ensure the OPERABILITY of the Manual Reactor Trip Function prior to achieving criticality. The Frequency was developed in consideration that these Surveillances are only performed during a unit outage.

REFERENCES 1. UFSAR, Chapter 7.

2. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.2-3 BASES REVISION DATED 12/14/04 l

RPS - RTM B 3.3.3 B 3.3 INSTRUMENTATION B 3.3.3 Reactor Protective System (RPS) - Reactor Trip Module (RTM)

BASES BACKGROUND The RPS consists of four independent protection channels, each containing an RTM. Figure 7.1, UFSAR, Chapter 7 (Ref. 1), shows a typical RPS protection channel and the relationship of the RTM to the RPS instrumentation, manual trip, and CONTROL ROD drive (CRD) trip devices. The RTM receives bistable trip signals from the functions in its own channel and channel trip signals from the other three RPS - RTMs.

The RTM provides these signals to its own two-out-of-four trip logic and transmits its own channel trip signal to the two-out-of-four logic of the RTMs in the other three RPS channels. Whenever any two RPS channels transmit channel trip signals, the RTM logic in each channel actuates to remove 120 VAC power from its associated CRD trip devices.

The RPS trip scheme consists of series contacts that are operated by bistables. During normal unit operations, all contacts are closed and the RTM channel trip relay remains energized. However, if any trip parameter exceeds its setpoint, its associated contact opens, which de-energizes the channel trip relay.

When an RTM channel trip relay de-energizes, several things occur:

a. Each of the four (4)output logic relays "informs" its associated RPS channel that a reactor trip signal has occurred in the tripped RPS channel;
b. The contacts in the trip device circuitry, powered by the tripped channel, open, but the trip device remains energized through the closed contacts from the other RTMs. (This condition exists in each RPS - RTM. Each RPS - RTM controls power to a trip device.);

and

c. The contact in parallel with the channel reset switch opens and the trip is sealed in. To re-energize the channel trip relay, the channel reset switch must be depressed after the trip condition has cleared.

When the second RPS channel senses a reactor trip condition, the output logic relays for the second channel de-energize and open contacts that supply power to the trip devices. With contacts opened by two separate RPS channels, power to the trip devices is interrupted and the CONTROL RODS fall into the core.

OCONEE UNITS 1, 2, & 3 B 3.3.3-1 BASES REVISION DATED 12/14/04 l

RPS- RTM B 3.3.3 BASES (continued)

BACKGROUND A minimum of two out of four RTMs must sense a trip condition to cause a (continued) reactor trip. Also, because the bistable relay contacts for each function are in series with the channel trip relays, two channel trips caused by different trip functions can result in a reactor trip.

APPLICABLE Transient and accident analyses rely on a reactor trip for protection of SAFETY ANALYSES reactor core integrity, reactor coolant pressure boundary integrity, and reactor building OPERABILITY. A reactor trip must occur when needed to prevent accident conditions from exceeding those calculated in the accident analyses. More detailed descriptions of the applicable accident analyses are found in the bases for each of the RPS trip Functions in LCO 3.3.1, NReactor Protective System (RPS) Instrumentation."

The RTMs satisfy Criterion 3 of 10 CFR 50.36 (Ref. 2).

LCO The RTM LCO requires all four RTMs to be OPERABLE. Failure of any RTM renders a portion of the RPS inoperable.

An OPERABLE RTM must be able to receive and interpret trip signals from its own and other OPERABLE RPS channels and to open its associated trip device.

The requirement of four RTMs to be OPERABLE ensures that a minimum of two RTMs will remain OPERABLE if a single failure has occurred in one RTM and if a second RTM is out of service. This two-out-of-four trip logic also ensures that a single RTM failure will not cause an unwanted reactor trip. Violation of this LCO could result in a trip signal not causing a reactor trip when needed.

APPLICABILITY The RTMs are required to be OPERABLE in MODES 1 and 2. They are also required to be OPERABLE in MODES 3, 4, and 5 if any CRD trip breakers are in the closed position and the CRD System is capable of rod withdrawal. The RTMs are designed to ensure a reactor trip would occur, if needed. This condition can exist in all of these MODES; therefore, the RTMs must be OPERABLE.

OCONEE UNITS 1, 2, & 3 B 3.3.3-2 BASES REVISION DATED 12/14/04 l

RPS- RTM B 3.3.3 BASES (continued)

ACTIONS A.1.1. A.1.2, and A.2 When an RTM is inoperable, the associated CRD trip breaker must then be placed in a condition that is equivalent to a tripped condition for the RTM.

Required Action A.1.1 or Required Action A.1.2 requires this either by tripping the CRD trip breaker or by removing power to the CRD trip device.

For Unit(s) with the Control Rod Drive Control System (CRDCS) digital upgrade not complete, tripping one RTM or removing power opens one set of CRD trip devices. For Unit(s) with the CRDCS digital upgrade complete, tripping one RTM or removing power opens one of the CRD trip devices, which will result in the loss of one of the parallel power supplies to the digital CRDCS. Power to hold CONTROL RODS in position is still provided via the parallel CRD trip device(s) (for Unit(s) with the CRDCS digital upgrade not complete) or CRD power supply (for Unit(s) with the CRDCS digital upgrade complete). Therefore, a reactor trip will not occur until a second protection channel trips.

To ensure the trip signal is registered in the other channels, Required Action A.2 requires that the inoperable RTM be removed from the cabinet.

This action causes the electrical interlocks to indicate a tripped channel in the remaining three RTMs. Operation in this condition is allowed indefinitely because the actions put the RPS into a one-out-of-three configuration. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is sufficient time to perform the Required Actions.

B.1. B.2.1, and B.2.2 Condition B applies if two or more RTMs are inoperable or if the Required Action and associated Completion Time of Condition A are not met in MODE 1, 2, or 3. In this case, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 with all CRD trip breakers open or with power from all CRD trip breakers removed within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems.

OCONEE UNITS 1, 2, & 3 B 3.3.3-3 BASES REVISION DATED 12/14/04 l

RPS- RTM B 3.3.3 BASES ACTIONS C.1 and C.2 (continued)

Condition C applies if two or more RTMs are inoperable or if the Required Action and associated Completion Time of Condition A are not met in MODE 4 or 5. In this case, the unit must be placed in a MODE in which the LCO does not apply. This is done by opening all CRD trip breakers or removing power from all CRD trip breakers. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to open all CRD trip breakers or remove power from all CRD trip breakers without challenging unit systems.

SURVEILLANCE SR 3.3.3.1 REQUIREMENTS The SRs include performance of a CHANNEL FUNCTIONAL TEST every 31 days. This test shall verify the OPERABILITY of the RTM and its ability to receive and properly respond to channel trip and reactor trip signals.

The Frequency of 31 days is based on operating experience, which has demonstrated that failure of more than one channel of a given function in any 31 day interval is a rare event.

Testing in accordance with this SR is normally performed on a rotational basis, with one RTM being tested each week. Testing one RTM each week reduces the likelihood of the same systematic test errors being introduced into each redundant RTM.

REFERENCES 1. UFSAR, Chapter 7.

2. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.3-4 BASES REVISION DATED 12/14/04 l

Reactor Building Spray and Cooling Systems B 3.6.5 B 3.6 CONTAINMENT SYSTEMS B 3.6.5 Reactor Building Spray and Cooling Systems BASES BACKGROUND The Reactor Building Spray and Reactor Building Cooling systems provide containment atmosphere cooling to limit post accident pressure and temperature in containment to less than the design values. Reduction of containment pressure and the iodine removal capability of the spray reduces the release of fission product radioactivity from containment to the environment, in the event of an accident, to within limits. The Reactor Building Spray and Reactor Building Cooling systems are designed to meet ONS Design Criteria (Ref. 1).

The Reactor Building Cooling System and Reactor Building Spray System are Engineered Safeguards (ES) systems. They are designed to ensure that the heat removal capability required during the post accident period can be attained. The Reactor Building Spray System and Reactor Building Cooling System provide containment heat removal operation. The Reactor Building Spray System and Reactor Building Cooling System provide methods to limit and maintain post accident conditions to less than the containment design values.

Reactor Building Spray System The Reactor Building Spray System consists of two separate trains of equal capacity, each capable of meeting the design basis. Each train includes a reactor building spray pump, spray headers, nozzles, valves, piping and a flow indicator. Each train is powered from a separate ES bus.

The borated water storage tank (BWST) supplies borated water to the Reactor Building Spray System during the injection phase of operation. In the recirculation mode of operation, Reactor Building Spray System pump suction is manually transferred to the reactor building sump.

OCONEE UNITS 1, 2, & 3 B 3.6.5-1 BASES REVISION DATED 12/14/04 l

Reactor Building Spray and Cooling Systems B 3.6.5 BASES BACKGROUND Reactor Building Sprav System (continued)

The Reactor Building Spray System provides a spray of relatively cold borated water into the upper regions of containment to reduce the containment pressure and temperature and to reduce the concentration of fission products in the containment atmosphere during an accident. In the recirculation mode of operation, heat is removed from the reactor building sump water by the decay heat removal coolers. Each train of the Reactor Building Spray System provides adequate spray coverage to meet the system design requirements for containment heat removal.

The Reactor Building Spray System is actuated automatically by a containment High-High pressure signal. An automatic actuation opens the Reactor Building Spray System pump discharge valves and starts the two Reactor Building Spray System pumps.

Reactor Building Cooling System The Reactor Building Cooling System consists of three reactor building cooling trains. Each cooling train is equipped with cooling coils, and an axial vane flow fan driven by a two speed electric motor.

During normal unit operation, typically two reactor building cooling trains with two fans operating at low speed or high speed, serve to cool the containment atmosphere. Low speed cooling fan operation is available I

during periods of lower containment heat load. The third unit is usually on standby. Upon receipt of an emergency signal, the operating cooling fans running at low speed or high speed will automatically trip, then restart in low speed after a 3 minute delay, and any idle unit is energized in low speed after a 3 minute delay. The fans are operated at the lower speed during accident conditions to prevent motor overload from the higher density atmosphere.

APPLICABLE The Reactor Building Spray System and Reactor Building Cooling System SAFETY ANALYSES reduce the temperature and pressure following an accident. The limiting accidents considered are the loss of coolant accident (LOCA) and the steam line break. The postulated accidents are analyzed, with regard to containment ES systems, assuming the loss of one ES bus. This is the worst-case single active failure, resulting in one train of the Reactor Building Spray System and one train of the Reactor Building Cooling System being inoperable.

OCONEE UNITS 1, 2, & 3 B 3.6.5-2 BASES REVISION DATED 12/14/04 l

Reactor Building Spray and Cooling Systems B 3.6.5 BASES APPLICABLE The analysis and evaluation show that, under the worst-case scenario SAFETY ANALYSES (LOCA with worst-case single active failure), the highest peak containment (continued) pressure is 58.9 psig. The analysis shows that the peak containment temperature is 2850 F. Both results are less than the design values. The analyses and evaluations assume a power level of 2619 MWt, one reactor building spray train and two reactor building cooling trains operating, and initial (pre-accident) conditions of 11 0F and 16.2 psia. The analyses also assume a delayed initiation to provide conservative peak calculated containment pressure and temperature responses.

The Reactor Building Spray System total delay time of approximately 100 seconds includes Keowee Hydro Unit startup (for loss of offsite power),

reactor building spray pump startup, and spray line filling (Ref. 2).

Reactor building cooling train performance for post accident conditions is given in Reference 2. The result of the analysis is that any combination of two trains can provide 100% of the required cooling capacity during the post accident condition. The train post accident cooling capacity under varying containment ambient conditions is also shown in Reference 2.

For Unit 2, the Reactor Building Cooling System total delay time of 78 seconds includes signal delay, KHU startup (for loss of offsite power), low pressure service water pump startup and low pressure service water valve stroke times.

For Units 1 and 3, a Reactor Building Cooling System total delay time of 3 minutes includes KHU startup (for loss of offsite power) and allows all ES equipment to start before the Reactor Building Cooling Unit on the associated train is started. This improves voltages at the 600V and 208V levels for starting loads (Ref. 2).

The Reactor Building Spray System and the Reactor Building Cooling System satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).

LCO During an accident, a minimum of two reactor building cooling trains and one reactor building spray train are required to maintain the containment pressure and temperature following a LOCA. Additionally, one reactor building spray train is required to remove iodine from the containment atmosphere and maintain concentrations below those assumed in the safety analysis. To ensure that these requirements are met, two reactor building spray trains and three reactor building cooling trains must be OPERABLE in MODES 1 and 2.

In MODES 3 or 4, one reactor building spray train and two reactor building cooling trains are required to be OPERABLE. The LCO is provided with a note that clarifies this requirement. Therefore, in the event of an accident, the minimum requirements are met, assuming the worst-case single active failure occurs.

OCONEE UNITS 1, 2, & 3 B 3.6.5-3 BASES REVISION DATED 12114/04 l

Reactor Building Spray and Cooling Systems B 3.6.5 BASES LCO Each reactor building spray train shall include a spray pump, spray (continued) headers, nozzles, valves, piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the BWST (via the LPI System) upon an Engineered Safeguards Protective System signal and manually transferring suction to the reactor building sump. The OPERABILITY of RBS train flow instrumentation is not required for OPERABILITY of the corresponding RBS train because system resistance hydraulically maintains adequate NPSH to the RBS pumps and manual throttling of RBS flow is not required. However, TS 3.3.8, Required Action F.1 requires the affected RBS train to be declared inoperable when the RBS flow instrument is inoperable. A license amendment is being processed to eliminate this requirement. During an event, LPI train flow must be monitored and controlled to support the RBS train pumps to ensure that the NPSH requirements for the RBS pumps are not exceeded.

If the flow instrumentation or the capability to control the flow in a LPI train is unavailable then the associated RBS train's OPERABILITY is affected until such time as the LPI train is restored or the associated LPI pump is placed in a secured state to prevent actuation during an event.

Each reactor building cooling train shall include cooling coils, fusible dropout plates or duct openings, an axial vane flow fan, instruments, valves, and controls to ensure an OPERABLE flow path. Valve LPSW-108 shall be locked open to support system OPERABILITY.

APPLICABILITY In MODES 1, 2, 3, and 4, an accident could cause a release of radioactive material to containment and an increase in containment pressure and temperature, requiring the operation of the reactor building spray trains and reactor building cooling trains.

In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.

Thus, the Reactor Building Spray System and the Reactor Building Cooling System are not required to be OPERABLE in MODES 5 and 6.

ACTIONS The Actions are modified by a Note indicating that the provisions of LCO 3.0.4 do not apply for Unit 2 only. As a result, this allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and establishment of risk management actions, if appropriate.

OCONEE UNITS 1, 2, & 3 B 3.6.5-4 BASES REVISION DATED 12/14/04 l

Reactor Building Spray and Coolihg Systems B 3.6.5 BASES ACTIONS The risk assessment may use quantitative, qualitative, or blended (continued) approaches, and the risk assessment will be conducted using the plant program, procedures, and criteria in place to implement 10 CFR 50.65(a)(4), which requires that risk impacts of maintenance activities to be assessed and managed. The risk assessment must take into account all inoperable Technical Specifications equipment regardless of whether the equipment is included in the normal 10 CFR 50.65(a)(4) risk assessment scope. The risk assessments will be conducted using the procedures and guidance endorsed by Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." Regulatory Guide 1.1 82 endorses the guidance in Section 11 of NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." These documents address general guidance for conduct of the risk assessment, quantitative and qualitative guidelines for establishing risk management actions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the condition, actions to minimize the magnitude of risk increases (establishment of backup success paths or compensatory measures), and determination that the proposed MODE change is acceptable. Consideration should also be given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would require exiting the Applicability. The risk assessment does not have to be documented.

There is a small subset of systems and components that have been determined (Ref: B&W owners group generic qualitative risk assessments- attachment to TSTF-359, Rev. 9, "B&W owners group Qualitative Risk Assessment for Increased Flexibility in MODE Restraints," Framatome Technologies BAW-2383, October 2001.) to be of higher risk significance for which an LCO 3.0.4 exemption would not be allowed. For Oconee these are the Decay Heat Removal System (DHR) entering MODES, 5 and 4; Keowee Hydro Units entering MODES 1-5; and the emergency feedwater system (EFW) entering MODE 1. The Reactor Spray and Cooling System is not one of the higher risk significant systems noted.

The provisions of this Note should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified Condition in the Applicability.

OCONEE UNITS 1, 2, & 3 B 3.6.5-5 BASES REVISION DATED 12/14/04 l

Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS A.1 (continued)

With one reactor building spray train inoperable in MODE 1 or 2, the inoperable reactor building spray train must be restored to OPERABLE status within 7 days. In this Condition, the remaining OPERABLE spray and cooling trains are adequate to perform the iodine removal and containment cooling functions. The 7 day Completion Time takes into account the redundant heat removal capability afforded by the OPERABLE reactor building spray train, reasonable time for repairs, and the low probability of an accident occurring during this period.

The 14 day portion of the Completion Time for Required Action A.1 is based upon engineering judgment. It takes into account the low probability of coincident entry into two Conditions in this LCO coupled with the low probability of an accident occurring' during this time. Refer to Section 1.3, Completion Times, for a more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.

B.1 With one of the reactor building cooling trains inoperable in MODE 1 or 2, the inoperable reactor building cooling train must be restored to OPERABLE status within 7 days. The components in this degraded condition provide iodine removal capabilities and are capable of providing at least 100% of the heat removal needs after an accident. The 7 day Completion Time was developed taking into account the redundant heat removal capabilities afforded by combinations of the Reactor Building Spray System and Reactor Building Cooling System and the low probability of an accident occurring during this period.

The 14 day portion of the Completion Time for Required Action B.1 is based upon engineering judgment. It takes into account the low probability of coincident entry into two Conditions in this LCO coupled with the low probability of an accident occurring during this time. Refer to Section 1.3 for a more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.

C.1 With one reactor building spray train and one reactor building cooling train inoperable in MODE I or 2, at least one of the inoperable trains must be restored to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. In this Condition, the remaining OPERABLE spray and cooling trains are adequate to provide iodine removal capabilities and are capable of providing at least 100% of the heat removal needs after an accident. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time OCONEE UNITS 1, 2, & 3 B 3.6.5-6 BASES REVISION DATED 12/14/04 l

Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS C.1 (continued) takes into account the heat removal capability afforded by the remaining OPERABLE spray train and cooling trains, reasonable time for repairs, and the low probability of an accident occurring during this period.

D.1 If the Required Action and associated Completion Time of Condition A, B or C are not met, the unit must be brought to a MODE in which the LCO, as modified by the Note, does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

E.1 With one of the required reactor building cooling trains inoperable in MODE 3 or 4, the required reactor building cooling train must be restored to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is reasonable based on engineering judgement taking into account the iodine and heat removal capabilities of the remaining required train of reactor building spray and cooling.

F.1 With one required reactor building spray train inoperable in MODE 3 or 4, the required reactor building spray train must be restored to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is reasonable based on engineering judgement taking into account the heat removal capabilities of the remaining required trains of reactor building cooling.

G.1 If the Required Actions and associated Completion Times of Condition E or F of this LCO are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit OCONEE UNITS 1, 2, & 3 B 3.6.5-7 BASES REVISION DATED 12/14/04 l

Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS G.1 (continued) conditions from full power conditions in an orderly manner and without challenging unit systems.

H.1 With two reactor building spray trains, two reactor building cooling trains or any combination of three or more reactor building spray and reactor building cooling trains inoperable in MODE 1 or 2, the unit is in a condition outside the accident analysis. Therefore, LCO 3.0.3 must be entered immediately.

With any combination of two or more required reactor building spray and reactor building cooling trains inoperable in MODE 3 or 4, the unit is in a condition outside the accident analysis. Therefore, LCO 3.0.3 must be entered immediately.

SURVEILLANCE SR 3.6.5.1 REQUIREMENTS Verifying the correct alignment for manual and non-automatic power operated valves in the reactor building spray flow path provides assurance that the proper flow paths will exist for Reactor Building Spray System operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these were verified to be in the correct position prior to locking, sealing, or securing. Similarly, this SR does not apply to automatic valves since automatic valves actuate to their required position upon an accident signal. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This SR does not require any testing or valve manipulation. Rather, it involves verification, through a system walkdown, that those valves outside containment and capable of potentially being mispositioned are in the correct position.

SR 3.6.5.2 Operating each required reactor building cooling train fan unit for

> 15 minutes ensures that all trains are OPERABLE and that all associated controls are functioning properly. It also ensures that blockage, fan or motor failure, or excessive vibration can be detected for corrective action.

The 31 day Frequency was developed considering the known reliability of the fan units and controls, the three train redundancy available, and the low 0OCONEE UNITS 1, 2, & 3 B 3.6.5-8 BASES REVISION DATED 12/14/04 l

Reactor Building Spray and Cooling Systems B 3.6.5 BASES SURVEILLANCE SR 3.6.5.2 (continued)

REQUIREMENTS probability of a significant degradation of the reactor building cooling trains occurring between surveillances and has been shown to be acceptable through operating experience.

SR 3.6.5.3 Verifying that each required Reactor Building Spray pump's developed head at the flow test point is greater than or equal to the required developed head ensures that spray pump performance has not degraded during the cycle. Flow and differential pressure are normal tests of centrifugal pump performance required by Section Xl of the ASME Code (Ref. 4). Since the Reactor Building Spray System pumps cannot be tested with flow through the spray headers, they are tested on recirculation flow. This test confirms one point on the pump design curve and is indicative of overall performance. Such inservice tests confirm component OPERABILITY, trend performance, and may detect incipient failures by indicating abnormal performance. The Frequency of this SR is in accordance with the Inservice Testing Program.

SR 3.6.5.4 Verifying the containment heat removal capability provides assurance that the containment heat removal systems are capable of maintaining containment temperature below design limits following an accident. This test verifies the heat removal capability of the Low Pressure Injection (LPI)

Coolers and Reactor Building Cooling Units. The 18 month Frequency was developed considering the known reliability of the low pressure service water, reactor building spray and reactor building cooling systems and other testing performed at shorter intervals that is intended to identify the possible loss of heat removal capability.

SR 3.6.5.5 and SR 3.6.5.6 These SRs require verification that each automatic reactor building spray valve actuates to its correct position and that each reactor building spray pump starts upon receipt of an actual or simulated actuation signal. The test will be considered satisfactory if visual observation and control board indication verifies that all components have responded to the actuation signal properly; the appropriate pump breakers have closed, and all valves have completed their travel. This SR is not required for valves that are OCONEE UNITS 1, 2, & 3 B 3.6.5-9 BASES REVISION DATED 12/14/04 l

Reactor Building Spray and Cooling Systems B 3.6.5 BASES SURVEILLANCE SR 3.6.5.5 and SR 3.6.5.6 (continued)

REQUIREMENTS locked, sealed, or otherwise secured in position under administrative controls. The 18 month Frequency is based on the need to perform these Surveillances under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillances were performed with the reactor at power. Operating experience has shown that these components usually pass the Surveillances when performed at the 18 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

SR 3.6.5.7 This SR requires verification that each required reactor building cooling train actuates upon receipt of an actual or simulated actuation signal. The test will be considered satisfactory if control board indication verifies that all components have responded to the actuation signal properly, the appropriate valves have completed their travel, and fans are running at half speed. The 18 month Frequency is based on engineering judgment and has been shown to be acceptable through operating experience. See SR 3.6.5.5 and SR 3.6.5.6, above, for further discussion of the basis for the 18 month Frequency.

SR 3.6.5.8 With the reactor building spray header isolated and drained of any solution, station compressed air is introduced into the spray headers to verify the availability of the headers and spray nozzles. Performance of this Surveillance demonstrates that each spray nozzle is unobstructed and provides assurance that spray coverage of the containment during an accident is not degraded. Due to the passive nature of the design of the nozzles, a test at 10 year. intervals is considered adequate to detect obstruction of the spray nozzles.

REFERENCES 1. UFSAR, Section 3.1.

2. UFSAR, Section 6.2.
3. 10 CFR 50.36.
4. ASME, Boiler and Pressure Vessel Code,Section XI.

OCONEE UNITS 1, 2, & 3 B 3.6.5-1 0 BASES REVISION DATED 12/14/04 l

Distribution Systems - Operating B 3.8.8 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.8 Distribution Systems - Operating BASES BACKGROUND The onsite AC, DC, and AC vital electrical power distribution systems are divided into redundant and independent AC, DC, and AC vital electrical power distribution buses and panelboards.

The electrical power distribution system consists of two 4.16 kV main feeder buses each connected to three 4.16 kV Engineered Safeguards (ES) power strings, and secondary 600 V load centers; and 600 V and 208 V motor control centers. Both main feeder buses can be connected to the offsite sources or the emergency power sources. Upon a loss of power to the normal unit auxiliary transformer, the main feeder buses are transferred to the startup transformer powered from either the offsite sources through the 230 kV switchyard or the overhead emergency power path. If power is not available from the startup transformer, the main feeder buses are transferred to the standby buses powered from either the underground emergency power path or a Lee combustion turbine using a 100 kV transmission line separated from the system grid and offsite loads. Control power for the 4.16 kV breakers is supplied from the 125 VDC Vital l&C batteries. Control power for the circuit breakers in the 230 kV switchyard is provided from the 230 kV Switchyard 125 VDC batteries. Additionally, power to grid voltage protection circuits are also provided from the 230 kV switchyard 125 VDC batteries. Additional description of this system may be found in the Bases for LCO 3.8.1, 'AC Sources - Operating," and the Bases for LCO 3.8.3, *DC Sources - Operating."

The 120 VAC Vital Instrumentation panelboards are normally powered from the inverters. The alternate power supply for the vital panelboards is a regulated voltage source and its use is governed by LCO 3.8.6,

'Inverters - Operating." Each regulated voltage source is powered from a non-safety related non-load shed source.

There are four 125 VDC Vital l&C panelboards supplying power to DC loads. Each 125 VDC I&C panelboard is connected to two 125 VDC Vital l&C sources through isolating transfer diodes. Upon a loss of power from either source, power is supplied to the panelboard through the redundant source. There are two 230 kV switchyard 125 VDC sources each supplying power to three required DC panelboards.

OCONEE UNITS 1, 2, & 3 B 3.8.8-1 BASES REVISION DATED 12/14/04 l

Distribution Systems - Operating B 3.8.8 BASES (continued)

APPLICABLE The initial conditions of accidents and transient analyses in the UFSAR, SAFETY ANALYSES Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume ES systems are OPERABLE. The AC, DC, and AC vital electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ES systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded: These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

The OPERABILITY of the AC, DC, and AC vital electrical power distribution systems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining power distribution systems OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC electrical power; and
b. A worst-case single failure.

The distribution systems satisfy Criterion 3 of the 10 CFR 50.36 (Ref. 4).

LCO The AC, DC, and AC vital electrical power distribution systems are required to be OPERABLE. To be considered OPERABLE the AC Distribution System must include two energized main feeder buses capable of being automatically powered by a Keowee Hydro Unit. Each main feeder bus is considered OPERABLE if it is energized and connected to at least two ES power strings. Each of the three ES power strings is required to be energized. The three ES power Strings consist of the following:

1A) Switchgear TC 1B) Switchgear TD 1C) Switchgear TE 2A) Load Center X8 2B) Load Center X9 2C) Load Center Xl 0 3A) 600V MCC XS1, 3B) 600V MCC XS2, 3C) 600V MCC XS3, XS4 (when and XS5 (when and XS6 (when supplying safety supplying safety supplying safety related loads), related loads) related loads) and 1, 2, 3XSF 4A) 208V MCC XS1 4B) 208V MCC XS2 4C) 208V MCC XS3 and 1,2, 3XSF OCONEE UNITS 1, 2, & 3 B 3.8.8-2 BASES REVISION DATED 12/14/04 1

Distribution Systems - Operating B 3.8.8 BASES LCO Each string is considered OPERABLE if it is energized by at least one (continued) main feeder bus except when MCC 1, 2, or 3XSF is powered from load center OXSF. These MCCs would not be available during a DBA when powered from load center OXSF and therefore are considered inoperable.

An OPERABLE 125 VDC Vital l&C Distribution System must include energized 125 VDC Vital l&C panelboards DIA, DIB, DIC, and DID.

Additionally, for Units 2 and 3 only, Vital I&C panelboards 1DIC and I DID shall be energized.

To be considered OPERABLE, 230 kV switchyard 125 VDC panelboards DYA, DYB, DYC, DYE, DYF, and DYG must be energized.

An OPERABLE 120 VAC Vital Instrumentation Distribution System must include energized 120 VAC Vital Instrumentation panelboards KVIA, KVIB, KVIC, and KVID.

These distribution systems ensure the availability of AC, DC, and AC vital electrical power for the systems required to shut down the reactor and maintain it in a safe condition after a transient or accident.

Maintaining the AC, DC, and AC vital electrical power distribution systems OPERABLE ensures that the redundancy incorporated into the design of ES is not defeated. Therefore, a single failure within any system or within the electrical power distribution systems will not prevent safe shutdown of the reactor.

An OPERABLE AC electrical power distribution system requires the associated buses, ES power strings, load centers, and motor control centers to be energized to their proper voltages. OPERABLE 125 VDC Vital l&C panelboards require the panelboards to be energized to their proper voltage from either a battery or charger. OPERABLE 120 VAC Vital Instrumentation panelboards require the panelboards to be energized to their proper voltage from the associated inverter via inverted DC voltage or alternate regulated voltage source.

APPLICABILITY The electrical power distribution systems are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of accident or transients; and OCONEE UNITS 1, 2, & 3 B 3.8.8-3 BASES REVISION DATED 12/14/04 l

Distribution Systems - Operating B 3.8.8 BASES APPLICABILITY b. Adequate core cooling is provided, and containment (continued) OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

Electrical power distribution system requirements for MODES 5 and 6 are covered in the Bases for LCO 3.8.9, "Distribution Systems - Shutdown."

ACTIONS The ACTIONS are modified by a Note indicating that the Completion Times for Required Actions A through F are reduced when in Condition L of LCO 3.8.1. Condition L limits the Completion Time for restoring inoperable power sources to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> when emergency power source(s) or offsite power source(s) are inoperable for extended time periods or for specific reasons.

A.1 and B.1 With one Main Feeder bus inoperable or not connected to two ES power strings or one ES power string inoperable, the remaining portion of the AC electrical power distribution system is capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining portion of the power distribution systems could result in the minimum required ES functions not being supported. Therefore, the required AC buses, ES power strings, load centers, and motor control centers must be restored to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

Condition A and B's worst scenario is one main feeder bus and one ES power string without AC power. In this Condition, the unit is more vulnerable to a complete loss of AC power. It is, therefore, imperative that the unit operator's attention be focused on minimizing the potential for loss of power to the remaining bus or ES power strings by stabilizing the unit, and on restoring power to the affected bus or ES power string.

The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> time limit before requiring a unit shutdown in this Condition is acceptable because of:

a. The potential for decreased safety if the unit operator's attention is diverted from the evaluations and actions necessary to restore power to the affected train to the actions associated with taking the unit to shutdown within this time limit; and
b. The potential for an event in conjunction with a single failure of a redundant component.

OCONEE UNITS 1, 2, & 3 B 3.8.8-4 BASES REVISION DATED 12/14/04 l.

Distribution Systems - Operating B 3.8.8 BASES ACTIONS C.1 (continued)

With one of the unit's 125 VDC Vital l&C panelboard inoperable, the remaining 125 VDC Vital I&C panelboards are capable of supporting the minimum safety functions necessary to shutdown the reactor and maintain it in a safe shutdown condition, assuming no additional failure.

The overall reliability is reduced, however, because an additional failure in the remaining 125 VDC Vital l&C panelboards could result in the minimum required ES functions not being supported. Therefore, the 125 VDC Vital l&C panelboard must be restored to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> by powering the bus from a battery or charger.

Condition C represents one of the unit's 125 VDC Vital l&C panelboard without adequate 125 VDC Vital I&C power; potentially with both the batteries significantly degraded and the associated chargers nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all 125 VDC Vital I&C power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining panelboard(s) and restoring power to the affected panelboard(s).

This 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> limit is longer than Completion Times allowed for some of the components that are without power. Utilizing the LCO 3.0.6 exception to LCO 3.0.2 for-components without adequate 125 VDC Vital I&C power, which would have Required Action Completion Times shorter than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, is acceptable because of:

a. The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) while allowing stable operations to continue;
b. The potential for decreased safety by requiring entry into numerous applicable Conditions and Required Actions for components without DC power and not providing sufficient time for the operators to perform the necessary evaluations and actions to restore power to the affected panelboard(s); and
c. The potential for an event in conjunction with a single failure of a redundant component.

OCONEE UNITS 1, 2, & 3 B 3.8. BASES REVISION DATED 12114/04 1

Distribution Systems - Operating B 3.8.8 BASES ACTIONS D.1 (continued)

If a required 230 kV switchyard 125 VDC panelboard or combination of required panelboards which are not redundant to each other are inoperable, the required panelboard(s) shall be restored to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Loss of the remaining distribution center or a redundant panelboard could result in failure of the overhead emergency power path. In addition, in the event of grid degradation, the station and onsite emergency power sources could fail to separate from the grid.

Condition D is modified by two Notes. Note 1 indicates that Separate Condition entry is allowed for each 230 kV switchyard 125 VDC power panelboard. Note 2 indicates that Condition D is not applicable to the following loss of function combinations: DYA and DYE, DYB and DYF, and DYC and DYG.

The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is based on engineering judgement taking into consideration the time to complete the required action, the redundancy available in the 230 kV switchyard 125 VDC system, the redundancy available in the emergency power paths, and the infrequency of an actual grid system degradation.

E.1 With either panelboard 1DIC inoperable or panelboard 1DID inoperable, a single failure of the remaining panelboard would result in failure of control power for the S, SK, and SL breakers, standby bus protective relaying, and retransfer to startup logic. Within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after such a condition arises, the inoperable panelboard shall be restored. The Completion Time is based on engineering judgement taking into consideration the time to complete the required action and the redundancy available in the Vital l&C DC System and AC electrical power system.

This Condition is modified by a Note indicating that it is only applicable to Units 2 and 3. For Unit 1 the appropriate action is specified in ACTION C.

OCONEE UNITS 1, 2, & 3 B 3.8.8-6 BASES REVISION DATED 12/14/04 l

Distribution Systems - Operating B 3.8.8 BASES ACTIONS F.1 and F.2 (continued)

With one 120 VAC Vital Instrumentation power panelboard inoperable, the remaining three OPERABLE 120 VAC Vital Instrumentation power panelboards are capable of supporting the minimum safety functions necessary to shut down the unit and maintain it in the safe shutdown condition. Overall reliability is reduced, however, since an additional single failure could result in the minimum required functions not being supported. Therefore, the inoperable 120 VAC Vital Instrumentation power panelboard must be restored to OPERABLE status within 4 or 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> dependent upon which panelboard is inoperable. The Completion Time for restoring panelboard KVIA or KVIB is limited to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> since these panelboards power the digital Engineered Safeguards Protective System (ESPS) channels and they cannot actuate without power. The Completion Time for restoring KVIC or KVID is 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

Condition F represents one 120 VAC Vital Instrumentation panelboard without power; potentially both the 125 VDC Vital l&C source and the alternate AC source are nonfunctioning. In this situation the unit is significantly more vulnerable to a complete loss of all 120 VAC Vital Instrumentation panelboards. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining 120 VAC Vital Instrumentation panelboards and restoring power to the affected 120 VAC Vital Instrumentation panelboard.

The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> and 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> limits are longer than Completion Times allowed for some of the components that are without adequate vital AC power.

Utilizing the LCO 3.0.6 exception to LCO 3.0.2 for components without adequate vital AC power, that would have the Required Action Completion Times shorter than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> or 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> if declared inoperable, is acceptable because of:

a. The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) and not allowing stable operations to continue;
b. The potential for decreased safety by requiring entry into numerous applicable Conditions and Required Actions for components without adequate vital AC power and not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected train; and
c. The potential for an event in conjunction with a single failure of a redundant component.

OCONEE UNITS 1, 2, & 3 B 3.8.8-7 BASES REVISION DATED 12/14/04 l

Distribution Systems - Operating B 3.8.8 BASES ACTIONS F.1 and F.2 (continued)

The digital ESPS channels are powered from KVIA and KVIB, and cannot actuate without power. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time takes into account the importance to safety of restoring the 120 VAC Vital Instrumentation panelboards to OPERABLE status, the redundant capability afforded by the other OPERABLE 120 VAC Vital Instrumentation panelboards, and the low probability of an accident occurring during this period.

Panelboards KVIC and KVID supply some loads which trip upon loss of power. For example, RPS channels and ES analog channels go to a tripped state upon loss of power. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time takes into account the importance to safety of restoring the 120 VAC Vital Instrumentation panelboards to OPERABLE status, the redundant capability afforded by the other OPERABLE 120 VAC Vital Instrumentation panelboards, and the low probability of an accident occurring during this period.

G.1 and G.2 If the Required Action and associated Completion Time are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and to MODE 5 within 84 hours9.722222e-4 days <br />0.0233 hours <br />1.388889e-4 weeks <br />3.1962e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

H.1 Condition H corresponds to a level of degradation in the electrical distribution system that causes a required safety function to be lost.

When more than one Condition is entered, and this results in the loss of a required safety function, the plant is in a condition outside the accident analysis. Therefore, no additional time is justified for continued operation.

LCO 3.0.3 must be entered immediately to commence a controlled shutdown.

OCONEE UNITS 1, 2, &3 B 3.8.8-8 BASES REVISION DATED 12/14/04 l

Distribution Systems - Operating B 3.8.8 BASES (continued)

SURVEILLANCE SR 3.8.8.1 REQUIREMENTS This Surveillance verifies that the main feeder buses are functioning properly, with the correct circuit breaker alignment. The correct breaker alignment ensures the appropriate separation and independence is maintained, and the appropriate voltage is available to each required bus.

The verification of proper voltage availability on the buses ensures that the required voltage is readily available for motive as well as control functions for critical system loads connected to these buses. The 7 day Frequency takes into account the redundant capability of the AC, DC, and AC vital electrical power distribution systems, and other indications available in the control room that alert the operator to system malfunctions.

SR 3.8.8.2 This Surveillance verifies that the required AC, DC, and AC vital electrical power distribution systems are functioning properly, with the correct circuit breaker alignment. The correct breaker alignment ensures the appropriate separation and independence is maintained, and the appropriate voltage is available to each ES power string and panelboard.

The verification of voltage availability on the ES power strings, and panelboards ensures that voltage is readily available for motive as well as control functions for critical system loads connected to the ES power strings, and panelboards. Verification of voltage availability may be accomplished by observing alarm conditions, status lights or by confirming proper operation of a component supplied from each ES power string or panelboard. The 7 day Frequency takes into account the redundant capability of the AC, DC, and AC vital electrical power distribution systems, and other indications available in the control room that alert the operator to system malfunctions.

REFERENCES 1. UFSAR, Chapter 6.

2. UFSAR, Chapter 15.
3. Regulatory Guide 1.93, December 1974.
4. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.8.8-9 BASES REVISION DATED 12/14/04 l CONTROL ROD Group Alignment Limits B 3.1.4 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.4 CONTROL ROD Group Alignment Limits BASES BACKGROUND The OPERABILITY (e.g., trippability) of the CONTROL RODS is an initial condition assumption in all safety analyses that assume rod insertion upon reactor trip. Maximum rod misalignment is an initial condition assumption in the safety analysis that directly affects core power distributions and assumptions of SDM. An inoperable CONTROL ROD that is unable to respond to positioning signals from the Rod Drive Control System may still meet its SDM capabilities if it is capable of responding to a valid trip signal (i.e., inoperable but trippable). It would, however, have the potential to adversely affect core power distribution due to its inability to maintain itself within the group average. An inoperable CONTROL ROD which is not

'trippable" would satisfy neither the capacity to supply SDM requirements nor the ability to maintain itself in alignment with the group to assure acceptable core power distribution.

The applicable criteria for these design requirements are ONS Design Criteria (Ref. 1) and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Plants" (Ref. 2).

Mechanical or electrical failures may cause a CONTROL ROD to become inoperable or to become misaligned from its group. CONTROL ROD inoperability or misalignment may cause increased power peaking, due to the asymmetric reactivity distribution and a reduction in the total available CONTROL ROD worth for reactor shutdown. Therefore, CONTROL ROD alignment and OPERABILITY are related to core operation within design power peaking limits and the core design requirement of a minimum SDM.

Limits on CONTROL ROD alignment and OPERABILITY have been established, and all CONTROL ROD positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.

Iroller nut assembly CONTROL RODS are moved by their control rod drive mechanisms I (CRDMs). Each CRDM moves its rod 3/4 inch for one revolution of the la crw but at different rates 6og and run) depending on the signal output from the Rod Drive Control System (RDCS).

OCONEE UNITS 1, 2, & 3 B 3.1.4-1 (A ndm Nos. 3,0, 300Q 30 IBASES REVISION DATED XX/XX/04 I

CONTROL ROD Group Alignment Limits ltransducer (absolute position or relative position is L - B 3.1.4 BASES selectable for display on one position indication meter)

BACKGROUND The CONTROL RODS are arranged into rod groups that are radially (continued) symmetric. Therefore, movement of the CONTROL RODS does not introduce radial asymmetries in the core power distribution. The CONTROL RODS provide required negative reactivity worth for immediate For Unit(s) with reactor shutdown upon a reactor trip. The regulating rods provide reactivity CRDCS digital control during normal operation and transients, and their movement is upgrade not normally governed by the Integrated Control System.

complete, The axial position of CONTROL RODS is indicated by two separate and

\ independent systems, which are the relative position indicator transducers (for Unit(s) with and the absolute position indicator transducers (see LCO 3.1.7, 'Position CRDCS digital Indicator Channels').

upgrade not complete, when the relative position indicator transducer is a potentiom aligned to the pulse stepping motor that is driven b the RDCS.

same power T 4rp is one relative osition d r or each CONTROL ROD drive.

supply), Individual rods in a group w n all igne o t sa e p er pply, r rur UnnMI) WILmI

receive the same signal to move; therefore, the counters for all rods in a group should normally indicate the same position. The Relative Position CRDCS digital upgrade Indicator S stem is considered highly precise (one rotation of the complete, the- l~a-d~c-r;W's13V4 inch in rod motion). However, if a rod does not move for relative position each demand pulse, the counteftill still count the pulse and incorrectly indication is reflect the position of th o processed by a Programmable Logic Controller The Absolute Position Indicator System provides an accurate indication of (PLC) which actual CONTROL ROD position, but at a lower precision than the relative counts sequential position indicators. This system is based on id tivk nalog signals from electrical pulses a series of reed switches. I roller nut assembly will result in l sent to the CRD I motor stator.

APPLICABLE CONTROL ROD misalignment and inoperability are analyzed in the I

SAFETY ANALYSES safety analysis (Ref. 3). The criteria for addressing CONTROL ROD inoperability or misalignment are that: I If- I In;#1r%.. ith rlrre tlul VillikQ1 VVIL& %JFu;%>

Hinit -1 --

U11yILUl ujJ91auW Fac 4 I complete) or PLC (for Unit(s) with CRDCS

a. There shall be no violations of: digital upgrade complete)
1. specified acceptable fuel design limits, or
2. Reactor Coolant System (RCS) pressure boundary damage; and
b. The core must remain subcritical after accident transients, except for a main steam line break (MSLB). The analysis results for a MSLB with a coincident failure of the most reactive rod to insert results in a return to criticality.

OCONEE UNITS 1, 2, & 3 B 3.1.4-2 IBA,$l5REY1!§ION DP9?ED 70/00O I IBASES REVISION DATED XX/XX/04 j

CONTROL ROD Group Alignment Limits B 3.1.4 BASES APPLICABLE Two types of misalignment are distinguished. During movement of a SAFETY ANALYSES CONTROL ROD group, one rod may stop moving, while the other rods in (continued) the group continue. This condition may cause excessive power peaking.

The second type of misalignment occurs when one CONTROL ROD drops partially or fully into the reactor core. With [CS in manual, this event causes an initial power reduction followed by a return towards the original power due to positive reactivity feedback from the negative moderator temperature coefficient. Increased peaking during the power increase may result in excessive local linear heat rates (LHRs).

The accident analysis and reload safety evaluations define regulating rod position limits that ensure the required SDM can always be achieved if the maximum worth CONTROL ROD is stuck fully withdrawn (Ref. 3). If a CONTROL ROD is stuck in or dropped in, continued operation is permitted.

The Required Action statements in the LCOs provide conservative reductions in THERMAL POWER and verification of SDM to ensure continued operation remains within the bounds of the safety analysis (Ref. 3).

The CONTROL ROD group alignment limits satisfy Criterion 2 of 10 CFR 50.36 (Ref. 4).

LCO The limits on CONTROL ROD group alignment, safety rod position, and APSR alignment, together with the limits on regulating rod position, AXIAL POWER IMBALANCE, and QPT, ensure the reactor will operate within the fuel design criteria. The Required Actions in these LCOs ensure that deviations from the alignment limits will either be corrected or that THERMAL POWER will be adjusted, so that excessive local LHRs will not occur and the requirements on SDM and ejected rod worth are preserved.

The limit for individual CONTROL ROD misalignment is 6.5% (9 inches) deviation from the group average position. This value is established, based on the distance between reed switches, with additional allowances for uncertainty in the equipment used to determine this value. For the purpose of complying with this LCO, the position of a misaligned rod is not included in the calculation of the rod group average position.

Failure to meet the requirements of this LCO may produce unacceptable power peaking factors and LHRs, or unacceptable SDM or ejected rod worth, all of which may constitute initial conditions inconsistent with the safety analysis.

OCONEE UNITS 1, 2, & 3 B 3.1.4-3 A ndP nNos. 3 300. 00 IBASES REVISION DATED XX/XX/04

CONTROL ROD Group Alignment Limits B 3.1.4 BASES (continued)

APPLICABILITY The requirements on CONTROL ROD OPERABILITY and alignment are applicable in MODES 1 and 2 because these are the only MODES in which significant neutron (or fission) power is generated, and the OPERABILITY (i.e., trippability) and alignment of rods have the potential to affect the safety of the unit. In MODES 3, 4, 5, and 6, the alignment limits do not apply because the reactor is shut down and resultant local power peaking would not exceed fuel design limits. In MODES 3, 4, 5 and 6, the OPERABILITY of the CONTROL RODS has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron concentration of the RCS. See LCO 3.1.1, "SHUTDOWN MARGIN (SDM)," for SDM in MODES 3, 4, and 5, and LCO 3.9.1, "Boron Concentration," for boron concentration requirements during MODE 6.

ACTIONS A.1 For Unit(s) with the CRDCS digital upgrade not complete,.

Alignment of the inoperable or misaligned CONTROL ROD may be accomplished by either moving the single CONTROL ROD to the group average position, or by moving the remainder of the group to the position of For Unit(s) with CRDCS the single inoperable or misaligned CONTROL ROD. Either action can be digital upgrade used to restore the CONTROL RODS to a radially symmetric pattern. e complete, alignment of the inoperable or However, this must be done without violating the CONTROL ROD group misaligned CONTROL sequence, overlap, and position limits of LCO 3.2.1, "Regulating Rod ROD must be Position Limits," given in the COLR. THERMAL POWER must also be accomplished by restricted, as necessary, to the value allowed by the position limits of moving the single LCO 3.2.1. The required Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is acceptable because CONTROL ROD to the local xenon redistribution dunn this short interval will no group average position to restore the significant increase in LHR. lion of inserting the group to the CONTROL RODS to a position of the misaligned rod is not available if a safety rod is misaligned, radially symmetric since the limits of LCO 3.1.5, "Safety Rod Position Limits," would be pattem. violated.

A.2.1.1 Compliance with Required Actions of Condition A allows for continued power operation with one CONTROL ROD declared inoperable due to inoperable position indication but trippable, or misaligned from its group average position. These Required Actions comprise the final alternate for Condition A.

I If realignment of the CONTROL ROD to the roup average or alignment of the group to the misaligned CONTROL RO Ds not completed within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (Required Action A.1 not met), the rod shall be considered inoperable.

Since the rod may be inserted farther than the group average position for a (for Unit(s) with CRDCS digital upgrade not complete)

OCONEE UNITS 1, 2, & 3 B 3.1.4-4 I Amd'idmeR(Nos. 30C(300.AOO I lBASES REVISION DATED XX/XX/04

CONTROL ROD Group Alignment Limits B 3.1.4 BASES ACTIONS A.2.1.1 (continued) long time, SDM must be evaluated. Ensuring the SDM meets the minimum requirement specified in the COLR within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter is adequate to determine that SDM requirements are met.

A.2.1.2 Restoration of the required SDM requires increasing the RCS boron concentration, since the CONTROL ROD may remain misaligned and not be providing its normal negative reactivity on tripping. RCS boration must occur as described in Bases Section 3.1.1. The required Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to initiate boration is reasonable, based on the time required for potential xenon redistribution, the low probability of an accident occurring, and the steps required to complete the action. This allows the operator sufficient time for aligning the required valves and starting the boric acid pumps. Boration will continue until the required SDM is restored.

A.2.2 Reduction of THERMAL POWER to < 60% ALLOWABLE THERMAL POWER ensures that local LHR increases, due to a misaligned rod, will not cause the core design criteria to be exceeded. The required Completion Time of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> allows the operator sufficient time for reducing THERMAL POWER.

A.2.3 Reduction of the nuclear overpower trip setpoints, based on flux and flux/flow imbalance, to < 65.5% ALLOWABLE THERMAL POWER, after THERMAL POWER has been reduced to 60% ALLOWABLE THERMAL POWER, maintains both core protection and an operating margin at reduced power similar to that at RTP. The required Completion Time of 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> allows the operator 8 additional hours after completion of the THERMAL POWER reduction in Required Action A.2.2.1 to adjust the trip setpoints.

OCONEE UNITS 1, 2, & 3 B 3.1.4-5 A ndme Nos. 3 300.700 l BASES REVISION DATED XX/XX/04 ]

CONTROL ROD Group Alignment Limits B 3.1.4 BASES ACTIONS A.2.4 (continued)

The existing CONTROL ROD configuration must not cause an ejected rod to exceed the limit of 0.18% Ak/k at RTP, 0.36% Ak/k at 80% RTP, or 0.7% Ak/k at zero power. This evaluation may require a computer calculation of the maximum ejected rod worth based on nonstandard configurations of the CONTROL ROD groups. The evaluation must determine the ejected rod worth for the duration of time that operation is expected to continue with a misaligned rod. Should fuel cycle conditions at some later time become more bounding than those at the time of the rod misalignment, additional evaluation will be required to verify the continued acceptability of operation. The required Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is acceptable because LHRs are limited by the THERMAL POWER reduction and sufficient time is provided to perform the required evaluation.

B.1 If the Required Actions and associated Completion Times for Condition A are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is reasonable, based on operating experience, for reaching MODE 3 from RTP in an orderly manner and without challenging unit systems.

C.1.1 More than one trippable CONTROL ROD becoming inoperable or misaligned, or both inoperable but trippable and misaligned from their group average position, is not expected and may violate the minimum SDM requirement. Therefore, SDM must be evaluated. Ensuring the SDM meets the minimum requirement within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> allows the operator adequate time to determine the SDM.

C.1.2 If the SDM is less than the limit, then the restoration of the required SDM requires increasing the RCS boron concentration to provide negative reactivity. RCS boration must occur as described in Bases Section 3.1.1.

The required Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> for initiating boration is reasonable, based on the time required for potential xenon redistribution, the low probability of an accident occurring, and the steps required to OCONEE UNITS 1, 2, & 3 B 3.1.4-6 Arndme s os. 31313, /313 BASES REVISION DATED XX/XX/04

CONTROL ROD Group Alignment Limits B 3.1.4 BASES ACTIONS C.1.2 (continued) complete the action. This allows the operator sufficient time for aligning the required valves and starting the boric acid pumps. Boration will continue until the required SDM is restored. If more than one trippable CONTROL ROD is inoperable or misaligned from their group average position, continued operation of the reactor may cause the misalignment to increase, as the regulating rods insert or withdraw to control reactivity. If the CONTROL ROD misalignment increases, local power peaking may also increase, and local LHRs will also increase if the reactor continues operation at THERMAL POWER. The SDM is decreased when one or more CONTROL RODS become inoperable at a given THERMAL POWER level, or if one or more CONTROL RODS become misaligned by insertion from the group average position.

Therefore, it is prudent to place the reactor in MODE 3. LCO 3.1.4 does not apply in MODE 3 since excessive power peaking cannot occur. The allowed Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is reasonable, based on operating experience, for reaching MODE 3 from RTP in an orderly manner and without challenging unit systems.

D.1.1 and D.1.2 When one or more rods are untrippable, the SDM may be adversely affected. Under these conditions, it is important to determine the SDM and, if it is less than the required value, initiate boration until the required SDM is recovered. The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is adequate for determining SDM and, if necessary, for initiating emergency boration to restore SDM.

In this situation, SDM verification must include the worth of the untrippable rod as well as a rod of maximum worth.

D.2 If the untrippable rod(s) cannot be restored to OPERABLE status, the unit must be brought to a MODE or condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

OCONEE UNITS 1, 2, & 3 B 3.1.4-7 Am, dme m os. 30 300, 300 I BASES REVISION DATED XX/XX/04

CONTROL ROD Group Alignment Limits B 3.1.4 BASES ACTIONS D.2 (continued)

The allowed Completion Time is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.1.4.1 REQUIREMENTS Verification that individual CONTROL RODS are aligned within 6.5% of their group average height limits at a 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency allows the operator to detect a rod that is beginning to deviate from its expected position. The specified Frequency takes into account other CONTROL ROD position information that is continuously available to the operator in the control room, so that during actual CONTROL ROD motion, deviations can immediately be detected.

SR 3.1.4.2 Verifying each CONTROL ROD is OPERABLE would require that each rod be tripped. However, in MODES 1 and 2, tripping each CONTROL ROD could result in radial tilts. Exercising each individual CONTROL ROD every 92 days provides increased confidence that all rods continue to be OPERABLE without exceeding the alignment limit, even if they are not regularly tripped. Moving each CONTROL ROD by an amount in an mechanical direction sufficient to demonstrate the absence of Et will not cause radial or axial power tilts, or oscillations, to occur. The 92 day Frequency takes into consideration other information available to the operator in the control room and SR 3.1.4.1, which is performed more frequently and adds to the determination of OPERABILITY of the rods.

Between required performances of SR 3.1.4.2 (determination of CONTROL ROD OPERABILITY by movement), if a CONTROL ROD(S) is discovered to be immovable, but is determined to be trippable and aligned, the CONTROL ROD(S) is considered to be OPERABLE. At any time, if a CONTROL ROD(S) is immovable, a determination of the trippability (OPERABILITY) of the CONTROL ROD(S) must be made, and appropriate action taken.

SR 3.1.4.3 Verification of CONTROL ROD drop time allows the operator to determine that the maximum CONTROL ROD drop time permitted is consistent with the assumed CONTROL ROD drop time used in the safety analysis. The OCONEE UNITS 1, 2, & 3 B 3.1.4-8 (Aredineros. 30, 3009, 300 BASES REVISION DATED XXIXX/04--I

CONTROL ROD Group Alignment Limits B 3.1.4 BASES SURVEILLANCE SR 3.1.4.3 (continued)

REQUIREMENTS (continued) rod drop time given in the safety analysis is 1.66 seconds at reactor coolant 1*-

full flow conditions and

  • 1.40 seconds at no flow conditions to 33/44 insertion (for Unit(s) with CRDCS (Ref. 5). The zone reference light-Fwill activate at 3/4 insertion to give an digital upgrade not indication of the CONTROL ROD drop time and CONTROL ROD location.

complete) or zone Measuring CONTROL ROD drop times, prior to reactor criticality after reference switch (for Unit(s) with CRDCS reactor vessel head removal, ensures that the reactor internals and CRDM digital upgrade complete) will not interfere with CONTROL ROD motion or CONTROL ROD drop

. time. This Surveillance is performed during a unit outage, due to the unit conditions needed to perform the SR and the potential for an unplanned unit transient if the Surveillance were performed with the reactor at power.

This testing is normally performed with all reactor coolant pumps operating to simulate a reactor trip under actual conditions.

REFERENCES 1. UFSAR, Section 3.1.

2. 10 CFR 50.46.
3. UFSAR, Chapter 15.
4. 10 CFR 50.36.
5. UFSAR, Section 15.7.3.

OCONEE UNITS 1, 2, & 3 B 3.1.4-9 I Ar~pelidmeptlros. 30Y,/300,,e3001 BASES REVISION DATED XXIXX04 I

APSR Alignment Limits B 3.1.6 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.6 AXIAL POWER SHAPING ROD (APSR) Alignment Limits BASES BACKGROUND The OPERABILITY of the APSRs and APSR alignment are initial condition assumptions in the safety analysis that directly affect core power distributions. The applicable criteria for these power distribution design requirements are ONS Design Criteria (Ref. 1), and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 2).

Mechanical or electrical failures may cause an APSR to become inoperable or to become misaligned from its group. APSR inoperability or misalignment may cause increased power peaking, due to the asymmetric reactivity distribution. Therefore, APSR alignment and OPERABILITY are related to core operation within design power peaking limits.

Limits on APSR alignment and OPERABILITY have been established, and all APSR positions are monitored and controlled during power operation to ensure that the power distribution limits defined by the design peaking limits are preserved.

roller nut

] APSRs are moved by their control rod drive mechanisms (CRDMs). Each CRDM moves its rod 3/4 inch for one revolution of theagcr fbut at assembly different rates (og and run) depending on the signal outp the Rod Control Drive System.

The APSRs are arranged into a group that is radially symmetric.

Therefore, movement of the APSRs does not introduce radial asymmetries in the core power distribution. The APSRs, which are used to assist in control of the axial power distribution, are positioned manually and do not trip.

APPLICABLE There are no explicit safety analyses associated with mis-aligned APSRs.

SAFETY ANALYSES However, alignment of the APSRs is required to prevent inducing a QUADRANT POWER TILT. The LCOs governing APSR misalignment are provided because the power distribution analysis supporting LCO 3.2.1, LCO 3.2.2, and LCO 3.2.3 assumes the rods are aligned.

During movement of an APSR group, one rod may stop moving while the other rods in the group continue. This condition may cause excessive power peaking. The reload safety evaluations define APSR alignment OCONEE UNITS 1, 2, & 3 B 3.1.6-1 Ape dmepf os. 30z2, 300,X 300 IBASES REVISION DATED XXIX

APSR Alignment Limits B 3.1.6 BASES APPLICABLE Dimits that allow APSRs to be positioned anywhere within the operating SAFETY ANALYSES band and the increase in local LHR is within the design limits. The (continued) Required Actions provide a conservative approach to ensure that continued operation remains within the bounds of the safety analysis. No safety analyses take credit for movement of the APSRs.

The APSR alignment limits satisfy Criterion 2 of 10 CFR 50.36 (Ref. 3).

LCO The limits on CONTROL ROD group alignment, safety rod position, and APSR alignment, together with the limits on regulating rod position, AXIAL POWER IMBALANCE, and QPT, ensure the reactor will operate within the fuel design criteria. The Required Action in this LCO ensures deviations from the alignment limits will be adjusted so that excessive local LHRs will not occur.

The limit for individual APSR misalignment is 6.5% (9 inches) deviation from the group average position. This value is established based on the distance between reed switches, with additional allowances for uncertainty in the equipment used to determine this value.

Failure to meet the requirements of this LCO may produce unacceptable power peaking factors, and LHRs, which may constitute initial conditions inconsistent with the safety analysis.

APPLICABILITY The requirements on APSR OPERABILITY and alignment are applicable in MODES 1 and 2, when the APSRs are not fully withdrawn because these are the only MODES in which significant neutron (or fission) power is generated, and the OPERABILITY and alignment of APSRs have the potential to affect the safety of the unit. OPERABILITY and alignment of the APSRs are not required when they are fully withdrawn because they do not influence core power peaking. In MODES 3, 4, 5, and 6, the alignment limits do not apply because the reactor is shut down and excessive local LHRs cannot occur from APSR misalignment.

ACTIONS A.1 The ACTIONS described below are required if one APSR is declared inoperable due to inoperable position indication or is misaligned. The unit is not allowed to operate with more than one inoperable or misaligned APSR. This would require the reactor to be placed in MODE 3, in accordance with LCO 3.0.3.

OCONEE UNITS 1, 2, & 3 B 3.1.6-2 [A dme fos. 30 , 300, 300 lBASES REVISION DATED XX/XX/04 r

APSR Alignment Limits B 3.1.6 BASES ACTIONS A.1 (continued)

For Unit(s) with the *Xnalternative to realigning a single inoperable or misaligned APSR to the CRDCS digital upgrade group average position is to align the remainder of the APSR group to the not complete, position of the inoperable or misaligned APSR. This restores the alignment requirements. Deviations up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> will not cause significant xenon redistribution to occur.

The reactor may continue in operation with the APSR inoperable or misaligned if the limits on AXIAL POWER IMBALANCE are surveilled within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> to determine if the AXIAL POWER IMBALANCE is still within limits. Also, since any additional movement of the APSRs may result in additional imbalance, Required Action A.1 also requires the AXIAL POWER IMBALANCE surveillance to be performed again within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> after each APSR movement. The required Completion Time of up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> will not cause significant xenon redistribution to occur.

B.1 The unit must be brought to a MODE in which the LCO does not apply if the Required Actions and associated Completion Times cannot be met. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is reasonable, based on operating experience, for reaching MODE 3 from RTP in an orderly manner and without challenging unit systems. In MODE 3, APSR alignment limits are not required because the reactor is not generating significant THERMAL POWER and excessive local LHRs cannot occur from APSR misalignment.

SURVEILLANCE SR 3.1.6.1 REQUIREMENTS Verification at a 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency that individual APSR positions are within 6.5% of the group average height limits allows the operator to detect an APSR beginning to deviate from its expected position. In addition, APSR position is continuously available to the operator in the control room so that during actual APSR motion, deviations can immediately be detected.

OCONEE UNITS 1, 2, & 3 B 3.1.6-3 A ndme os. 30 ,300, 300 BASES REVISION DATED XX/XX/04

APSR Alignment Limits B 3.1.6 BASES (continued)

REFERENCES 1. UFSAR, Section 3.1.

2. 10 CFR 50.46.
3. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B3.1.6-4 A ndme 300, Wos.3, 300 lBASES REVISION DATED XX/XX/04 I/

Position Indicator Channels B 3.1.7 B 3.1 REACTIVITY CONTROL B 3.1.7 Position Indicator Channels BASES BACKGROUND According to ONS Design Criteria (Ref. 1), instrumentation to monitor variables and systems over their operating ranges during normal operation, anticipated operational occurrences, and accident conditions must be OPERABLE. LCO 3.1.7 is required to ensure OPERABILITY of the CONTROL ROD and APSR position indicators, and thereby ensure compliance with the CONTROL ROD alignment and position limits and APSR alignment limits.

The OPERABILITY of the CONTROL RODS is an initial condition assumption in all safety analyses that assume rod insertion upon reactor trip. Maximum rod misalignment for the CONTROL RODS is assumed in the safety analysis, which directly affect core power distributions and assumptions of available SDM.

Mechanical or electrical failures may cause a CONTROL ROD or APSR to become misaligned from its group. CONTROL ROD or APSR misalignment may cause increased power peaking, due to the asymmetric reactivity distribution and a reduction in the total available CONTROL ROD worth for reactor shutdown. Therefore, CONTROL ROD and APSR alignment are related to core operation within design power peaking limits and the core design requirement of a minimum SDM. CONTROL ROD and APSR position indication is needed to assess rod OPERABILITY and alignment.

Limits on CONTROL ROD and APSR alignment and group position have been established, and all CONTROL ROD and APSR positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.

Two methods of CONTROL ROD and APSR position indication are provided in the Rod Drive Control System. The two means are by absolute position indicator and relative position indicator transducers. The absolute position indicator transducer consists of a series of magnetically operated reed switches mounted in a tube parallel to the control rod drive mechanism (CRDM) motor tube extension.

OCONEE UNITS 1, 2, & 3 B 3.1.7-1 BUSES RAISONAATEI/06/2 02 ]I BASES REVISION DATED xx/xx/04

Position Indicator Channels B 3.1.7 eac BASES BACKGROL JND Switch contacts close when a permanent magnet mounted on the (continued) )upperen CONTROL ROD and APSR assembly (CRA) leadscrew extension comes near. As the leadscrew and CONTROL ROD or APSR For Unit(s) move, the switches operate sequentially, producing an analog voltage with CRDCS proportional to position. Other reed switches included in the same tube digital upgrade with the absolute position indicator matrix provide full in and full out limit not complete, indications, and absolute position indications at 0%, 25%, 50%, 75%,

and 100% travel. This series of seven indicators are called zone reference indicators.-rWhe relative position indicator transducer is a potentiometer, driven by a pulse stepping motor that produces a signal proportional to For Unit(s) with CONTROL ROD or APSR position, based on the electrical pulse steps that CRDCS digital drive the CRDM. t I The jI upgrade complete I The relative position indicatiorI is processed by aI Programmable l divid~er Tcjftuit made Of ofh48 riesistgrrs of equaV61lu conrJted i eis Logic Controller l ne e, of 48 ree~sice isionected aya junto etee a f (PLC) that l heistors, so~tita the man'et mountyd ontelzdsrwMv, produces a signalI proportional to The type R4C (redundant four channel) absolute position indicator CONTROL ROD or transducer has two parallel sets of voltage divider circuits made up of APSR position, 36 resistors each, connected in series (channels A and B). One end of based on the 36 reed switches is connected at a junction between each of the resistors electrical pulse of the two parallel circuits. The reed switches making up each circuit are steps that drive tlie offset, such that the switches for channel A are staggered with the switches CRDM. for channel B. The type R4C is designed such that either two or three reed switches are closed in the vicinity of the magnet. By its design, the type R4C absolute position indicator provides redundancy, with the two three sequence of pickup and drop out of reed switches to enable a continuity of position signal when a single reed switch fails to close. Lug CONTROL ROD and APSR position indicating readout devices located in the control room consist of single rod position meters on a position indication panel. A selector switch permits either relative or absolute position indication to be displayed. Indicator lights are provided on the position indication panel to indicate when each CONTROL ROD or APSR is fully withdrawn, fully inserted, or enabled, and whether a rod position asymmetry alarm condition is present. Alternate indicators show full insertion, full withdrawal, and under control for each CONTROL ROD and APSR group.

OCONEE UNITS 1, 2, & 3 B 3.1.7-2 IB/AES R1lSONAATE!/06/2Rf2II BASES REVISION DATED xx/xxI04

Position Indicator Channels B 3.1.7 BASES (continued)

APPLICABLE CONTROL ROD and APSR position accuracy is essential during SAFETY ANALYSES power operation. Power peaking, ejected rod worth, or SDM limits may be violated in the event of a Design Basis Accident (Ref. 2) with CONTROL RODS or APSRs operating outside their limits undetected. CONTROL ROD and APSR positions must be known in order to verify the core is operating within the group sequence, overlap, design peaking limits, ejected rod worth, and with minimum SDM (LCO 3.1.5, "Safety Rod Position Limits" and LCO 3.2.1, "Regulating Rod Position Limits").

CONTROL ROD and APSR positions must be known in order to verify the alignment limits are preserved (LCO 3.1.4, "CONTROL ROD Group Alignment Limits" and LCO 3.1.6, 'AXIAL POWER SHAPING ROD (APSR)

Alignment Limits"). CONTROL ROD and APSR positions are continuously monitored to provide operators with information that ensures the unit is operating within the bounds of the accident analysis assumptions.

The CONTROL ROD and APSR position indicator channels satisfy Criterion 2 of 10 CFR 50.36 (Ref. 3).

LCO LCO 3.1.7 specifies that one position indicator channel be OPERABLE for each CONTROL ROD and APSR.

This requirement ensures that CONTROL ROD and APSR position indication during MODES 1 and 2 and PHYSICS TESTS is accurate, and that design assumptions are not challenged. OPERABILITY of the position indicator channel ensures that inoperable, misaligned, or mispositioned CONTROL RODS or APSRs can be detected. Therefore, power peaking and SDM can be controlled within acceptable limits.

APPLICABILITY In MODES 1 and 2, OPERABILITY of the position indicator channel is required, since the reactor is, or is capable of, generating THERMAL POWER in these MODES. In MODES 3, 4, 5, and 6, Applicability is not required because the reactor is shut down with the required minimum SDM and is not generating THERMAL POWER.

ACTIONS A.1 If the required position indicator channel is inoperable for one or more rods, the position of the CONTROL ROD or APSR is not known with certainty.

Therefore, each affected CONTROL ROD or APSR must be declared inoperable, and the limits of LCO 3.1.4 or LCO 3.1.6 apply. The required OCONEE UNITS 1, 2, & 3 B 3.1.7-3 tBUSES ,ROISONAATED?06/25/021' l BASES REVISION DATED xxlxx/04

Position Indicator Channels B 3.1.7 BASES (continued)

ACTIONS A.1 (continued)

Completion Time for declaring the rod(s) inoperable is immediately.

Therefore, LCO 3.1.4 or LCO 3.1.6 is entered immediately, and the required Completion Times for the appropriate Required Actions in those LCOs apply without delay.

SURVEILLANCE SR 3.1.7.1 REQUIREMENTS A CHANNEL CHECK of the required position indication channel ensures that position indication for each CONTROL ROD and APSR remains OPERABLE and accurate. This CHANNEL CHECK will detect gross failures. The required Frequency of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is adequate for verifying that no degradation in system OPERABILITY has occurred.

REFERENCES 1. UFSAR, Section 3.1.

2. UFSAR, Chapter 15.
3. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.1.7-4 [ BJES RyOISON1ATE9V06/2V02 ]I I BASES REVISION DATED xx/xx/O4 l

RPS Instrumentation B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Protective System (RPS) Instrumentation BASES BACKGROUND The RPS initiates a reactor trip to protect against violating the core fuel design limits and the Reactor Coolant System (RCS) pressure boundary during anticipated transients. By tripping the reactor, the RPS also assists the Engineered Safeguards (ES) Systems in mitigating accidents.

The protective and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as the LCOs on other reactor system parameters and equipment performance.

The LSSS, defined in this Specification as the Allowable Value, in conjunction with the LCOs, establishes the threshold for protective system action to prevent exceeding acceptable limits during accidents or transients.

During anticipated transients, which are those events expected to occur one or more times during the unit's life, the acceptable limit is:

a. The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value;
b. Fuel centerline melt shall not occur; and
c. The RCS pressure SL of 2750 psia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 20 and 10 CFR 100 criteria during anticipated transients.

Accidents are events that are analyzed even though they are not expected to occur during the unit's life. The acceptable limit during accidents is that the offsite dose shall be maintained within reference 10 CFR 100 limits.

Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

OCONEE UNITS 1, 2, & 3 B 3.3.1-1 (B9dES RE/ISION ATE 01/1 04 BASES REVISION DATED xx/xx/04

RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued)

The RPS consists of four separate redundant protective channels that receive inputs of neutron flux, RCS pressure, RCS flow, RCS temperature, RCS pump status, reactor building (RB) pressure, main feedwater (MFW) pump status, and turbine status.

and 7.1.a Figure 7."; UFSAR, Chapter 7 (Ref. 1), shows the arrangement of a typical RPS protective channel. A protective channel is composed of measurement channels, a manual trip channel, a reactor trip module (RTM), and control rod drive (CRD) trip devices. LCO 3.3.1 provides requirements for the individual measurement channels. These channels encompass all equipment and electronics from the point at which the measured parameter is sensed through the bistable relay contacts in the trip string. LCO 3.3.2, 'Reactor Protective System (RPS) Manual Reactor Trip," LCO 3.3.3, "Reactor Protective System (RPS) - Reactor Trip Module (RTM)," and LCO 3.3.4, "control rod Drive (CRD) Trip Devices." discuss the remaining RPS elements. For Unit(s) with the Control Rod Drive Control System (CRDCS) digital upgrade not complete, , I The RPS instrumentation me sures critical unit parameters and compares these to predetermined setpoints. If the setpoint is exceeded, a channel For Unit(s) with the CRDCS trip signal is generated. The generation of any two trip signals in any of the digital upgrade complete, four RPS channels will result in the trip of the reactor.

the RTS consists of four AC Trip Breakers arranged in two parallel combinations of 4the Reactor Trip System (RTS) contains multiple CRD trip devices; two AC two breakers each. Each' trip breakers, two DC trip breaker pairs, and eight electronic trip assembly path provides independent (ETA) relays. The system has two separate paths (or channels), with each power to the CRD motors. path having one AC breaker in series with a pair of DC breakers and Either path can provide sufficient power to operate functionally in series with four ETA relays in parallel. Each path provides all CRD's. Two separate independent power to the CRDs. Either path can provide sufficient power power paths to the CRD's to operate all CRDs. Two separate power paths to the CRDs ensure that a ensure that a single failure single failure that opens one path will not cause an unwanted reactor trip.

that opens one path will not -0 cause an unwanted reactor The RPS consists of four independent protective channels, each containing tap.

an RTM. The RTM receives signals from its own measurement channels that indicate a protective channel trip is required. The RTM transmits this signal to its own two-out-of-four trip logic and to the two-out-of-four logic of the RTMs in the other three RPS channels. Whenever any two RPS channels transmit channel trip signals, the RTM logic in each channel actuates to remove 120 VAC power from its associated CRD trip device.

OCONEE UNITS 1, 2, & 3 B 3.3.1-2 IBASS REVISi DATED 09/14/0411 I BASES REVISION DATED xx/xx/04

RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued) For Unit(s) with the CRDCS digital upgrade not complete, 4-f.

For Units(s) with the ghe reactor is tripped by opening circuit breakers an TA relays that CRDCS digital upgrade interrupt the control power supply to the CRDs. Six breakers are installed complete, the reactor is to increase reliability and allow testing of the trip system. A one-out-of-two tripped by opening the taken twice logic is used to interrupt power to the rods. energizing reactor trip breakers.

The RPS has three bypasses: a shutdown bypass, a dummy bistable and an RPS channel bypass. Shutdown bypass allows the withdrawal of safety rods for SDM availability and rapid negative reactivity insertion during unit cooldowns or heatups. The dummy bistable is used to bypass one or more functions (bistable trips) associated with one RPS Channel. The RPS Channel bypass allows one entire RPS channel to be taken out of service for maintenance and testing. Test circuits in the trip strings allow complete testing of all RPS tripFunctions.

The RPS operates from the instrumentation channels discussed next. The specific relationship between measurement channels and protective channels differs from parameter to parameter. Three basic configurations are used:

a. Four completely redundant measurements (e.g., reactor coolant flow) with one channel input to each protective channel;
b. Four channels that provide similar, but not identical, measurements (e.g., power range nuclear instrumentation where each RPS channel monitors a different quadrant), with one channel input to each protective channel; and
c. Redundant measurements with combinational trip logic outside of the protective channels and the combined output provided to each protective channel (e.g., main feedwater pump trip instrumentation).

These arrangements and the relationship of instrumentation channels to trip Functions are discussed next to assist in understanding the overall effect of instrumentation channel failure.

Power Ranqe Nuclear Instrumentation Power Range Nuclear Instrumentation channels provide inputs to the following trip Functions:

1. Nuclear Overpower OCONEE UNITS 1, 2, & 3 B 3.3.1-3 IBAS/S REVIS,* DATED 0//14I04]i I BASES REVISION DATED xx/xx/04 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND Power Range Nuclear Instrumentation (continued)

a. Nuclear Overpower - High Setpoint;
b. Nuclear Overpower -Low Setpoint;
7. Reactor Coolant Pump to Power;
8. Nuclear Overpower Flux/Flow Imbalance;
9. Main Turbine Trip (Hydraulic Fluid Pressure); and
10. Loss of Main Feedwater (LOMFW) Pumps (Hydraulic Oil Pressure).

The power range instrumentation has four linear level channels, one for each core quadrant. Each channel feeds one RPS protective channel.

Each channel originates in a detector assembly containing two uncompensated ion chambers. The ion chambers are positioned to represent the top half and bottom half of the core. The individual currents from the chambers are fed to individual linear amplifiers. The summation of the top and bottom is the total reactor power. The difference of the top minus the bottom neutron signal is the measured AXIAL POWER IMBALANCE for the associated core quadrant.

Reactor Coolant System Outlet Temperature The Reactor Coolant System Outlet Temperature provides input to the following Functions:

2. RCS High Outlet Temperature; and
5. RCS Variable Low Pressure.

The RCS Outlet Temperature is measured by two resistance elements in each hot leg, for a total of four. One temperature detector is associated with each protective channel.

OCONEE UNITS 1, 2, & 3 B 3.3.1-4 BASA'S REVIS*IP DATED O//14I04j l I BASES REVISION DATED xx/xx/04

RPS Instrumentation B 3.3.1 BASES BACKGROUND Reactor Coolant System Pressure (continued)

The Reactor Coolant System Pressure provides input to the following Functions:

3. RCS High Pressure;
4. RCS Low Pressure;
5. RCS Variable Low Pressure; and
11. Shutdown Bypass RCS High Pressure.

The RPS inputs of reactor coolant pressure are provided by two pressure transmitters in each hot leg, for a total of four. One sensor is associated with each protective channel.

Reactor Buildinq Pressure The Reactor Building Pressure measurements provide input only to the Reactor Building High Pressure trip, Function 6. There are four RB High Pressure sensors, one associated with each protective channel.

Reactor Coolant Pump Power Monitoring Reactor coolant pump power monitors are inputs to the Reactor Coolant Pump to Power trip, Function 7. Each RCP, operating current, and voltage is measured by four current transformers and four potential transformers driving four underpower relays. Each power monitoring channel consists of an underpower relay. One channel for each pump is associated with each protective channel.

Reactor Coolant System Flow The Reactor Coolant System Flow measurements are an input to the Nuclear Overpower Flux/Flow Imbalance trip, Function 8. The reactor coolant flow inputs to the RPS are provided by eight high accuracy differential pressure transmitters, four on each loop, which measure flow through calibrated flow tubes. One flow input in each loop is associated with each protective channel.

OCONEE UNITS 1, 2, & 3 B 3.3.1-5 BAS S REVISI DATED 0 /14/04 BASES REVISION DATED xx'xx/04

RPS Instrumentation B 3.3.1 BASES BACKGROUND Main Turbine Automatic Stop Oil Pressure (continued)

Main Turbine Automatic Stop Oil Pressure is an input to the Main Turbine Trip (Hydraulic Fluid Pressure) reactor trip, Function 9. Each of the four protective channels receives turbine status information from one of the four pressure switches monitoring main turbine automatic stop oil pressure. An open indication will be provided to the RPS on a turbine trip. Contact buffers in each protective channel continuously monitor the status of the contact inputs and initiate an RPS trip when a main turbine trip is indicated.

Feedwater Pump Hydraulic Oil Pressure Feedwater Pump Hydraulic Oil Pressure is an input to the Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) trip, Function 10. Hydraulic Oil pressure is measured by four switches on each feedwater pump. One switch on each pump, connected in series with a switch on the other MFW pump, is associated with each protective channel.

RPS Bypasses The RPS is designed with three types of bypasses: dummy bistable, channel bypass and shutdown bypass.

The dummy bistable provides a method of placing one or more functions in a RPS protective channel in a bypassed condition, the channel bypass provides a method of placing all Functions in one RPS protective channel in a bypassed condition, and shutdown bypass provides a method of leaving the safety rods withdrawn during cooldown and depressurization of the RCS. Each bypass is discussed next.

Dummy Bistable The dummy bistable is used to bypass one or more functions (bistable trips) associated with one RPS Channel. A dummy bistable is used if a parameter in an RPS channel fails and causes that channel to trip. Dummy bistables may be used in only one RPS channel at a time. Also, if an RPS channel is bypassed, no other RPS channel may contain a dummy bistable. Inserting a dummy bistable in the place of a failed (tripped) bistable allows the RPS channels to be reset, thus allowing the remainder of the functions in that RPS channel to be returned to service. This is more OCONEE UNITS 1, 2, & 3 B 3.3.1-6 BAS/S REVISI0 DATED 0/14/04 BASES REVISION DATED xxlxx/04

RPS Instrumentation B 3.3.1 BASES BACKGROUND Dummy Bistable (continued) conservative than manually bypassing the entire RPS channel. For an RPS channel with a dummy bistable installed, only the affected function(s) is inoperable. The installation of the STAR hardware in the nuclear overpower flux/flow imbalance trip string requires the use of jumpers to bypass the trip string. The installation of these jumpers does not require the removal of the STAR processor module, therefore, the protective channel is not forced into a tripped condition.

Channel Bypass A channel bypass provision is provided to allow for maintenance and testing of the RPS. The use of channel bypass keeps the protective channel trip relay energized regardless of the status of the instrumentation channel of the bistable relay contacts. To place a protective channel in channel bypass, the other three channels must not be in channel bypass or otherwise inoperable (e.g., a dummy bistable installed). This can be verified by observing alarms/indicator lights. This is administratively controlled by having only one manual bypass key available for each unit.

All RPS trips are reduced to a two-out-of-three logic in channel bypass.

Shutdown Bypass During unit cooldown and heatup, it is desirable to leave the safety rods at least partially withdrawn to provide shutdown capabilities in the event of unusual positive reactivity additions (moderator dilution, etc.).

However, the unit is also depressurized as coolant temperature is decreased. If the safety rods are withdrawn and coolant pressure is decreased, an RCS Low Pressure trip will occur at 1800 psig and the rods will fall into the core. To avoid this, the protective system allows the operator to bypass the low pressure trip and maintain shutdown capabilities. During the cooldown and depressurization, the safety rods are inserted prior to the low pressure trip of 1800 psig. The RCS pressure is decreased to less than 1720 psig, then each RPS channel is placed in shutdown bypass.

In shutdown bypass, a normally closed contact opens when the operator closes the shutdown bypass key switch (status shall be indicated by a light). This action bypasses the RCS Low Pressure trip, Nuclear Overpower Flux/Flow Imbalance trip, Reactor Coolant Pump to Power trip, OCONEE UNITS 1, 2, & 3 B 3.3.1-7 [ B eES REVIS N DATED 091/14/04 BASES REVISION DATED xx/xx/04

RPS Instrumentation B 3.3.1 BASES BACKGROUND Shutdown Bypass (continued) and the RCS Variable Low Pressure trip, and inserts a new RCS High Pressure, 1720 psig trip. The operator can now withdraw the safety rods for additional rapidly insertable negative reactivity.

The insertion of the new high pressure trip performs two functions. First, with a trip setpoint of 1720 psig, the bistable prevents operation at normal system pressure, 2155 psig, with a portion of the RPS bypassed. The second function is to ensure that the bypass is removed prior to normal operation. When the RCS pressure is increased during a unit heatup, the safety rods are inserted prior to reaching 1720 psig. The shutdown bypass is removed, which returns the RPS to normal, and system pressure is increased to greater than 1800 psig. The safety rods are then withdrawn and remain at the full out condition for the rest of the heatup.

In addition to the Shutdown Bypass RCS High Pressure trip, the high flux trip setpoint is administratively reduced to < 5% RTP prior to placing the RPS in shutdown bypass. This provides a backup to the Shutdown Bypass RCS High Pressure trip and allows low power physics testing while preventing the generation of any significant amount of power.

Module Interlock and Test Trip Relay Each channel and each trip module is capable of being individually tested.

When a module is placed into the test mode, it causes the test trip relay to open and to indicate an RPS channel trip. Under normal conditions, the channel to be tested is placed in bypass before a module is tested. Each trip module is electrically interlocked to the other three trip modules.

Removal of a trip module will indicate a tripped channel in the remaining trip modules.

Trip Setpoints/Allowable Value The Allowable Value and trip setpoint are based on the analytical limits stated in UFSAR, Chapter 15 (Ref. 2). The selection of the Allowable Value and associated trip setpoint is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 OCONEE UNITS 1, 2, & 3 B 3.3.1-8 BA S REVI 1N DATED /14/04 l BASES REVISION DATED xx/xx/04 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND Trip Setpoints/Allowable Value (continued)

(Ref. 3), the Allowable Values specified in Table 3.3.1-1 in the accompanying LCO are conservative with respect to the analytical limits to account for all known uncertainties for each channel. The actual trip setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST. One example of such a change in measurement error is drift during the Surveillance Frequency. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes. The trip setpoints are the nominal values at which the bistables are set. Any bistable is considered to be properly adjusted when the 'as left" value is within the band for CHANNEL CALIBRATION accuracy. A detailed description of the methodology used to determine the Allowable Value, trip setpoints, and associated uncertainties is provided in Reference 4.

Setpoints in accordance with the Allowable Value ensure that the limits of Chapter 2.0, "Safety Limits," in the Technical Specifications are not violated during anticipated transients and that the consequences of accidents will be acceptable, providing the unit is operated from within the LCOs at the onset of the anticipated transient or accident and the equipment functions as designed. Note that in LCO 3.3.1 the Allowable Values listed in Table 3.3.1-1 for Functions 1 through 8 and 11 are the LSSS.

Each channel can be tested online to verify that the setpoint accuracy is within the specified allowance requirements. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. Surveillances for the channels are specified in the SR section.

APPLICABLE Each of the analyzed accidents and transients that require a reactor trip to SAFETY ANALYSES, meet the acceptance criteria can be detected by one or more RPS LCO, and Functions. The accident analysis contained in the UFSAR, Chapter 15 APPLICABILITY (Ref. 2), takes credit for most RPS trip Functions. Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit.

These Functions are high RB pressure, high RCS temperature, turbine trip, and loss of main feedwater. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions also serve as backups to Functions that were credited in the safety analysis.

OCONEE UNITS 1, 2, & 3 B 3.3.1-9 BAS REVISI DATED 0,14/04 I BASES REVISION DATED xx/xx/04

RPS Instrumentation B 3.3.1 BASES APPLICABLE The LCO requires all instrumentation performing an RPS Function to be SAFETY ANALYSES, OPERABLE. Failure of any instrument renders the affected channel(s)

LCO, and inoperable and reduces the reliability of the affected Functions. The three APPLICABILITY channels of each Function in Table 3.3.1 - 1 of the RPS instrumentation (continued) shall be OPERABLE during its specified Applicability to ensure that a reactor trip will be actuated if needed. Additionally, during shutdown bypass with any CRD trip breaker closed, the applicable RPS Functions must also be available. This ensures the capability to trip the withdrawn CONTROL RODS exists at all times that rod motion is possible. The trip Function channels specified in Table 3.3.1 - 1 are considered OPERABLE when all channel components necessary to provide a reactor trip are functional and in service for the required MODE or Other Specified Condition listed in Table 3.3.1-1.

Only the Allowable Values are specified for each RPS trip Function in the LCO. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoint measured by CHANNEL FUNCTIONAL TESTS does not exceed the Allowable Value if the bistable is performing as required. A trip setpoint found less conservative than the nominal trip setpoint, but within its Allowable Value, is considered OPERABLE with respect to the uncertainty allowances assumed for the applicable surveillance interval provided that operation, testing and subsequent calibration are consistent with the assumptions of the setpoint calculations. Each Allowable Value specified is more conservative than instrument uncertainties appropriate to the trip Function.

These uncertainties are defined in Reference 4.

For most RPS Functions, the Allowable Value in conjunction with the nominal trip setpoint ensure that the departure from nucleate boiling (DNB),

center line fuel melt, or RCS pressure SLs are not challenged. Cycle specific values for use during operation are contained in the COLR.

Certain RPS trips function to indirectly protect the SLs by detecting specific conditions that do not immediately challenge SLs but will eventually lead to challenge if no action is taken. These trips function to minimize the unit transients caused by the specific conditions. The Allowable Value for these Functions is selected at the minimum deviation from normal values that will indicate the condition, without risking spurious trips due to normal fluctuations in the measured parameter.

The Allowable Values for bypass removal Functions are stated in the Applicable MODE or Other Specified Condition column of Table 3.3.1 - 1.

The safety analyses applicable to each RPS Function are discussed next.

OCONEE UNITS 1, 2, & 3 B 3.3.1-10 l BA S REVIS[N DATED /14/04l l BASES REVISION DATED xx/xx/04 /

RPS Instrumentation B 3.3.1 BASES APPLICABLE 1. Nuclear Overpower SAFETY ANALYSES, LCO, and a. Nuclear Overpower - High Setpoint APPLICABILITY (continued) The Nuclear Overpower - High Setpoint trip provides protection for the design thermal overpower condition based on the measured out of core neutron leakage flux.

The Nuclear Overpower - High Setpoint trip initiates a reactor trip when the neutron power reaches a predefined setpoint at the design overpower limit. Because THERMAL POWER lags the neutron power, tripping when the neutron power reaches the design overpower will limit THERMAL POWER to prevent exceeding acceptable fuel damage limits.

Thus, the Nuclear Overpower - High Setpoint trip protects against violation of the DNBR and fuel centerline melt SLs.

However, the RCS Variable Low Pressure, and Nuclear Overpower Flux/Flow Imbalance, provide more direct protection. The role of the Nuclear Overpower - High Setpoint trip is to limit reactor THERMAL POWER below the highest power at which the other two trips are known to provide protection.

The Nuclear Overpower - High Setpoint trip also provides transient protection for rapid positive reactivity excursions during power operations. These events include the rod withdrawal accident and the rod ejection accident. By providing a trip during these events, the Nuclear Overpower -

High Setpoint trip protects the unit from excessive power levels and also serves to limit reactor power to prevent violation of the RCS pressure SL.

Rod withdrawal accident analyses cover a large spectrum of reactivity insertion rates (rod worths), which exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower - High Setpoint trip provides the primary protection. At low reactivity insertion rates, the high pressure trip provides primary protection.

OCONEE UNITS 1, 2, & 3 B 3.3.1-11 BANS REVIS)6N DATED/1/1 4/04l BASES REVISION DATED xxfxx/04

RPS Instrumentation B 3.3.1 BASES APPLICABLE b. Nuclear Overpower - Low Setpoint SAFETY ANALYSES, LCO, and Prior to initiating shutdown bypass, the Nuclear APPLICABILITY Overpower - Low Setpoint trip must be reduced to < 5% RTP.

(continued) The low power setpoint, in conjunction with the lower Shutdown Bypass RCS High Pressure setpoint, ensure that the unit is protected from excessive power conditions when other RPS trips are bypassed.

The setpoint Allowable Value was chosen to be as low as practical and still lie within the range of the out of core instrumentation.

2. RCS Hiqh Outlet Temperature The RCS High Outlet Temperature trip, in conjunction with the RCS Low Pressure and RCS Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the reactor vessel outlet temperature approaches the conditions necessary for DNB. Portions of each RCS High Outlet Temperature trip channel are common with the RCS Variable Low Pressure trip. The RCS High Outlet Temperature trip provides steady state protection for the DNBR SL.

The RCS High Outlet Temperature trip limits the maximum RCS temperature to below the highest value for which DNB protection by the Variable Low Pressure trip is ensured. The trip setpoint Allowable Value is selected to ensure that a trip occurs before hot leg temperatures reach the point beyond which the RCS Low Pressure and Variable Low Pressure trips are analyzed. Above the high temperature trip, the variable low pressure trip need not provide protection, because the unit would have tripped already. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions that the equipment is expected to experience because the trip is not required to mitigate accidents that create harsh conditions in the RB.

3. RCS High Pressure The RCS High Pressure trip works in conjunction with the pressurizer and main steam relief valves to prevent RCS overpressurization, thereby protecting the RCS High Pressure SL.

OCONEE UNITS 1, 2, & 3 B 3.3.1-12 BAXS REVISeN DATEDX/14/04 l BASES REVISION DATED xx/xx04

RPS Instrumentation B 3.3.1 BASES APPLICABLE 3. RCS HIGH PRESSURE (continued)

SAFETY ANALYSES, LCO, and The RCS High Pressure trip has been credited in the transient APPLICABILITY analysis calculations for slow positive reactivity insertion transients (rod withdrawal transients and moderator dilution). The rod withdrawal transient covers a large spectrum of reactivity insertion rates and rod worths that exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower

- High Setpoint trip provides the primary protection. At low reactivity insertion rates, the RCS High Pressure trip provides the primary protection.

The setpoint Allowable Value is selected to ensure that the RCS High Pressure SL is not challenged during steady state operation or slow power increasing transients. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions because the equipment is not required to mitigate accidents that create harsh conditions in the RB.

4. RCS Low Pressure The RCS Low Pressure trip, in conjunction with the RCS High Outlet Temperature and Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system pressure approaches the conditions necessary for DNB. The RCS Low Pressure trip provides DNB low pressure limit for the RCS Variable Low Pressure trip.

The RCS Low Pressure setpoint Allowable Value is selected to ensure that a reactor trip occurs before RCS pressure is reduced below the lowest point at which the RCS Variable Low Pressure trip is analyzed. The RCS Low Pressure trip provides protection for primary system depressurization events and has been credited in the accident analysis calculations for small break loss of coolant accidents (LOCAs). Harsh RB conditions created by small break LOCAs cannot affect performance of the RCS pressure sensors and transmitters within the time frame for a reactor trip. Therefore, degraded environmental conditions are not considered in the Allowable Value determination.

OCONEE UNITS 1, 2, & 3 B 3.3.1-13 [BAWS REVIS N DATED 9/14/04 1 I BASES REVISION DATED xx/xx/04

RPS Instrumentation B 3.3.1 BASES APPLICABLE 5. RCS Variable Low Pressure SAFETY ANALYSES, LCO, and The RCS Variable Low Pressure trip, in conjunction with the RCS APPLICABILITY High Outlet Temperature and RCS Low Pressure trips, provides (continued) protection for the DNBR SL. A trip is initiated whenever the system parameters of pressure and temperature approach the conditions necessary for DNB. The RCS Variable Low Pressure trip provides a floating low pressure trip based on the RCS High Outlet Temperature within the range specified by the RCS High Outlet Temperature and RCS Low Pressure trips.

The RCS Variable Low Pressure setpoint Allowable Value is selected to ensure that a trip occurs when temperature and pressure approach the conditions necessary for DNB while operating in a temperature pressure region constrained by the low pressure and high temperature trips. The RCS Variable Low Pressure trip is assumed for transient protection in the main steam line break analysis. The setpoint allowable value does not include errors induced by the harsh environment, because the trip actuates prior to the harsh environment.

6. Reactor Building High Pressure The Reactor Building High Pressure trip provides an early indication of a high energy line break (HELB) inside the RB. By detecting changes in the RB pressure, the RPS can provide a reactor trip before the other system parameters have varied significantly. Thus, this trip acts to minimize accident consequences. It also provides a backup for RPS trip instruments exposed to an RB HELB environment.

The Allowable Value for RB High Pressure trip is set at the lowest value consistent with avoiding spurious trips during normal operation.

The electronic components of the RB High Pressure trip are located in an area that is not exposed to high temperature steam environments during HELB transients inside containment. The components are exposed to high radiation conditions. Therefore, the determination of the setpoint Allowable Value accounts for errors induced by the high radiation.

OCONEE UNITS 1, 2, & 3 B 3.3.1-14 I BAS, REVISJON DATED 94/14104I l lBASES REVISION DATED xx/xxf04

RPS Instrumentation B 3.3.1 BASES APPLICABLE 7. Reactor Coolant Pump to Power SAFETY ANALYSES, LCO, and The Reactor Coolant Pump to Power trip provides protection for APPLICABILITY changes in the reactor coolant flow due to the loss of multiple RCPs.

(continued) Because the flow reduction lags loss of power indications due to the inertia of the RCPs, the trip initiates protective action earlier than a trip based on a measured flow signal.

The Reactor Coolant Pump to Power trip has been credited in the accident analysis calculations for the loss of more than two RCPs.

The Allowable Value for the Reactor Coolant Pump to Power trip setpoint is selected to prevent normal power operation unless at least three RCPs are operating. RCP status is monitored by power transducers on each pump. These relays indicate a loss of an RCP on underpower. The underpower setpoint is selected to reliably trip on loss of voltage to the RCPs. Neither the reactor power nor the pump power setpoint account for instrumentation errors caused by harsh environments because the trip Function is not required to respond to events that could create harsh environments around the equipment.

8. Nuclear Overpower Flux/Flow Imbalance The Nuclear Overpower Flux/Flow Imbalance trip provides steady state protection for the power imbalance SLs. A reactor trip is initiated prior to the core power, AXIAL POWER IMBALANCE, and reactor coolant flow conditions exceeding the DNB or fuel centerline temperature limits.

This trip supplements the protection provided by the Reactor Coolant Pump to Power trip, through the power to flow ratio, for loss of reactor coolant flow events. The power to flow ratio provides direct protection for the DNBR SL for the loss of one or more RCPs and for locked RCP rotor accidents.

The power to flow ratio of the Nuclear Overpower Flux/Flow Imbalance trip also provides steady state protection to prevent reactor power from exceeding the allowable power when the primary system flow rate is less than full four pump flow. Thus, the power to flow ratio prevents overpower conditions similar to the Nuclear Overpower trip. This protection ensures that during reduced flow conditions the core power is maintained below that required to begin DNB.

OCONEE UNITS 1, 2, & 3 B 3.3.1-15 BA S REVISdN DATED /14/04 BASES REVISION DATED xx/xx/04

RPS Instrumentation B 3.3.1 BASES APPLICABLE 8. Nuclear Overpower Flux/Flow Imbalance (continued)

SAFETY ANALYSES, LCO, and The Allowable Value is selected to ensure that a trip occurs when the APPLICABILITY core power, axial power peaking, and reactor coolant flow conditions indicate an approach to DNB or fuel centerline temperature limits.

By measuring reactor coolant flow and by tripping only when conditions approach an SL, the unit can operate with the loss of one pump from a four pump initial condition at power levels at least as low as approximately 80% RTP. The Allowable Value for the Function, including the upper limits of the Function are given in the unit COLR because the cycle specific core peaking changes affect the Allowable Value.

9. Main Turbine Trip (Hydraulic Fluid Pressure)

The Main Turbine Trip Function trips the reactor when the main turbine is lost at high power levels. The Main Turbine Trip Function provides an early reactor trip in anticipation of the loss of heat sink associated with a turbine trip. The Main Turbine Trip Function was added to the B&W designed units in accordance with NUREG-0737 (Ref. 5) following the Three Mile Island Unit 2 accident. The trip lowers the probability of an RCS power operated relief valve (PORV) actuation for turbine trip cases. This trip is activated at higher power levels, thereby limiting the range through which the Integrated Control System must provide an automatic runback on a turbine trip.

Each of the four turbine hydraulic fluid pressure switches feeds one protective channel through buffers that continuously monitor the status of the contacts.

For the Main Turbine Trip (Hydraulic Fluid Pressure) bistable, the Allowable Value of 800 psig is selected to provide a trip whenever main turbine hydraulic fluid pressure drops below the normal operating range. To ensure that the trip is enabled as required by the LCO, the reactor power bypass is set with an Allowable Value of 30% RTP. The turbine trip is not required to protect against events that can create a harsh environment in the turbine building.

Therefore, errors induced by harsh environments are not included in the determination of the setpoint Allowable Value.

OCONEE UNITS 1,2, & 3 B 3.3.1-16 ( BA>S REVISON DATED /14/04 1 I BASES REVISION DATEDxx/xx/04 I

RPS Instrumentation B 3.3.1 BASES APPLICABLE 10. Loss of Main Feedwater Pumps (Hydraulic Oil Pressure)

SAFETY ANALYSES, LCO, and The Loss of Main Feedwater Pumps (Hydraulic Oil APPLICABILITY Pressure) trip provides a reactor trip at high power (continued) levels when both MFW pumps are lost. The trip provides an early reactor trip in anticipation of the loss of heat sink associated with the LOMF. This trip was added in accordance with NUREG-0737 (Ref.

5) following the Three Mile Island Unit 2 accident. This trip provides a reactor trip at high power levels for a LOMF to minimize challenges to the PORV.

For the feedwater pump hydraulic oil pressure bistables, the Allowable Value of 75 psig is selected to provide a trip whenever feedwater pump hydraulic oil pressure drops below the normal operating range. To ensure that the trip is enabled as required by the LCO, the reactor power bypass is set with an Allowable Value of 2% RTP. The Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) trip is not required to protect against events that can create a harsh environment in the turbine building. Therefore, errors caused by harsh environments are not included in the determination of the setpoint Allowable Value.

11. Shutdown Bypass RCS High Pressure The RPS Shutdown Bypass RCS High Pressure is provided to allow for withdrawing the CONTROL RODS prior to reaching the normal RCS Low Pressure trip setpoint. The shutdown bypass provides trip protection during deboration and RCS heatup by allowing the operator to at least partially withdraw the safety groups of CONTROL RODS. This makes their negative reactivity available to terminate inadvertent reactivity excursions. Use of the shutdown bypass trip requires that the neutron power trip setpoint be reduced to 5% of full power or less. The Shutdown Bypass RCS High Pressure trip forces a reactor trip to occur whenever the unit switches from power operation to shutdown bypass or vice versa. This ensures that the CONTROL RODS are all inserted before power operation can begin.

The operator is required to remove the shutdown bypass, reset the Nuclear Overpower - High Power trip setpoint, and again withdraw the safety group rods before proceeding with startup.

Accidents analyzed in the UFSAR, Chapter 15 (Ref. 2), do not describe events that occur during shutdown bypass operation, because the consequences of these events are enveloped by the events presented in the UFSAR.

OCONEE UNITS 1,2, & 3 B 3.3.1-17 l BAA'S REVISjeN DATED 94'/14/04 Il I BASES REVISION DATED xx/xx/04

RPS Instrumentation B 3.3.1 BASES APPLICABLE 11. Shutdown BVpass RCS High Pressure (continued)

SAFETY ANALYSES, LCO, and During shutdown bypass operation with the Shutdown Bypass RCS APPLICABILITY High Pressure trip active with a setpoint of < 1720 psig and the Nuclear Overpower - Low Setpoint set at or below 5% RTP, the trips listed below can be bypassed. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low Setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.

l.a Nuclear Overpower - High Setpoint;

3. RCS High Pressure;
4. RCS Low Pressure;
5. RCS Variable Low Pressure;
7. Reactor Coolant Pump to Power; and
8. Nuclear Overpower Flux/Flow Imbalance.

The Shutdown Bypass RCS High Pressure Function's Allowable Value is selected to ensure a trip occurs before producing THERMAL POWER.

General Discussion The RPS satisfies Criterion 3 of 10 CFR 50.36 (Ref. 8). In MODES 1 and 2, the following trips shall be OPERABLE because the reactor can be critical in these MODES. These trips are designed to take the reactor subcritical to maintain the SLs during anticipated transients and to assist the ESPS in providing acceptable consequences during accidents.

1a. Nuclear Overpower - High Setpoint;

2. RCS High Outlet Temperature;
3. RCS High Pressure;
4. RCS Low Pressure; OCONEE UNITS 1, 2, & 3 B 3.3.1-1 8 BA>S REVISAN DATED 9/14104 I IBASES REVISION DATED xx/xx/0

RPS Instrumentation B 3.3.1 BASES APPLICABLE General Discussion (continued)

SAFETY ANALYSES, LCO, and 5. RCS Variable Low Pressure; APPLICABILITY

6. Reactor Building High Pressure;
7. Reactor Coolant Pump to Power; and
8. Nuclear Overpower Flux/Flow Imbalance.

Functions 1, 3, 4, 5, 7, and 8 just listed may be bypassed in MODE 2 when RCS pressure is below 1720 psig, provided the Shutdown Bypass RCS High Pressure and the Nuclear Overpower - Low setpoint trip are placed in operation. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.

The Main Turbine Trip (Hydraulic Fluid Pressure) Function is required to be OPERABLE in MODE 1 at 2 30% RTP. The Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) Function is required to be OPERABLE in MODE 1 and in MODE 2 at 2 2% RTP. Analyses presented in BAW-1 893 (Ref. 6) have shown that for operation below these power levels, these trips are not necessary to minimize challenges to the PORVs as required by NUREG-0737 (Ref. 5).

Because the safety function of the RPS is to trip the CONTROL RODS, the RPS is not required to be OPERABLE in MODE 3,4, or 5 if either the reactor trip breakers are open, or the CRD System is incapable of rod withdrawal. Similarly, the RPS is not required to be OPERABLE in MODE 6 because the CONTROL RODS are normally decoupled from the CRDs.

However, in MODE 2, 3, 4, or 5, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are required to be OPERABLE if the CRD trip breakers are closed and the CRD System is capable of rod withdrawal. Under these conditions, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are sufficient to prevent an approach to conditions that could challenge SLs.

ACTIONS Conditions A and B are applicable to all RPS protective Functions. If a channel's trip setpoint is found nonconservative with respect to the required Allowable Value in Table 3.3.1-1, or the transmitter, instrument loop, signal processing electronics or bistable is found inoperable, the channel must be declared inoperable and Condition A entered immediately.

OCONEE UNITS 1, 2, & 3 B 3.3.1-19 [3BAS REVISJdN DATED 94104 BASES REVISION DATED xx/xx/04

RPS Instrumentation B 3.3.1 BASES ACTIONS When an RPS channel is manually tripped, the functions that were (continued) inoperable prior to tripping remain inoperable. Other functions in the same channel that were OPERABLE prior to tripping remain OPERABLE.

A.1 For Required Action A.1, if one or more Functions in a required protective channel becomes inoperable, the affected protective channel must be placed in trip. This Required Action places all RPS Functions in a one-out-of-two logic configuration. The "non-required" channel is placed in bypass when the required inoperable channel is placed in trip to prevent bypass of a second required channel. In this configuration, the RPS can still perform its safety functions in the presence of a random failure of any single Channel. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is sufficient time to perform Required Action A.1.

B.1 Required Action B.1 directs entry into the appropriate Condition referenced in Table 3.3.1-1. The applicable Condition referenced in the table is Function dependent. If the Required Action and the associated Completion Time of Condition A are not met or if more than two channels are inoperable, Condition B is entered to provide for transfer to the appropriate subsequent Condition.

C.1 and C.2 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition C, the unit must be brought to a MODE in which the specified RPS trip Functions are not required to be OPERABLE. The allowed Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and to open all CRD trip breakers without challenging unit systems.

D.1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition D, the unit must be brought to a MODE in which the specified RPS trip Functions are not OCONEE UNITS 1, 2, & 3 B 3.3.1-20 l BA S REVIS N DATED /14/04 l lBASES REVISION DATED xxfxxI04

RPS Instrumentation B 3.3.1 BASES ACTIONS D.1 (continued) required to be OPERABLE. To achieve this status, all CRD trip breakers must be opened. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to open CRD trip breakers without challenging unit systems.

E.1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition E, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < 30% RTP. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach 30% RTP from full power conditions in an orderly manner without challenging unit systems.

F.1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition F, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < 2% RTP. The allowed Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is reasonable, based on operating experience, to reach 2% RTP from full power conditions in an orderly manner without challenging unit systems.

SURVEILLANCE The SRs for each RPS Function are identified by the SRs REQUIREMENTS column of Table 3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and CHANNEL CALIBRATION testing.

The SRs are modified by a Note. The Note directs the reader to Table 3.3.1-1 to determine the correct SRs to perform for each RPS Function.

SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a OCONEE UNITS 1, 2, & 3 B 3.3.1-21 BA§S REVISJON DATED 9/14/04l BASES REVISION DATED xx/xx/04

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.1 (continued)

REQUIREMENTS similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE. Ifthe channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction. Off scale low current loop channels are verified to be reading at the bottom of the range and not failed downscale.

The Frequency, equivalent to once every shift, is based on operating experience that demonstrates channel failure is rare. Since the probability of two random failures in redundant channels in any 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal but more frequent checks of channel OPERABILITY during normal operational use of the displays associated with the LCO's required channels.

For Functions that trip on a combination of several measurements, such as the Nuclear Overpower Flux/Flow Imbalance Function, the CHANNEL CHECK must be performed on each input.

SR 3.3.1.2 This SR is the performance of a heat balance calibration for the power range channels every 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> when reactor power is > 15% RTP. The heat balance calibration consists of a comparison of the results of the calorimetric with the power range channel output. The outputs of the power range channels are normalized to the calorimetric. If the calorimetric exceeds the Nuclear Instrumentation System'(NIS) channel output by 2 2%

RTP, the NIS is not declared inoperable but must be adjusted. If the NIS OCONEE UNITS 1, 2, & 3 B 3.3.1-22 BA S REVIS N DATED /14/04l BASES REVISION DATED xx/xx04

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.2 (continued)

REQUIREMENTS channel cannot be properly adjusted, the channel is declared inoperable. A Note clarifies that this Surveillance is required to be performed only if reactor power is 2 15% RTP and that 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is allowed for performing the first Surveillance after reaching 15% RTP. At lower power levels, calorimetric data are less accurate.

The power range channel's output shall be adjusted consistent with the calorimetric results if the calorimetric exceeds the power range channel's output by 2 2% RTP. The value of 2% is adequate because this value is assumed in the safety analyses of UFSAR, Chapter 15 (Ref. 2). These checks and, if necessary, the adjustment of the power range channels ensure that channel accuracy is maintained within the analyzed error margins. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Frequency is adequate, based on unit operating experience, which demonstrates the change in the difference between the power range indication and the calorimetric results rarely exceeds a small fraction of 2% in any 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> period. Furthermore, the control room operators monitor redundant indications and alarms to detect deviations in channel outputs.

SR 3.3.1.3 A comparison of power range nuclear instrumentation channels against incore detectors shall be performed at a 31 day Frequency when reactor power is 2 15% RTP. A Note clarifies that 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is allowed for performing the first Surveillance after reaching 15% RTP. If the absolute value of imbalance error is 2 2% RTP, the power range channel is not inoperable, but an adjustment of the measured imbalance to agree with the incore measurements is necessary. The Imbalance error calculation is adjusted for conservatism by applying a correlation slope (CS) value to the error calculation formula. This ensure that the value of the APIO is > APIA.

The CS value is listed in the COLR and is cycle dependent. If the power range channel cannot be properly recalibrated, the channel is declared inoperable. The calculation of the Allowable Value envelope assumes a difference in out of core to incore measurements of 2.0%. Additional inaccuracies beyond those that are measured are also included in the setpoint envelope calculation. The 31 day Frequency is adequate, considering that long term drift of the excore linear amplifiers is small and burnup of the detectors is slow. Also, the excore readings are a strong function of the power produced in the peripheral fuel bundles, and do not represent an integrated reading across the core. The slow changes in neutron flux during the fuel cycle can also be detected at this interval.

OCONEE UNITS 1, 2, & 3 B 3.3.1-23 Am dment N 337,337 338 BASES REVISION DATED xx/xx/04

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.4 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST is performed on each required RPS channel to ensure that the entire channel will perform the intended function.

Setpoints must be found within the Allowable Values specified in Table 3.3.1-1. Any setpoint adjustment shall be consistent with the assumptions of the current setpoint analysis.

The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in BAW-1 01 67 (Ref. 7).

The Frequency of 45 days on a STAGGERED TEST BASIS is consistent with the calculations of Reference 7 that indicate the RPS retains a high level of reliability for this test interval.

SR 3.3.1.5 A Note to the Surveillance indicates that neutron detectors are excluded from CHANNEL CALIBRATION. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure virtually instantaneous response.

A CHANNEL CALIBRATION is a complete check of the instrument channel, including the sensor. The test verifies that the channel responds to the measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that measurement errors and bistable setpoint errors are within the assumptions of the setpoint analysis. CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the setpoint analysis.

Whenever a sensing element is replaced, the next required CHANNEL CALIBRATION of the resistance temperature detectors (RTD)sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.

The Frequency is justified by the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

OCONEE UNITS 1, 2, & 3 B 3.3.1-24 Am dment NX.337, 337 338 BASES REVISION DATED xx/xx/04

RPS Instrumentation B 3.3.1 BASES (continued)

REFERENCES 1. UFSAR, Chapter 7.

2. UFSAR, Chapter 15.
3. 10 CFR 50.49.
4. EDM-102, "Instrument Setpoint/Uncertainty Calculations."
5. NUREG-0737, "Clarification of TMI Action Plan Requirements,"

November 1979.

6. BAW-1 893, MBasis for Raising Arming Threshold for Anticipating Reactor Trip on Turbine Trip," October 1985.
7. BAW-1 01 67, May 1986.
8. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.1-25 Ar ndment *s. 337, 33/ 3381 IBASES REVISION DATED xx/xx/04

RPS Manual Reactor Trip B 3.3.2 B 3.3 INSTRUMENTATION B 3.3.2 Reactor Protective System (RPS) Manual Reactor Trip BASES BACKGROUND The RPS Manual Reactor Trip provides the operator with the capability to trip the reactor from the control room. Manual trip is provided by a trip push button on the main control board. This push button operates four electrically independent switch contacts, one for each train. This tri independent of the automatic trip system. As shown in Figure 7. UFSAR, Chapter 7 (Ref. 1), power for the control rod drive (CRD) breaker undervoltage coils and contactor coils comes from the reactor trip modules (RTMs). The manual trip switch contacts are located between the RTM output and the breaker undervoltage coils. Opening of the switch contacts opens the lines to the breakers, tripping them. The switch contacts also energize the breaker shunt trip mechanisms. There is a separate switch tr contact in series, with the output of each of the four RTMs. Al witc contacts are actuated through a mechanical linkage from a single push button.

APPLICABLE The Manual Reactor Trip ensures that the control room operator can SAFETY ANALYSES initiate a reactor trip at any time. The Manual Reactor Trip Function is required as a backup to the automatic trip functions and allows operators to shut down the reactor.

The Manual Reactor Trip Function satisfies Criterion 3 of 10 CFR 50.36 (Ref. 2).

LCO The LCO on the RPS Manual Reactor Trip requires that the trip shall be OPERABLE whenever the reactor is critical or any time any control rod breaker is closed and rods are capable of being withdrawn, including shutdown bypass. This enables the operator to terminate any event that in the operator's judgment requires protective action, even if no automatic trip condition exists.

The Manual Reactor Trip Function is composed of four electrically independent trip switch contacts sharing a common mechanical push button.

OCONEE UNITS 1, 2, 8K3 B 3.3.2-1 ym dr nt s. 0, 0, 30 lBASES REVISION DATED xx/xxf04

RPS Manual Reactor Trip B 3.3.2 BASES (continued)

APPLICABILITY The Manual Reactor Trip Function is required to be OPERABLE in MODES 1 and 2. It is also required to be OPERABLE in MODES 3,4, and 5 if any CRD trip breaker is in the closed position and if the CRD System is capable of rod withdrawal. The safety function of the RPS is to trip the CONTROL RODS; therefore, the Manual Reactor Trip Function is not needed in MODE 3, 4, or 5 if either the reactor trip breakers are open or if the CRD System is incapable of rod withdrawal. Similarly, the RPS Manual Reactor Trip is not needed in MODE 6 because the CONTROL RODS are normally decoupled from the CRDs.

ACTIONS A.1 Condition A applies when the Manual Reactor Trip Function is found inoperable. One hour is allowed to restore Function to OPERABLE status.

The automatic functions and various alternative manual trip methods, such as removing power to the RTMs, are still available. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is sufficient time to correct minor problems.

B.1 and B.2 With the Required Action and associated Completion Time not met in MODE 1, 2, or 3, the unit must be placed in a MODE in which manual trip is not required. Required Action B.1 and Required Action B.2 place the unit in at least MODE 3 with all CRD trip breakers open within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems.

C.1 With the Required Action and associated Completion Time not met in MODE 4 or 5, the unit must be placed in a MODE in which manual trip is not required. To achieve this status, all CRD trip breakers must be opened. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to open all CRD trip breakers without challenging unit systems.

OCONEE UNITS 1, 2, & 3 B 3.3.2-2 nmrngdment os. 300/300, /3001 IBASES REVISION DATED xxlxxl04 /

RPS Manual Reactor Trip B 3.3.2 BASES (continued)

SURVEILLANCE SR 3.3.2.1 REQUI REMENTS This SR requires the performance of a CHANNEL FUNCTIONAL TEST of the Manual Reactor Trip Function. This test verifies the OPERABILITY of the Manual Reactor Trip by actuation of the CRD trip breakers. The Frequency shall be once prior to each reactor startup if not performed within the preceding 7 days to ensure the OPERABILITY of the Manual Reactor Trip Function prior to achieving criticality. The Frequency was developed in consideration that these Surveillances are only performed during a unit outage.

REFERENCES 1. UFSAR, Chapter 7.

2. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.2-3 Srndmen(Nos. -0, 30,/& 30 lBASES REVISION DATED xx/xx/04

RPS - RTM B 3.3.3 B 3.3 INSTRUMENTATION B 3.3.3 Reactor Protective System (RPS) - Reactor Trip Module (RTM)

BASES BACKGROUND The RPS consists of four independent protection channels, each containing an RTM. Figure 7.1, UFSAR, Chapter 7 (Ref. 1), shows a typical RPS protection channel and the relationship of the RTM to the RPS instrumentation, manual trip, and CONTROL ROD drive (CRD) trip devices. The RTM receives bistable trip signals from the functions in its own channel and channel trip signals from the other three RPS - RTMs.

The RTM provides these signals to its own two-out-of-four trip logic and transmits its own channel trip signal to the two-out-of-four logic of the RTMs in the other three RPS channels. Whenever any two RPS channels transmit channel trip signals, the RTM logic in each channel actuates to remove 120 VAC power from its associated CRD trip devices.

The RPS trip scheme consists of series contacts that are operated by bistables. During normal unit operations, all contacts are closed and the RTM channel trip relay remains energized. However, if any trip parameter exceeds its setpoint, its associated contact opens, which de-energizes the channel trip relay.

When an RTM channel trip relay de-energizes, several things occur:

a. Each of the four (4) output logic relays "informs" its associated RPS channel that a reactor trip signal has occurred in the tripped RPS channel;
b. The contacts in the trip device circuitry, powered by the tripped channel, open, but the trip device remains energized through the closed contacts from the other RTMs. (This condition exists in each RPS - RTM. Each RPS - RTM controls power to a trip device.);

and

c. The contact in parallel with the channel reset switch opens and the trip is sealed in. To re-energize the channel trip relay, the channel reset switch must be depressed after the trip condition has cleared.

When the second RPS channel senses a reactor trip condition, the output logic relays for the second channel de-energize and open contacts that supply power to the trip devices. With contacts opened by two separate RPS channels, power to the trip devices is interrupted and the CONTROL RODS fall into the core.

OCONEE UNITS 1, 2, & 3 B 3.3.3-1 I /mendn/ 2 nt Nos/300, 3/0, & 6o I IBASES REVISION DATED xxxx/O4

RPS- RTM B 3.3.3 BASES BACKGROUND A minimum of two out of four RTMs must sense a trip condition to cause a (continued) reactor trip. Also, because the bistable relay contacts for each function are in series with the channel trip relays, two channel trips caused by different trip functions can result in a reactor trip.

APPLICABLE Transient and accident analyses rely on a reactor trip for protection of SAFETY ANALYSES reactor core integrity, reactor coolant pressure boundary integrity, and reactor building OPERABILITY. A reactor trip must occur when needed to prevent accident conditions from exceeding those calculated in the accident analyses. More detailed descriptions of the applicable accident analyses are found in the bases for each of the RPS trip Functions in LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation."

The RTMs satisfy Criterion 3 of 10 CFR 50.36 (Ref. 2).

LCO The RTM LCO requires all four RTMs to be OPERABLE. Failure of any RTM renders a portion of the RPS inoperable.

An OPERABLE RTM must be able to receive and interpret trip signals from its own and other OPERABLE RPS channels and to open its associated trip device.

The requirement of four RTMs to be OPERABLE ensures that a minimum of two RTMs will remain OPERABLE if a single failure has occurred in one RTM and if a second RTM is out of service. This two-out-of-four trip logic also ensures that a single RTM failure will not cause an unwanted reactor trip. Violation of this LCO could result in a trip signal not causing a reactor trip when needed.

APPLICABILITY The RTMs are required to be OPERABLE in MODES 1 and 2. They are also required to be OPERABLE in MODES 3,4, and 5 if any CRD trip breakers are in the closed position and the CRD System is capable of rod withdrawal. The RTMs are designed to ensure a reactor trip would occur, if needed. This condition can exist in all of these MODES; therefore, the RTMs must be OPERABLE.

OCONEE UNITS 1, 2, & 3 B 3.3.3-2 [ I" end m1t NosQO., 396, & 3/0 ]

lBASES REVISION DATED xx/xx/04

/ RPS - RTM

/ = B3.3.3 BASES (continued)d/

For Unit(s) with the Control Rod Drive Control ACTIONS z A .1 A.1 .2, and A.2 System (CRDCS) digital upgrade not complete, For Unit(s) with the CRDCS digital upgrade When an RTM is inoperable, the associated CRD trip breaker must then be complete, tripping one placed in a condition that is equivalent to a tripped condition for the RTM.

RTM or removing power Required Action A.1.1 or Required Action A.1.2 requires this either by opens one of the CRD trip tripping the CRD trip breaker or by removing power to the CRD trip device.

devices, which will result ripping one RTM or removing power opens one set of CRD trip devices.

in the loss of one of the Power to hold RCONTROL ROD *s still provided via the parallel CRD parallel power supplies to tip device(s~ Therefore, a reactor trip2 will not occur until a second the digital C RIDCS./rpdvc~s ___ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

thedigital ___ _ / protection channel trips. (for Unit(s) with the CRDCS digital upgrade not complete) or CRD power supply (for Unit(s) with the CRDCS digital upgrade complete) inposition To ensure the trip signal is registered in tne otner channels, Hequired Action A.2 requires that the inoperable RTM be removed from the cabinet.

This action causes the electrical interlocks to indicate a tripped channel in the remaining three RTMs. Operation in this condition is allowed indefinitely because the actions put the RPS into a one-out-of-three configuration. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is sufficient time to perform the Required Actions.

B.1. B.2.1, and B.2.2 Condition B applies if two or more RTMs are inoperable or if the Required Action and associated Completion Time of Condition A are not met in MODE 1, 2, or 3. In this case, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 with all CRD trip breakers open or with power from all CRD trip breakers removed within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems.

C. and C.2 Condition C applies if two or more RTMs are inoperable or if the Required Action and associated Completion Time of Condition A are not met in MODE 4 or 5. In this case, the unit must be placed in a MODE in which the LCO does not apply. This is done by opening all CRD trip breakers or removing power from all CRD trip breakers. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to open all CRD trip breakers or remove power from all CRD trip breakers without challenging unit systems.

OCONEE UNITS 1, 2, & 3 B 3.3.3-3 endm t Nos./00, 39, & 3 0 BASES REVISION DATED xx/xx/04

RPS - RTM B 3.3.3 BASES (continued)

SURVEILLANCE SR 3.3.3.1 REQUIREMENTS The SRs include performance of a CHANNEL FUNCTIONAL TEST every 31 days. This test shall verify the OPERABILITY of the RTM and its ability to receive and properly respond to channel trip and reactor trip signals.

The Frequency of 31 days is based on operating experience, which has demonstrated that failure of more than one channel of a given function in any 31 day interval is a rare event.

Testing in accordance with this SR is normally performed on a rotational basis, with one RTM being tested each week. Testing one RTM each week reduces the likelihood of the same systematic test errors being introduced into each redundant RTM.

REFERENCES 1. UFSAR, Chapter 7.

2. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.3-4 I /P'mendrint Nos/3002 &i/00 060, I BASES REVISION DATED xx/xxI04 I

Distribution Systems - Operating B 3.8.8 BASES (continued)

APPLICABLE The initial conditions of accidents and transient analyses in the UFSAR, SAFETY ANALYSES Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume ES systems are OPERABLE. The AC, DC, and AC vital electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ES systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

The OPERABILITY of the AC, DC, and AC vital electrical power distribution systems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining power distribution systems OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC electrical power; and
b. A worst-case single failure.

The distribution systems satisfy Criterion 3 of the 10 CFR 50.36 (Ref. 4).

LCO The AC, DC, and AC vital electrical power distribution systems are required to be OPERABLE. To be considered OPERABLE the AC Distribution System must include two energized main feeder buses capable of being automatically powered by a Keowee Hydro Unit. Each main feeder bus is considered OPERABLE if it is energized and connected to at least two ES power strings. Each of the three ES power strings is required to be energized. The three ES power Strings consist of the following:

1A) SwitchgearTC 1B) Switchgear TD 1C) Switchgear TE 2A) Load Center X8 2B) Load Center X9 2C) Load Center Xl 0 3A) 600V MCC XS1 3B) 600V MCC XS2 3C) 600V MCC XS3 XS4 its & and XS5 (Linis f/l and XS6 ni 1 Rorwhen when 2on when supplying safety supplying safety supplying safety related loads), related loads) related loads) and 1, 2, 3XSF 4A) 208V MCC XS1 4B) 208V MCC XS2 4C) 208V MCC XS3 and 1,2, 3XSF OCONEE UNITS 1, 2, & 3 B 3.8.8-2 BASES REVISION DATED l I2/00

Reactor Building Spray and Cooling Systems B 3.6.5 BASES BACKGROUND Reactor Building Spray System (continued)

The Reactor Building Spray System provides a spray of relatively cold borated water into the upper regions of containment to reduce the containment pressure and temperature and to reduce the concentration of fission products in the containment atmosphere during an accident. In the recirculation mode of operation, heat is removed from the reactor building sump water by the decay heat removal coolers. Each train of the Reactor Building Spray System provides adequate spray coverage to meet the system design requirements for containment heat removal.

The Reactor Building Spray System is actuated automatically by a containment High-High pressure signal. An automatic actuation opens the Reactor Building Spray System pump discharge valves and starts the two Reactor Building Spray System pumps.

Reactor Building Cooling System unit The Reactor Building Cooling System consists of three reactor building cooling trains. Each cooling train is equipped with cooling coils, and an axial vane flow fan driven by a two speed electric motor. l Dusn norma operatio two reactor building cooling trains with two fans Ilow speed or I operating aigh speed, serve to cool the containment atmosphere. Low speed cooling fan operation is availab q auring periods of iower containment heat load. The third unit i on standby. [Fq Uniw 1, 2/and7, upon receipt of an emergency signal, the operating cooling fans running at an high speed will automatically trip, then restart in low speed after a 3 minute any ~dela a5n-Mi idle unit is energized in low speed after a 3 minute delav.

For Units jaf nly, the o ting cooling fa)running at 19Wffspeed

-Avi ititmtin 4r-irnon r?? ont siqnaj:nndi thpn genmry~e srasrin low apgd after ;ad minute elayj The fans are operated at the lower speed during accident conditions to prevent motor overload from the higher density atmosphere. C APPLICABLE The Reactor Building Spray System and Reactor Building Cooling System SAFETY ANALYSES reduce the temperature and pressure following an accident. The limiting accidents considered are the loss of coolant accident (LOCA) and the steam line break. The postulated accidents are analyzed, with regard to containment ES systems, assuming the loss of one ES bus. This is the worst-case single active failure, resulting in one train of the Reactor Building Spray System and one train of the Reactor Building Cooling System being inoperable.

OCNEUIS12 ..- BAE ESa AE /114 OCONEE UNITS 1, 2, & 3 B 3.6.5-2 PAES RE,VISION LATED 0//14/y4] I

Reactor Building Spray and Cooling Systems B 3.6.5 BASES APPLICABLE The analysis and evaluation show that, under the worst-case scenario SAFETY ANALYSES (LOCA with worst-case single active failure), the highest peak containment (continued) pressure is 58.9 psig. The analysis shows that the peak containment temperature is 2850F. Both results are less than the design values. The analyses and evaluations assume a power level of 2619 MWt, one reactor building spray train and two reactor building cooling trains operating, and initial (pre-accident) conditions of 11 0F and 16.2 psia. The analyses also assume a delayed initiation to provide conservative peak calculated containment pressure and temperature responses.

The Reactor Building Spray System total delay time of approximately 100 seconds includes Keowee Hydro Unit startup (for loss of offsite power),

reactor building spray pump startup, and spray line filling (Ref. 2).

Reactor building cooling train performance for post accident conditions is given in Reference 2. The result of the analysis is that any combination of two trains can provide 100% of the required cooling capacity during the post accident condition. The train post accident cooling capacity under varying containment ambient conditions is also shown in Reference 2.

[For Ur 2, the geactoruilding ooling stem totdelay tie of 78 s96 onds inclu es sign Kdelay, tHU sta up (for Is of offsid power), ow pressure se ce watepump tartu ad low rssure servIce water alve strob times.

The F Units 1And 3, eactor Building Cooling System total delay time of 3 minutes includes KHU startup (for loss of offsite power) and allows all ES equipment to start before the Reactor Building Cooling Unit on the associated train is started. This improves voltages at the 600V and 208V levels for starting loads (Ref. 2).

The Reactor Building Spray System and the Reactor Building Cooling System satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).

LCO During an accident, a minimum of two reactor building cooling trains and one reactor building spray train are required to maintain the containment pressure and temperature following a LOCA. Additionally, one reactor building spray train is required to remove iodine from the containment atmosphere and maintain concentrations below those assumed in the safety analysis. To ensure that these requirements are met, two reactor building spray trains and three reactor building cooling trains must be OPERABLE in MODES 1 and 2.

In MODES 3 or 4, one reactor building spray train and two reactor building cooling trains are required to be OPERABLE. The LCO is provided with a note that clarifies this requirement. Therefore, in the event of an accident, the minimum requirements are met, assuming the worst-case single active failure occurs.

BAES RE/SION TED 0/1141/4 j I 1,2, &

OCONEE UNITS 1,2, &33 B 3.6.5-3 B 3.6.5-3 [ B6ES REYfSION !4ATED 0//141^Xy l

Reactor Building Spray and Cooling Systems B 3.6.5 B 3.6 CONTAINMENT SYSTEMS B 3.6.5 Reactor Building Spray and Cooling Systems BASES BACKGROUND The Reactor Building Spray and Reactor Building Cooling systems provide containment atmosphere cooling to limit post accident pressure and temperature in containment to less than the design values. Reduction of containment pressure and the iodine removal capability of the spray reduces the release of fission product radioactivity from containment to the environment, in the event of an accident, to within limits. The Reactor Building Spray and Reactor Building Cooling systems are designed to meet ONS Design Criteria (Ref. 1).

The Reactor Building Cooling System and Reactor Building Spray System are Engineered Safeguards (ES) systems. They are designed to ensure that the heat removal capability required during the post accident period can be attained. The Reactor Building Spray System and Reactor Building Cooling System provide containment heat removal operation. The Reactor Building Spray System and Reactor Building Cooling System provide methods to limit and maintain post accident conditions to less than the containment design values.

Reactor Buildinq Spray System The Reactor Building Spray System consists of two separate trains of equal capacity, each capable of meeting the design basis. Each train includes a reactor building spray pump, spray headers, nozzles, valves, piping and a flow indicator. Each train is powered from a separate ES bus.

The borated water storage tank (BWST) supplies borated water to the Reactor Building Spray System during the injection phase of operation. In the recirculation mode of operation, Reactor Building Spray System pump suction is manually transferred to the reactor building sump.

OCONEE UNITS 1, 2, & 3 B 3.6.5-1 BASES REVISION DATED xx/xx/04 l

Reactor Building Spray and Cooling Systems B 3.6.5 BASES BACKGROUND Reactor Building Spray Sstem (continued)

The Reactor Building Spray System provides a spray of relatively cold borated water into the upper regions of containment to reduce the containment pressure and temperature and to reduce the concentration of fission products in the containment atmosphere during an accident. In the recirculation mode of operation, heat is removed from the reactor building sump water by the decay heat removal coolers. Each train of the Reactor Building Spray System provides adequate spray coverage to meet the system design requirements for containment heat removal.

The Reactor Building Spray System is actuated automatically by a containment High-High pressure signal. An automatic actuation opens the Reactor Building Spray System pump discharge valves and starts the two Reactor Building Spray System pumps.

Reactor Buildinq Cooling System The Reactor Building Cooling System consists of three reactor building cooling trains. Each cooling train is equipped with cooling coils, and an axial vane flow fan driven by a two speed electric motor.

During unit normal operation, typically two reactor building cooling trains with two fans operating at low speed or high speed, serve to cool the containment atmosphere. Low speed cooling fan operation is available during periods of lower containment heat load. The third unit is usually on standby. Upon receipt of an emergency signal, the operating cooling fans running at low speed or high speed will automatically trip, then restart in low speed after a 3 minute delay, and any idle unit is energized in low speed after a 3 minute delay. The fans are operated at the lower speed during accident conditions to prevent motor overload from the higher density atmosphere.

APPLICABLE The Reactor Building Spray System and Reactor Building Cooling System SAFETY ANALYSES reduce the temperature and pressure following an accident. The limiting accidents considered are the loss of coolant accident (LOCA) and the steam line break. The postulated accidents are analyzed, with regard to containment ES systems, assuming the loss of one ES bus. This is the worst-case single active failure, resulting in one train of the Reactor Building Spray System and one train of the Reactor Building Cooling System being inoperable.

OCONEE UNITS 1, 2, & 3 B 3.6.5-2 BASES REVISION DATED xx/xx/04 I

Reactor Building Spray and Cooling Systems B 3.6.5 BASES APPLICABLE The analysis and evaluation show that, under the worst-case scenario SAFETY ANALYSES (LOCA with worst-case single active failure), the highest peak containment (continued) pressure is 58.9 psig. The analysis shows that the peak containment temperature is 285 0F. Both results are less than the design values. The analyses and evaluations assume a power level of 2619 MWt, one reactor building spray train and two reactor building cooling trains operating, and initial (pre-accident) conditions of 11 0F and 16.2 psia. The analyses also assume a delayed initiation to provide conservative peak calculated containment pressure and temperature responses.

The Reactor Building Spray System total delay time of approximately 100 seconds includes Keowee Hydro Unit startup (for loss of offsite power),

reactor building spray pump startup, and spray line filling (Ref. 2).

Reactor building cooling train performance for post accident conditions is given in Reference 2. The result of the analysis is that any combination of two trains can provide 100% of the required cooling capacity during the post accident condition. The train post accident cooling capacity under varying containment ambient conditions is also shown in Reference 2.

The Reactor Building Cooling System total delay time of 3 minutes includes I KHU startup (for loss of offsite power) and allows all ES equipment to start before the Reactor Building Cooling Unit on the associated train is started.

This improves voltages at the 600V and 208V levels for starting loads (Ref. 2).

The Reactor Building Spray System and the Reactor Building Cooling System satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).

LCO During an accident, a minimum of two reactor building cooling trains and one reactor building spray train are required to maintain the containment pressure and temperature following a LOCA. Additionally, one reactor building spray train is required to remove iodine from the containment atmosphere and maintain concentrations below those assumed in the safety analysis. To ensure that these requirements are met, two reactor building spray trains and three reactor building cooling trains must be OPERABLE in MODES 1 and 2.

In MODES 3 or 4, one reactor building spray train and two reactor building cooling trains are required to be OPERABLE. The LCO is provided with a note that clarifies this requirement. Therefore, in the event of an accident, the minimum requirements are met, assuming the worst-case single active failure occurs.

OCONEE UNITS 1, 2, & 3 B 3.6.5-3 BASES REVISION DATED xxlxx/04 l

Reactor Building Spray and Cooling Systems B 3.6.5 BASES LCO Each reactor building spray train shall include a spray pump, spray (continued) headers, nozzles, valves, piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the BWST (via the LPI System) upon an Engineered Safeguards Protective System signal and manually transferring suction to the reactor building sump. The OPERABILITY of RBS train flow instrumentation is not required for OPERABILITY of the corresponding RBS train because system resistance hydraulically maintains adequate NPSH to the RBS pumps and manual throttling of RBS flow is not required. However, TS 3.3.8, Required Action F.1 requires the affected RBS train to be declared inoperable when the RBS flow instrument is inoperable. A license amendment is being processed to eliminate this requirement. During an event, LPI train flow must be monitored and controlled to support the RBS train pumps to ensure that the NPSH requirements for the RBS pumps are not exceeded.

If the flow instrumentation or the capability to control the flow in a LPI train is unavailable then the associated RBS train's OPERABILITY is affected until such time as the LPI train is restored or the associated LPI pump is placed in a secured state to prevent actuation during an event.

Each reactor building cooling train shall include cooling coils, fusible dropout plates or duct openings, an axial vane flow fan, instruments, valves, and controls to ensure an OPERABLE flow path. Valve LPSW-108 shall be locked open to support system OPERABILITY.

APPLICABILITY In MODES 1, 2, 3, and 4, an accident could cause a release of radioactive material to containment and an increase in containment pressure and temperature, requiring the operation of the reactor building spray trains and reactor building cooling trains.

In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.

Thus, the Reactor Building Spray System and the Reactor Building Cooling System are not required to be OPERABLE in MODES 5 and 6.

ACTIONS The Actions are modified by a Note indicating that the provisions of LCO 3.0.4 do not apply for Unit 2 only. As a result, this allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and establishment of risk management actions, if appropriate.

OCONEE UNITS 1, 2, & 3 B 3.6.5-4 BASES REVISION DATED xxlxx/04 l

Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS The risk assessment may use quantitative, qualitative, or blended (continued) approaches, and the risk assessment will be conducted using the plant program, procedures, and criteria in place to implement 10 CFR 50.65(a)(4), which requires that risk impacts of maintenance activities to be assessed and managed. The risk assessment must take into account all inoperable Technical Specifications equipment regardless of whether the equipment is included in the normal 10 CFR 50.65(a)(4) risk assessment scope. The risk assessments will be conducted using the procedures and guidance endorsed by Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." Regulatory Guide 1.1 82 endorses the guidance in Section 11 of NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." These documents address general guidance for conduct of the risk assessment, quantitative and qualitative guidelines for establishing risk management actions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the condition, actions to minimize the magnitude of risk increases (establishment of backup success paths or compensatory measures), and determination that the proposed MODE change is acceptable. Consideration should also be given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would require exiting the Applicability. The risk assessment does not have to be documented.

There is a small subset of systems and components that have been determined (Ref: B&W owners group generic qualitative risk assessments- attachment to TSTF-359, Rev. 9, "B&W owners group Qualitative Risk Assessment for Increased Flexibility in MODE Restraints," Framatome Technologies BAW-2383, October 2001.) to be of higher risk significance for which an LCO 3.0.4 exemption would not be allowed. For Oconee these are the Decay Heat Removal System (DHR) entering MODES, 5 and 4; Keowee Hydro Units entering MODES 1-5; and the emergency feedwater system (EFW) entering MODE 1. The Reactor Spray and Cooling System is not one of the higher risk significant systems noted.

The provisions of this Note should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified Condition in the Applicability.

OCONEE UNITS 1,2, &3 B 3.6.5-5 BASES REVISION DATED xx/xx/04 l

Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS A.1 (continued)

With one reactor building spray train inoperable in MODE 1 or 2, the inoperable reactor building spray train must be restored to OPERABLE status within 7 days. In this Condition, the remaining OPERABLE spray and cooling trains are adequate to perform the iodine removal and containment cooling functions. The 7 day Completion Time takes into account the redundant heat removal capability afforded by the OPERABLE reactor building spray train, reasonable time for repairs, and the low probability of an accident occurring during this period.

The 14 day portion of the Completion Time for Required Action A.1 is based upon engineering judgment. It takes into account the low probability of coincident entry into two Conditions in this LCO coupled with the low probability of an accident occurring during this time. Refer to Section 1.3, Completion Times, for a more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.

B.1 With one of the reactor building cooling trains inoperable in MODE 1 or 2, the inoperable reactor building cooling train must be restored to OPERABLE status within 7 days. The components in this degraded condition provide iodine removal capabilities and are capable of providing at least 100% of the heat removal needs after an accident. The 7 day Completion Time was developed taking into account the redundant heat removal capabilities afforded by combinations of the Reactor Building Spray System and Reactor Building Cooling System and the low probability of an accident occurring during this period.

The 14 day portion of the Completion Time for Required Action B.1 is based upon engineering judgment. It takes into account the low probability of coincident entry into two Conditions in this LCO coupled with the low probability of an accident occurring during this time. Refer to Section 1.3 for a more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.

C.1 With one reactor building spray train and one reactor building cooling train inoperable in MODE 1 or 2, at least one of the inoperable trains must be restored to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. In this Condition, the remaining OPERABLE spray and cooling trains are adequate to provide iodine removal capabilities and are capable of providing at least 100% of the heat removal needs after an accident. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time OCONEE UNITS 1, 2, & 3 B 3.6.5-6 BASES REVISION DATED xx/xxI04 l

Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS C.1 (continued) takes into account the heat removal capability afforded by the remaining OPERABLE spray train and cooling trains, reasonable time for repairs, and the low probability of an accident occurring during this period.

D.1 If the Required Action and associated Completion Time of Condition A, B or C are not met, the unit must be brought to a MODE in which the LCO, as modified by the Note, does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

E.1 With one of the required reactor building cooling trains inoperable in MODE 3 or 4, the required reactor building cooling train must be restored to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is reasonable based on engineering judgement taking into account the iodine and heat removal capabilities of the remaining required train of reactor building spray and cooling.

F.1 With one required reactor building spray train inoperable in MODE 3 or 4, the required reactor building spray train must be restored to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is reasonable based on engineering judgement taking into account the heat removal capabilities of the remaining required trains of reactor building cooling.

G.1 If the Required Actions and associated Completion Times of Condition E or F of this LCO are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit OCONEE UNITS 1, 2, & 3 B 3.6.5-7 BASES REVISION DATED xxlxx104 l

Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS G.1 (continued) conditions from full power conditions in an orderly manner and without challenging unit systems.

H.1 With two reactor building spray trains, two reactor building cooling trains or any combination of three or more reactor building spray and reactor building cooling trains inoperable in MODE 1 or 2, the unit is in a condition outside the accident analysis. Therefore, LCO 3.0.3 must be entered immediately.

With any combination of two or more required reactor building spray and reactor building cooling trains inoperable in MODE 3 or 4, the unit is in a condition outside the accident analysis. Therefore, LCO 3.0.3 must be entered immediately.

SURVEILLANCE SR 3.6.5.1 REQUIREMENTS Verifying the correct alignment for manual and non-automatic power operated valves in the reactor building spray flow path provides assurance that the proper flow paths will exist for Reactor Building Spray System operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these were verified to be in the correct position prior to locking, sealing, or securing. Similarly, this SR does not apply to automatic valves since automatic valves actuate to their required position upon an accident signal. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This SR does not require any testing or valve manipulation. Rather, it involves verification, through a system walkdown, that those valves outside containment and capable of potentially being mispositioned are in the correct position.

SR 3.6.5.2 Operating each required reactor building cooling train fan unit for

> 15 minutes ensures that all trains are OPERABLE and that all associated controls are functioning properly. It also ensures that blockage, fan or motor failure, or excessive vibration can be detected for corrective action.

The 31 day Frequency was developed considering the known reliability of the fan units and controls, the three train redundancy available, and the low OCONEE UNITS 1, 2, & 3 B 3.6.5-8 BASES REVISION DATED xx/xxf04 l

Reactor Building Spray and Cooling Systems B 3.6.5 BASES SURVEILLANCE SR 3.6.5.2 (continued)

REQUIREMENTS probability of a significant degradation of the reactor building cooling trains occurring between surveillances and has been shown to be acceptable through operating experience.

SR 3.6.5.3 Verifying that each required Reactor Building Spray pump's developed.

head at the flow test point is greater than or equal to the required developed head ensures that spray pump performance has not degraded during the cycle. Flow and differential pressure are normal tests of centrifugal pump performance required by Section Xl of the ASME Code (Ref. 4). Since the Reactor Building Spray System pumps cannot be tested with flow through the spray headers, they are tested on recirculation flow. This test confirms one point on the pump design curve and is indicative of overall performance. Such inservice tests confirm component OPERABILITY, trend performance, and may detect incipient failures by indicating abnormal performance. The Frequency of this SR is in accordance with the Inservice Testing Program.

SR 3.6.5.4 Verifying the containment heat removal capability provides assurance that the containment heat removal systems are capable of maintaining containment temperature below design limits following an accident. This test verifies the heat removal capability of the Low Pressure Injection (LPI)

Coolers and Reactor Building Cooling Units. The 18 month Frequency was developed considering the known reliability of the low pressure service water, reactor building spray and reactor building cooling systems and other testing performed at shorter intervals that is intended to identify the possible loss of heat removal capability.

SR 3.6.5.5 and SR 3.6.5.6 These SRs require verification that each automatic reactor building spray valve actuates to its correct position and that each reactor building spray pump starts upon receipt of an actual or simulated actuation signal. The test will be considered satisfactory if visual observation and control board indication verifies that all components have responded to the actuation signal properly; the appropriate pump breakers have closed, and all valves have completed their travel. This SR is not required for valves that are OCONEE UNITS 1, 2, & 3 B 3.6.5-9 BASES REVISION DATED xx/xxI04 l

Reactor Building Spray and Cooling Systems B 3.6.5 BASES SURVEILLANCE SR 3.6.5.5 and SR 3.6.5.6 (continued)

REQUIREMENTS locked, sealed, or otherwise secured in position under administrative controls. The 18 month Frequency is based on the need to perform these Surveillances under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillances were performed with the reactor at power. Operating experience has shown that these components usually pass the Surveillances when performed at the 18 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

SR 3.6.5.7 This SR requires verification that each required reactor building cooling train actuates upon receipt of an actual or simulated actuation signal. The test will be considered satisfactory if control board indication verifies that all components have responded to the actuation signal properly, the appropriate valves have completed their travel, and fans are running at half speed. The 18 month Frequency is based on engineering judgment and has been shown to be acceptable through operating experience. See SR 3.6.5.5 and SR 3.6.5.6, above, for further discussion of the basis for the 18 month Frequency.

SR 3.6.5.8 With the reactor building spray header isolated and drained of any solution, station compressed air is introduced into the spray headers to verify the availability of the headers and spray nozzles. Performance of this Surveillance demonstrates that each spray nozzle is unobstructed and provides assurance that spray coverage of the containment during an accident is not degraded. Due to the passive nature of the design of the nozzles, a test at 10 year intervals is considered adequate to detect obstruction of the spray nozzles.

REFERENCES 1. UFSAR, Section 3.1.

2. UFSAR, Section 6.2.
3. 10 CFR 50.36.
4. ASME, Boiler and Pressure Vessel Code,Section XI.

OCONEE UNITS 1, 2, & 3 B 3.6.5-1 0 BASES REVISION DATED xx/xx/04 l