ML050550470
| ML050550470 | |
| Person / Time | |
|---|---|
| Site: | Oconee |
| Issue date: | 02/14/2005 |
| From: | Rosalyn Jones Duke Energy Corp, Duke Power Co |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
Duke Power, A Duke Energy Company
Ron A. Jones, Vice President, Oconee Nuclear Site
Duke Power, ONOI VP / 7800 Rochester Highway, Seneca, SC 29672
864 885 3158, 864 885 3564 fax

February 14, 2005

U. S. Nuclear Regulatory Commission
Washington, D. C. 20555
Attention: Document Control Desk
Subject: Oconee Nuclear Station, Docket Numbers 50-269, 270, and 287. License Amendment Request for Reactor Protective System/Engineered Safeguards Protective System Digital Upgrade, Technical Specification Change (TSC) Number 2004-09

Pursuant to Title 10, Code of Federal Regulations, Part 50, Section 90 (10 CFR 50.90), Duke Energy Corporation (Duke) proposes to amend Appendix A, Technical Specifications, for Facility Operating Licenses DPR-38, DPR-47 and DPR-55 for Oconee Nuclear Station (ONS), Units 1, 2, and 3. Duke plans to replace the current analog based Reactor Protective System (RPS) and Engineered Safeguards Protective System (ESPS) with a digital computer based RPS and ESPS, the Framatome Advanced Nuclear Power (FANP) TELEPERM XS (TXS) System.
This modification requires a Technical Specification (TS) change.
As such, Duke requests NRC to review and approve the modification and the associated TS change.
As part of the justification for this planned digital upgrade, Duke submitted a defense-in-depth and diversity (D-in-D&D) assessment in accordance with Standard Review Plan (SRP) Chapter 7, Appendix 7-A, Branch Technical Position (BTP) HICB-19 by letter dated March 20, 2003.
The TELEPERM XS system, as described in Siemens (FANP) Topical Report EMF-2110 (NP), Revision 1, "TXS: A Digital Reactor Protection System" (Reference 2), will replace the present ONS RPS as described in ONS UFSAR Chapter 7.
In addition, the TXS platform will replace the ESPS as described in ONS UFSAR Chapter 7.
The data acquisition process, the signal validation, and the protection logic for these systems will now be performed by TXS.
By letter dated May 5, 2000, the NRC issued a safety evaluation report (SER) which found the TELEPERM XS System as described in Topical Report EMF-2110(NP), Revision 1, "TELEPERM XS: A Digital Reactor Protection System," acceptable for referencing in license applications to the extent specified in the topical report and NRC SER.
Installation prerequisites listed in Section 5.0 of the NRC SER have been met except as noted. A detailed description of the RPS/ESPS modification, including responses for the Plant-Specific Action Items of the SER, and the associated TS change is provided in Attachment 3.
The proposed TS revision will revise TS and TS Bases Sections 3.3.1, 3.3.3, 3.3.5, and 3.3.7.
The proposed change revises TS 3.3.3, 3.3.5, and 3.3.7 to accommodate the new design.
The change also requests the NRC to approve surveillance interval extensions based on TXS reliability.
The revised TS pages are included in Attachment 1. contains a markup of the current TS pages. contains the Technical Justification for the License Amendment Request. Attachments 4 and 5 contain the No Significant Hazards Consideration Evaluation and the Environmental Impact Analysis, respectively.
The Oconee Updated Final Safety Analysis Report has been reviewed.
Various sections will require revision due to the RPS/ESPS modification.
These revisions will be submitted per 10CFR50.71(e).
The proposed change has been reviewed and approved by the Plant Operations Review Committee and Nuclear Safety Review Board.
Implementation of these changes will not result in an undue risk to the health and safety of the public.
Pursuant to 10 CFR 50.91, a copy of this proposed amendment is being sent to the South Carolina Department of Health and Environmental Control for review and, as deemed necessary and appropriate, subsequent consultation with the NRC staff.
Duke plans to implement the RPS/ESPS digital upgrade in the fall 2006 refueling outage for Oconee Unit 1 with the other two Units to follow in the fall 2007 and 2008 outages.
Therefore, Duke requests NRC to review and approve the modification and the associated TS change by March 31, 2006.
If there are any questions regarding this submittal, please contact Boyd Shingleton at (864) 885-4716.
Very truly yours,
R. A. Jones, Vice President
Oconee Nuclear Site
cc:
Mr. L. N. Olshan, Project Manager, Office of Nuclear Reactor Regulation, U. S. Nuclear Regulatory Commission, Mail Stop 0-14 H25, Washington, D. C. 20555
Dr. W. D. Travers, Regional Administrator, U. S. Nuclear Regulatory Commission - Region II, Atlanta Federal Center, 61 Forsyth St., SW, Suite 23T85, Atlanta, Georgia 30303
Mr. M. C. Shannon, Senior Resident Inspector, Oconee Nuclear Station
Mr. Henry Porter, Director, Division of Radioactive Waste Management, Bureau of Land and Waste Management, Department of Health & Environmental Control, 2600 Bull Street, Columbia, SC 29201
R. A. Jones, being duly sworn, states that he is Vice President, Oconee Nuclear Site, Duke Energy Corporation, that he is authorized on the part of said Company to sign and file with the U. S. Nuclear Regulatory Commission this revision to the Renewed Facility Operating License Nos. DPR-38, DPR-47, DPR-55; and that all the statements and matters set forth herein are true and correct to the best of his knowledge.

[Signature block, notary acknowledgment and commission expiry date: handwritten, not legible in the extracted text.]
bcc: w/attachments
Robert E. Hall
James T. Fuller
Robert W. Cornett
Douglas J. Repko
Barbara M. Thomas
Drew F Rohrer
B. Graham Davenport
T. P. Gillespie
Robert L. Medlin
Lisa F. Vaughn
Paul M. Stovall
David B. Coyle
Regis T. Repko
Robert L. Gill - NAID
Lee A Keller - CNS
Charles J. Thomas - MNS
Gregg B. Swindlehurst
NSRB, EC05N
ELL, ECO50
File - T.S. Working
BWOG Tech Spec Committee (5)
ONS Document Management
Reene' V. Gambrell
February 14, 2005

ATTACHMENT 1

TECHNICAL SPECIFICATION

| Remove Page | Insert Page |
|---|---|
| TS TOC i | TS TOC i |
| 1.1-2 | 1.1-2 |
| 1.1-3 | 1.1-3 |
| 1.1-4 | 1.1-4 |
| 1.1-5 | 1.1-5 |
| 3.3.1-2 | 3.3.1-2 |
| 3.3.1-3 | 3.3.1-3 |
| 3.3.3-1 | 3.3.3-1 |
| 3.3.3-2 | 3.3.3-2 |
| 3.3.5-1 | 3.3.5-1 |
| 3.3.5-2 | 3.3.5-2 |
| 3.3.5-3 | 3.3.5-3 |
| | 3.3.5-4 |
| 3.3.7-1 | 3.3.7-1 |
| 3.3.7-2 | 3.3.7-2 |

TECHNICAL SPECIFICATION BASES

| Remove Page | Insert Page |
|---|---|
| TS Bases, Vol 1 TOC i | TS Bases, Vol 1 TOC i |
| B 3.3.1-1 thru B 3.3.1-25 | B 3.3.1 thru B 3.3.1-28 |
| B 3.3.3-1 thru B 3.3.3-4 | B 3.3.3-1 thru B 3.3.3-4 |
| B 3.3.5-1 thru B 3.3.5-12 | B 3.3.5-1 thru B 3.3.5-15 |
| B 3.3.6-1 thru B 3.3.6-3 | B 3.3.6-1 thru B 3.3.6-4 |
| B 3.3.7-1 thru B 3.3.7-4 | B 3.3.7-1 thru B 3.3.7-5 |
TABLE OF CONTENTS

| Section | Page |
|---|---|
| 1.0 USE AND APPLICATION | 1.1-1 |
| 1.1 Definitions | 1.1-1 |
| 1.2 Logical Connectors | 1.2-1 |
| 1.3 Completion Times | 1.3-1 |
| 1.4 Frequency | 1.4-1 |
| 2.0 SAFETY LIMITS (SLs) | 2.0-1 |
| 2.1 SLs | 2.0-1 |
| 2.2 SL Violations | 2.0-1 |
| 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY | 3.0-1 |
| 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY | 3.0-4 |
| 3.1 REACTIVITY CONTROL SYSTEMS | 3.1.1-1 |
| 3.1.1 SHUTDOWN MARGIN (SDM) | 3.1.1-1 |
| 3.1.2 Reactivity Balance | 3.1.2-1 |
| 3.1.3 Moderator Temperature Coefficient (MTC) | 3.1.3-1 |
| 3.1.4 CONTROL ROD Group Alignment Limits | 3.1.4-1 |
| 3.1.5 Safety Rod Position Limits | 3.1.5-1 |
| 3.1.6 AXIAL POWER SHAPING ROD (APSR) Alignment Limits | 3.1.6-1 |
| 3.1.7 Position Indicator Channels | 3.1.7-1 |
| 3.1.8 PHYSICS TESTS Exceptions - MODE 2 | 3.1.8-1 |
| 3.2 POWER DISTRIBUTION LIMITS | 3.2.1-1 |
| 3.2.1 Regulating Rod Position Limits | 3.2.1-1 |
| 3.2.2 AXIAL POWER IMBALANCE Operating Limits | 3.2.2-1 |
| 3.2.3 QUADRANT POWER TILT (QPT) | 3.2.3-1 |
| 3.3 INSTRUMENTATION | 3.3.1-1 |
| 3.3.1 Reactor Protective System (RPS) Instrumentation | 3.3.1-1 |
| 3.3.2 Reactor Protective System (RPS) Manual Reactor Trip | 3.3.2-1 |
| 3.3.3 Reactor Protective System (RPS) - Reactor Trip Component (RTC) | 3.3.3-1 |
| 3.3.4 Control Rod Drive (CRD) Trip Devices | 3.3.4-1 |
| 3.3.5 Engineered Safeguards Protective System (ESPS) Input Instrumentation | 3.3.5-1 |
| 3.3.6 Engineered Safeguards Protective System (ESPS) Manual Initiation | 3.3.6-1 |
| 3.3.7 Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels | 3.3.7-1 |

OCONEE UNITS 1, 2, & 3 i Amendment Nos.
1.1 Definitions

CHANNEL CALIBRATION (continued)
The CHANNEL CALIBRATION may be performed by means of any series of sequential, overlapping, or total channel steps so that the entire channel is calibrated.

CHANNEL CHECK
A CHANNEL CHECK shall be the qualitative assessment, by observation, of channel behavior during operation. This determination shall include, where possible, comparison of the channel indication and status to other indications or status derived from independent instrument channels measuring the same parameter.

CHANNEL FUNCTIONAL TEST
A CHANNEL FUNCTIONAL TEST shall be:
- a. Analog and bistable channels - the injection of a simulated or actual signal into the channel as close to the sensor as practicable to verify OPERABILITY of all devices in the channel required for channel OPERABILITY,
- b. Digital computer channels - the use of diagnostic programs to test digital computer hardware and the injection of simulated process data into the channel to verify channel OPERABILITY.

The CHANNEL FUNCTIONAL TEST may be performed by means of any series of sequential, overlapping, or total channel steps so that the entire channel is tested.

CONTROL RODS
CONTROL RODS shall be all full length safety and regulating rods that are used to shut down the reactor and control power level during maneuvering operations.

CORE ALTERATION
CORE ALTERATION shall be the movement of any fuel, sources, or reactivity control components, within the reactor vessel with the vessel head removed and fuel in the vessel. Suspension of CORE ALTERATIONS shall not preclude completion of movement of a component to a safe position.

CORE OPERATING LIMITS REPORT (COLR)
The COLR is the unit specific document that provides cycle specific parameter limits for the current reload cycle. These cycle specific limits shall be determined for each reload cycle in accordance with Specification 5.6.5. Plant operation within these limits is addressed in individual Specifications.
OCONEE UNITS 1, 2, & 3 1.1 -2 Amendment Nos.
1.1 Definitions (continued)

DOSE EQUIVALENT I-131
DOSE EQUIVALENT I-131 shall be that concentration of I-131 (microcuries/gram) that alone would produce the same thyroid dose as the quantity and isotopic mixture of I-131, I-132, I-133, I-134, and I-135 actually present. The thyroid dose conversion factors used for this calculation shall be those listed in Table III of TID-14844, AEC, 1962, "Calculation of Distance Factors for Power and Test Reactor Sites."

Ē - AVERAGE DISINTEGRATION ENERGY
Ē shall be the average (weighted in proportion to the concentration of each radionuclide in the reactor coolant at the time of sampling) of the sum of the average beta and gamma energies per disintegration (in MeV) for isotopes, other than iodines, with half lives > 30 minutes, making up at least 95% of the total noniodine activity in the coolant.

LEAKAGE
LEAKAGE shall be:
- a. Identified LEAKAGE
  - 1. LEAKAGE, such as that from pump seals or valve packing (except RCP seal water injection or leakoff), that is captured and conducted to collection systems or a sump or collecting tank;
  - 2. LEAKAGE into the containment atmosphere from sources that are both specifically located and known either not to interfere with the operation of leakage detection systems or not to be pressure boundary LEAKAGE; or
  - 3. Reactor Coolant System (RCS) LEAKAGE through a steam generator (SG) to the Secondary System;
- b. Unidentified LEAKAGE
  All LEAKAGE (except RCP seal water injection or leakoff) that is not identified LEAKAGE.
OCONEE UNITS 1, 2, & 3 1.1 -3 Amendment Nos.
1.1 Definitions

LEAKAGE (continued)
- c. Pressure Boundary LEAKAGE
  LEAKAGE (except SG LEAKAGE) through a nonisolable fault in an RCS component body, pipe wall, or vessel wall.

MODE
A MODE shall correspond to any one inclusive combination of core reactivity condition, power level, average reactor coolant temperature, and reactor vessel head closure bolt tensioning specified in Table 1.1-1 with fuel in the reactor vessel.

OPERABLE - OPERABILITY
A system, subsystem, train, component, or device shall be OPERABLE or have OPERABILITY when it is capable of performing its specified safety function(s) and when all necessary attendant instrumentation, controls, normal or emergency electrical power, cooling and seal water, lubrication, and other auxiliary equipment that are required for the system, subsystem, train, component, or device to perform its specified safety function(s) are also capable of performing their related support function(s).

PHYSICS TESTS
PHYSICS TESTS shall be those tests performed to measure the fundamental nuclear characteristics of the reactor core and related instrumentation. These tests are:
- a. Described in the UFSAR;
- b. Authorized under the provisions of 10 CFR 50.59; or
- c. Otherwise approved by the Nuclear Regulatory Commission.

QUADRANT POWER TILT (QPT)
QPT shall be defined by the following equation and is expressed as a percentage.

QPT = 100 × (Power in any Core Quadrant / Average Power of all Quadrants − 1)

RATED THERMAL POWER (RTP)
RTP shall be a total reactor core heat transfer rate to the reactor coolant of 2568 MWt.
OCONEE UNITS 1, 2, & 3 1.1-4 Amendment Nos.
1.1 Definitions (continued)

SDM shall be the instantaneous amount of reactivity by which the reactor is subcritical or would be subcritical from its present condition assuming:
- a. All full length CONTROL RODS (safety and regulating) are fully inserted except for the single CONTROL ROD of highest reactivity worth, which is assumed to be fully withdrawn. With any CONTROL ROD not capable of being fully inserted, the reactivity worth of these CONTROL RODS must be accounted for in the determination of SDM;
- b. In MODES 1 and 2, the fuel and moderator temperatures are changed to the nominal zero power design level; and
- c. There is no change in APSR position.

STAGGERED TEST BASIS
A STAGGERED TEST BASIS shall consist of the testing of one of the systems, subsystems, channels, or other designated components during the interval specified by the Surveillance Frequency, so that all systems, subsystems, channels, or other designated components are tested during n Surveillance Frequency intervals, where n is the total number of systems, subsystems, channels, or other designated components in the associated function.

THERMAL POWER
THERMAL POWER shall be the total reactor core heat transfer rate to the reactor coolant.
OCONEE UNITS 1, 2, & 3 1.1 -5 Amendment Nos.
RPS Instrumentation 3.3.1

ACTIONS (continued)

| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| D. As required by Required Action B.1 and referenced in Table 3.3.1-1. | D.1 Open all CRD trip breakers. | 6 hours |
| E. As required by Required Action B.1 and referenced in Table 3.3.1-1. | E.1 Reduce THERMAL POWER < 30% RTP. | 6 hours |
| F. As required by Required Action B.1 and referenced in Table 3.3.1-1. | F.1 Reduce THERMAL POWER < 2% RTP. | 12 hours |

SURVEILLANCE REQUIREMENTS

NOTE: Refer to Table 3.3.1-1 to determine which SRs apply to each RPS Function.

| SURVEILLANCE | FREQUENCY |
|---|---|
| SR 3.3.1.1 NOTE: Not applicable to Unit(s) with RPS digital upgrade complete. Perform CHANNEL CHECK. | 12 hours |

(continued)
OCONEE UNITS 1, 2, & 3 3.3.1 -2 Amendment Nos.
RPS Instrumentation 3.3.1

SURVEILLANCE REQUIREMENTS (continued)

| SURVEILLANCE | FREQUENCY |
|---|---|
| SR 3.3.1.2 NOTE: Not required to be performed until 24 hours after THERMAL POWER is ≥ 15% RTP. Compare results of calorimetric heat balance calculation to the power range channel output and adjust power range channel output if calorimetric exceeds power range channel output by ≥ 2% RTP. | 24 hours |
| SR 3.3.1.3 NOTE: Not required to be performed until 24 hours after THERMAL POWER is ≥ 15% RTP. Compare out of core measured AXIAL POWER IMBALANCE (API_O) to incore measured AXIAL POWER IMBALANCE (API_I) as follows: (RTP/TP)(API_O − (CS × API_I)) = imbalance error, where CS is CORRELATION SLOPE. Adjust power range channel output if the absolute value of imbalance error is ≥ 2% RTP. | 31 days |
| SR 3.3.1.4 NOTE: Not applicable to Unit(s) with RPS digital upgrade complete. Perform CHANNEL FUNCTIONAL TEST. | 45 days on a STAGGERED TEST BASIS |

(continued)
OCONEE UNITS 1, 2, & 3 3.3.1-3 Amendment Nos.
RPS - RTC 3.3.3

3.3 INSTRUMENTATION

3.3.3 Reactor Protective System (RPS) - Reactor Trip Component (RTC)

LCO 3.3.3

APPLICABILITY: MODES 1 and 2, MODES 3, 4, and 5 with any control rod drive (CRD) trip breaker in the closed position and the CRD System capable of rod withdrawal.

ACTIONS

| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| A. One RTC inoperable. | A.1.1 Trip the associated CRD trip breaker. | 1 hour |
| | OR | |
| | A.1.2 Remove power from the associated CRD trip breaker. | 1 hour |
| | AND | |
| | A.2 Physically remove the inoperable RTC. | 1 hour |

(continued)
OCONEE UNITS 1, 2, & 3 3.3.3-1 Amendment Nos.
RPS - RTC 3.3.3

ACTIONS (continued)

| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| B. Two or more RTCs inoperable in MODE 1, 2, or 3. OR Required Action and associated Completion Time not met in MODE 1, 2, or 3. | B.1 Be in MODE 3. | 12 hours |
| | AND | |
| | B.2.1 Open all CRD trip breakers. | 12 hours |
| | OR | |
| | B.2.2 Remove power from all CRD trip breakers. | 12 hours |
| C. Two or more RTCs inoperable in MODE 4 or 5. OR Required Action and associated Completion Time not met in MODE 4 or 5. | C.1 Open all CRD trip breakers. | 6 hours |
| | OR | |
| | C.2 Remove power from all CRD trip breakers. | 6 hours |

SURVEILLANCE REQUIREMENTS

| SURVEILLANCE | FREQUENCY |
|---|---|
| SR 3.3.3.1 Perform CHANNEL FUNCTIONAL TEST. | 31 days for Unit(s) with the RPS digital upgrade not complete AND 18 months for Unit(s) with the RPS digital upgrade complete |
OCONEE UNITS 1, 2, & 3 3.3.3-2 Amendment Nos.
ESPS Input Instrumentation 3.3.5

3.3 INSTRUMENTATION

3.3.5 Engineered Safeguards Protective System (ESPS) Input Instrumentation

LCO 3.3.5: Three channels of ESPS input instrumentation for each Parameter in Table 3.3.5-1 shall be OPERABLE.

APPLICABILITY: According to Table 3.3.5-1.

ACTIONS

NOTE: Separate Condition entry is allowed for each Parameter.

| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| A. One or more Parameters with one channel inoperable. | A.1 Place channel in trip. | 1 hour |
| B. One or more Parameters with two or more channels inoperable. OR Required Action and associated Completion Time not met. | B.1 Be in MODE 3. | 12 hours |
| | AND | |
| | B.2.1 NOTE: Only required for RCS Pressure - Low. Reduce RCS pressure < 1750 psig. | 36 hours |
| | AND | |

(continued)
OCONEE UNITS 1, 2, & 3 3.3.5-1 Amendment Nos.
ESPS Input Instrumentation 3.3.5

ACTIONS (continued)

| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| B. (continued) | B.2.2 NOTE: Only required for RCS Pressure - Low Low. Reduce RCS pressure < 900 psig. | 36 hours |
| | AND | |
| | B.2.3 NOTE: Only required for Reactor Building Pressure - High and High High. Be in MODE 5. | 36 hours |

SURVEILLANCE REQUIREMENTS

| SURVEILLANCE | FREQUENCY |
|---|---|
| SR 3.3.5.1 NOTE: Not applicable to Unit(s) with ESPS digital upgrade complete. Perform CHANNEL CHECK. | 12 hours |
| SR 3.3.5.2 NOTE: Not applicable to Unit(s) with ESPS digital upgrade complete. Perform CHANNEL FUNCTIONAL TEST. | 92 days |

(continued)
OCONEE UNITS 1, 2, & 3 3.3.5-2 Amendment Nos.
ESPS Input Instrumentation 3.3.5

SURVEILLANCE REQUIREMENTS (continued)

| SURVEILLANCE | FREQUENCY |
|---|---|
| SR 3.3.5.3 Perform CHANNEL CALIBRATION. | 18 months |

OCONEE UNITS 1, 2, & 3 3.3.5-3 Amendment Nos.
ESPS Input Instrumentation 3.3.5

Table 3.3.5-1 (page 1 of 1)
Engineered Safeguards Protective System Input Instrumentation

| PARAMETER | APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS | ALLOWABLE VALUE |
|---|---|---|
| 1. Reactor Coolant System Pressure - Low | ≥ 1750 psig | ≥ 1590 psig |
| 2. Reactor Coolant System Pressure - Low Low | ≥ 900 psig | > 500 psig |
| 3. Reactor Building (RB) Pressure - High | 1,2,3,4 | < 4 psig |
| 4. Reactor Building Pressure - High High | 1,2,3,4 | ≤ 15 psig |

OCONEE UNITS 1, 2, & 3 3.3.5-4 Amendment Nos.
ESPS Automatic Actuation Output Logic Channels 3.3.7

3.3 INSTRUMENTATION

3.3.7 Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels

LCO 3.3.7: Eight ESPS Automatic Actuation Output Logic Channels shall be OPERABLE.

APPLICABILITY: MODES 1 and 2, MODES 3 and 4 when associated engineered safeguard (ES) equipment is required to be OPERABLE.

ACTIONS

NOTE: Separate Condition entry is allowed for each automatic actuation logic channel.

| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| A. One or more automatic actuation output logic channels inoperable. | A.1 Place associated component(s) in ES configuration. | 1 hour |
| | OR | |
| | A.2 Declare the associated component(s) inoperable. | 1 hour |

OCONEE UNITS 1, 2, & 3 3.3.7-1 Amendment Nos.
ESPS Automatic Actuation Output Logic Channels 3.3.7

SURVEILLANCE REQUIREMENTS

| SURVEILLANCE | FREQUENCY |
|---|---|
| SR 3.3.7.1 Perform automatic actuation output logic CHANNEL FUNCTIONAL TEST. | 31 days for Unit(s) with the ESPS digital upgrade not complete AND 18 months for Unit(s) with the ESPS digital upgrade complete |

OCONEE UNITS 1, 2, & 3 3.3.7-2 Amendment Nos.
TABLE OF CONTENTS

| Section | Page |
|---|---|
| B 2.0 SAFETY LIMITS (SLs) | B 2.1.1-1 |
| B 2.1.1 Reactor Core SLs | B 2.1.1-1 |
| B 2.1.2 Reactor Coolant System (RCS) Pressure SL | B 2.1.2-1 |
| B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY | B 3.0-1 |
| B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY | B 3.0-12 |
| B 3.1 REACTIVITY CONTROL SYSTEMS | B 3.1.1-1 |
| B 3.1.1 SHUTDOWN MARGIN (SDM) | B 3.1.1-1 |
| B 3.1.2 Reactivity Balance | B 3.1.2-1 |
| B 3.1.3 Moderator Temperature Coefficient (MTC) | B 3.1.3-1 |
| B 3.1.4 CONTROL ROD Group Alignment Limits | B 3.1.4-1 |
| B 3.1.5 Safety Rod Position Limits | B 3.1.5-1 |
| B 3.1.6 AXIAL POWER SHAPING ROD (APSR) Alignment Limits | B 3.1.6-1 |
| B 3.1.7 Position Indicator Channels | B 3.1.7-1 |
| B 3.1.8 PHYSICS TESTS Exceptions - MODE 2 | B 3.1.8-1 |
| B 3.2 POWER DISTRIBUTION LIMITS | B 3.2.1-1 |
| B 3.2.1 Regulating Rod Position Limits | B 3.2.1-1 |
| B 3.2.2 AXIAL POWER IMBALANCE Operating Limits | B 3.2.2-1 |
| B 3.2.3 QUADRANT POWER TILT (QPT) | B 3.2.3-1 |
| B 3.3 INSTRUMENTATION | B 3.3.1-1 |
| B 3.3.1 Reactor Protective System (RPS) Instrumentation | B 3.3.1-1 |
| B 3.3.2 Reactor Protective System (RPS) Manual Reactor Trip | B 3.3.2-1 |
| B 3.3.3 Reactor Protective System (RPS) - Reactor Trip Component (RTC) | B 3.3.3-1 |
| B 3.3.4 Control Rod Drive (CRD) Trip Devices | B 3.3.4-1 |
| B 3.3.5 Engineered Safeguards Protective System (ESPS) Input Instrumentation | B 3.3.5-1 |
| B 3.3.6 Engineered Safeguards Protective System (ESPS) Manual Initiation | B 3.3.6-1 |
| B 3.3.7 Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels | B 3.3.7-1 |
| B 3.3.8 Post Accident Monitoring (PAM) Instrumentation | B 3.3.8-1 |
| B 3.3.9 Source Range Neutron Flux | B 3.3.9-1 |
| B 3.3.10 Wide Range Neutron Flux | B 3.3.10-1 |
| B 3.3.11 Automatic Feedwater Isolation System (AFIS) Instrumentation | B 3.3.11-1 |
| B 3.3.12 Automatic Feedwater Isolation System (AFIS) Manual Initiation | B 3.3.12-1 |

OCONEE UNITS 1, 2, & 3 i Amendment
RPS Instrumentation B 3.3.1

B 3.3 INSTRUMENTATION

B 3.3.1 Reactor Protective System (RPS) Instrumentation

BASES

BACKGROUND

The RPS initiates a reactor trip to protect against violating the core fuel design limits and the Reactor Coolant System (RCS) pressure boundary during anticipated transients. By tripping the reactor, the RPS also assists the Engineered Safeguards (ES) Systems in mitigating accidents.
The protective and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as the LCOs on other reactor system parameters and equipment performance.
The LSSS, defined in this Specification as the Allowable Value, in conjunction with the LCOs, establishes the threshold for protective system action to prevent exceeding acceptable limits during accidents or transients.
During anticipated transients, which are those events expected to occur one or more times during the unit's life, the acceptable limit is:
- a. The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value;
- b. Fuel centerline melt shall not occur; and
- c. The RCS pressure SL of 2750 psia shall not be exceeded.
Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 20 and 10 CFR 100 criteria during anticipated transients.
Accidents are events that are analyzed even though they are not expected to occur during the unit's life. The acceptable limit during accidents is that the offsite dose shall be maintained within reference 10 CFR 100 limits.
Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.
OCONEE UNITS 1, 2, & 3 B 3.3.1-1 Amendment Nos.
RPS Overview
The RPS consists of four separate redundant protective channels that receive inputs of neutron flux, RCS pressure, RCS flow, RCS temperature, RCS pump status, reactor building (RB) pressure, main feedwater (MFW) pump turbines status, and turbine status.
Figures 7.1, 7.1.a, 7.1.b, and 7.1.c of UFSAR, Chapter 7 (Ref. 1), show the arrangement of a typical RPS protective channel. A protective channel is composed of measurement channels, a manual trip channel, a reactor trip component (RTC), and control rod drive (CRD) trip devices. LCO 3.3.1 provides requirements for the individual measurement channels. These channels encompass all equipment and electronics from the point at which the measured parameter is sensed through the bistable relay contacts (or processor output trip signals for Unit(s) with the RPS digital upgrade complete) in the trip string. LCO 3.3.2, "Reactor Protective System (RPS) Manual Reactor Trip," LCO 3.3.3, "Reactor Protective System (RPS) - Reactor Trip Component (RTC)," and LCO 3.3.4, "Control Rod Drive (CRD) Trip Devices," discuss the remaining RPS elements.
The RPS instrumentation measures critical unit parameters and compares these to predetermined setpoints. If the setpoint is exceeded, a channel trip signal is generated. The generation of any two trip signals in any of the four RPS channels will result in the trip of the reactor.
For Unit(s) with the Control Rod Drive Control System (CRDCS) digital upgrade not complete, the Reactor Trip System (RTS) contains multiple CRD trip devices; two AC trip breakers, two DC trip breaker pairs, and eight electronic trip assembly (ETA) relays. The system has two separate paths (or channels), with each path having one AC breaker in series with a pair of DC breakers and functionally in series with four ETA relays in parallel.
Each path provides independent power to the CRDs. Either path can provide sufficient power to operate all CRDs. Two separate power paths to the CRDs ensure that a single failure that opens one path will not cause an unwanted reactor trip.
For Unit(s) with the CRDCS digital upgrade complete, the RTS consists of four AC Trip Breakers arranged in two parallel combinations of two breakers each. Each path provides independent power to the CRD motors. Either path can provide sufficient power to operate all CRDs. Two separate power paths to the CRDs ensure that a single failure that opens one path will not cause an unwanted reactor trip.
OCONEE UNITS 1, 2, & 3 B 3.3.1-2 Amendment Nos.
RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued)
For Unit(s) with the RPS digital upgrade complete, the RPS consists of four independent protective channels (A, B, C, and D). Each RPS protective channel contains the sensor input modules, a protective channel set (computer), four hardwired (normally energized) reactor trip relays (RTRs) (A, B, C, and D) and their associated (normally closed) 120VAC contacts.
Protective channel set A provides input signals to the channel A RTR and also sends this signal to the A RTR in channel sets B, C, and D. Likewise, channel set B provides input signals to the B RTR in channel sets A, C, and D. Channel sets C and D provide input signals to the respective RTR in each of the respective channel sets. Each RTR (A, B, C, and D) in each RPS channel set A, B, C, and D maintains two normally closed 120VAC contacts. One contact from each RTR is configured in two separate redundant output trip actuation logic schemes. Each output trip actuation logic scheme contains a contact from each of the four RTRs in the four channel sets. This configuration results in a 2-out-of-4 coincidence reactor trip logic. If any channel protective set initiates a trip signal, the respective four RTRs (one in each of the four channel sets) de-energize and open the respective contacts. The outputs from the RTR contacts provide the trip signal to the Control Rod Drive (CRD) trip devices.
For Unit(s) with the RPS digital upgrade complete, three of the four RPS protective channel set computers (A, B, and C) also perform a redundant Engineered Safeguards Protective System (ESPS) logic function.
Therefore, three of the four RPS protective channel sets calculate both RPS and ESPS functions, and the fourth RPS channel D calculates only RPS functions. See Technical Specification section B 3.3.5 for additional discussion of the ESPS protective channels and the duplicated ESPS functions performed by the RPS protective channels.
For Unit(s) with the RPS digital upgrade not complete, the RPS consists of four independent protective channels, each containing a reactor trip module (RTM). The RTM receives signals from its own measurement channels that indicate a protective channel trip is required. The RTM transmits this signal to its own two-out-of-four trip logic and to the two-out-of-four logic of the RTMs in the other three RPS channels.
Whenever any two RPS channels transmit channel trip signals, the RTM logic in each channel actuates to remove 120 VAC power from its associated CRD trip device.
For Unit(s) with the CRDCS digital upgrade not complete, the reactor is tripped by opening circuit breakers and energizing ETA relays that interrupt the control power supply to the CRDs. Six breakers are installed to increase reliability and allow testing of the trip system. A one-out-of-two taken twice logic is used to interrupt power to the rods.
For Unit(s) with the CRDCS digital upgrade complete, the reactor is tripped by opening the reactor trip breakers.
For Unit(s) with the RPS digital upgrade not complete, there are three bypasses: a shutdown bypass, a dummy bistable and an RPS channel bypass. Shutdown bypass allows the withdrawal of safety rods for SDM availability and rapid negative reactivity insertion during unit cooldowns or heatups. The dummy bistable is used to bypass one or more functions (bistable trips) associated with one RPS Channel. The RPS Channel bypass allows one entire RPS channel to be taken out of service for maintenance and testing. Test circuits in the trip strings allow complete testing of all RPS trip functions.
For Unit(s) with the RPS digital upgrade complete there are three bypasses: shutdown bypass, manual bypass, and test enable bypass. The shutdown bypass and the manual bypass are initiated by use of a key switch located on the respective RPS channel set cabinet. Test enable bypass is initiated when the test equipment is connected to the RPS cabinet inputs. The manual bypass allows putting a complete RPS channel set into BYPASS for maintenance activities. This includes the power-down of the RPS channel set computer for each RPS channel set. The shutdown bypass function is the same for both RPS designs.
The RPS operates from the instrumentation channels discussed next. The specific relationship between measurement channels and protective channels differs from parameter to parameter. Three basic configurations are used:
- a. Four completely redundant measurements (e.g., reactor coolant flow) with one channel input to each protective channel;
- b. Four channels that provide similar, but not identical, measurements (e.g., power range nuclear instrumentation where each RPS channel monitors a different quadrant), with one channel input to each protective channel; and
- c. Redundant measurements with combinational trip logic outside of the protective channels and the combined output provided to each protective channel (e.g., main feedwater pump turbines trip instrumentation).
These arrangements and the relationship of instrumentation channels to trip Functions are discussed next to assist in understanding the overall effect of instrumentation channel failure.
Power Range Nuclear Instrumentation
Power Range Nuclear Instrumentation channels provide inputs to the following trip Functions:
- 1. Nuclear Overpower
- a. Nuclear Overpower - High Setpoint;
- b. Nuclear Overpower - Low Setpoint;
- 7. Reactor Coolant Pump to Power;
- 8. Nuclear Overpower Flux/Flow Imbalance;
- 9. Main Turbine Trip (Hydraulic Fluid Pressure); and
- 10. Loss of Main Feedwater (LOMFW) Pumps (Hydraulic Oil Pressure).
The power range instrumentation has four linear level channels, one for each core quadrant. Each channel feeds one RPS protective channel.
Each channel originates in a detector assembly containing two uncompensated ion chambers. The ion chambers are positioned to represent the top half and bottom half of the core. The individual currents from the chambers are fed to individual linear amplifiers. The summation of the top and bottom is the total reactor power. The difference of the top minus the bottom neutron signal is the measured AXIAL POWER IMBALANCE for the associated core quadrant.
Reactor Coolant System Outlet Temperature
The Reactor Coolant System Outlet Temperature provides input to the following Functions:
- 2. RCS High Outlet Temperature; and
- 5. RCS Variable Low Pressure.
The RCS Outlet Temperature is measured by triple resistance temperature detection (RTD) elements in each hot leg, for a total of four. One temperature detector element is associated with each protective channel.
Reactor Coolant System Pressure
The Reactor Coolant System Pressure provides input to the following Functions:
- 3. RCS High Pressure;
- 4. RCS Low Pressure;
- 5. RCS Variable Low Pressure; and
- 11. Shutdown Bypass RCS High Pressure.
The RPS inputs of reactor coolant pressure are provided by two pressure transmitters in each hot leg, for a total of four. One sensor is associated with each protective channel.
Reactor Building Pressure
The Reactor Building Pressure measurements provide input only to the Reactor Building High Pressure trip, Function 6. There are four RB High Pressure sensors, one associated with each protective channel.
Reactor Coolant Pump Power Monitoring
Reactor coolant pump power monitors are inputs to the Reactor Coolant Pump to Power trip, Function 7. Each RCP has an RCP Power Monitor (RCPPM) which monitors the electrical pump and breaker status of each pump motor to determine if it is running. Each RCPPM provides inputs to all four RPS channels. One channel for each pump is associated with each protective channel.
Reactor Coolant System Flow
The Reactor Coolant System Flow measurements are an input to the Nuclear Overpower Flux/Flow Imbalance trip, Function 8. The reactor coolant flow inputs to the RPS are provided by eight high accuracy differential pressure transmitters, four on each loop, which measure flow through calibrated flow tubes. One flow input in each loop is associated with each protective channel.
Main Turbine Automatic Stop Oil Pressure
Main Turbine Automatic Stop Oil Pressure is an input to the Main Turbine Trip (Hydraulic Fluid Pressure) reactor trip, Function 9. Each of the four protective channels receives turbine status information from one of the four pressure switches monitoring main turbine automatic stop oil pressure. An open indication will be provided to the RPS on a turbine trip. Contact buffers in each protective channel continuously monitor the status of the contact inputs and initiate an RPS trip when a main turbine trip is indicated.
Feedwater Pump Turbine Hydraulic Oil Pressure
Feedwater Pump Turbine Hydraulic Oil Pressure is an input to the Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) trip, Function 10. Hydraulic Oil pressure is measured by four switches on each feedwater pump turbine. One switch on each pump turbine, connected in series with a switch on the other MFW pump turbine, is associated with each protective channel.
RPS Bypasses
For Unit(s) with the RPS digital upgrade not complete, the RPS is designed with three types of bypasses: dummy bistable, channel bypass and shutdown bypass. For Unit(s) that have the RPS digital upgrade complete, the RPS is designed with three types of system bypasses: shutdown bypass, manual bypass, and test enable bypass. Each bypass is discussed below.
For Unit(s) with the RPS digital upgrade not complete, the dummy bistable provides a method of placing one or more functions in an RPS protective channel in a bypassed condition, the channel bypass provides a method of placing all Functions in one RPS protective channel in a bypassed condition, and shutdown bypass provides a method of leaving the safety rods withdrawn during cooldown and depressurization of the RCS. Each bypass is discussed next.
Dummy Bistable (Not applicable to Unit(s) with RPS digital upgrade complete)
The dummy bistable is used to bypass one or more functions (bistable trips) associated with one RPS Channel. A dummy bistable is used if a parameter in an RPS channel fails and causes that channel to trip. Dummy bistables may be used in only one RPS channel at a time. Also, if an RPS channel is bypassed, no other RPS channel may contain a dummy bistable. Inserting a dummy bistable in the place of a failed (tripped) bistable allows the RPS channels to be reset, thus allowing the remainder of the functions in that RPS channel to be returned to service. This is more conservative than manually bypassing the entire RPS channel. For an RPS channel with a dummy bistable installed, only the affected function(s) is inoperable. The installation of the STAR hardware in the nuclear overpower flux/flow imbalance trip string requires the use of jumpers to bypass the trip string. The installation of these jumpers does not require the removal of the STAR processor module, therefore, the protective channel is not forced into a tripped condition.
Channel Bypass (Not applicable to Unit(s) with RPS digital upgrade complete)
A channel bypass provision is provided to allow for maintenance and testing of the RPS. The use of channel bypass keeps the protective channel trip relay energized regardless of the status of the instrumentation channel of the bistable relay contacts. To place a protective channel in channel bypass, the other three channels must not be in channel bypass or otherwise inoperable (e.g., a dummy bistable installed). This can be verified by observing alarms/indicator lights. This is administratively controlled by having only one manual bypass key available for each unit.
All RPS trips are reduced to a two-out-of-three logic in channel bypass.
Shutdown Bypass
During unit cooldown and heatup, it is desirable to leave the safety rods at least partially withdrawn to provide shutdown capabilities in the event of unusual positive reactivity additions (moderator dilution, etc.).
However, the unit is also depressurized as coolant temperature is decreased. If the safety rods are withdrawn and coolant pressure is decreased, an RCS Low Pressure trip will occur at 1800 psig and the rods will fall into the core. To avoid this, the protective system allows the operator to bypass the low pressure trip and maintain shutdown capabilities. During the cooldown and depressurization, the safety rods are inserted prior to the low pressure trip of 1800 psig. The RCS pressure is decreased to less than 1720 psig, then each RPS channel is placed in shutdown bypass.
In shutdown bypass, a normally closed contact opens when the operator closes the shutdown bypass key switch (status shall be indicated by a light). This action bypasses the RCS Low Pressure trip, Nuclear Overpower Flux/Flow Imbalance trip, Reactor Coolant Pump to Power trip, and the RCS Variable Low Pressure trip, and inserts a new RCS High Pressure, 1720 psig trip. The operator can now withdraw the safety rods for additional rapidly insertable negative reactivity.
The insertion of the new high pressure trip performs two functions. First, with a trip setpoint of 1720 psig, the bistable (or processor output trip signal for Unit(s) with the RPS digital upgrade complete) prevents operation at normal system pressure, 2155 psig, with a portion of the RPS bypassed. The second function is to ensure that the bypass is removed prior to normal operation. When the RCS pressure is increased during a unit heatup, the safety rods are inserted prior to reaching 1720 psig. The shutdown bypass is removed, which returns the RPS to normal, and system pressure is increased to greater than 1800 psig. The safety rods are then withdrawn and remain at the full out condition for the rest of the heatup.
In addition to the Shutdown Bypass RCS High Pressure trip, the high flux trip setpoint is administratively reduced to < 5% RTP prior to placing the RPS in shutdown bypass. This provides a backup to the Shutdown Bypass RCS High Pressure trip and allows low power physics testing while preventing the generation of any significant amount of power.
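The following simplified model is an added illustration, not part of the Oconee Bases or the TXS design. It combines the two-out-of-four coincidence, the analog channel bypass precondition, and the shutdown bypass setpoint swap described above, and shows that the 1720 to 1800 psig band trips in either shutdown-bypass state. All class and function names are hypothetical, only the RCS Low Pressure and Shutdown Bypass RCS High Pressure Functions are modelled, the comparisons at the setpoints are assumed inclusive, and the sample pressures are constructed.

```python
from dataclasses import dataclass

# Setpoints quoted in the Bases text, in psig.
RCS_LOW_PRESSURE_TRIP = 1800       # normal-operation low pressure trip
SHUTDOWN_BYPASS_HIGH_TRIP = 1720   # high pressure trip inserted by shutdown bypass


@dataclass
class Channel:
    """One RPS protective channel, reduced to its RCS pressure Functions."""
    name: str
    rcs_pressure: float            # psig, constructed sample value
    shutdown_bypass: bool = False  # key switch on the channel cabinet
    channel_bypass: bool = False   # analog design: whole channel bypassed
    dummy_bistable: bool = False   # analog design: one Function bypassed


def channel_trip(ch: Channel) -> bool:
    """Return True if this channel sends a trip signal."""
    if ch.channel_bypass:
        # Channel bypass holds the trip relay energized whatever the inputs say.
        return False
    if ch.shutdown_bypass:
        # RCS Low Pressure is bypassed and the 1720 psig high trip is inserted.
        return ch.rcs_pressure >= SHUTDOWN_BYPASS_HIGH_TRIP
    return ch.rcs_pressure <= RCS_LOW_PRESSURE_TRIP


def reactor_trip(channels: list[Channel]) -> bool:
    """Two-out-of-four coincidence: any two channel trip signals trip the reactor.

    A channel in channel bypass never votes, so the same threshold acts as
    two-out-of-three on the remaining channels.
    """
    return sum(channel_trip(ch) for ch in channels) >= 2


def may_enter_channel_bypass(channels: list[Channel], name: str) -> bool:
    """Precondition from the text: the other three channels must not be in
    channel bypass or otherwise inoperable (e.g. a dummy bistable installed)."""
    return not any(
        ch.channel_bypass or ch.dummy_bistable
        for ch in channels if ch.name != name
    )


def trip_free_bypass_states(pressure: float) -> list[bool]:
    """Shutdown-bypass switch positions for which a channel does NOT trip."""
    return [
        state for state in (False, True)
        if not channel_trip(Channel("X", pressure, shutdown_bypass=state))
    ]


def make_channels(pressure: float, **overrides) -> list[Channel]:
    """Four channels A-D reading the same pressure; overrides keyed by name."""
    return [Channel(n, pressure, **overrides.get(n, {})) for n in "ABCD"]


if __name__ == "__main__":
    for p in (2155, 1760, 1700):
        print(p, "psig -> trip-free shutdown-bypass states:",
              trip_free_bypass_states(p))
```

The empty result at 1760 psig is why the text has the safety rods inserted before the pressure crosses that band in either direction.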
Manual Bypass (applicable only to Unit(s) with RPS digital upgrade complete)
The RPS Manual Bypass allows putting the complete RPS channel into BYPASS for maintenance activities. Placing the RPS channel in bypass does not power-down the TXS computer. The Manual bypass switch may be used to power-down the TXS computer of the RPS channel.
The RPS Manual Bypass status information is sent to the Unit Statalarm panel (hardwired output of the RPS Channel TXS computer and in parallel as a hardwired signal from a switch contact in case the TXS computer is powered down) and is sent to the plant Operator Aid Computer (OAC) via a TXS gateway.
If the complete RPS cabinet is powered down, the manual bypass condition cannot be maintained. That RPS channel output signal goes to "TRIP" and the manual bypass Unit Statalarm window will not illuminate.
Test Enable Bypass (applicable only to Unit(s) with RPS digital upgrade complete)
Test enable bypass is initiated when the test equipment is connected to the TXS cabinet inputs. The test enable bypass has two functions:
- 1) Sets the analog input signals of the RPS channel in TEST to "FAILED" status. This excludes those analog input signals from Signal Online Validation in all remaining channels and allows injection of test signals using the TXS Test Machine.
- 2) Sets the permissive for the reactor trip output circuit testing. This allows each of the four outputs used for the hardwired "2-out-of-4" logic implemented in each respective RPS channel to be de-energized.
Module Interlock and Test Trip Relay
Each channel and each trip module is capable of being individually tested. When a module is placed into the test mode, it causes the test trip relay to open and to indicate an RPS channel trip. Under normal conditions, the channel to be tested is placed in bypass before a module is tested. Each trip module is electrically interlocked to the other three trip modules. Removal of a trip module will indicate a tripped channel in the remaining trip modules.
Trip Setpoints/Allowable Value
The Allowable Value and trip setpoint are based on the analytical limits stated in UFSAR, Chapter 15 (Ref. 2). The selection of the Allowable Value and associated trip setpoint is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 3), the Allowable Values specified in Table 3.3.1-1 in the accompanying LCO are conservative with respect to the analytical limits to account for all known uncertainties for each channel. The actual trip setpoint entered into the bistable (or processor output trip signal for Unit(s) with the RPS digital upgrade complete) is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST. One example of such a change in measurement error is drift during the Surveillance Frequency. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes. The trip setpoints are the nominal values at which the bistables (or processor output trip signals for Unit(s) with the RPS digital upgrade complete) are set. Any bistable (or processor output trip signal for Unit(s) with the RPS digital upgrade complete) is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION accuracy. A detailed description of the methodology used to determine the Allowable Value, trip setpoints, and associated uncertainties is provided in Reference 4.
Setpoints in accordance with the Allowable Value ensure that the limits of Chapter 2.0, "Safety Limits," in the Technical Specifications are not violated during anticipated transients and that the consequences of accidents will be acceptable, providing the unit is operated from within the LCOs at the onset of the anticipated transient or accident and the equipment functions as designed. Note that in LCO 3.3.1 the Allowable Values listed in Table 3.3.1-1 for Functions 1 through 8 and 11 are the LSSS.
Each channel can be tested online to verify that the setpoint accuracy is within the specified allowance requirements. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. Surveillances for the channels are specified in the SR section.
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY
Each of the analyzed accidents and transients that require a reactor trip to meet the acceptance criteria can be detected by one or more RPS Functions. The accident analysis contained in the UFSAR, Chapter 15 (Ref. 2), takes credit for most RPS trip Functions. Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions are high RB pressure, turbine trip, and loss of main feedwater. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions also serve as backups to Functions that were credited in the safety analysis.
The LCO requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions. The three channels of each Function in Table 3.3.1-1 of the RPS instrumentation shall be OPERABLE during its specified Applicability to ensure that a reactor trip will be actuated if needed. Additionally, during shutdown bypass with any CRD trip breaker closed, the applicable RPS Functions must also be available. This ensures the capability to trip the withdrawn CONTROL RODS exists at all times that rod motion is possible. The trip Function channels specified in Table 3.3.1-1 are considered OPERABLE when all channel components necessary to provide a reactor trip are functional and in service for the required MODE or Other Specified Condition listed in Table 3.3.1-1.
Only the Allowable Values are specified for each RPS trip Function in the LCO. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoint measured by CHANNEL FUNCTIONAL TESTS does not exceed the Allowable Value if the bistable (or processor output trip signal for Unit(s) with the RPS digital upgrade complete) is performing as required. A trip setpoint found less conservative than the nominal trip setpoint, but within its Allowable Value, is considered OPERABLE with respect to the uncertainty allowances assumed for the applicable surveillance interval provided that operation, testing and subsequent calibration are consistent with the assumptions of the setpoint calculations. Each Allowable Value specified is more conservative than instrument uncertainties appropriate to the trip Function.
These uncertainties are defined in Reference 4.
For most RPS Functions, the Allowable Value in conjunction with the nominal trip setpoint ensure that the departure from nucleate boiling (DNB), center line fuel melt, or RCS pressure SLs are not challenged. Cycle specific values for use during operation are contained in the COLR.
Certain RPS trips function to indirectly protect the SLs by detecting specific conditions that do not immediately challenge SLs but will eventually lead to challenge if no action is taken. These trips function to minimize the unit transients caused by the specific conditions. The Allowable Value for these Functions is selected at the minimum deviation from normal values that will indicate the condition, without risking spurious trips due to normal fluctuations in the measured parameter.
The Allowable Values for bypass removal Functions are stated in the Applicable MODE or Other Specified Condition column of Table 3.3.1-1.
The safety analyses applicable to each RPS Function are discussed next.
- 1. Nuclear Overpower
- a. Nuclear Overpower - High Setpoint
The Nuclear Overpower - High Setpoint trip provides protection for the design thermal overpower condition based on the measured out of core neutron leakage flux.
The Nuclear Overpower - High Setpoint trip initiates a reactor trip when the neutron power reaches a predefined setpoint at the design overpower limit. Because THERMAL POWER lags the neutron power, tripping when the neutron power reaches the design overpower will limit THERMAL POWER to prevent exceeding acceptable fuel damage limits.
Thus, the Nuclear Overpower - High Setpoint trip protects against violation of the DNBR and fuel centerline melt SLs.
However, the RCS Variable Low Pressure, and Nuclear Overpower Flux/Flow Imbalance, provide more direct protection. The role of the Nuclear Overpower - High Setpoint trip is to limit reactor THERMAL POWER below the highest power at which the other two trips are known to provide protection.
The Nuclear Overpower - High Setpoint trip also provides transient protection for rapid positive reactivity excursions during power operations. These events include the rod withdrawal accident and the rod ejection accident. By providing a trip during these events, the Nuclear Overpower - High Setpoint trip protects the unit from excessive power levels and also serves to limit reactor power to prevent violation of the RCS pressure SL.
Rod withdrawal accident analyses cover a large spectrum of reactivity insertion rates (rod worths), which exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower - High Setpoint trip provides the primary protection. At low reactivity insertion rates, the high pressure trip provides primary protection.
- b. Nuclear Overpower - Low Setpoint
Prior to initiating shutdown bypass, the Nuclear Overpower - Low Setpoint trip must be reduced to < 5% RTP.
The low power setpoint, in conjunction with the lower Shutdown Bypass RCS High Pressure setpoint, ensures that the unit is protected from excessive power conditions when other RPS trips are bypassed.
The setpoint Allowable Value was chosen to be as low as practical and still lie within the range of the out of core instrumentation.
- 2. RCS High Outlet Temperature
The RCS High Outlet Temperature trip, in conjunction with the RCS Low Pressure and RCS Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the reactor vessel outlet temperature approaches the conditions necessary for DNB. Portions of each RCS High Outlet Temperature trip channel are common with the RCS Variable Low Pressure trip. The RCS High Outlet Temperature trip provides steady state protection for the DNBR SL.
The RCS High Outlet Temperature trip limits the maximum RCS temperature to below the highest value for which DNB protection by the Variable Low Pressure trip is ensured. The trip setpoint Allowable Value is selected to ensure that a trip occurs before hot leg temperatures reach the point beyond which the RCS Low Pressure and Variable Low Pressure trips are analyzed. Above the high temperature trip, the variable low pressure trip need not provide protection, because the unit would have tripped already. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions that the equipment is expected to experience because the trip is not required to mitigate accidents that create harsh conditions in the RB.
- 3. RCS High Pressure
The RCS High Pressure trip works in conjunction with the pressurizer and main steam relief valves to prevent RCS overpressurization, thereby protecting the RCS High Pressure SL. The RCS High Pressure trip has been credited in the transient analysis calculations for slow positive reactivity insertion transients (rod withdrawal transients and moderator dilution). The rod withdrawal transient covers a large spectrum of reactivity insertion rates and rod worths that exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower - High Setpoint trip provides the primary protection. At low reactivity insertion rates, the RCS High Pressure trip provides the primary protection.
The setpoint Allowable Value is selected to ensure that the RCS High Pressure SL is not challenged during steady state operation or slow power increasing transients. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions because the equipment is not required to mitigate accidents that create harsh conditions in the RB.
- 4. RCS Low Pressure
The RCS Low Pressure trip, in conjunction with the RCS High Outlet Temperature and Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system pressure approaches the conditions necessary for DNB. The RCS Low Pressure trip provides DNB low pressure limit for the RCS Variable Low Pressure trip.
The RCS Low Pressure setpoint Allowable Value is selected to ensure that a reactor trip occurs before RCS pressure is reduced below the lowest point at which the RCS Variable Low Pressure trip is analyzed. The RCS Low Pressure trip provides protection for primary system depressurization events and has been credited in the accident analysis calculations for small break loss of coolant accidents (LOCAs). Harsh RB conditions created by small break LOCAs cannot affect performance of the RCS pressure sensors and transmitters within the time frame for a reactor trip. Therefore, degraded environmental conditions are not considered in the Allowable Value determination.
- 5. RCS Variable Low Pressure
The RCS Variable Low Pressure trip, in conjunction with the RCS High Outlet Temperature and RCS Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system parameters of pressure and temperature approach the conditions necessary for DNB. The RCS Variable Low Pressure trip provides a floating low pressure trip based on the RCS High Outlet Temperature within the range specified by the RCS High Outlet Temperature and RCS Low Pressure trips.
The RCS Variable Low Pressure setpoint Allowable Value is selected to ensure that a trip occurs when temperature and pressure approach the conditions necessary for DNB while operating in a temperature pressure region constrained by the low pressure and high temperature trips. The RCS Variable Low Pressure trip is assumed for transient protection in the main steam line break analysis. The setpoint allowable value does not include errors induced by the harsh environment, because the trip actuates prior to the harsh environment.
- 6. Reactor Building High Pressure
The Reactor Building High Pressure trip provides an early indication of a high energy line break (HELB) inside the RB. By detecting changes in the RB pressure, the RPS can provide a reactor trip before the other system parameters have varied significantly. Thus, this trip acts to minimize accident consequences. It also provides a backup for RPS trip instruments exposed to an RB HELB environment.
The Allowable Value for RB High Pressure trip is set at the lowest value consistent with avoiding spurious trips during normal operation.
The electronic components of the RB High Pressure trip are located in an area that is not exposed to high temperature steam environments during HELB transients inside containment. The components are exposed to high radiation conditions. Therefore, the determination of the setpoint Allowable Value accounts for errors induced by the high radiation.
7. Reactor Coolant Pump to Power
The Reactor Coolant Pump to Power trip provides protection for changes in the reactor coolant flow due to the loss of multiple RCPs.
Because the flow reduction lags loss of power indications due to the inertia of the RCPs, the trip initiates protective action earlier than a trip based on a measured flow signal.
The Reactor Coolant Pump to Power trip has been credited in the accident analysis calculations for the loss of more than two RCPs.
The Allowable Value for the Reactor Coolant Pump to Power trip setpoint is selected to prevent normal power operation unless at least three RCPs are operating. Each RCP has an RCP Power Monitor (RCPPM) which monitors the electrical power and breaker status of each pump motor to determine if the pump is running.
Each RCPPM provides inputs to all four RPS channels. The RCPPM will initiate a reactor trip if fewer than three reactor coolant pumps are operating AND reactor power is greater than approximately 2% rated full power.
8. Nuclear Overpower Flux/Flow Imbalance
The Nuclear Overpower Flux/Flow Imbalance trip provides steady state protection for the power imbalance SLs. A reactor trip is initiated prior to the core power, AXIAL POWER IMBALANCE, and reactor coolant flow conditions exceeding the DNB or fuel centerline temperature limits.
This trip supplements the protection provided by the Reactor Coolant Pump to Power trip, through the power to flow ratio, for loss of reactor coolant flow events. The power to flow ratio provides direct protection for the DNBR SL for the loss of one or more RCPs and for locked RCP rotor accidents.
The power to flow ratio of the Nuclear Overpower Flux/Flow Imbalance trip also provides steady state protection to prevent reactor power from exceeding the allowable power when the primary system flow rate is less than full four pump flow. Thus, the power to flow ratio prevents overpower conditions similar to the Nuclear Overpower trip. This protection ensures that during reduced flow conditions the core power is maintained below that required to begin DNB.
The Allowable Value is selected to ensure that a trip occurs when the core power, axial power peaking, and reactor coolant flow conditions indicate an approach to DNB or fuel centerline temperature limits.
By measuring reactor coolant flow and by tripping only when conditions approach an SL, the unit can operate with the loss of one pump from a four pump initial condition at power levels at least as low as approximately 80% RTP. The Allowable Value for the Function, including the upper limits of the Function, is given in the unit COLR because the cycle specific core peaking changes affect the Allowable Value.
9. Main Turbine Trip (Hydraulic Fluid Pressure)
The Main Turbine Trip Function trips the reactor when the main turbine is lost at high power levels. The Main Turbine Trip Function provides an early reactor trip in anticipation of the loss of heat sink associated with a turbine trip. The Main Turbine Trip Function was added to the B&W designed units in accordance with NUREG-0737 (Ref. 5) following the Three Mile Island Unit 2 accident. The trip lowers the probability of an RCS power operated relief valve (PORV) actuation for turbine trip cases. This trip is activated at higher power levels, thereby limiting the range through which the Integrated Control System must provide an automatic runback on a turbine trip.
Each of the four turbine hydraulic fluid pressure switches feeds one protective channel through buffers that continuously monitor the status of the contacts.
For the Main Turbine Trip (Hydraulic Fluid Pressure) bistable (or processor output trip signal for Unit(s) with the RPS digital upgrade complete), the Allowable Value of 800 psig is selected to provide a trip whenever main turbine hydraulic fluid pressure drops below the normal operating range. To ensure that the trip is enabled as required by the LCO, the reactor power bypass is set with an Allowable Value of 30% RTP. The turbine trip is not required to protect against events that can create a harsh environment in the turbine building. Therefore, errors induced by harsh environments are not included in the determination of the setpoint Allowable Value.
10. Loss of Main Feedwater Pumps (Hydraulic Oil Pressure)
The Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) trip provides a reactor trip at high power levels when both MFW pumps are lost. The trip provides an early reactor trip in anticipation of the loss of heat sink associated with the LOMF. This trip was added in accordance with NUREG-0737 (Ref. 5) following the Three Mile Island Unit 2 accident. This trip provides a reactor trip at high power levels for a LOMF to minimize challenges to the PORV.
For the feedwater pump turbine hydraulic oil pressure bistables (or processor output trip signals for Unit(s) with the RPS digital upgrade complete), the Allowable Value of 75 psig is selected to provide a trip whenever feedwater pump turbine hydraulic oil pressure drops below the normal operating range. To ensure that the trip is enabled as required by the LCO, the reactor power bypass is set with an Allowable Value of 2% RTP. The Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) trip is not required to protect against events that can create a harsh environment in the turbine building. Therefore, errors caused by harsh environments are not included in the determination of the setpoint Allowable Value.
11. Shutdown Bypass RCS High Pressure
The RPS Shutdown Bypass RCS High Pressure is provided to allow for withdrawing the CONTROL RODS prior to reaching the normal RCS Low Pressure trip setpoint. The shutdown bypass provides trip protection during deboration and RCS heatup by allowing the operator to at least partially withdraw the safety groups of CONTROL RODS. This makes their negative reactivity available to terminate inadvertent reactivity excursions. Use of the shutdown bypass trip requires that the neutron power trip setpoint be reduced to 5% of full power or less. The Shutdown Bypass RCS High Pressure trip forces a reactor trip to occur whenever the unit switches from power operation to shutdown bypass or vice versa. This ensures that the CONTROL RODS are all inserted before power operation can begin.
The operator is required to remove the shutdown bypass, reset the Nuclear Overpower - High Power trip setpoint, and again withdraw the safety group rods before proceeding with startup.
Accidents analyzed in the UFSAR, Chapter 15 (Ref. 2), do not describe events that occur during shutdown bypass operation, because the consequences of these events are enveloped by the events presented in the UFSAR.
During shutdown bypass operation with the Shutdown Bypass RCS High Pressure trip active with a setpoint of < 1720 psig and the Nuclear Overpower - Low Setpoint set at or below 5% RTP, the trips listed below can be bypassed. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low Setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.
1.a Nuclear Overpower - High Setpoint;
3. RCS High Pressure;
4. RCS Low Pressure;
5. RCS Variable Low Pressure;
7. Reactor Coolant Pump to Power; and
8. Nuclear Overpower Flux/Flow Imbalance.
The Shutdown Bypass RCS High Pressure Function's Allowable Value is selected to ensure a trip occurs before producing THERMAL POWER.
General Discussion
The RPS satisfies Criterion 3 of 10 CFR 50.36 (Ref. 8). In MODES 1 and 2, the following trips shall be OPERABLE because the reactor can be critical in these MODES. These trips are designed to take the reactor subcritical to maintain the SLs during anticipated transients and to assist the ESPS in providing acceptable consequences during accidents.
1.a Nuclear Overpower - High Setpoint;
2. RCS High Outlet Temperature;
3. RCS High Pressure;
4. RCS Low Pressure;
5. RCS Variable Low Pressure;
6. Reactor Building High Pressure;
7. Reactor Coolant Pump to Power; and
8. Nuclear Overpower Flux/Flow Imbalance.
Functions 1, 3, 4, 5, 7, and 8 just listed may be bypassed in MODE 2 when RCS pressure is below 1720 psig, provided the Shutdown Bypass RCS High Pressure and the Nuclear Overpower - Low setpoint trip are placed in operation. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.
The Main Turbine Trip (Hydraulic Fluid Pressure) Function is required to be OPERABLE in MODE 1 at ≥ 30% RTP. The Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) Function is required to be OPERABLE in MODE 1 and in MODE 2 at ≥ 2% RTP. For operation below these power levels, these trips are not necessary to minimize challenges to the PORVs as required by NUREG-0737 (Ref. 5).
Because the safety function of the RPS is to trip the CONTROL RODS, the RPS is not required to be OPERABLE in MODE 3, 4, or 5 if either the reactor trip breakers are open, or the CRD System is incapable of rod withdrawal. Similarly, the RPS is not required to be OPERABLE in MODE 6 because the CONTROL RODS are normally decoupled from the CRDs.
However, in MODE 2, 3, 4, or 5, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are required to be OPERABLE if the CRD trip breakers are closed and the CRD System is capable of rod withdrawal. Under these conditions, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are sufficient to prevent an approach to conditions that could challenge SLs.
ACTIONS
Conditions A and B are applicable to all RPS protective Functions. If a channel's trip setpoint is found nonconservative with respect to the required Allowable Value in Table 3.3.1-1, or the transmitter, instrument loop, signal processing electronics or bistable (or processor output trip signals for Unit(s) with the RPS digital upgrade complete) is found inoperable, the channel must be declared inoperable and Condition A entered immediately.
When an RPS channel is manually tripped, the functions that were inoperable prior to tripping remain inoperable. Other functions in the same channel that were OPERABLE prior to tripping remain OPERABLE.
A.1
For Required Action A.1, if one or more Functions in a required protective channel becomes inoperable, the affected protective channel must be placed in trip. This Required Action places all RPS Functions in a one-out-of-two logic configuration. The "non-required" channel is placed in bypass when the required inoperable channel is placed in trip to prevent bypass of a second required channel. In this configuration, the RPS can still perform its safety functions in the presence of a random failure of any single Channel. The 1 hour Completion Time is sufficient time to perform Required Action A.1.
B.1
Required Action B.1 directs entry into the appropriate Condition referenced in Table 3.3.1-1. The applicable Condition referenced in the table is Function dependent. If the Required Action and the associated Completion Time of Condition A are not met or if more than two channels are inoperable, Condition B is entered to provide for transfer to the appropriate subsequent Condition.
C.1 and C.2
If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition C, the unit must be brought to a MODE in which the specified RPS trip Functions are not required to be OPERABLE. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and to open all CRD trip breakers without challenging unit systems.
D.1
If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition D, the unit must be brought to a MODE in which the specified RPS trip Functions are not required to be OPERABLE. To achieve this status, all CRD trip breakers must be opened. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to open CRD trip breakers without challenging unit systems.
E.1
If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition E, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < 30% RTP. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach 30% RTP from full power conditions in an orderly manner without challenging unit systems.
F.1
If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition F, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < 2% RTP. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach 2% RTP from full power conditions in an orderly manner without challenging unit systems.
SURVEILLANCE REQUIREMENTS
The SRs for each RPS Function are identified by the SRs column of Table 3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and CHANNEL CALIBRATION testing.
The SRs are modified by a Note. The Note directs the reader to Table 3.3.1-1 to determine the correct SRs to perform for each RPS Function.
SR 3.3.1.1
Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
The SR is modified by a Note indicating that it is not applicable to Unit(s) with the RPS digital upgrade complete. The RPS digital control system provides continual online automatic monitoring of each of the input signals in each channel, performs software limit checking (signal online validation) against required acceptance criteria, and provides hardware functional validation so that the CHANNEL CHECK requirement is continuously being performed. If any protective channel input signal is identified to be in the FAILURE status, this condition is alarmed on the Unit Statalarm and input to the plant operator aid computer (OAC).
Immediate notification of the FAILURE status is provided to the Operation staff. As such, a periodic CHANNEL CHECK is no longer necessary.
Agreement criteria are determined based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If the channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction. Off scale low current loop channels are verified to be reading at the bottom of the range and not failed downscale.
The Frequency, equivalent to once every shift, is based on operating experience that demonstrates channel failure is rare. Since the probability of two random failures in redundant channels in any 12 hour period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal but more frequent checks of channel OPERABILITY during normal operational use of the displays associated with the LCO's required channels.
For Functions that trip on a combination of several measurements, such as the Nuclear Overpower Flux/Flow Imbalance Function, the CHANNEL CHECK must be performed on each input.
SR 3.3.1.2
This SR is the performance of a heat balance calibration for the power range channels every 24 hours when reactor power is > 15% RTP. The heat balance calibration consists of a comparison of the results of the calorimetric with the power range channel output. The outputs of the power range channels are normalized to the calorimetric. If the calorimetric exceeds the Nuclear Instrumentation System (NIS) channel output by ≥ 2% RTP, the NIS is not declared inoperable but must be adjusted. If the NIS channel cannot be properly adjusted, the channel is declared inoperable. A Note clarifies that this Surveillance is required to be performed only if reactor power is ≥ 15% RTP and that 24 hours is allowed for performing the first Surveillance after reaching 15% RTP. At lower power levels, calorimetric data are less accurate.
The power range channel's output shall be adjusted consistent with the calorimetric results if the calorimetric exceeds the power range channel's output by ≥ 2% RTP. The value of 2% is adequate because this value is assumed in the safety analyses of UFSAR, Chapter 15 (Ref. 2). These checks and, if necessary, the adjustment of the power range channels ensure that channel accuracy is maintained within the analyzed error margins. The 24 hour Frequency is adequate, based on unit operating experience, which demonstrates the change in the difference between the power range indication and the calorimetric results rarely exceeds a small fraction of 2% in any 24 hour period. Furthermore, the control room operators monitor redundant indications and alarms to detect deviations in channel outputs.
SR 3.3.1.3
A comparison of power range nuclear instrumentation channels against incore detectors shall be performed at a 31 day Frequency when reactor power is > 15% RTP. A Note clarifies that 24 hours is allowed for performing the first Surveillance after reaching 15% RTP. If the absolute value of imbalance error is > 2% RTP, the power range channel is not inoperable, but an adjustment of the measured imbalance to agree with the incore measurements is necessary. The Imbalance error calculation is adjusted for conservatism by applying a correlation slope (CS) value to the error calculation formula. This ensures that the value of the API0 is > API1.
The CS value is listed in the COLR and is cycle dependent. If the power range channel cannot be properly recalibrated, the channel is declared inoperable. The calculation of the Allowable Value envelope assumes a difference in out of core to incore measurements of 2.0%. Additional inaccuracies beyond those that are measured are also included in the setpoint envelope calculation. The 31 day Frequency is adequate, considering that long term drift of the excore linear amplifiers is small and burnup of the detectors is slow. Also, the excore readings are a strong function of the power produced in the peripheral fuel bundles, and do not represent an integrated reading across the core. The slow changes in neutron flux during the fuel cycle can also be detected at this interval.
SR 3.3.1.4
A CHANNEL FUNCTIONAL TEST is performed on each required RPS channel to ensure that the entire channel will perform the intended function.
Setpoints must be found within the Allowable Values specified in Table 3.3.1-1. Any setpoint adjustment shall be consistent with the assumptions of the current setpoint analysis.
The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in BAW-10167 (Ref. 7).
The Frequency of 45 days on a STAGGERED TEST BASIS is consistent with the calculations of Reference 7 that indicate the RPS retains a high level of reliability for this test interval.
The SR is modified by a Note indicating that it is not applicable to Unit(s) with the RPS digital upgrade complete. The CHANNEL FUNCTIONAL TEST has been extended to 18 months based on design capabilities and reliability of the new RPS digital control system. Since the CHANNEL FUNCTIONAL TEST is a part of the CHANNEL CALIBRATION, a separate SR is not retained. The RPS digital control system software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The control system also performs continual online hardware monitoring.
SR 3.3.1.5
A Note to the Surveillance indicates that neutron detectors are excluded from CHANNEL CALIBRATION. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure virtually instantaneous response.
A CHANNEL CALIBRATION is a complete check of the instrument channel, including the sensor. The test verifies that the channel responds to the measured parameter within the necessary range and accuracy.
CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that measurement errors and bistable (or processor output trip signal for Unit(s) with the RPS digital upgrade complete) setpoint errors are within the assumptions of the setpoint analysis. CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the setpoint analysis. Whenever a sensing element is replaced, the next required CHANNEL CALIBRATION of the resistance temperature detectors (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.
For Unit(s) with the ESPS digital upgrade complete, the digital processors shall be rebooted as part of the calibration.
The Frequency is justified by the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.
REFERENCES
1. UFSAR, Chapter 7.
2. UFSAR, Chapter 15.
3.
4. EDM-102, "Instrument Setpoint/Uncertainty Calculations."
5. NUREG-0737, "Clarification of TMI Action Plan Requirements," November 1979.
6. Not used.
7. BAW-10167, May 1986.
8.
B 3.3 INSTRUMENTATION
B 3.3.3 Reactor Protective System (RPS) - Reactor Trip Component (RTC)
BASES
BACKGROUND
The RPS consists of four independent protection channels, each containing an RTC. Figure 7.1, 7.1.a, 7.1.b, and 7.1.c of UFSAR, Chapter 7 (Ref. 1), shows a typical RPS protection channel and the relationship of the RTC to the RPS instrumentation, manual trip, and CONTROL ROD drive (CRD) trip devices. For Unit(s) with the RPS digital upgrade not complete, the RTC is a Reactor Trip Module (RTM). The RTM receives bistable trip signals from the functions in its own channel and channel trip signals from the other three RPS RTMs. For Unit(s) with the RPS digital upgrade complete, the RTC is a Reactor Trip Relay (RTR). The RTR receives a channel trip signal in its own channel and channel trip signals from the RTRs in the other three RPS channels. The RTC provides these signals to its own two-out-of-four trip logic and transmits its own channel trip signal to the two-out-of-four logic of the RTCs in the other three RPS channels.
Whenever any two RPS channels transmit channel trip signals, the RTC logic in each channel actuates to remove 120 VAC power from its associated CRD trip devices.
The RPS trip scheme consists of series contacts that are operated by bistables for Unit(s) with the RPS digital upgrade not complete or processor output trip signals for Unit(s) with the RPS digital upgrade complete.
During normal unit operations, all contacts are closed and the RTC channel trip relay remains energized. However, if any trip parameter exceeds its setpoint, its associated contact opens, which de-energizes the channel trip relay.
When an RTC channel trip relay de-energizes, several things occur:
a. Each of the four (4) output logic relays 'informs' its associated RPS channel that a reactor trip signal has occurred in the tripped RPS channel;
b. The contacts in the trip device circuitry, powered by the tripped channel, open, but the trip device remains energized through the closed contacts from the other RTCs. (This condition exists in each RPS - RTC. Each RPS - RTC controls power to a trip device.); and
c. The contact in parallel with the channel reset switch opens and the trip is sealed in. To re-energize the channel trip relay, the channel reset switch must be depressed after the trip condition has cleared.
When the second RPS channel senses a reactor trip condition, the output logic relays for the second channel de-energize and open contacts that supply power to the trip devices. With contacts opened by two separate RPS channels, power to the trip devices is interrupted and the CONTROL RODS fall into the core.
A minimum of two out of four RTCs must sense a trip condition to cause a reactor trip. Also, because the bistable relay contacts for each function for Unit(s) with the RPS digital upgrade not complete or processor output trip signals for each function for Unit(s) with the RPS digital upgrade complete are in series with the channel trip relays, two channel trips caused by different trip functions can result in a reactor trip.
APPLICABLE SAFETY ANALYSES
Transient and accident analyses rely on a reactor trip for protection of reactor core integrity, reactor coolant pressure boundary integrity, and reactor building OPERABILITY. A reactor trip must occur when needed to prevent accident conditions from exceeding those calculated in the accident analyses. More detailed descriptions of the applicable accident analyses are found in the bases for each of the RPS trip Functions in LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation."
The RTCs satisfy Criterion 3 of 10 CFR 50.36 (Ref. 2).
LCO
The RTC LCO requires all four RTCs to be OPERABLE. Failure of any RTC renders a portion of the RPS inoperable.
An OPERABLE RTC must be able to receive and interpret trip signals from its own and other OPERABLE RPS channels and to open its associated trip device.
The requirement of four RTCs to be OPERABLE ensures that a minimum of two RTCs will remain OPERABLE if a single failure has occurred in one RTC and if a second RTC is out of service. This two-out-of-four trip logic also ensures that a single RTC failure will not cause an unwanted reactor trip. Violation of this LCO could result in a trip signal not causing a reactor trip when needed.
APPLICABILITY
The RTCs are required to be OPERABLE in MODES 1 and 2. They are also required to be OPERABLE in MODES 3, 4, and 5 if any CRD trip breakers are in the closed position and the CRD System is capable of rod withdrawal. The RTCs are designed to ensure a reactor trip would occur, if needed. This condition can exist in all of these MODES; therefore, the RTCs must be OPERABLE.
ACTIONS
A.1.1, A.1.2, and A.2
When an RTC is inoperable, the associated CRD trip breaker must then be placed in a condition that is equivalent to a tripped condition for the RTC.
Required Action A.1.1 or Required Action A.1.2 requires this either by tripping the CRD trip breaker or by removing power to the CRD trip device.
For Unit(s) with the Control Rod Drive Control System (CRDCS) digital upgrade not complete, tripping one RTC or removing power opens one set of CRD trip devices. For Unit(s) with the CRDCS digital upgrade complete, tripping one RTC or removing power opens one of the CRD trip devices, which will result in the loss of one of the parallel power supplies to the digital CRDCS. Power to hold CONTROL RODS in position is still provided via the parallel CRD trip device(s) (for Unit(s) with the CRDCS digital upgrade not complete) or CRD power supply (for Unit(s) with the CRDCS digital upgrade complete). Therefore, a reactor trip will not occur until a second protection channel trips.
To ensure the trip signal is registered in the other channels, Required Action A.2 requires that the inoperable RTC be removed from the cabinet.
This action causes the electrical interlocks to indicate a tripped channel in the remaining three RTCs. Operation in this condition is allowed indefinitely because the actions put the RPS into a one-out-of-three configuration. The 1 hour Completion Time is sufficient time to perform the Required Actions.
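The coincidence logic described in the BACKGROUND and in Required Actions A.1.1, A.1.2, and A.2 can be exercised with a small model. The Python below is an added illustration, not part of the Duke submittal or of the TELEPERM XS design; the class and function names are hypothetical, and only three of the trip Functions named in these Bases are modelled.

```python
"""Toy model of the RPS - RTC two-out-of-four trip logic (added illustration)."""
from dataclasses import dataclass, field

# Subset of the trip Functions named in the Bases; the model itself is hypothetical.
FUNCTIONS = ("RCS High Pressure", "RCS Low Pressure", "Reactor Building High Pressure")
COINCIDENCE = 2  # two channel trips out of four are needed for a reactor trip


@dataclass
class ProtectionChannel:
    name: str
    # One series contact per Function: True = closed (parameter within its setpoint).
    contacts: dict = field(default_factory=lambda: dict.fromkeys(FUNCTIONS, True))
    relay_energized: bool = True  # channel trip relay
    removed: bool = False         # inoperable RTC removed from the cabinet (Action A.2)

    def set_contact(self, function: str, closed: bool) -> None:
        if function not in self.contacts:
            raise KeyError(f"unknown trip function: {function}")
        self.contacts[function] = closed
        if not closed:
            # Any open contact in the series string de-energizes the relay;
            # the trip then stays sealed in until the reset switch is used.
            self.relay_energized = False

    def reset(self) -> bool:
        """Channel reset switch: effective only after every trip condition has cleared."""
        if not self.removed and all(self.contacts.values()):
            self.relay_energized = True
        return self.relay_energized

    @property
    def tripped(self) -> bool:
        # The interlocks make a removed RTC look like a tripped channel to the others.
        return self.removed or not self.relay_energized


def reactor_trip(channels) -> bool:
    """True when enough channels are tripped to interrupt power to the trip devices."""
    return sum(ch.tripped for ch in channels) >= COINCIDENCE


def further_trips_needed(channels) -> int:
    """How many more channel trips would cause a reactor trip."""
    return max(0, COINCIDENCE - sum(ch.tripped for ch in channels))


def new_rps():
    return [ProtectionChannel(n) for n in "ABCD"]


def scenario_different_functions():
    """Two channels trip on different Functions; trip status after each step."""
    rps = new_rps()
    steps = [reactor_trip(rps)]
    rps[0].set_contact("RCS High Pressure", False)
    steps.append(reactor_trip(rps))   # a single channel trip is not enough
    rps[1].set_contact("Reactor Building High Pressure", False)
    steps.append(reactor_trip(rps))   # second channel, different Function
    return steps                      # [False, False, True]


def scenario_seal_in():
    """The channel trip stays latched until reset after the condition clears."""
    ch = new_rps()[0]
    ch.set_contact("RCS Low Pressure", False)
    reset_while_tripped = ch.reset()  # refused: contact still open
    ch.set_contact("RCS Low Pressure", True)
    still_tripped = ch.tripped        # sealed in although the parameter recovered
    reset_after_clear = ch.reset()
    return reset_while_tripped, still_tripped, reset_after_clear  # (False, True, True)


def scenario_inoperable_rtc():
    """One RTC removed: the remaining three behave as one-out-of-three."""
    rps = new_rps()
    rps[3].removed = True
    before = (reactor_trip(rps), further_trips_needed(rps))
    rps[1].set_contact("RCS High Pressure", False)
    return before, reactor_trip(rps)  # ((False, 1), True)


if __name__ == "__main__":
    print(scenario_different_functions())
    print(scenario_seal_in())
    print(scenario_inoperable_rtc())
```

The third scenario shows why operation with one RTC removed is treated as a one-out-of-three configuration: no reactor trip occurs from the removal alone, but any single further channel trip completes the coincidence.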
B.1, B.2.1, and B.2.2
Condition B applies if two or more RTCs are inoperable or if the Required Action and associated Completion Time of Condition A are not met in MODE 1, 2, or 3. In this case, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 with all CRD trip breakers open or with power from all CRD trip breakers removed within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems.
C.1 and C.2
Condition C applies if two or more RTCs are inoperable or if the Required Action and associated Completion Time of Condition A are not met in MODE 4 or 5. In this case, the unit must be placed in a MODE in which the LCO does not apply. This is done by opening all CRD trip breakers or removing power from all CRD trip breakers. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to open all CRD trip breakers or remove power from all CRD trip breakers without challenging unit systems.
SURVEILLANCE REQUIREMENTS
SR 3.3.3.1
The SRs include performance of a CHANNEL FUNCTIONAL TEST every 31 days for Unit(s) with the RPS digital upgrade not complete and every 18 months for Unit(s) with the RPS digital upgrade complete. This test shall verify the OPERABILITY of the RTC and its ability to receive and properly respond to channel trip and reactor trip signals. For Unit(s) with the RPS digital upgrade complete, the digital processors shall be rebooted as part of the functional test.
The Frequency of 31 days is based on operating experience, which has demonstrated that failure of more than one channel of a given function in any 31 day interval is a rare event.
The Frequency of 18 months is based on the design capabilities and reliability of the new RPS digital control system. The RPS digital control system software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The control system also performs continual online hardware monitoring.
Testing in accordance with this SR is normally performed on a rotational basis, with one RTC being tested each week. Testing one RTC each week reduces the likelihood of the same systematic test errors being introduced into each redundant RTC.
REFERENCES
- 1. UFSAR, Chapter 7.
- 2.
B 3.3 INSTRUMENTATION
B 3.3.5 Engineered Safeguards Protective System (ESPS) Input Instrumentation
BASES
BACKGROUND
The ESPS initiates necessary safety systems, based on the values of selected unit Parameters, to protect against violating core design limits and to mitigate accidents.
ESPS actuates the following systems:
- High pressure injection (HPI);
- Low pressure injection (LPI);
- Reactor building (RB) cooling;
- Penetration room ventilation;
- RB Spray;
- RB Isolation; and
- Keowee Hydro Unit Emergency Start.
The ESPS operates in a distributed manner to initiate the appropriate systems. The ESPS does this by determining the need for actuation in each of three input channels monitoring each actuation Parameter. Once the need for actuation is determined, the condition is transmitted to automatic actuation output logic channels, which perform the two-out-of-three logic to determine the actuation of each end device. Each end device has its own automatic actuation logic, although all automatic actuation output logic channels take their signals from the same bistable (or processor output trip device for Unit(s) with the ESPS digital upgrade complete) in each channel for each Parameter.
Four Parameters are used for actuation:
- Low Reactor Coolant System (RCS) Pressure;
- Low Low RCS Pressure;
- High RB Pressure; and
- High High RB Pressure.
LCO 3.3.5 covers only the input instrumentation channels that measure these Parameters. These channels include all intervening equipment necessary to produce actuation before the measured process Parameter exceeds the limits assumed by the accident analysis. This includes sensors, bistable devices (or processor output trip devices for Unit(s) with the ESPS digital upgrade complete), operational bypass circuitry, and output relays (or voter input for Unit(s) with the ESPS digital upgrade complete). LCO 3.3.6, "Engineered Safeguards Protective System (ESPS) Manual Initiation," and LCO 3.3.7, "Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels," provide requirements on the manual initiation and automatic actuation output logic Functions.
For Unit(s) with the ESPS digital upgrade not complete, the ESPS contains three input channels. Each input channel provides input to output logic channels that initiate equipment with a two-out-of-three logic on each output logic channel. Each input channel includes inputs from one input instrumentation channel of Low RCS Pressure, Low Low RCS Pressure, High RB Pressure, and High High RB Pressure. Automatic actuation output logic channels combine the three input channel trips to actuate the individual Engineered Safeguards (ES) components needed to initiate each ES System. Figure 7.5, UFSAR, Chapter 7 (Ref. 1), illustrates how input instrumentation channel trips combine to cause output logic channel trips.
For Unit(s) with the ESPS digital upgrade complete, the ESPS contains three input channels. The ESPS Protective Channel Sets A, B and C are implemented on two independent systems - one system is installed in the ESPS cabinets, the other independent and redundant system is installed in the RPS cabinets, using the RPS protective channel sets (A, B, and C) computers. The ESPS analog signals are sent from ESPS protection sets A, B and C directly to the RPS processor. The ESPS outputs to the Unit control room Statalarm annunciators are implemented using a hardwired OR-gate in the ESPS cabinets. Each of these independent ESPS systems comprises three independent channels, each of them calculating all ESPS functions. All input signals are three times redundant, thus each ESPS channel has its own set of transmitters and contacts. The three ESPS channel set computers are interconnected via fiber optic data links, in a way that enables the exchange of data and signal online validation, before the calculation of setpoints. The ESPS output actuation signals are sent from ESPS protection sets A, B and C to the ESPS actuation computers via fiber optic data links. Figure 7.5.a, UFSAR, Chapter 7 (Ref. 1), illustrates how input instrumentation channel trips combine to cause digital output logic channel trips.
The following matrix identifies the input instrumentation (measurement) channels and the Automatic Actuation Output Logic Channels actuated by each.
| Output Logic Channels | Actuated Systems/Functions | RCS PRESS LOW | RCS PRESS LOW LOW | RB PRESS HIGH | RB PRESS HIGH HIGH |
|---|---|---|---|---|---|
| 1 and 2 | HPI and RB Non-Essential Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input | X | | X | |
| 3 and 4 | LPI and RB Essential Isolation | | X | X | |
| 5 and 6 | RB Cooling, RB Essential Isolation, and Penetration Room Vent. | | | X | |
| 7 and 8 | RB Spray | | | | X |
The ES equipment is generally divided between the two redundant actuation output logic channels. The division of the equipment between the two actuation output logic channels is based on the equipment redundancy and function and is accomplished in such a manner that the failure of one of the actuation output logic channels and the related safeguards equipment will not inhibit the overall ES Functions. Redundant ES pumps are controlled from separate and independent actuation output logic channels with the exception of HPI B pump which is actuated by both.
The actuation of ES equipment is also available by manual actuation switches located on the control room console.
The ESPS, in conjunction with the actuated equipment, provides protective functions necessary to mitigate accidents, specifically the loss of coolant accident (LOCA) and main steam line break (MSLB) events. The ESPS relies on the OPERABILITY of the automatic actuation output logic for each component to perform the actuation of the selected systems of LCO 3.3.7.
The ESPS digital upgrade is part of an overall RPS/ESPS digital upgrade that also includes the Reactor Protective System (RPS). For Unit(s) with the ESPS digital upgrade complete, the ESPS portion consists of two independent systems each containing three separate redundant protective channels (A, B, and C) that monitor or receive input from plant parameters/devices. The RPS/ESPS digital control systems utilize the existing plant sensors, input signal, cables and setpoints.
Engineered Safeguards Protective System Bypasses
For Unit(s) with the ESPS digital upgrade not complete, no provisions are made for maintenance bypass of ESPS instrumentation channels.
Operational bypass of certain channels is necessary to allow accident recovery actions to continue and, for some channels, to allow unit shutdown without spurious ESPS actuation.
For Unit(s) with the ESPS digital upgrade not complete, the ESPS RCS pressure instrumentation channels include permissive bistables that allow manual bypass when reactor pressure is below the point at which the low and low low pressure trips are required to be OPERABLE. Once permissive conditions are sensed, the RCS pressure trips may be manually bypassed. Bypasses are automatically removed when bypass permissive conditions are exceeded. This bypass provides an operational provision only outside the Applicability for this parameter, and provides no safety function.
For Unit(s) with the ESPS digital upgrade complete, the duplicated ESPS channels and the duplicated ESPS Actuation Train (Voters) computers provide a "2 x 2-out-of-3" logic, which allows a Manual Bypass of one complete set of three ESPS channels and one half of the ESPS Actuation Train (Voters). In order to be able to conduct maintenance activities on the ESPS channels or the associated RPS/ES channels, without being in a "1-out-of-2" situation, the associated Voter (Voter 1, odd or even or Voter 2, odd or even) must also be placed into Manual Bypass. Placing a channel in Manual Bypass is implemented by key switches located in the respective ESPS Actuation cabinets (Cabinet 5 for ODD or Cabinet 7 for EVEN). Two Manual Bypass key switches are provided for each of the ESPS Actuation cabinets (5 & 7), two for Voter 1 (driven by RPS/ES logic channels) and two for Voter 2 (driven by ESPS logic channels). If an ESPS Voter is placed in Manual Bypass, all automatic ESPS actuation functions are disabled. However, a manual ESPS trip is still available for Operator action to initiate the ESPS safety actuation functions. Only one Manual Bypass switch for the two ODD Voters or one of the two EVEN Voters is allowed to be in Manual Bypass at a time. Placing an ESPS channel in Manual Bypass is administratively controlled. The ESPS Manual Bypass key switch status information is sent to the Unit control room Statalarm panel and sent to the plant OAC via a digital control system gateway.
Reactor Coolant System Pressure
The RCS pressure is monitored by three independent pressure transmitters located in the RB. These transmitters are separate from the transmitters that feed the Reactor Protective System (RPS). Each of the pressure signals generated by these transmitters is monitored by four bistables (or processing output signals for Unit(s) with the ESPS digital upgrade complete) to provide two trip signals, at ≥ 1590 psig and ≥ 500 psig, and two bypass permissive signals, at 1750 psig and 900 psig.
For Unit(s) with the ESPS digital upgrade not complete, the outputs of the three bistables, associated with the low RCS pressure, ≥ 1590 psig, trip drive relays in two sets of identical and independent channels. These two sets of HPI channels each use a two-out-of-three coincidence network for HPI Actuation. The outputs of the three bistables associated with the Low Low RCS Pressure 500 psig trip drive relays in two sets of identical and independent channels. These two sets of LPI channels each use a two-out-of-three coincidence network for LPI Actuation. The outputs of the three Low Low RCS Pressure bistables also trip the drive relays in the corresponding HPI Actuation channel as previously described.
For Unit(s) with the ESPS digital upgrade complete, the outputs of the three processor output trip signals associated with the low RCS pressure, ≥ 1590 psig, trip voters in two sets of identical and independent channels.
These two sets of HPI channels each use a two-out-of-three coincidence network for HPI Actuation. The outputs of the three processor output trip signals associated with the Low Low RCS Pressure 500 psig trip redundant voters in two sets of identical and independent channels.
These two sets of LPI channels each use a two-out-of-three coincidence logic for LPI Actuation. The outputs of the three Low Low RCS Pressure processor output trip signals also trip the redundant voters in the corresponding HPI Actuation channel as previously described.
Reactor Building Pressure
For Unit(s) with the ESPS digital upgrade not complete, there are three Reactor Building pressure sensors. The output of each sensor terminates in an input isolation amplifier, which provides individually isolated outputs.
One isolated output of each pressure measurement goes to the unit computer for monitoring. One output of each pressure measurement goes to a bistable which initiates action when its high building pressure trip point is exceeded. Each input isolation amplifier module contains an analog meter for indicating the measured pressure. Each of the three bistables has contact outputs that are combined in series with the output of the High and Low Pressure Injection System bistables as previously described.
For Unit(s) with the ESPS digital upgrade complete, there are three Reactor Building pressure sensors. The output of each sensor terminates in an input isolation module, which provides individually isolated outputs. One output of each pressure measurement goes to a processor input signal which initiates action when its high building pressure trip point is exceeded. The outputs of the three high Reactor Building processor output trip signals also trip the redundant voters to initiate HPI and LPI.
The outputs of the three bistables (or processor output trip signals for Unit(s) with the ESPS digital upgrade complete) are brought together in two identical two-out-of-three coincidence logics which provide two ESPS channels. Either of the two channels is independently capable of initiating the required protective action.
The ESPS channels of the Reactor Building Spray System are formed by two identical two-out-of-three logic networks with the active elements originating in six Reactor Building pressure sensing pressure switches.
Three independent pressure switches containing normally open contacts form one protective channel's two-out-of-three logic inputs. Three other identical pressure switches form the two-out-of-three logic inputs of the second protective channel. Either of the two protective channels is capable of initiating the required protective action.
Trip Setpoints and Allowable Values
Trip setpoints are the nominal value at which the bistables (or processor output signals for Unit(s) with the ESPS digital upgrade complete) are set.
Any bistable (or processor output signal for Unit(s) with the ESPS digital upgrade complete) is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION accuracy.
The trip setpoints used in the bistables (or processor output signals for Unit(s) with the ESPS digital upgrade complete) are selected such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment induced errors for those ESPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 2), the Allowable Values specified in Table 3.3.5-1 in the accompanying LCO are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the trip setpoints and associated uncertainties is provided in Reference 3. The actual nominal trip setpoint entered into the bistable (or processor output signal for Unit(s) with the ESPS digital upgrade complete) is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.
Setpoints, in accordance with the Allowable Values, ensure that the consequences of accidents will be acceptable, providing the unit is operated from within the LCOs at the onset of the accident and the equipment functions as designed.
Each channel can be tested online to verify that the setpoint accuracy is within the specified allowance requirements. Once a designated channel is taken out of service for testing, a simulated signal may be injected in place of the field instrument signal.
APPLICABLE SAFETY ANALYSES
The following ESPS Functions have been assumed within the accident analyses.
High Pressure Injection
The ESPS actuation of HPI has been assumed for core cooling in the LOCA analysis and is credited with boron addition in the MSLB analysis.
Low Pressure Injection
The ESPS actuation of LPI has been assumed for large break LOCAs.
Reactor Building Spray, Reactor Building Cooling, and Reactor Building Isolation
The ESPS actuation of the RB coolers and RB Spray have been credited in RB analysis for LOCAs, both for RB performance and equipment environmental qualification pressure and temperature envelope definition.
Accident dose calculations have credited RB Isolation and RB Spray.
Penetration Room Ventilation Actuation
The ESPS actuation of the penetration room ventilation system has been assumed for LOCAs. Accident dose calculations have credited penetration room ventilation.
Keowee Hydro Unit Emergency Start
The ESPS initiated Keowee Hydro Unit Emergency Start has been included in the design to ensure that emergency power is available throughout the limiting LOCA scenarios.
The small break LOCA analyses assume a conservative 48 second delay time for the actuation of HPI and LPI in UFSAR, Chapter 15 (Ref. 4). The large break LOCA analyses assume LPI flow starts in 38 seconds while full LPI flow does not occur until 15 seconds later, or 53 seconds total (Ref. 4). This delay time includes allowances for Keowee Hydro Unit starting, Emergency Core Cooling Systems (ECCS) pump starts, and valve openings. Similarly, the RB Cooling, RB Isolation, and RB Spray have been analyzed with delays appropriate for the entire system analyzed.
Accident analyses rely on automatic ESPS actuation for protection of the core temperature and containment pressure limits and for limiting offsite dose levels following an accident. These include LOCA and MSLB events that result in RCS inventory reduction or severe loss of RCS cooling.
The ESPS channels satisfy Criterion 3 of 10 CFR 50.36 (Ref. 5).
LCO
The LCO requires three input channels of ESPS instrumentation for each Parameter in Table 3.3.5-1 to be OPERABLE in each ESPS automatic actuation output logic channel. Failure of any instrument renders the affected input channel(s) inoperable and reduces the reliability of the affected Functions. For Unit(s) with the ESPS digital upgrade complete, there are redundant sets of processors and only one set is required to be OPERABLE.
Only the Allowable Value is specified for each ESPS Function in the LCO.
Nominal trip setpoints are specified in the setpoint calculations. The nominal trip setpoints are selected to ensure the setpoints measured by CHANNEL FUNCTIONAL TESTS do not exceed the Allowable Value if the bistable (or processor output signal for Unit(s) with the ESPS digital upgrade complete) is performing as required. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable provided that operation and testing are consistent with the assumptions of the setpoint calculations. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis to account for instrument uncertainties appropriate to the trip Parameter. These uncertainties are defined in Reference 3.
The Allowable Values for bypass removal functions are stated in the Applicable MODES or Other Specified Condition column of Table 3.3.5-1.
Three ESPS input instrumentation channels shall be OPERABLE to ensure that a single failure in one input channel will not result in loss of the ability to automatically actuate the required safety systems.
The bases for the LCO on ESPS Parameters include the following.
Three input channels of RCS Pressure-Low, RCS Pressure-Low Low, RB Pressure-High and RB Pressure-High High are required OPERABLE. Each input channel includes a sensor, trip bistable (or processor output trip signal for Unit(s) with the ESPS digital upgrade complete), bypass bistable (for Unit(s) with the ESPS digital upgrade not complete), bypass relays, and output relays.
Failure of a bypass bistable or bypass circuitry, such that an input channel cannot be bypassed, does not render the input channel inoperable since the input channel is still capable of performing its safety function, i.e., this is not a safety related bypass function.
APPLICABILITY
Three input channels of ESPS instrumentation for each of the following Parameters shall be OPERABLE.
- 1. Reactor Coolant System Pressure - Low
The RCS Pressure - Low actuation Parameter shall be OPERABLE during operation at or above 1750 psig. This requirement ensures the capability to automatically actuate safety systems and components during conditions indicative of a LOCA or secondary unit overcooling. Below 1750 psig, the low RCS Pressure actuation Parameter can be bypassed to avoid actuation during normal unit cooldowns when safety system actuations are not required.
The allowance for the bypass is consistent with the transition of the unit to a lower energy state, providing greater margins to safety limits. The unit response to any event, given that the reactor is already tripped, will be less severe and allows sufficient time for operator action to provide manual safety system actuations. This is even more appropriate during unit heatups when the primary system and core energy content is low, prior to power operation.
In MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. RCS pressure and temperature are very low, and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.
- 2. Reactor Coolant System Pressure - Low Low
The RCS Pressure - Low Low actuation Parameter shall be OPERABLE during operation above 900 psig. This requirement ensures the capability to automatically actuate safety systems and components during conditions indicative of a LOCA or secondary unit overcooling. Below 900 psig, the low low RCS Pressure actuation Parameter can be bypassed to avoid actuation during normal unit cooldowns when safety system actuations are not required.
The allowance for the bypass is consistent with the transition of the unit to a lower energy state, providing greater margins to safety limits. The unit response to any event, given that the reactor is already tripped, will be less severe and allows sufficient time for operator action to provide manual safety system actuations. This is even more appropriate during unit heatups when the primary system and core energy content is low, prior to power operation.
In MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. RCS pressure and temperature are very low, and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.
- 3, 4. Reactor Building Pressure - High and Reactor Building Pressure - High High
The RB Pressure - High and RB Pressure - High High actuation Functions of ESPS shall be OPERABLE in MODES 1, 2, 3, and 4 when the potential for a HELB exists. In MODES 5 and 6, the unit conditions are such that there is insufficient energy in the primary and secondary systems to raise the containment pressure to either the RB Pressure - High or RB Pressure - High High actuation setpoints. Furthermore, in MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. RCS pressure and temperature are very low and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.
ACTIONS
Required Actions A and B apply to all ESPS input instrumentation Parameters listed in Table 3.3.5-1.
A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each Parameter.
If an input channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or ESPS bistable (or required processor output for Unit(s) with the ESPS digital upgrade complete) is found inoperable, then all affected functions provided by that input channel should be declared inoperable and the unit must enter the Conditions for the particular protective Parameter affected.
A.1
Condition A applies when one input channel becomes inoperable in one or more Parameters. If one ESPS input instrument channel is inoperable, placing it in a tripped condition leaves the system in a one-out-of-two condition for actuation. Thus, if another input channel were to fail, the ESPS instrumentation could still perform its actuation functions. For Unit(s) with the ESPS digital upgrade not complete, this action is completed when all of the affected output relays are tripped and can normally be accomplished by tripping the affected bistables. For Unit(s) with the ESPS digital upgrade complete, this can be accomplished by tripping processor outputs or tripping the individual parameters in the processor.
The 1 hour Completion Time is sufficient time to perform the Required Action.
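The input-channel behaviour described above (RCS pressure trips, bypass permissives, two-out-of-three coincidence, and Required Action A.1), as an added Python sketch; it is not Duke or Framatome code. The class and function names, the RB Pressure - High setpoint, the sample readings, and the choice to OR each channel's parameter trips before the vote (one reading of "combined in series") are assumptions.

```python
from dataclasses import dataclass, field

# Pressures in psig. The RCS values are the ones quoted in the Bases text.
RCS_LOW_TRIP = 1590.0
RCS_LOW_LOW_TRIP = 500.0
BYPASS_PERMISSIVE = {"RCS_LOW": 1750.0, "RCS_LOW_LOW": 900.0}
RB_HIGH_TRIP = 3.0  # constructed placeholder: the page gives no RB setpoint

# Which input trips demand which system, per the RCS/RB pressure paragraphs.
ACTUATION_INPUTS = {
    "HPI": ("RCS_LOW", "RCS_LOW_LOW", "RB_HIGH"),
    "LPI": ("RCS_LOW_LOW", "RB_HIGH"),
}


@dataclass
class InputChannel:
    """One of the three ESPS input channels (hypothetical model)."""
    name: str
    placed_in_trip: bool = False              # Required Action A.1 applied
    bypassed: set = field(default_factory=set)

    def request_bypass(self, parameter, rcs_psig):
        """Accept a manual bypass only while RCS pressure is below the permissive."""
        if rcs_psig < BYPASS_PERMISSIVE[parameter]:
            self.bypassed.add(parameter)
            return True
        return False

    def evaluate(self, rcs_psig, rb_psig):
        """Return {parameter: tripped} from this channel's own sensors."""
        # Bypasses are removed automatically once the permissive is exceeded.
        self.bypassed = {p for p in self.bypassed
                         if rcs_psig < BYPASS_PERMISSIVE[p]}
        # Exact boundary handling (<= versus <) is a simplification here.
        raw = {
            "RCS_LOW": rcs_psig <= RCS_LOW_TRIP,
            "RCS_LOW_LOW": rcs_psig <= RCS_LOW_LOW_TRIP,
            "RB_HIGH": rb_psig >= RB_HIGH_TRIP,
        }
        if self.placed_in_trip:
            # An inoperable channel placed in trip asserts every output.
            return {p: True for p in raw}
        return {p: tripped and p not in self.bypassed
                for p, tripped in raw.items()}


def two_out_of_three(demands):
    """Coincidence vote over the three input-channel demands."""
    return sum(bool(d) for d in demands) >= 2


def actuations(channels, readings):
    """readings maps channel name -> (rcs_psig, rb_psig); returns {system: bool}."""
    trips = {ch.name: ch.evaluate(*readings[ch.name]) for ch in channels}
    result = {}
    for system, params in ACTUATION_INPUTS.items():
        demands = [any(trips[ch.name][p] for p in params) for ch in channels]
        result[system] = two_out_of_three(demands)
    return result


if __name__ == "__main__":
    chans = [InputChannel(n) for n in "ABC"]
    normal = {n: (2155.0, 0.2) for n in "ABC"}    # constructed readings
    print("normal operation:", actuations(chans, normal))
    chans[0].placed_in_trip = True                # Condition A: channel A inoperable
    print("A in trip, B and C normal:", actuations(chans, normal))
    one_more = dict(normal, B=(1500.0, 0.2))      # one further channel senses low RCS
    print("A in trip, B low RCS:", actuations(chans, one_more))
```

With channel A placed in trip, a single further channel demand is enough to actuate, which is the one-out-of-two condition Condition A describes; a single failed-low sensor on its own never actuates.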
B.1, B.2.1, B.2.2, and B.2.3
Condition B applies when the Required Action and associated Completion Time of Condition A are not met or when one or more parameters have two or more inoperable input channels. If Condition B applies, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours and, for the RCS Pressure-Low Parameter, to < 1750 psig, for the RCS Pressure-Low Low Parameter, to < 900 psig, and for the RB Pressure-High Parameter and RB Pressure-High High Parameter, to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
SURVEILLANCE REQUIREMENTS
The ESPS Parameters listed in Table 3.3.5-1 are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and CHANNEL CALIBRATION. The operational bypasses associated with each RCS Pressure ESPS instrumentation channel are also subject to these SRs to ensure OPERABILITY of the ESPS instrumentation channel.
SR 3.3.5.1
Performance of the CHANNEL CHECK every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that input instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two input instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious.
CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
This SR is modified by a Note indicating that it is not applicable to Unit(s) with an ESPS digital upgrade complete. The ESPS digital control system provides continuous online automatic monitoring of each of the input signals in each channel, performs software limit checking (signal online validation) against required acceptance criteria, and provides hardware functional validation so that the CHANNEL CHECK requirement is continuously being performed. If any protective channel input signal is identified to be in the FAILURE status, this condition is alarmed on the Unit Statalarm and input to the plant operator aid computer (OAC).
Immediate notification of the FAILURE status is provided to the Operation staff. As such, a periodic CHANNEL CHECK is no longer required.
Agreement criteria are determined, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit.
The Frequency, equivalent to every shift, is based on operating experience that demonstrates channel failure is rare. Since the probability of two random failures in redundant channels in any 12 hour period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but potentially more frequent, checks of channel operability during normal operational use of the displays associated with the LCO's required channels.
SR 3.3.5.2
A CHANNEL FUNCTIONAL TEST is performed on each required ESPS input channel to ensure the entire channel, including the bypass function, will perform the intended functions. Any setpoint adjustment shall be consistent with the assumptions of the current unit specific setpoint analysis.
The Frequency of 92 days is based on operating experience, with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given function in any 92 day interval is a rare event.
The SR is modified by a Note indicating that it is not applicable to Unit(s) with the ESPS digital upgrade complete. The CHANNEL FUNCTIONAL TEST has been extended to 18 months and is included in the CHANNEL CALIBRATION. The ESPS digital control system software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The control system also performs continual online hardware monitoring.
SR 3.3.5.3 CHANNEL CALIBRATION is a complete check of the input instrument channel, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION assures that measurement errors and bistable (or processor output trip signal for Unit(s) with the ESPS digital upgrade complete) setpoint errors are within the assumptions of the unit specific setpoint analysis. CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the setpoint analysis.
For Unit(s) with the ESPS digital upgrade complete, the digital processors shall be rebooted as part of the calibration.
This Frequency is justified by the assumption of an 18 month calibration interval to determine the magnitude of equipment drift in the setpoint analysis.
REFERENCES 1.
2.
3.
UFSAR, Chapter 7.
EDM-102, "Instrument Setpoint/Uncertainty Calculations."
UFSAR, Chapter 15.
4.
5.
B 3.3 INSTRUMENTATION
B 3.3.6 Engineered Safeguards Protective System (ESPS) Manual Initiation
BASES
BACKGROUND
The ESPS manual initiation capability allows the operator to actuate ESPS Functions from the main control room in the absence of any other initiation condition. This ESPS manual initiation capability is provided in the event the operator determines that an ESPS Function is needed and has not been automatically actuated. Furthermore, the ESPS manual initiation capability allows operators to rapidly initiate Engineered Safeguards (ES) Functions.
LCO 3.3.6 covers only the system level manual initiation of these Functions. LCO 3.3.5, "Engineered Safeguards Protective System (ESPS) Input Instrumentation," and LCO 3.3.7, "Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels," provide requirements on the portions of the ESPS that automatically initiate the Functions described earlier.
The ESPS manual initiation Function relies on the OPERABILITY of the automatic actuation output logic channels (LCO 3.3.7) to perform the actuation of the systems. A manual trip push button is provided on the control room console for each of the automatic actuation output logic channels. Operation of the push button energizes relays whose contacts perform a logical "OR" function with the automatic actuation.
The ESPS manual initiation channel is defined as the instrumentation between the console switch and the digital automatic actuation logic channel, which actuates the end devices. Other means of manual initiation, such as controls for individual ES devices, may be available in the control room and other unit locations. These alternative means are not required by this LCO, nor may they be credited to fulfill the requirements of this LCO.
For Unit(s) with the ESPS digital upgrade complete, a manual actuation of the ESPS actuation functions shall be capable of being initiated from the main control board TRIP/RESET pushbutton switches. Individual pushbuttons are provided for High Pressure Injection and Reactor Building (RB) Non-Essential Isolation (Channels 1 and 2), Low Pressure Injection and Low Pressure Service Water Actuation (Channels 3 and 4), Reactor Building Cooling, RB Essential Isolation, and Penetration Room Ventilation Actuation (Channels 5 and 6), and RB Spray (Channels 8 and 9). The manual actuation is independent of the ESPS automatic actuation system and is capable of actuating all channel related actuation field components regardless of any failures of the automatic system.
Initiation of the manual actuation portion of ESPS will also input an actuation signal to the automatic system to provide input to the automatic system indicating that a manual actuation has occurred.
For Unit(s) with the ESPS digital upgrade complete, the ESPS manual initiation portion of the ESPS system is defined as the instrumentation between the control console TRIP/RESET switches and the RO relays which actuate the end devices. Other means of manual initiation/control, e.g., controls for individual devices, are available in the control room and other unit locations. These alternative means are not required by this LCO, nor may they be credited to fulfill the requirements of this LCO.
APPLICABLE SAFETY ANALYSES The ESPS, in conjunction with the actuated equipment, provides protective functions necessary to mitigate accidents, specifically, the loss of coolant accident and steam line break events.
The ESPS manual initiation ensures that the control room operator can rapidly initiate ES Functions. The manual initiation trip Function is required as a backup to automatic trip functions and allows operators to initiate ESPS whenever any parameter is rapidly trending toward its trip setpoint.
The ESPS manual initiation functions satisfy Criterion 3 of 10 CFR 50.36 (Ref. 1).
LCO Two ESPS manual initiation channels of each ESPS Function shall be OPERABLE whenever conditions exist that could require ES protection of the reactor or RB. Two OPERABLE channels ensure that no single random failure will prevent system level manual initiation of any ESPS Function. The ESPS manual initiation Function allows the operator to initiate protective action prior to automatic initiation or in the event the automatic initiation does not occur.
The required Function is provided by two associated channels as indicated in the following table:
| Function | Associated Channels |
|---|---|
| HPI and RB Non-Essential Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input | 1 & 2 |
| LPI | 3 & 4 |
| RB Cooling, RB Essential isolation, and Penetration Room Vent. | 5 & 6 |
| RB Spray | 7 & 8 |

APPLICABILITY The ESPS manual initiation Functions shall be OPERABLE in MODES 1 and 2, and in MODES 3 and 4 when the associated engineered safeguard equipment is required to be OPERABLE. The manual initiation channels are required because ES Functions are designed to provide protection in these MODES. ESPS initiates systems that are either reconfigured for decay heat removal operation or disabled while in MODES 5 and 6.
Accidents in these MODES are slow to develop and would be mitigated by manual operation of individual components. Adequate time is available to evaluate unit conditions and to respond by manually operating the ES components, if required.
ACTIONS A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each ESPS manual initiation Function.
A.1 Condition A applies when one manual initiation channel of one or more ESPS Functions becomes inoperable. Required Action A.1 must be taken to restore the channel to OPERABLE status within the next 72 hours. The Completion Time of 72 hours is based on operating experience and administrative controls, which provide alternative means of ESPS Function initiation via individual component controls. The 72 hour Completion Time is generally consistent with the allowed outage time for the safety systems actuated by ESPS.
B.1 and B.2
With the Required Action and associated Completion Time not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required MODES from full power conditions in an orderly manner and without challenging unit systems.
SURVEILLANCE REQUIREMENTS
SR 3.3.6.1
This SR requires the performance of a CHANNEL FUNCTIONAL TEST of the ESPS manual initiation. This test verifies that the initiating circuitry is OPERABLE and will actuate the automatic actuation output logic channels.
The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. This Frequency is demonstrated to be sufficient, based on operating experience, which shows these components usually pass the Surveillance when performed on the 18 month Frequency.
REFERENCES
- 1.
B 3.3 INSTRUMENTATION
B 3.3.7 Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels
BASES
BACKGROUND
For Unit(s) with the ESPS digital upgrade not complete, the automatic actuation output logic channels of ESPS are defined as the instrumentation from the buffers of the ESPS input instrument channels through the unit controllers that actuate ESPS equipment. For Unit(s) with the ESPS digital upgrade complete, the automatic actuation output logic channels are defined as the voters, and output relays and associated contacts. Each of the components actuated by the ESPS Functions is associated with one or more automatic actuation output logic channels. If two-out-of-three ESPS input instrumentation channels indicate a trip, or if channel level manual initiation occurs, the automatic actuation output logic channel is activated and the associated equipment is actuated. The purpose of requiring OPERABILITY of the ESPS automatic actuation output logic channels is to ensure that the Functions of the ESPS can be automatically initiated in the event of an accident. Automatic actuation of some Functions is necessary to prevent the unit from exceeding the Emergency Core Cooling Systems (ECCS) limits in 10 CFR 50.46 (Ref. 1). It should be noted that OPERABLE automatic actuation output logic channels alone will not ensure that each Function can be activated; the input instrumentation channels and actuated equipment associated with each Function must also be OPERABLE to ensure that the Functions can be automatically initiated during an accident.
LCO 3.3.7 covers only the automatic actuation output logic channels that initiate these Functions. LCO 3.3.5, "Engineered Safeguards Protective System (ESPS) Input Instrumentation," and LCO 3.3.6, "Engineered Safeguards Protective System (ESPS) Manual Initiation," provide requirements on the input instrumentation and manual initiation channels that feed into the automatic actuation output logic channels.
The ESPS digital upgrade is part of an overall RPS/ESPS digital upgrade that also includes the Reactor Protective System (RPS). For Unit(s) with the ESPS digital upgrade complete, the ESPS portion consists of two independent systems, each containing three separate redundant protective channels (A, B, and C) that monitor or receive input from plant parameters/devices. The RPS/ESPS digital control systems utilize the existing plant sensors, input signals, cables and setpoints.
For Unit(s) with the ESPS digital upgrade complete, the ESPS Protective Channel Sets (computers) A, B, and C are implemented on two independent and redundant systems. One system, containing channels A, B, and C is installed in the ESPS cabinets using the ESPS protective channel set computer. The other system, containing independent and redundant channels A, B, and C uses the RPS protective channel set computer which is installed in the RPS cabinets.
Each of the independent ESPS and ESPS/RPS protective channel function output signals is sent to two redundant digital actuation Voters, each comprised of an ODD and EVEN Voter. One of the ODD and EVEN Voter sets (Voter 2) performs the "2-out-of-3" voting for the actuation signals coming from the ESPS protective channel sets; the other independent and redundant ODD and EVEN Voter set (Voter 1) performs the "2-out-of-3" voting for the actuation signals coming from the ESPS/RPS sets. The independent and redundant ESPS protective safety actuation functions are duplicated in the ESPS and ESPS/RPS systems. Maintenance Bypasses are provided so a Voter or a set of Voters can be removed from the actuation logic circuitry. While one Voter or a set of Voters is bypassed, the ESPS function is provided by the redundant ESPS system.
Unit(s) with the ESPS digital upgrade complete are equipped with a manual bypass. The duplicated ESPS channels and the duplicated ESPS Actuation Train (Voters) computers provide a "2 x 2-out-of-3" logic, which allows a Manual Bypass of one complete set of three ESPS channels and one half of the ESPS Actuation Train (Voters).
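The "2 x 2-out-of-3" arrangement described above can be modelled and checked exhaustively for single faults. This is an added illustration, not plant or vendor code: the function names are hypothetical, the ODD/EVEN split is not modelled, and OR-ing the two voter sets' outputs is an assumption drawn from the statement that the redundant system provides the function while a voter set is bypassed. Placing a channel in trip follows Required Action A.1 of LCO 3.3.5.

```python
# Added illustration of 2 x 2-out-of-3 voting with maintenance bypass.
from itertools import product

CHANNELS = ("A", "B", "C")
SYSTEMS = ("esps", "esps_rps")


def two_out_of_three(trips):
    """trips: {channel: bool}. True when at least two channels call for a trip."""
    return sum(bool(trips[ch]) for ch in CHANNELS) >= 2


def actuate(esps, esps_rps, bypass_voter1=False, bypass_voter2=False, manual=False):
    """Voter 1 votes the ESPS/RPS channel set, Voter 2 the ESPS channel set.

    A bypassed voter set contributes nothing. The two voter outputs are OR-ed
    (assumption), and manual initiation is OR-ed with the automatic actuation.
    """
    voter1 = (not bypass_voter1) and two_out_of_three(esps_rps)
    voter2 = (not bypass_voter2) and two_out_of_three(esps)
    return voter1 or voter2 or manual


def place_in_trip(trips, channel):
    """Return a copy of the channel set with one inoperable channel forced to trip."""
    forced = dict(trips)
    forced[channel] = True
    return forced


def survives_single_fault(demand, bypass_voter1=False, bypass_voter2=False, in_trip=()):
    """Check every single-channel fault against the expected outcome.

    demand  -- True: the plant condition calls for actuation on every channel
               False: no demand, so any actuation would be spurious
    in_trip -- tuple of (system, channel) pairs already placed in trip
    Each of the six channels in turn reports the opposite of `demand`.
    Returns True only if the output still equals `demand` in every case.
    """
    for faulted in product(SYSTEMS, CHANNELS):
        if faulted in in_trip:
            continue  # already declared inoperable and held in trip
        sets = {name: {ch: demand for ch in CHANNELS} for name in SYSTEMS}
        for name, ch in in_trip:
            sets[name] = place_in_trip(sets[name], ch)
        name, ch = faulted
        sets[name][ch] = not demand
        out = actuate(sets["esps"], sets["esps_rps"], bypass_voter1, bypass_voter2)
        if out != demand:
            return False
    return True


if __name__ == "__main__":
    print("no bypass, demand met:", survives_single_fault(True))
    print("no bypass, no spurious:", survives_single_fault(False))
    print("Voter 1 bypassed, demand met:", survives_single_fault(True, bypass_voter1=True))
    tripped = (("esps", "A"),)
    print("Voter 1 bypassed + A in trip, demand met:",
          survives_single_fault(True, bypass_voter1=True, in_trip=tripped))
    print("Voter 1 bypassed + A in trip, no spurious:",
          survives_single_fault(False, bypass_voter1=True, in_trip=tripped))
```

With a channel held in trip the remaining logic is effectively 1-out-of-2, so the function is still protected against a stuck channel but a single spurious trip now actuates it.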
The ESPS, in conjunction with the actuated equipment, provides protective functions necessary to mitigate accidents, specifically, the loss of coolant accident (LOCA) and main steam line break (MSLB) events.
The ESPS relies on the OPERABILITY of the automatic actuation logic for each component to perform the actuation of the selected systems.
The small break LOCA analyses assume a conservative 48 second delay time for the actuation of high pressure injection (HPI) in UFSAR, Chapter 15 (Ref. 2). The large break LOCA analyses assume LPI flow starts in 38 seconds while full LPI flow does not occur until 36 seconds later, or 74 seconds total (Ref. 2). This delay time includes allowances for Keowee Hydro Unit startup and loading, ECCS pump starts, and valve openings.
Similarly, the reactor building (RB) Cooling, RB Isolation, and RB Spray have been analyzed with delays appropriate for the entire system.
The ESPS automatic initiation of Engineered Safeguards (ES) Functions to mitigate accident conditions is assumed in the accident analysis and is required to ensure that consequences of analyzed events do not exceed the accident analysis predictions. Automatically actuated features include HPI, LPI, RB Cooling, RB Spray, and RB Isolation.
APPLICABLE SAFETY ANALYSES
Accident analyses rely on automatic ESPS actuation for protection of the core and RB and for limiting off site dose levels following an accident. The automatic actuation output logic is an integral part of the ESPS.
The ESPS automatic actuation output logic channels satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).
LCO The automatic actuation output logic channels are required to be OPERABLE whenever conditions exist that could require ES protection of the reactor or the RB. This ensures automatic initiation of the ES required to mitigate the consequences of accidents.
For Unit(s) with the ESPS digital upgrade complete, the ESPS output actuation channels are comprised of two independent and redundant subsystems. Only one of the independent subsystems is required to be OPERABLE.
The required Function is provided by two associated output channels as indicated in the following table:
| Function | Associated Channels |
|---|---|
| HPI and RB Non-Essential Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input | 1 & 2 |
| LPI and RB Essential isolation | 3 & 4 |
| RB Cooling, RB Essential isolation, and Penetration Room Vent. | 5 & 6 |
| RB Spray | 7 & 8 |
APPLICABILITY The automatic actuation output logic channels shall be OPERABLE in MODES 1 and 2 and in MODES 3 and 4 when the associated engineered safeguard equipment is required to be OPERABLE, because ES Functions are designed to provide protection in these MODES. Automatic actuation in MODE 5 or 6 is not required because the systems initiated by the ESPS are either reconfigured for decay heat removal operation or disabled.
Accidents in these MODES are slow to develop and would be mitigated by manual operation of individual components. Adequate time is available to evaluate unit conditions and respond by manually operating the ES components, if required.
ACTIONS A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each ESPS automatic actuation output logic channel.
A.1 and A.2 When one or more automatic actuation output logic channels are inoperable, the associated component(s) can be placed in their engineered safeguard configuration. Required Action A.1 is equivalent to the automatic actuation output logic channel performing its safety function ahead of time.
In some cases, placing the component in its engineered safeguard configuration would violate unit safety or operational considerations. In these cases, the component status should not be changed, but the supported system component must be declared inoperable. Conditions which would preclude the placing of a component in its engineered safeguard configuration include, but are not limited to, violation of system separation, activation of fluid systems that could lead to thermal shock, or isolation of fluid systems that are normally functioning. The Completion Time of 1 hour is based on operating experience and reflects the urgency associated with the inoperability of a safety system component.
Required Action A.2 requires declaring the associated components of the affected supported systems inoperable, since the true effect of automatic actuation output logic channel failure is inoperability of the supported system. The Completion Time of 1 hour is based on operating experience and reflects the urgency associated with the inoperability of a safety system component. A combination of Required Actions A.1 and A.2 may be used for different components associated with an inoperable automatic actuation output logic channel.
SURVEILLANCE REQUIREMENTS
SR 3.3.7.1
SR 3.3.7.1 is the performance of a CHANNEL FUNCTIONAL TEST on a 31 day Frequency for Unit(s) with the ESPS digital upgrade not complete and an 18 month Frequency for Unit(s) with the ESPS digital upgrade complete. The test demonstrates that each automatic actuation output logic channel successfully performs the two-out-of-three logic combinations. The test simulates the required one-out-of-three inputs to the logic circuit and verifies the successful operation of the automatic actuation output logic. For Unit(s) with the ESPS digital upgrade complete, the digital processors shall be rebooted as part of the functional test.
The 31 day Frequency is based on operating experience that demonstrates the rarity of more than one channel failing within the same interval.
The 18 month Frequency is based on the design capabilities and reliability of the new ESPS digital control system. The ESPS digital control system software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The digital control system also performs continual online hardware monitoring.
REFERENCES
- 1.
- 2. UFSAR, Chapter 15.
- 3.
February 14, 2005 ATTACHMENT 2 TECHNICAL SPECIFICATION MARKUP
TABLE OF CONTENTS
1.0 USE AND APPLICATION
1.1 Definitions
1.2 Logical Connectors
1.3 Completion Times
1.4 Frequency
2.0 SAFETY LIMITS (SLs)
2.1 SLs
2.2 SL Violations
3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY
3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY
3.1 REACTIVITY CONTROL SYSTEMS
3.1.1 SHUTDOWN MARGIN (SDM)
3.1.2 Reactivity Balance
3.1.3 Moderator Temperature Coefficient (MTC)
3.1.4 CONTROL ROD Group Alignment Limits
3.1.5 Safety Rod Position Limits
3.1.6 AXIAL POWER SHAPING ROD (APSR) Alignment Limits
3.1.7 Position Indicator Channels
3.1.8 PHYSICS TESTS Exceptions - MODE 2
3.2 POWER DISTRIBUTION LIMITS
3.2.1 Regulating Rod Position Limits
3.2.2 AXIAL POWER IMBALANCE Operating Limits
3.2.3 QUADRANT POWER TILT (QPT)
3.3 INSTRUMENTATION
3.3.1 Reactor Protective System (RPS) Instrumentation
3.3.2 Reactor Protective System (RPS) Manual Reactor Trip
3.3.3 Reactor Protective System (RPS) - Reactor Trip Component (RTC)
3.3.4 Control Rod Drive (CRD) Trip Devices
3.3.5 Engineered Safeguards Protective System (ESPS) Instrumentation
3.3.6 Engineered Safeguards Protective System (ESPS) Manual Initiation
3.3.7 Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels
1.1 Definitions

CHANNEL CALIBRATION (continued)
The CHANNEL CALIBRATION may be performed by means of any series of sequential, overlapping, or total channel steps so that the entire channel is calibrated.

CHANNEL CHECK
A CHANNEL CHECK shall be the qualitative assessment, by observation, of channel behavior during operation. This determination shall include, where possible, comparison of the channel indication and status to other indications or status derived from independent instrument channels measuring the same parameter.

CHANNEL FUNCTIONAL TEST
A CHANNEL FUNCTIONAL TEST shall be the injection of a simulated or actual signal into the channel as close to the sensor as practicable to verify OPERABILITY, including required alarms, interlock, display, and trip functions.

CONTROL RODS
CONTROL RODS shall be all full length safety and regulating rods that are used to shut down the reactor and control power level during maneuvering operations.

CORE ALTERATION
CORE ALTERATION shall be the movement of any fuel, sources, or reactivity control components, within the reactor vessel with the vessel head removed and fuel in the vessel. Suspension of CORE ALTERATIONS shall not preclude completion of movement of a component to a safe position.

CORE OPERATING LIMITS REPORT (COLR)
The COLR is the unit specific document that provides cycle specific parameter limits for the current reload cycle. These cycle specific limits shall be determined for each reload cycle in accordance with Specification 5.6.5. Plant operation within these limits is addressed in individual Specifications.

DOSE EQUIVALENT I-131
DOSE EQUIVALENT I-131 shall be that concentration of I-131 (microcuries/gram) that alone would produce the same thyroid dose as the quantity and isotopic mixture of I-131, I-132, I-133, I-134, and I-135 actually present. The thyroid dose conversion factors used for this calculation shall be those listed in Table III of TID-14844, AEC, 1962, "Calculation of Distance Factors for Power and Test Reactor Sites."
INSERT A FOR 1.1-2 (page B 3.3.1-2)
A CHANNEL FUNCTIONAL TEST shall be:
- a. Analog and bistable channels - the injection of a simulated or actual signal into the channel as close to the sensor as practicable to verify OPERABILITY of all devices in the channel required for channel OPERABILITY,
- b. Digital computer channels - the use of diagnostic programs to test digital computer hardware and the injection of simulated process data into the channel to verify channel OPERABILITY.
The CHANNEL FUNCTIONAL TEST may be performed by means of any series of sequential, overlapping, or total channel steps so that the entire channel is tested.
RPS Instrumentation 3.3.1 ACTIONS (continued)

| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| D. As required by Required Action B.1 and referenced in Table 3.3.1-1. | D.1 Open all CRD trip breakers. | 6 hours |
| E. As required by Required Action B.1 and referenced in Table 3.3.1-1. | E.1 Reduce THERMAL POWER < 30% RTP. | 6 hours |
| F. As required by Required Action B.1 and referenced in Table 3.3.1-1. | F.1 Reduce THERMAL POWER < 2% RTP. | 12 hours |
SURVEILLANCE REQUIREMENTS
NOTE---------------------------
Refer to Table 3.3.1-1 to determine which SRs apply to each RPS Function.
| SURVEILLANCE | FREQUENCY |
|---|---|
| SR 3.3.1.1 Perform CHANNEL CHECK. | 12 hours |
NOTE---------------------------
Not applicable to Unit(s) with RPS digital upgrade complete.
RPS Instrumentation 3.3.1 SURVEILLANCE REQUIREMENTS (continued)

| SURVEILLANCE | FREQUENCY |
|---|---|
| SR 3.3.1.2 NOTE: Not required to be performed until 24 hours after THERMAL POWER is ≥ 15% RTP. Compare results of calorimetric heat balance calculation to the power range channel output and adjust power range channel output if calorimetric exceeds power range channel output by ≥ 2% RTP. | 24 hours |
| NOTE: Not required to be performed until 24 hours after THERMAL POWER is ≥ 15% RTP. Compare out of core measured AXIAL POWER IMBALANCE (API_O) to incore measured AXIAL POWER IMBALANCE (API_I) as follows: (RTP/TP)(API_O - (CS x API_I)) = imbalance error, where CS is CORRELATION SLOPE. Adjust power range channel output if the absolute value of imbalance error is ≥ 2% RTP. | 31 days |
| SR 3.3.1.4 Perform CHANNEL FUNCTIONAL TEST. | 45 days on a STAGGERED TEST BASIS |

NOTE---------------------------
Not applicable to Unit(s) with RPS digital upgrade complete.
RPS - RTC 3.3.3
3.3 INSTRUMENTATION
3.3.3 Reactor Protective System (RPS) - Reactor Trip Component (RTC)
LCO 3.3.3 Four RTCs shall be OPERABLE.
APPLICABILITY: MODES 1 and 2, MODES 3, 4, and 5 with any control rod drive (CRD) trip breaker in the closed position and the CRD System capable of rod withdrawal.

ACTIONS

| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| A. One RTC inoperable. | A.1.1 Trip the associated CRD trip breaker. | 1 hour |
| | OR A.1.2 Remove power from the associated CRD trip breaker. | 1 hour |
| | AND A.2 Physically remove the inoperable RTC. | 1 hour |
RPS - RTC 3.3.3 ACTIONS (continued)

| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| B. Two or more RTCs inoperable in MODE 1, 2, or 3. OR Required Action and associated Completion Time not met in MODE 1, 2, or 3. | B.1 Be in MODE 3. | 12 hours |
| | AND B.2.1 Open all CRD trip breakers. | 12 hours |
| | OR B.2.2 Remove power from all CRD trip breakers. | 12 hours |
| C. Two or more RTCs inoperable in MODE 4 or 5. OR Required Action and associated Completion Time not met in MODE 4 or 5. | C.1 Open all CRD trip breakers. | 6 hours |
| | OR C.2 Remove power from all CRD trip breakers. | 6 hours |

SURVEILLANCE REQUIREMENTS

| SURVEILLANCE | FREQUENCY |
|---|---|
| SR 3.3.3.1 Perform CHANNEL FUNCTIONAL TEST. | 31 days for Unit(s) with the RPS digital upgrade not complete AND 18 months for Unit(s) with the RPS digital upgrade complete |
ESPS Input Instrumentation 3.3.5
3.3 INSTRUMENTATION
3.3.5 Engineered Safeguards Protective System (ESPS) Input Instrumentation
LCO 3.3.5 Three channels of ESPS input instrumentation for each Parameter in Table 3.3.5-1 shall be OPERABLE.
APPLICABILITY: According to Table 3.3.5-1.

ACTIONS
NOTE: Separate Condition entry is allowed for each Parameter.

| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| A. One or more Parameters with one channel inoperable. | A.1 Place channel in trip. | 1 hour |
| B. One or more Parameters with two or more channels inoperable. OR Required Action and associated Completion Time not met. | B.1 Be in MODE 3. | 12 hours |
| | AND B.2.1 NOTE: Only required for RCS Pressure - Low. Reduce RCS pressure < 1750 psig. | 36 hours |
| | AND (continued) | |
ESPS Analog Instrumentation 3.3.5
ACTIONS
| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| B. (continued) | B.2.2 NOTE: Only required for RCS Pressure - Low Low. Reduce RCS pressure < 900 psig. | 36 hours |
| | AND B.2.3 NOTE: Only required for Reactor Building Pressure - High and High High. Be in MODE 5. | 36 hours |

SURVEILLANCE REQUIREMENTS
| SURVEILLANCE | FREQUENCY |
|---|---|
| SR 3.3.5.1 Perform CHANNEL CHECK. | 12 hours |
| SR 3.3.5.2 Perform CHANNEL FUNCTIONAL TEST. | 92 days |
| SR 3.3.5.3 Perform CHANNEL CALIBRATION. | 18 months |

NOTE---------------------------
Not applicable to Unit(s) with ESPS digital upgrade complete.
OCONEE UNITS 1, 2, & 3 3.3.5-2 Amendment Nos.[30, #1, & 722 l
ESPS Input Instrumentation 3.3.5
Table 3.3.5-1 (page 1 o
Engineered Safeguards Protective System Input Instrumentation
| PARAMETER | APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS | ALLOWABLE VALUE |
|---|---|---|
| 1. Reactor Coolant System Pressure - Low | > 1750 psig | > 1590 psig |
| 2. Reactor Coolant System Pressure - Low Low | > 900 psig | > 500 psig |
| 3. Reactor Building (RB) Pressure - High | 1,2,3,4 | ≤ 4 psig |
| 4. Reactor Building Pressure - High High | 1,2,3,4 | ≤ 15 psig |

OCONEE UNITS 1, 2, & 3 3.3.5-3 Amendment Nos. 0, 300/& 307
ESPS Automatic Actuation Output Logic Channels 3.3.7
3.3 INSTRUMENTATION
3.3.7 Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels
LCO 3.3.7 Eight ESPS Automatic Actuation Output Logic Channels shall be OPERABLE.
APPLICABILITY: MODES 1 and 2, MODES 3 and 4 when associated engineered safeguard (ES) equipment is required to be OPERABLE.
ACTIONS
NOTE------------------------------
Separate Condition entry is allowed for each automatic actuation logic channel.
CONDITION REQUIRED ACTION COMPLETION TIME A.
One or more A.1 Place associated 1 hour automatic actuatio components) in ES logic channels
.configuration.
Lu~t PO A.2 Declare the associated 1 hour component(s) inoperable.
OCONEE UNITS 1, 2, & 3 3.3.7-1 Amendment Nos.130, 30,, & 3X0 0
ESPS Automatic Actuation Output Logic Channels
SURVEILLANCE REQUIREMENTS
| SURVEILLANCE | FREQUENCY |
|---|---|
| SR 3.3.7.1 Perform automatic actuation logic CHANNEL FUNCTIONAL TEST. | 31 days for Unit(s) with the ESPS digital upgrade not complete AND 18 months for Unit(s) with the ESPS digital upgrade complete |

OCONEE UNITS 1, 2, & 3 3.3.7-2 Amendment Nos. [0A, 30p, & 3-W]
TABLE OF CONTENTS
| Section | Title | Page |
|---|---|---|
| B 2.0 | SAFETY LIMITS (SLs) | B 2.1.1-1 |
| B 2.1.1 | Reactor Core SLs | B 2.1.1-1 |
| B 2.1.2 | Reactor Coolant System (RCS) Pressure SL | B 2.1.2-1 |
| B 3.0 | LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY | B 3.0-1 |
| B 3.0 | SURVEILLANCE REQUIREMENT (SR) APPLICABILITY | B 3.0-12 |
| B 3.1 | REACTIVITY CONTROL SYSTEMS | B 3.1.1-1 |
| B 3.1.1 | SHUTDOWN MARGIN (SDM) | B 3.1.1-1 |
| B 3.1.2 | Reactivity Balance | B 3.1.2-1 |
| B 3.1.3 | Moderator Temperature Coefficient (MTC) | B 3.1.3-1 |
| B 3.1.4 | CONTROL ROD Group Alignment Limits | B 3.1.4-1 |
| B 3.1.5 | Safety Rod Position Limits | B 3.1.5-1 |
| B 3.1.6 | AXIAL POWER SHAPING ROD (APSR) Alignment Limits | B 3.1.6-1 |
| B 3.1.7 | Position Indicator Channels | B 3.1.7-1 |
| B 3.1.8 | PHYSICS TESTS Exceptions-MODE 2 | B 3.1.8-1 |
| B 3.2 | POWER DISTRIBUTION LIMITS | B 3.2.1-1 |
| B 3.2.1 | Regulating Rod Position Limits | B 3.2.1-1 |
| B 3.2.2 | AXIAL POWER IMBALANCE Operating Limits | B 3.2.2-1 |
| B 3.2.3 | QUADRANT POWER TILT (QPT) | B 3.2.3-1 |
| B 3.3 | INSTRUMENTATION | B 3.3.1-1 |
| B 3.3.1 | Reactor Protective System (RPS) Instrumentation | B 3.3.1-1 |
| B 3.3.2 | Reactor Protective System (RPS) Manual Reactor Trip | B 3.3.2-1 |
| B 3.3.3 | Reactor Protective System (RPS) - Reactor Trip Component (RTC) | B 3.3.3-1 |
| B 3.3.4 | Control Rod Drive (CRD) Trip Devices | B 3.3.4-1 |
| B 3.3.5 | Engineered Safeguards Protective System (ESPS) Input Instrumentation | B 3.3.5-1 |
| B 3.3.6 | Engineered Safeguards Protective System (ESPS) Manual Initiation | B 3.3.6-1 |
| B 3.3.7 | Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels | B 3.3.7-1 |
| B 3.3.8 | Post Accident Monitoring (PAM) Instrumentation | B 3.3.8-1 |
| B 3.3.9 | Source Range Neutron Flux | B 3.3.9-1 |
| B 3.3.10 | Wide Range Neutron Flux | B 3.3.10-1 |
| B 3.3.11 | Automatic Feedwater Isolation System (AFIS) Instrumentation | B 3.3.11-1 |
| B 3.3.12 | Automatic Feedwater Isolation System (AFIS) Manual Initiation | B 3.3.12-1 |

OCONEE UNITS 1, 2, & 3 i
Amendment 329, 320. R0
RPS Instrumentation B 3.3.1
B 3.3 INSTRUMENTATION
B 3.3.1 Reactor Protective System (RPS) Instrumentation
BASES
BACKGROUND
The RPS initiates a reactor trip to protect against violating the core fuel design limits and the Reactor Coolant System (RCS) pressure boundary during anticipated transients. By tripping the reactor, the RPS also assists the Engineered Safeguards (ES) Systems in mitigating accidents.
The protective and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as the LCOs on other reactor system parameters and equipment performance.
The LSSS, defined in this Specification as the Allowable Value, in conjunction with the LCOs, establishes the threshold for protective system action to prevent exceeding acceptable limits during accidents or transients.
During anticipated transients, which are those events expected to occur one or more times during the unit's life, the acceptable limit is:
- a. The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value;
- b. Fuel centerline melt shall not occur; and
- c. The RCS pressure SL of 2750 psia shall not be exceeded.
Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 20 and 10 CFR 100 criteria during anticipated transients.
Accidents are events that are analyzed even though they are not expected to occur during the unit's life. The acceptable limit during accidents is that the offsite dose shall be maintained within reference 10 CFR 100 limits.
Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.
OCONEE UNITS 1, 2, & 3 B 3.3.1-1 BASES REVISION DATED 12/14/04 Amendment Nos.
RPS Instrumentation B 3.3.1
BASES
BACKGROUND (continued)
RPS Overview
The RPS consists of four separate redundant protective channels that receive inputs of neutron flux, RCS pressure, RCS flow, RCS temperature, RCS pump status, reactor building (RB) pressure, main feedwater (MFW) pump status, and turbine status.
Figures 7.1, 7.1.a, 7.1.b, and 7.1.c of UFSAR, Chapter 7 (Ref. 1), show the arrangement of a typical RPS protective channel. A protective channel is composed of measurement channels, a manual trip channel, a Reactor Trip Component (RTC), and control rod drive (CRD) trip devices. LCO 3.3.1 provides requirements for the individual measurement channels. These channels encompass all equipment and electronics from the point at which the measured parameter is sensed through the bistable relay contact (or processor output trip signals for Unit(s) with the RPS digital upgrade complete) in the trip string. LCO 3.3.2, "Reactor Protective System (RPS) Manual Reactor Trip," LCO 3.3.3, "Reactor Protective System (RPS) - Reactor Trip Component (RTC)," and LCO 3.3.4, "Control Rod Drive (CRD) Trip Devices," discuss the remaining RPS elements.
The RPS instrumentation measures critical unit parameters and compares these to predetermined setpoints. If the setpoint is exceeded, a channel trip signal is generated. The generation of any two trip signals in any of the four RPS channels will result in the trip of the reactor.
For Unit(s) with the Control Rod Drive Control System (CRDCS) digital upgrade not complete, the Reactor Trip System (RTS) contains multiple CRD trip devices: two AC trip breakers, two DC trip breaker pairs, and eight electronic trip assembly (ETA) relays. The system has two separate paths (or channels), with each path having one AC breaker in series with a pair of DC breakers and functionally in series with four ETA relays in parallel.
Each path provides independent power to the CRDs. Either path can provide sufficient power to operate all CRDs. Two separate power paths to the CRDs ensure that a single failure that opens one path will not cause an unwanted reactor trip.
For Unit(s) with the CRDCS digital upgrade complete, the RTS consists of four AC Trip Breakers arranged in two parallel combinations of two breakers each. Each path provides independent power to the CRD motors. Either path can provide sufficient power to operate all CRDs.
Two separate power paths to the CRDs ensure that a single failure that opens one path will not cause an unwanted reactor trip.
OCONEE UNITS 1, 2, & 3 B 3.3.1-2 BASES REVISION DATED 12/14/04 Amendment Nos.
INSERT A FOR BASES 3.3.1 (page B 3.3.1-2)
For Unit(s) with the RPS digital upgrade complete, the RPS consists of four independent protective channels (A, B, C, and D). Each RPS protective channel contains the sensor input modules; a protective channel set (computer), four hardwired (normally energized) reactor trip relays (RTRs) (A, B, C, and D) and their associated (normally closed) 120VAC contacts. Protective channel set A provides input signals to the channel A RTR and also sends this signal to the A RTR in channel sets B, C, and D. Likewise, channel set B provides input signals to the B RTR in channel sets A, C, and D. Channel sets C and D provide input signals to the respective RTR in each of the respective channel sets. Each RTR (A, B, C, and D) in each RPS channel set A, B, C, and D maintains two normally closed 120VAC contacts. One contact from each RTR is configured in two separate redundant output trip actuation logic schemes. Each output trip actuation logic scheme contains a contact from each of the four RTRs in the four channel sets. This configuration results in a 2-out-of-4 coincidence reactor trip logic. If any channel protective set initiates a trip signal, the respective four RTRs (one in each of the four channel sets) de-energize and open the respective contacts. The outputs from the RTR contacts provide the trip signal to the Control Rod Drive (CRD) trip devices.
For Unit(s) with the RPS digital upgrade complete, three of the four RPS protective channel set computers (A, B, and C) also perform a redundant Engineered Safeguards Protective System (ESPS) logic function. Therefore, three of the four RPS protective channel sets calculate both RPS and ESPS functions, and the fourth RPS channel D calculates only RPS functions. See Technical Specification section B 3.3.5 for additional discussion of the ESPS protective channels and the duplicated ESPS functions performed by the RPS protective channels.
RPS Instrumentation B 3.3.1
BASES
BACKGROUND
RPS Overview (continued)
For Unit(s) with the RPS digital upgrade not complete, the RPS consists of four independent protective channels, each containing a reactor trip module (RTM). The RTM receives signals from its own measurement channels that indicate a protective channel trip is required. The RTM transmits this signal to its own two-out-of-four trip logic and to the two-out-of-four logic of the RTMs in the other three RPS channels. Whenever any two RPS channels transmit channel trip signals, the RTM logic in each channel actuates to remove 120 VAC power from its associated CRD trip device.
For Unit(s) with the CRDCS digital upgrade not complete, the reactor is tripped by opening circuit breakers and energizing ETA relays that interrupt the control power supply to the CRDs. Six breakers are installed to increase reliability and allow testing of the trip system. A one-out-of-two taken twice logic is used to interrupt power to the rods.
For Unit(s) with the CRDCS digital upgrade complete, the reactor is tripped by opening the reactor trip breakers.
For Unit(s) with the RPS digital upgrade not complete, there are three bypasses: a shutdown bypass, a dummy bistable and an RPS channel bypass. Shutdown bypass allows the withdrawal of safety rods for SDM availability and rapid negative reactivity insertion during unit cooldowns or heatups. The dummy bistable is used to bypass one or more functions (bistable trips) associated with one RPS Channel. The RPS Channel bypass allows one entire RPS channel to be taken out of service for maintenance and testing. Test circuits in the trip strings allow complete testing of all RPS trip functions.
The RPS operates from the instrumentation channels discussed next. The specific relationship between measurement channels and protective channels differs from parameter to parameter. Three basic configurations are used:
- a. Four completely redundant measurements (e.g., reactor coolant flow) with one channel input to each protective channel;
- b. Four channels that provide similar, but not identical, measurements (e.g., power range nuclear instrumentation where each RPS channel monitors a different quadrant), with one channel input to each protective channel; and
- c. Redundant measurements with combinational trip logic outside of the protective channels and the combined output provided to each protective channel (e.g., main feedwater pump turbines trip instrumentation).
OCONEE UNITS 1, 2, & 3 B 3.3.1-3 BASES REVISION DATED 12/14/04 Amendment Nos.
INSERT B FOR BASES 3.3.1 (page B 3.3.1-3)
For Unit(s) with the RPS digital upgrade complete there are three bypasses: shutdown bypass, manual bypass, and test enable bypass. The shutdown bypass and the manual bypass are initiated by use of a key switch located on the respective RPS channel set cabinet. Test enable bypass is initiated when the test equipment is connected to the RPS cabinet inputs. The manual bypass allows putting a complete RPS channel set into BYPASS for maintenance activities. This includes the power-down of the RPS channel set computer for each RPS channel set. The shutdown bypass function is the same for both RPS designs.
RPS Instrumentation B 3.3.1
BASES
BACKGROUND
RPS Overview (continued)
These arrangements and the relationship of instrumentation channels to trip Functions are discussed next to assist in understanding the overall effect of instrumentation channel failure.
Power Range Nuclear Instrumentation
Power Range Nuclear Instrumentation channels provide inputs to the following trip Functions:
- 1. Nuclear Overpower
  - a. Nuclear Overpower - High Setpoint;
  - b. Nuclear Overpower - Low Setpoint;
- 7. Reactor Coolant Pump to Power;
- 8. Nuclear Overpower Flux/Flow Imbalance;
- 9. Main Turbine Trip (Hydraulic Fluid Pressure); and
- 10. Loss of Main Feedwater (LOMFW) Pumps (Hydraulic Oil Pressure).
The power range instrumentation has four linear level channels, one for each core quadrant. Each channel feeds one RPS protective channel.
Each channel originates in a detector assembly containing two uncompensated ion chambers. The ion chambers are positioned to represent the top half and bottom half of the core. The individual currents from the chambers are fed to individual linear amplifiers. The summation of the top and bottom is the total reactor power. The difference of the top minus the bottom neutron signal is the measured AXIAL POWER IMBALANCE for the associated core quadrant.
OCONEE UNITS 1, 2, & 3 B 3.3.1-4 BASES REVISION DATED 12/14/04 Amendment Nos.
RPS Instrumentation B 3.3.1
BASES
BACKGROUND (continued)
Reactor Coolant System Outlet Temperature
The Reactor Coolant System Outlet Temperature provides input to the following Functions:
- 2. RCS High Outlet Temperature; and
- 5. RCS Variable Low Pressure.
The RCS Outlet Temperature is measured by two resistance temperature detection (RTD) elements in each hot leg, for a total of four. One temperature detector element is associated with each protective channel.
Reactor Coolant System Pressure
The Reactor Coolant System Pressure provides input to the following Functions:
- 3. RCS High Pressure;
- 4. RCS Low Pressure;
- 5. RCS Variable Low Pressure; and
- 11. Shutdown Bypass RCS High Pressure.
The RPS inputs of reactor coolant pressure are provided by two pressure transmitters in each hot leg, for a total of four. One sensor is associated with each protective channel.
Reactor Building Pressure
The Reactor Building Pressure measurements provide input only to the Reactor Building High Pressure trip, Function 6. There are four RB High Pressure sensors, one associated with each protective channel.
OCONEE UNITS 1, 2, & 3 B 3.3.1-5 BASES REVISION DATED 12/14/04 Amendment Nos.
RPS Instrumentation B 3.3.1
BASES
BACKGROUND (continued)
Reactor Coolant Pump Power Monitoring
Reactor coolant pump power monitors are inputs to the Reactor Coolant Pump to Power trip, Function 7. Each RC.
eratina current. and,4oltaael has a RCP Power is m asured y four rr t trans rmers at four poteoial transf rmers Monior RCPP)
_.driingfou~lndr~vac/rlay-tach Dofer monitoring channel onsistof Monitor (RCPPM) which monitors the a under ower rdfav. I One channel for each pump is associated with each electrical pump and protective channel.
breaker status of each pump motor to determine if it is running. Each RCPPM provides inputs to all four RPS channels.
Reactor Coolant System Flow
The Reactor Coolant System Flow measurements are an input to the Nuclear Overpower Flux/Flow Imbalance trip, Function 8. The reactor coolant flow inputs to the RPS are provided by eight high accuracy differential pressure transmitters, four on each loop, which measure flow through calibrated flow tubes. One flow input in each loop is associated with each protective channel.
Main Turbine Automatic Stop Oil Pressure
Main Turbine Automatic Stop Oil Pressure is an input to the Main Turbine Trip (Hydraulic Fluid Pressure) reactor trip, Function 9. Each of the four protective channels receives turbine status information from one of the four pressure switches monitoring main turbine automatic stop oil pressure. An open indication will be provided to the RPS on a turbine trip. Contact buffers in each protective channel continuously monitor the status of the contact inputs and initiate an RPS trip when a main turbine trip is indicated.
Feedwater Pump Turbine Hydraulic Oil Pressure
Feedwater Pump Turbine Hydraulic Oil Pressure is an input to the Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) trip, Function 10. Hydraulic Oil pressure is measured by four switches on each feedwater pump. One switch on each pump connected in series with a switch on the other MFW pumps is associated with each protective channel.
OCONEE UNITS 1, 2, & 3 B 3.3.1-6 BASES REVISION DATED 12/14/04 Amendment Nos.
RPS Instrumentation B 3.3.1
BASES
BACKGROUND (continued)
RPS Bypasses
For Unit(s) that have the RPS digital upgrade complete, the RPS is designed with three types of system bypasses: shutdown bypass, manual bypass, and test enable bypass. Each bypass is discussed below.
For Unit(s) with the RPS digital upgrade not complete, the RPS is designed with three types of bypasses: dummy bistable, channel bypass and shutdown bypass.
The dummy bistable provides a method of placing one or more functions in a RPS protective channel in a bypassed condition, the channel bypass provides a method of placing all Functions in one RPS protective channel in a bypassed condition, and shutdown bypass provides a method of leaving the safety rods withdrawn during cooldown and depressurization of the RCS. Each bypass is discussed next.
Dummy Bistable (Not applicable to Unit(s) with RPS digital upgrade complete)
The dummy bistable is used to bypass one or more functions (bistable trips) associated with one RPS Channel. A dummy bistable is used if a parameter in an RPS channel fails and causes that channel to trip. Dummy bistables may be used in only one RPS channel at a time. Also, if an RPS channel is bypassed, no other RPS channel may contain a dummy bistable. Inserting a dummy bistable in the place of a failed (tripped) bistable allows the RPS channels to be reset, thus allowing the remainder of the functions in that RPS channel to be returned to service. This is more conservative than manually bypassing the entire RPS channel. For an RPS channel with a dummy bistable installed, only the affected function(s) is inoperable. The installation of the STAR hardware in the nuclear overpower flux/flow imbalance trip string requires the use of jumpers to bypass the trip string. The installation of these jumpers does not require the removal of the STAR processor module, therefore, the protective channel is not forced into a tripped condition.
Channel Bypass (Not applicable to Unit(s) with RPS digital upgrade complete)
A channel bypass provision is provided to allow for maintenance and testing of the RPS. The use of channel bypass keeps the protective channel trip relay energized regardless of the status of the instrumentation channel of the bistable relay contacts. To place a protective channel in channel bypass, the other three channels must not be in channel bypass or otherwise inoperable (e.g., a dummy bistable installed). This can be verified by observing alarms/indicator lights. This is administratively controlled by having only one manual bypass key available for each unit.
All RPS trips are reduced to a two-out-of-three logic in channel bypass.
OCONEE UNITS 1, 2, & 3 B 3.3.1-7 BASES REVISION DATED 12/14/04 Amendment Nos.
RPS Instrumentation B 3.3.1
BASES
BACKGROUND (continued)
Shutdown Bypass
During unit cooldown and heatup, it is desirable to leave the safety rods at least partially withdrawn to provide shutdown capabilities in the event of unusual positive reactivity additions (moderator dilution, etc.).
However, the unit is also depressurized as coolant temperature is decreased. If the safety rods are withdrawn and coolant pressure is decreased, an RCS Low Pressure trip will occur at 1800 psig and the rods will fall into the core. To avoid this, the protective system allows the operator to bypass the low pressure trip and maintain shutdown capabilities. During the cooldown and depressurization, the safety rods are inserted prior to the low pressure trip of 1800 psig. The RCS pressure is decreased to less than 1720 psig, then each RPS channel is placed in shutdown bypass.
In shutdown bypass, a normally closed contact opens when the operator closes the shutdown bypass key switch (status shall be indicated by a light). This action bypasses the RCS Low Pressure trip, Nuclear Overpower Flux/Flow Imbalance trip, Reactor Coolant Pump to Power trip, and the RCS Variable Low Pressure trip, and inserts a new RCS High Pressure, 1720 psig trip. The operator can now withdraw the safety rods for additional rapidly insertable negative reactivity.
The insertion of the new high pressure trip performs two functions. First, with a trip setpoint of 1720 psig, the bistable (or processor output trip signal for Unit(s) with the RPS digital upgrade complete) prevents operation at normal system pressure, 2155 psig, with a portion of the RPS bypassed. The second function is to ensure that the bypass is removed prior to normal operation. When the RCS pressure is increased during a unit heatup, the safety rods are inserted prior to reaching 1720 psig. The shutdown bypass is removed, which returns the RPS to normal, and system pressure is increased to greater than 1800 psig. The safety rods are then withdrawn and remain at the full out condition for the rest of the heatup.
In addition to the Shutdown Bypass RCS High Pressure trip, the high flux trip setpoint is administratively reduced to < 5% RTP prior to placing the RPS in shutdown bypass. This provides a backup to the Shutdown Bypass RCS High Pressure trip and allows low power physics testing while preventing the generation of any significant amount of power.
INSERT C
OCONEE UNITS 1, 2, & 3 B 3.3.1-8 BASES REVISION DATED 12/14/04 Amendment Nos.
INSERT C FOR BASES 3.3.1 (page B 3.3.1-8)
Manual Bypass (applicable only to Unit(s) with RPS digital upgrade complete)
The RPS Manual Bypass allows putting the complete RPS channel into BYPASS for maintenance activities. Placing the RPS channel in bypass does not power-down the TXS computer. The Manual bypass switch may be used to power-down the TXS computer of the RPS channel.
The RPS Manual Bypass status information is sent to the Unit Statalarm panel (hardwired output of the RPS Channel TXS computer and in parallel as a hardwired signal from a switch contact in case the TXS computer is powered down) and is sent to the plant Operator Aid Computer (OAC) via a TXS gateway.
If the complete RPS cabinet is powered down, the manual bypass condition cannot be maintained. That RPS channel output signal goes to "TRIP" and the manual bypass Unit Statalarm window will not illuminate.
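The coincidence behaviour described in this section (any two channel trip signals trip the reactor; channel bypass holds one trip relay energized and leaves a two-out-of-three vote; a powered-down cabinet cannot hold its bypass and goes to TRIP) can be exercised with a small model. The Python below is an added illustration, not part of the submittal or of any plant software: the names `Channel`, `build`, `tripped`, `reactor_trip` and `single_failure_tolerant` are hypothetical, the relay-level wiring is not modelled, and treating the digital manual bypass like the channel bypass in the vote is an assumption.

```python
from dataclasses import dataclass

CHANNEL_NAMES = "ABCD"  # the four protective channels


@dataclass(frozen=True)
class Channel:
    """One protective channel of the simplified model (hypothetical class)."""
    name: str
    setpoint_exceeded: bool = False  # measurement channel demands a trip
    bypassed: bool = False           # bypass key switch set for this channel
    powered: bool = True             # complete channel cabinet has power

    def relay_energized(self) -> bool:
        """Trip relays are normally energized; de-energized means TRIP."""
        if not self.powered:
            return False  # bypass cannot be maintained, output goes to TRIP
        if self.bypassed:
            return True   # bypass holds the relay energized regardless of input
        return not self.setpoint_exceeded


def build(demand="", bypass="", powered_down=""):
    """Return channels A-D; each argument is a string of channel letters."""
    return [
        Channel(n, n in demand, n in bypass, n not in powered_down)
        for n in CHANNEL_NAMES
    ]


def tripped(channels):
    """Names of the channels whose trip relay is de-energized."""
    return [c.name for c in channels if not c.relay_energized()]


def reactor_trip(channels) -> bool:
    """Coincidence vote: any two channel trip signals trip the reactor."""
    bypassed = [c.name for c in channels if c.bypassed]
    if len(bypassed) > 1:
        # The text allows only one channel in bypass at a time.
        raise ValueError(f"only one channel may be bypassed, got {bypassed}")
    return len(tripped(channels)) >= 2


def single_failure_tolerant(bypass="", powered_down="") -> bool:
    """Check each single faulty voter: no spurious trip and no missed trip."""
    voters = [n for n in CHANNEL_NAMES
              if n not in bypass and n not in powered_down]
    for faulty in voters:
        # Fault 1: the faulty channel trips with no real demand.
        spurious = build(demand=faulty, bypass=bypass,
                         powered_down=powered_down)
        # Fault 2: every healthy voter sees a real demand, the faulty one
        # fails to trip.
        others = "".join(n for n in voters if n != faulty)
        missed = build(demand=others, bypass=bypass,
                       powered_down=powered_down)
        if reactor_trip(spurious) or not reactor_trip(missed):
            return False
    return True


if __name__ == "__main__":
    # Constructed scenarios, not plant data.
    cases = {
        "one channel demands a trip": build(demand="A"),
        "two channels demand a trip": build(demand="AC"),
        "A bypassed, A and B demand": build(demand="AB", bypass="A"),
        "A bypassed, B and C demand": build(demand="BC", bypass="A"),
        "A bypassed but powered down, B demands":
            build(demand="B", bypass="A", powered_down="A"),
    }
    for label, channels in cases.items():
        print(f"{label}: tripped={tripped(channels)} "
              f"reactor_trip={reactor_trip(channels)}")
    print("tolerant, no bypass:", single_failure_tolerant())
    print("tolerant, A bypassed:", single_failure_tolerant(bypass="A"))
    print("tolerant, A powered down:",
          single_failure_tolerant(powered_down="A"))
```

In this model a bypassed channel still leaves the vote tolerant of one faulty channel, while a powered-down cabinet leaves the remaining channels one spurious trip away from a reactor trip.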
Test Enable Bypass (applicable only to Unit(s) with RPS digital upgrade complete)
Test enable bypass is initiated when the test equipment is connected to the TXS cabinet inputs. The test enable bypass has two functions:
1) Sets the analog input signals of the RPS channel in TEST to "FAILED" status. This excludes those analog input signals from Signal Online Validation in all remaining channels and allows injection of test signals using the TXS Test Machine.
2) Sets the permissive for the reactor trip output circuit testing. This allows each of the four outputs used for the hardwired "2-out-of-4" logic implemented in each respective RPS channel to be de-energized.
RPS Instrumentation B 3.3.1
BASES
BACKGROUND (continued)
Module Interlock and Test Trip Relay
Each channel and each trip module is capable of being individually tested.
When a module is placed into the test mode, it causes the test trip relay to open and to indicate an RPS channel trip. Under normal conditions, the channel to be tested is placed in bypass before a module is tested. Each trip module is electrically interlocked to the other three trip modules.
Removal of a trip module will indicate a tripped channel in the remaining trip modules.
Trip Setpoints/Allowable Value
The Allowable Value and trip setpoint are based on the analytical limits stated in UFSAR, Chapter 15 (Ref. 2). The selection of the Allowable Value and associated trip setpoint is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 3), the Allowable Values specified in Table 3.3.1-1 in the accompanying LCO are conservative with respect to the analytical limits to account for all known uncertainties for each channel. The actual trip setpoint entered into the bistable (or processor output trip signal for Unit(s) with the RPS digital upgrade complete) is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST. One example of such a change in measurement error is drift during the Surveillance
A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes. The trip setpoints are the nominal values at which the bistables (or processor output trip signals for Unit(s) with the RPS digital upgrade complete) are set. Any bistable is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION accuracy. A detailed description of the methodology used to determine the Allowable Value, trip setpoints, and associated uncertainties is provided in Reference 4.
Setpoints in accordance with the Allowable Value ensure that the limits of Chapter 2.0, "Safety Limits," in the Technical Specifications are not violated during anticipated transients and that the consequences of accidents will be acceptable, providing the unit is operated from within the LCOs at the onset of the anticipated transient or accident and the equipment functions as designed. Note that in LCO 3.3.1 the Allowable Values listed in Table 3.3.1-1 for Functions 1 through 8 and 11 are the LSSS.
OCONEE UNITS 1, 2, & 3 B 3.3.1-9 BASES REVISION DATED 12/14/04 Amendment Nos.
RPS Instrumentation B 3.3.1
BASES
BACKGROUND
Trip Setpoints/Allowable Value (continued)
Each channel can be tested online to verify that the setpoint accuracy is within the specified allowance requirements. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. Surveillances for the channels are specified in the SR section.
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY
Each of the analyzed accidents and transients that require a reactor trip to meet the acceptance criteria can be detected by one or more RPS Functions. The accident analysis contained in the UFSAR, Chapter 15 (Ref. 2), takes credit for most RPS trip Functions. Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit.
These Functions are high RB pressure, higfi R ter perat re turbine trip, and loss of main feedwater. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions also serve as backups to Functions that were credited in the safety analysis.
The LCO requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions. The three channels of each Function in Table 3.3.1-1 of the RPS instrumentation shall be OPERABLE during its specified Applicability to ensure that a reactor trip will be actuated if needed. Additionally, during shutdown bypass with any CRD trip breaker closed, the applicable RPS Functions must also be available. This ensures the capability to trip the withdrawn CONTROL RODS exists at all times that rod motion is possible. The trip Function channels specified in Table 3.3.1-1 are considered OPERABLE when all channel components necessary to provide a reactor trip are functional and in service for the required MODE or Other Specified Condition listed in Table 3.3.1-1.
Only the Allowable Values are specified for each RPS trip Function in the LCO. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoint measured by CHANNEL FUNCTIONAL TESTS does not exceed the Allowable Value if the bistable (or processor output trip signals for Unit(s) with the RPS digital upgrade complete) is performing as required. A trip setpoint found less conservative than the nominal trip setpoint, but within its Allowable Value, is considered OPERABLE with respect to the uncertainty allowances assumed for the applicable surveillance interval provided that operation, testing and subsequent calibration are consistent with the assumptions of the setpoint calculations. Each Allowable Value specified is more conservative than instrument uncertainties appropriate to the trip Function. These uncertainties are defined in Reference 4.
For most RPS Functions, the Allowable Value in conjunction with the nominal trip setpoint ensures that the departure from nucleate boiling (DNB), center line fuel melt, or RCS pressure SLs are not challenged. Cycle specific values for use during operation are contained in the COLR.
Certain RPS trips function to indirectly protect the SLs by detecting specific conditions that do not immediately challenge SLs but will eventually lead to challenge if no action is taken. These trips function to minimize the unit transients caused by the specific conditions. The Allowable Value for these Functions is selected at the minimum deviation from normal values that will indicate the condition, without risking spurious trips due to normal fluctuations in the measured parameter.
The Allowable Values for bypass removal Functions are stated in the Applicable MODE or Other Specified Condition column of Table 3.3.1-1.
The safety analyses applicable to each RPS Function are discussed next.
1. Nuclear Overpower
a. Nuclear Overpower - High Setpoint
The Nuclear Overpower - High Setpoint trip provides protection for the design thermal overpower condition based on the measured out of core neutron leakage flux.
The Nuclear Overpower - High Setpoint trip initiates a reactor trip when the neutron power reaches a predefined setpoint at the design overpower limit. Because THERMAL POWER lags the neutron power, tripping when the neutron power reaches the design overpower will limit THERMAL POWER to prevent exceeding acceptable fuel damage limits.
Thus, the Nuclear Overpower - High Setpoint trip protects against violation of the DNBR and fuel centerline melt SLs.
However, the RCS Variable Low Pressure, and Nuclear Overpower Flux/Flow Imbalance, provide more direct protection. The role of the Nuclear Overpower - High Setpoint trip is to limit reactor THERMAL POWER below the highest power at which the other two trips are known to provide protection.
The Nuclear Overpower - High Setpoint trip also provides transient protection for rapid positive reactivity excursions during power operations. These events include the rod withdrawal accident and the rod ejection accident. By providing a trip during these events, the Nuclear Overpower - High Setpoint trip protects the unit from excessive power levels and also serves to limit reactor power to prevent violation of the RCS pressure SL.
Rod withdrawal accident analyses cover a large spectrum of reactivity insertion rates (rod worths), which exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower - High Setpoint trip provides the primary protection. At low reactivity insertion rates, the high pressure trip provides primary protection.
b. Nuclear Overpower - Low Setpoint
Prior to initiating shutdown bypass, the Nuclear Overpower - Low Setpoint trip must be reduced to ≤ 5% RTP.
The low power setpoint, in conjunction with the lower Shutdown Bypass RCS High Pressure setpoint, ensures that the unit is protected from excessive power conditions when other RPS trips are bypassed.
The setpoint Allowable Value was chosen to be as low as practical and still lie within the range of the out of core instrumentation.
2. RCS High Outlet Temperature
The RCS High Outlet Temperature trip, in conjunction with the RCS Low Pressure and RCS Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the reactor vessel outlet temperature approaches the conditions necessary for DNB. Portions of each RCS High Outlet Temperature trip channel are common with the RCS Variable Low Pressure trip. The RCS High Outlet Temperature trip provides steady state protection for the DNBR SL.
The RCS High Outlet Temperature trip limits the maximum RCS temperature to below the highest value for which DNB protection by the Variable Low Pressure trip is ensured. The trip setpoint Allowable Value is selected to ensure that a trip occurs before hot leg temperatures reach the point beyond which the RCS Low Pressure and Variable Low Pressure trips are analyzed. Above the high temperature trip, the variable low pressure trip need not provide protection, because the unit would have tripped already. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions that the equipment is expected to experience because the trip is not required to mitigate accidents that create harsh conditions in the RB.
3. RCS High Pressure
The RCS High Pressure trip works in conjunction with the pressurizer and main steam relief valves to prevent RCS overpressurization, thereby protecting the RCS High Pressure SL. The RCS High Pressure trip has been credited in the transient analysis calculations for slow positive reactivity insertion transients (rod withdrawal transients and moderator dilution). The rod withdrawal transient covers a large spectrum of reactivity insertion rates and rod worths that exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower - High Setpoint trip provides the primary protection. At low reactivity insertion rates, the RCS High Pressure trip provides the primary protection.
The setpoint Allowable Value is selected to ensure that the RCS High Pressure SL is not challenged during steady state operation or slow power increasing transients. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions because the equipment is not required to mitigate accidents that create harsh conditions in the RB.
4. RCS Low Pressure
The RCS Low Pressure trip, in conjunction with the RCS High Outlet Temperature and Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system pressure approaches the conditions necessary for DNB. The RCS Low Pressure trip provides the DNB low pressure limit for the RCS Variable Low Pressure trip.
The RCS Low Pressure setpoint Allowable Value is selected to ensure that a reactor trip occurs before RCS pressure is reduced below the lowest point at which the RCS Variable Low Pressure trip is analyzed. The RCS Low Pressure trip provides protection for primary system depressurization events and has been credited in the accident analysis calculations for small break loss of coolant accidents (LOCAs). Harsh RB conditions created by small break LOCAs cannot affect performance of the RCS pressure sensors and transmitters within the time frame for a reactor trip. Therefore, degraded environmental conditions are not considered in the Allowable Value determination.
5. RCS Variable Low Pressure
The RCS Variable Low Pressure trip, in conjunction with the RCS High Outlet Temperature and RCS Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system parameters of pressure and temperature approach the conditions necessary for DNB. The RCS Variable Low Pressure trip provides a floating low pressure trip based on the RCS High Outlet Temperature within the range specified by the RCS High Outlet Temperature and RCS Low Pressure trips.
The RCS Variable Low Pressure setpoint Allowable Value is selected to ensure that a trip occurs when temperature and pressure approach the conditions necessary for DNB while operating in a temperature pressure region constrained by the low pressure and high temperature trips. The RCS Variable Low Pressure trip is assumed for transient protection in the main steam line break analysis. The setpoint Allowable Value does not include errors induced by the harsh environment, because the trip actuates prior to the harsh environment.
6. Reactor Building High Pressure
The Reactor Building High Pressure trip provides an early indication of a high energy line break (HELB) inside the RB. By detecting changes in the RB pressure, the RPS can provide a reactor trip before the other system parameters have varied significantly. Thus, this trip acts to minimize accident consequences. It also provides a backup for RPS trip instruments exposed to an RB HELB environment.
The Allowable Value for RB High Pressure trip is set at the lowest value consistent with avoiding spurious trips during normal operation.
The electronic components of the RB High Pressure trip are located in an area that is not exposed to high temperature steam environments during HELB transients inside containment. The components are exposed to high radiation conditions. Therefore, the determination of the setpoint Allowable Value accounts for errors induced by the high radiation.
7. Reactor Coolant Pump to Power
The Reactor Coolant Pump to Power trip provides protection for changes in the reactor coolant flow due to the loss of multiple RCPs.
Because the flow reduction lags loss of power indications due to the inertia of the RCPs, the trip initiates protective action earlier than a trip based on a measured flow signal.
Each reactor coolant pump has an RCP Power Monitor (RCPPM) which monitors the electrical power and breaker status of each pump motor to determine if the pump is running.
Each RCPPM provides inputs to all four RPS channels. The RCPPM will initiate a reactor trip if fewer than three reactor coolant pumps are operating AND reactor power is greater than approximately 2% rated full power.
The Reactor Coolant Pump to Power trip has been credited in the accident analysis calculations for the loss of more than two RCPs.
The Allowable Value for the Reactor Coolant Pump to Power trip setpoint is selected to prevent normal power operation unless at least three RCPs are operating. RCP status is monitored by power transducers on each pump. These relays indicate a loss of an RCP on underpower. The underpower setpoint is selected to reliably trip on loss of voltage to the RCPs. Neither the reactor power nor the pump power setpoint account for instrumentation errors caused by harsh environments because the trip Function is not required to respond to events that could create harsh environments around the equipment.
8. Nuclear Overpower Flux/Flow Imbalance
The Nuclear Overpower Flux/Flow Imbalance trip provides steady state protection for the power imbalance SLs. A reactor trip is initiated prior to the core power, AXIAL POWER IMBALANCE, and reactor coolant flow conditions exceeding the DNB or fuel centerline temperature limits.
This trip supplements the protection provided by the Reactor Coolant Pump to Power trip, through the power to flow ratio, for loss of reactor coolant flow events. The power to flow ratio provides direct protection for the DNBR SL for the loss of one or more RCPs and for locked RCP rotor accidents.
The power to flow ratio of the Nuclear Overpower Flux/Flow Imbalance trip also provides steady state protection to prevent reactor power from exceeding the allowable power when the primary system flow rate is less than full four pump flow. Thus, the power to flow ratio prevents overpower conditions similar to the Nuclear Overpower trip. This protection ensures that during reduced flow conditions the core power is maintained below that required to begin DNB.
The Allowable Value is selected to ensure that a trip occurs when the core power, axial power peaking, and reactor coolant flow conditions indicate an approach to DNB or fuel centerline temperature limits.
By measuring reactor coolant flow and by tripping only when conditions approach an SL, the unit can operate with the loss of one pump from a four pump initial condition at power levels at least as low as approximately 80% RTP. The Allowable Value for the Function, including the upper limits of the Function, is given in the unit COLR because the cycle specific core peaking changes affect the Allowable Value.
9. Main Turbine Trip (Hydraulic Fluid Pressure)
The Main Turbine Trip Function trips the reactor when the main turbine is lost at high power levels. The Main Turbine Trip Function provides an early reactor trip in anticipation of the loss of heat sink associated with a turbine trip. The Main Turbine Trip Function was added to the B&W designed units in accordance with NUREG-0737 (Ref. 5) following the Three Mile Island Unit 2 accident. The trip lowers the probability of an RCS power operated relief valve (PORV) actuation for turbine trip cases. This trip is activated at higher power levels, thereby limiting the range through which the Integrated Control System must provide an automatic runback on a turbine trip.
Each of the four turbine hydraulic fluid pressure switches feeds one protective channel through buffers that continuously monitor the status of the contacts.
For the Main Turbine Trip (Hydraulic Fluid Pressure) bistable (or processor output trip signal for Unit(s) with the RPS digital upgrade complete), the Allowable Value of 800 psig is selected to provide a trip whenever main turbine hydraulic fluid pressure drops below the normal operating range. To ensure that the trip is enabled as required by the LCO, the reactor power bypass is set with an Allowable Value of 30% RTP. The turbine trip is not required to protect against events that can create a harsh environment in the turbine building. Therefore, errors induced by harsh environments are not included in the determination of the setpoint Allowable Value.
10. Loss of Main Feedwater Pumps (Hydraulic Oil Pressure)
The Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) trip provides a reactor trip at high power levels when both MFW pumps are lost. The trip provides an early reactor trip in anticipation of the loss of heat sink associated with the LOMF. This trip was added in accordance with NUREG-0737 (Ref. 5) following the Three Mile Island Unit 2 accident. This trip provides a reactor trip at high power levels for a LOMF to minimize challenges to the PORV.
For the feedwater pump hydraulic oil pressure bistables (or processor output trip signals for Unit(s) with the RPS digital upgrade complete), the Allowable Value of 75 psig is selected to provide a trip whenever feedwater pump hydraulic oil pressure drops below the normal operating range. To ensure that the trip is enabled as required by the LCO, the reactor power bypass is set with an Allowable Value of 2% RTP. The Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) trip is not required to protect against events that can create a harsh environment in the turbine building. Therefore, errors caused by harsh environments are not included in the determination of the setpoint Allowable Value.
11. Shutdown Bypass RCS High Pressure
The RPS Shutdown Bypass RCS High Pressure is provided to allow for withdrawing the CONTROL RODS prior to reaching the normal RCS Low Pressure trip setpoint. The shutdown bypass provides trip protection during deboration and RCS heatup by allowing the operator to at least partially withdraw the safety groups of CONTROL RODS. This makes their negative reactivity available to terminate inadvertent reactivity excursions. Use of the shutdown bypass trip requires that the neutron power trip setpoint be reduced to 5% of full power or less. The Shutdown Bypass RCS High Pressure trip forces a reactor trip to occur whenever the unit switches from power operation to shutdown bypass or vice versa. This ensures that the CONTROL RODS are all inserted before power operation can begin.
The operator is required to remove the shutdown bypass, reset the Nuclear Overpower - High Power trip setpoint, and again withdraw the safety group rods before proceeding with startup.
Accidents analyzed in the UFSAR, Chapter 15 (Ref. 2), do not describe events that occur during shutdown bypass operation, because the consequences of these events are enveloped by the events presented in the UFSAR.
During shutdown bypass operation with the Shutdown Bypass RCS High Pressure trip active with a setpoint of < 1720 psig and the Nuclear Overpower - Low Setpoint set at or below 5% RTP, the trips listed below can be bypassed. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low Setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.
1.a Nuclear Overpower - High Setpoint;
3. RCS High Pressure;
4. RCS Low Pressure;
5. RCS Variable Low Pressure;
7. Reactor Coolant Pump to Power; and
8. Nuclear Overpower Flux/Flow Imbalance.
The Shutdown Bypass RCS High Pressure Function's Allowable Value is selected to ensure a trip occurs before producing THERMAL POWER.
General Discussion
The RPS satisfies Criterion 3 of 10 CFR 50.36 (Ref. 8). In MODES 1 and 2, the following trips shall be OPERABLE because the reactor can be critical in these MODES. These trips are designed to take the reactor subcritical to maintain the SLs during anticipated transients and to assist the ESPS in providing acceptable consequences during accidents.
1.a Nuclear Overpower - High Setpoint;
2. RCS High Outlet Temperature;
3. RCS High Pressure;
4. RCS Low Pressure;
5. RCS Variable Low Pressure;
6. Reactor Building High Pressure;
7. Reactor Coolant Pump to Power; and
8. Nuclear Overpower Flux/Flow Imbalance.
Functions 1, 3, 4, 5, 7, and 8 just listed may be bypassed in MODE 2 when RCS pressure is below 1720 psig, provided the Shutdown Bypass RCS High Pressure and the Nuclear Overpower - Low setpoint trip are placed in operation. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.
The Main Turbine Trip (Hydraulic Fluid Pressure) Function is required to be OPERABLE in MODE 1 at ≥ 30% RTP. The Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) Function is required to be OPERABLE in MODE 1 and in MODE 2 at ≥ 2% RTP. Analyses presented in BAW-1893 (Ref. 6) have shown that, for operation below these power levels, these trips are not necessary to minimize challenges to the PORVs as required by NUREG-0737 (Ref. 5).
Because the safety function of the RPS is to trip the CONTROL RODS, the RPS is not required to be OPERABLE in MODE 3, 4, or 5 if either the reactor trip breakers are open, or the CRD System is incapable of rod withdrawal. Similarly, the RPS is not required to be OPERABLE in MODE 6 because the CONTROL RODS are normally decoupled from the CRDs.
However, in MODE 2, 3, 4, or 5, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are required to be OPERABLE if the CRD trip breakers are closed and the CRD System is capable of rod withdrawal. Under these conditions, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are sufficient to prevent an approach to conditions that could challenge SLs.
ACTIONS
Conditions A and B are applicable to all RPS protective Functions. If a channel's trip setpoint is found nonconservative with respect to the required Allowable Value in Table 3.3.1-1, or the transmitter, instrument loop, signal processing electronics or bistable (or processor output trip signal for Unit(s) with the RPS digital upgrade complete) is found inoperable, the channel must be declared inoperable and Condition A entered immediately.
When an RPS channel is manually tripped, the functions that were inoperable prior to tripping remain inoperable. Other functions in the same channel that were OPERABLE prior to tripping remain OPERABLE.
A.1 For Required Action A.1, if one or more Functions in a required protective channel becomes inoperable, the affected protective channel must be placed in trip. This Required Action places all RPS Functions in a one-out-of-two logic configuration. The "non-required" channel is placed in bypass when the required inoperable channel is placed in trip to prevent bypass of a second required channel. In this configuration, the RPS can still perform its safety functions in the presence of a random failure of any single Channel. The 1 hour Completion Time is sufficient time to perform Required Action A.1.
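The coincidence logic behind Required Action A.1, as an added model that is not part of the submittal. It assumes a two-out-of-four coincidence across the four RPS channels (not stated in this section); the channel names and the `TWO_BYPASSED` contrast case are constructed for illustration.

```python
"""Coincidence-logic model for Required Action A.1 (added illustration).

Assumption not stated in this section: the reactor trips when at least two
channels that are not bypassed are in the tripped state (two-out-of-four).
"""

CHANNELS = ("A", "B", "C", "D")
COINCIDENCE = 2  # assumed number of tripped channels needed for a reactor trip


def reactor_trips(status, senses_demand):
    """Return True if the coincidence logic produces a reactor trip.

    status[ch]        -- "in_service", "trip" (manually tripped) or "bypass"
    senses_demand[ch] -- True if that channel's trip output is actuated
    """
    votes = 0
    for ch in CHANNELS:
        if status[ch] == "bypass":
            continue  # a bypassed channel casts no vote
        if status[ch] == "trip" or senses_demand[ch]:
            votes += 1
    return votes >= COINCIDENCE


def in_service_channels(status):
    return [ch for ch in CHANNELS if status[ch] == "in_service"]


def effective_logic(status):
    """Return (m, n): m more trips are needed out of n in-service channels."""
    forced = sum(1 for ch in CHANNELS if status[ch] == "trip")
    return max(0, COINCIDENCE - forced), len(in_service_channels(status))


def survives_single_failure(status):
    """Real demand, and any one in-service channel fails to respond."""
    live = in_service_channels(status)
    for failed in live:
        senses = {ch: ch in live and ch != failed for ch in CHANNELS}
        if not reactor_trips(status, senses):
            return False
    return True


def single_spurious_signal_trips(status):
    """No real demand: does one spurious channel output trip the reactor?"""
    return any(
        reactor_trips(status, {ch: ch == spurious for ch in CHANNELS})
        for spurious in in_service_channels(status)
    )


# All four channels in service.
NORMAL = {ch: "in_service" for ch in CHANNELS}
# Required Action A.1: inoperable required channel A placed in trip,
# non-required channel D placed in bypass.
ACTION_A1 = {"A": "trip", "B": "in_service", "C": "in_service", "D": "bypass"}
# Constructed contrast case: two channels bypassed at once.
TWO_BYPASSED = {"A": "bypass", "B": "bypass", "C": "in_service", "D": "in_service"}

if __name__ == "__main__":
    for name, cfg in (("normal", NORMAL), ("A.1", ACTION_A1), ("two bypassed", TWO_BYPASSED)):
        m, n = effective_logic(cfg)
        print(f"{name:13s} {m}-out-of-{n}  "
              f"single failure tolerated: {survives_single_failure(cfg)}  "
              f"one spurious signal trips: {single_spurious_signal_trips(cfg)}")
```

In this model the A.1 configuration still trips on demand with one failed channel, at the cost that a single spurious channel output is enough to trip the reactor.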
B.1 Required Action B.1 directs entry into the appropriate Condition referenced in Table 3.3.1-1. The applicable Condition referenced in the table is Function dependent. If the Required Action and the associated Completion Time of Condition A are not met or if more than two channels are inoperable, Condition B is entered to provide for transfer to the appropriate subsequent Condition.
C.1 and C.2 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition C, the unit must be brought to a MODE in which the specified RPS trip Functions are not required to be OPERABLE. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and to open all CRD trip breakers without challenging unit systems.
D.1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition D, the unit must be brought to a MODE in which the specified RPS trip Functions are not required to be OPERABLE. To achieve this status, all CRD trip breakers must be opened. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to open CRD trip breakers without challenging unit systems.
E.1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition E, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < 30% RTP. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach 30% RTP from full power conditions in an orderly manner without challenging unit systems.
F.1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition F, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < 2% RTP. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach 2% RTP from full power conditions in an orderly manner without challenging unit systems.
SURVEILLANCE REQUIREMENTS
The SRs for each RPS Function are identified by the SRs column of Table 3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and CHANNEL CALIBRATION testing.
The SRs are modified by a Note. The Note directs the reader to Table 3.3.1-1 to determine the correct SRs to perform for each RPS Function.
SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
INSERT D
Agreement criteria are determined based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If the channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction. Off scale low current loop channels are verified to be reading at the bottom of the range and not failed downscale.
The Frequency, equivalent to once every shift, is based on operating experience that demonstrates channel failure is rare. Since the probability of two random failures in redundant channels in any 12 hour period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal but more frequent checks of channel OPERABILITY during normal operational use of the displays associated with the LCO's required channels.
For Functions that trip on a combination of several measurements, such as the Nuclear Overpower Flux/Flow Imbalance Function, the CHANNEL CHECK must be performed on each input.
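The CHANNEL CHECK comparison described for SR 3.3.1.1, as an added sketch that is not part of the submittal. The 4-20 mA loop range, the failed-downscale threshold, the agreement criterion and all readings are assumed or constructed values, not taken from the Oconee setpoint documents.

```python
from statistics import median

LOOP_MIN_MA = 4.0    # assumed bottom of range for a 4-20 mA current loop
LOOP_MAX_MA = 20.0   # assumed top of range
FAILED_LOW_MA = 3.6  # assumed: below this the loop has failed downscale
EDGE_TOL_MA = 0.05   # assumed tolerance for "reading at the range limit"


def classify(ma):
    """Classify one loop current as failed, off scale or on scale."""
    if ma < FAILED_LOW_MA:
        return "failed_low"
    if ma <= LOOP_MIN_MA + EDGE_TOL_MA:
        return "offscale_low"
    if ma >= LOOP_MAX_MA - EDGE_TOL_MA:
        return "offscale_high"
    return "on_scale"


def channel_check(readings_ma, agreement_ma):
    """Compare redundant channels that monitor the same parameter.

    readings_ma  -- {channel: loop current in mA}
    agreement_ma -- agreement criterion, expressed in mA (assumed value)
    Returns {channel: finding}.
    """
    states = {ch: classify(ma) for ch, ma in readings_ma.items()}

    # A loop below the live-zero threshold is failed downscale; it is not
    # a valid "bottom of range" reading and is excluded from the comparison.
    findings = {ch: "FAILED_DOWNSCALE"
                for ch, state in states.items() if state == "failed_low"}
    live = [ch for ch in readings_ma if ch not in findings]
    if not live:
        return findings

    reference = median(readings_ma[ch] for ch in live)
    reference_state = classify(reference)

    for ch in live:
        if states[ch] != "on_scale" and states[ch] == reference_state:
            # Off scale: only the direction can be verified, not the value.
            findings[ch] = "OK_OFFSCALE_SAME_DIRECTION"
        elif abs(readings_ma[ch] - reference) <= agreement_ma:
            findings[ch] = "OK"
        else:
            findings[ch] = "DEVIATION"
    return findings


# Constructed readings: channel D has drifted high while at power.
AT_POWER = {"A": 12.00, "B": 12.05, "C": 11.95, "D": 13.20}
# Constructed readings: parameter off scale low; channel D's loop is dead.
OFF_SCALE = {"A": 4.00, "B": 4.01, "C": 4.00, "D": 0.00}
# Constructed readings: channel C off scale in the opposite direction.
OPPOSITE = {"A": 4.00, "B": 4.00, "C": 20.40, "D": 4.00}

if __name__ == "__main__":
    for name, sample in (("at power", AT_POWER), ("off scale", OFF_SCALE),
                         ("opposite", OPPOSITE)):
        print(name, channel_check(sample, agreement_ma=0.40))
```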
INSERT D FOR BASES 3.3.1 (page B 3.3.1-22)
The SR is modified by a Note indicating that it is not applicable to Unit(s) with the RPS digital upgrade complete. The RPS digital control system provides continual online automatic monitoring of each of the input signals in each channel, performs software limit checking (signal online validation) against required acceptance criteria, and provides hardware functional validation so that the CHANNEL CHECK requirement is continuously being performed. If any protective channel input signal is identified to be in the FAILURE status, this condition is alarmed on the Unit Statalarm and input to the plant operator aid computer (OAC). Immediate notification of the FAILURE status is provided to the Operation staff. As such, a periodic CHANNEL CHECK is no longer necessary.
SR 3.3.1.2 This SR is the performance of a heat balance calibration for the power range channels every 24 hours when reactor power is > 15% RTP. The heat balance calibration consists of a comparison of the results of the calorimetric with the power range channel output. The outputs of the power range channels are normalized to the calorimetric. If the calorimetric exceeds the Nuclear Instrumentation System (NIS) channel output by ≥ 2% RTP, the NIS is not declared inoperable but must be adjusted. If the NIS channel cannot be properly adjusted, the channel is declared inoperable. A Note clarifies that this Surveillance is required to be performed only if reactor power is ≥ 15% RTP and that 24 hours is allowed for performing the first Surveillance after reaching 15% RTP. At lower power levels, calorimetric data are less accurate.
The power range channel's output shall be adjusted consistent with the calorimetric results if the calorimetric exceeds the power range channel's output by ≥ 2% RTP. The value of 2% is adequate because this value is assumed in the safety analyses of UFSAR, Chapter 15 (Ref. 2). These checks and, if necessary, the adjustment of the power range channels ensure that channel accuracy is maintained within the analyzed error margins. The 24 hour Frequency is adequate, based on unit operating experience, which demonstrates the change in the difference between the power range indication and the calorimetric results rarely exceeds a small fraction of 2% in any 24 hour period. Furthermore, the control room operators monitor redundant indications and alarms to detect deviations in channel outputs.
SR 3.3.1.3 A comparison of power range nuclear instrumentation channels against incore detectors shall be performed at a 31 day Frequency when reactor power is ≥ 15% RTP. A Note clarifies that 24 hours is allowed for performing the first Surveillance after reaching 15% RTP. If the absolute value of imbalance error is ≥ 2% RTP, the power range channel is not inoperable, but an adjustment of the measured imbalance to agree with the incore measurements is necessary. The Imbalance error calculation is adjusted for conservatism by applying a correlation slope (CS) value to the error calculation formula. This ensures that the value of the APIO is > API1.
The CS value is listed in the COLR and is cycle dependent. If the power range channel cannot be properly recalibrated, the channel is declared inoperable. The calculation of the Allowable Value envelope assumes a difference in out of core to incore measurements of 2.0%.
OCONEE UNITS 1, 2, & 3 B 3.3.1-23 BASES REVISION DATED 12/14/04 Amendment Nos.
RPS Instrumentation B 3.3.1 BASES (continued)
SURVEILLANCE REQUIREMENTS SR 3.3.1.3 (continued)
Additional inaccuracies beyond those that are measured are also included in the setpoint envelope calculation. The 31 day Frequency is adequate, considering that long term drift of the excore linear amplifiers is small and burnup of the detectors is slow. Also, the excore readings are a strong function of the power produced in the peripheral fuel bundles, and do not represent an integrated reading across the core. The slow changes in neutron flux during the fuel cycle can also be detected at this interval.
SR 3.3.1.4 A CHANNEL FUNCTIONAL TEST is performed on each required RPS channel to ensure that the entire channel will perform the intended function.
Setpoints must be found within the Allowable Values specified in Table 3.3.1-1. Any setpoint adjustment shall be consistent with the assumptions of the current setpoint analysis.
The as found and as left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in BAW-10167 (Ref. 7).
The Frequency of 45 days on a STAGGERED TEST BASIS is consistent with the calculations of Reference 7 that indicate the RPS retains a high level of reliability for this test interval.
INSERT E
SR 3.3.1.5 A Note to the Surveillance indicates that neutron detectors are excluded from CHANNEL CALIBRATION. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure virtually instantaneous response.
OCONEE UNITS 1, 2, & 3 B 3.3.1-24 BASES REVISION DATED 12/14/04 Amendment Nos.
INSERT E FOR BASES 3.3.1 (page B 3.3.1-24)
The SR is modified by a Note indicating that it is not applicable to Unit(s) with the RPS digital upgrade complete. The CHANNEL FUNCTIONAL TEST has been extended to 18 months based on design capabilities and reliability of the new RPS digital control system. Since the CHANNEL FUNCTIONAL TEST is a part of the CHANNEL CALIBRATION a separate SR is not retained. The RPS digital control system software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The control system also performs continual online hardware monitoring.
(or processor output trip signal for Unit(s) with the RPS digital upgrade complete)
RPS Instrumentation B 3.3.1 BASES (continued)
SURVEILLANCE REQUIREMENTS SR 3.3.1.5 (continued)
For Unit(s) with the ESPS digital upgrade complete, the digital processors shall be rebooted as part of the calibration.
A CHANNEL CALIBRATION is a complete check of the instrument channel, including the sensor. The test verifies that the channel responds to the measured parameter within the necessary range and accuracy.
CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that measurement errors and bistable setpoint errors are within the assumptions of the setpoint analysis. CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the setpoint analysis.
Whenever a sensing element is replaced, the next required CHANNEL CALIBRATION of the resistance temperature detectors (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.
The Frequency is justified by the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.
REFERENCES
- 1. UFSAR, Chapter 7.
- 2. UFSAR, Chapter 15.
- 3.
- 4. EDM-102, "Instrument Setpoint/Uncertainty Calculations."
- 5. NUREG-0737, "Clarification of TMI Action Plan Requirements," November 1979.
- 6. BAW-1893, "Basis for Raising Arming Threshold for Anticipatory Reactor Trip on Turbine Trip," October 1985.
- 7. BAW-10167, May 1986.
- 8. Not used.
OCONEE UNITS 1, 2, & 3 B 3.3.1-25 BASES REVISION DATED 12/14/04 Amendment Nos.
B 3.3.3 Reactor Trip Component (RTC)
B 3.3 INSTRUMENTATION B 3.3.3 Reactor Protective System (RPS) - Reactor Trip Module (RTM)
BASES
For Unit(s) with the RPS digital upgrade not complete, the RTC is a Reactor Trip Module (RTM).
For Unit(s) with the RPS digital upgrade complete, the RTC is a Reactor Trip Relay (RTR). The RTR receives a channel trip signal in its own channel and channel trip signals from the RTRs in the other three RPS channels.
7.1.a, 7.1.b, and 7.1.c of
BACKGROUND The RPS consists of four independent protection channels, each containing an RTM. Figure 7.1, UFSAR, Chapter 7 (Ref. 1), shows a typical RPS protection channel and the relationship of the RTM to the RPS instrumentation, manual trip, and CONTROL ROD drive (CRD) trip devices. The RTM receives bistable trip signals from the functions in its own channel and channel trip signals from the other three RPS - RTMs. The RTM provides these signals to its own two-out-of-four trip logic and transmits its own channel trip signal to the two-out-of-four logic of the RTMs in the other three RPS channels. Whenever any two RPS channels transmit channel trip signals, the RTM logic in each channel actuates to remove 120 VAC power from its associated CRD trip devices.
The RPS trip scheme consists of series contacts that are operated by bistables for Unit(s) with the RPS digital upgrade not complete or processor output trip signals for Unit(s) with the RPS digital upgrade complete. During normal unit operations, all contacts are closed and the channel trip relay remains energized. However, if any trip parameter exceeds its setpoint, its associated contact opens, which de-energizes the channel trip relay.
When an RTM channel trip relay de-energizes, several things occur:
- a. Each of the four (4) output logic relays "informs" its associated RPS channel that a reactor trip signal has occurred in the tripped RPS channel;
- b. The contacts in the trip device circuitry, powered by the tripped channel, open, but the trip device remains energized through the closed contacts from the other RTMs. (This condition exists in each RPS - RTM. Each RPS - RTM controls power to a trip device.);
- c. The contact in parallel with the channel reset switch opens and the trip is sealed in. To re-energize the channel trip relay, the channel reset switch must be depressed after the trip condition has cleared.
When the second RPS channel senses a reactor trip condition, the output logic relays for the second channel de-energize and open contacts that supply power to the trip devices. With contacts opened by two separate RPS channels, power to the trip devices is interrupted and the CONTROL RODS fall into the core.
OCONEE UNITS 1, 2, & 3 B 3.3.3-1 BASES REVISION DATED 12/14/04 Amendment Nos.
RPS - RTC B 3.3.3 BASES (continued)
BACKGROUND (continued)
for Unit(s) with the RPS digital upgrade not complete or processor output trip signals for each function for Unit(s) with the RPS digital upgrade complete.
A minimum of two out of four RTMs must sense a trip condition to cause a reactor trip. Also, because the bistable relay contacts for each function are in series with the channel trip relays, two channel trips caused by different trip functions can result in a reactor trip.
APPLICABLE SAFETY ANALYSES Transient and accident analyses rely on a reactor trip for protection of reactor core integrity, reactor coolant pressure boundary integrity, and reactor building OPERABILITY. A reactor trip must occur when needed to prevent accident conditions from exceeding those calculated in the accident analyses. More detailed descriptions of the applicable accident analyses are found in the bases for each of the RPS trip Functions in LCO 3.3.1, "Reactor Protective System (RPS) Instrumentation."
The RTMs satisfy Criterion 3 of 10 CFR 50.36 (Ref. 2).
LCO The LCO requires all four RTMs to be OPERABLE. Failure of any RTM renders a portion of the RPS inoperable.
An OPERABLE RTM must be able to receive and interpret trip signals from its own and other OPERABLE RPS channels and to open its associated trip device.
The requirement of four RTMs to be OPERABLE ensures that a minimum of two RTMs will remain OPERABLE if a single failure has occurred in one RTM and if a second RTM is out of service. This two-out-of-four trip logic also ensures that a single RTM failure will not cause an unwanted reactor trip. Violation of this LCO could result in a trip signal not causing a reactor trip when needed.
APPLICABILITY The RTMs are required to be OPERABLE in MODES 1 and 2. They are also required to be OPERABLE in MODES 3, 4, and 5 if any CRD trip breakers are in the closed position and the CRD System is capable of rod withdrawal. The RTMs are designed to ensure a reactor trip would occur, if needed. This condition can exist in all of these MODES; therefore, the RTMs must be OPERABLE.
OCONEE UNITS 1, 2, & 3 B 3.3.3-2 BASES REVISION DATED 12/14/04 Amendment Nos.
RPS - RTC B 3.3.3 BASES (continued)
ACTIONS A.1.1, A.1.2, and A.2
When an RTM is inoperable, the associated CRD trip breaker must then be placed in a condition that is equivalent to a tripped condition for the RTM. Required Action A.1.1 or Required Action A.1.2 requires this either by tripping the CRD trip breaker or by removing power to the CRD trip device.
For Unit(s) with the Control Rod Drive Control System (CRDCS) digital upgrade not complete, tripping one RTM or removing power opens one set of CRD trip devices. For Unit(s) with the CRDCS digital upgrade complete, tripping one RTM or removing power opens one of the CRD trip devices, which will result in the loss of one of the parallel power supplies to the digital CRDCS. Power to hold CONTROL RODS in position is still provided via the parallel CRD trip device(s) (for Unit(s) with the CRDCS digital upgrade not complete) or CRD power supply (for Unit(s) with the CRDCS digital upgrade complete). Therefore, a reactor trip will not occur until a second protection channel trips.
To ensure the trip signal is registered in the other channels, Required Action A.2 requires that the inoperable RTM be removed from the cabinet.
This action causes the electrical interlocks to indicate a tripped channel in the remaining three RTMs. Operation in this condition is allowed indefinitely because the actions put the RPS into a one-out-of-three configuration. The 1 hour Completion Time is sufficient time to perform the Required Actions.
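The two-out-of-four coincidence described in the LCO Bases above, and the one-out-of-three configuration that Required Action A.2 produces, can be checked by enumerating single faults. The Python model below is an added example, not part of the Duke submittal or the TXS design; the state names and the simplification that a reactor trip occurs once two channels present a trip signal are assumptions.

```python
from enum import Enum


class State(Enum):
    OPERABLE = "operable"  # presents a trip signal only on a real demand
    SILENT = "silent"      # assumed fault: never presents a trip signal
    SPURIOUS = "spurious"  # assumed fault: presents a trip signal with no demand
    REMOVED = "removed"    # module pulled from cabinet; interlocks show it tripped


def trip_signal(state, demand):
    """Channel trip signal seen by the coincidence logic of every channel."""
    if state in (State.SPURIOUS, State.REMOVED):
        return True
    if state is State.SILENT:
        return False
    return demand


def reactor_trips(states, demand, needed=2):
    """Assumed simplification: rods drop once `needed` channels signal a trip."""
    return sum(trip_signal(s, demand) for s in states) >= needed


def effective_logic(states):
    """Coincidence that remains among the channels that can still vote."""
    presignalled = sum(s is State.REMOVED for s in states)
    voters = sum(s is State.OPERABLE for s in states)
    return f"{max(2 - presignalled, 0)}-out-of-{voters}"


def single_failure_report(base):
    """Inject each single fault into each operable channel of `base`.

    Returns (missed, unwanted): faults that block a trip on demand and
    faults that cause a trip with no demand.
    """
    missed, unwanted = [], []
    for i, state in enumerate(base):
        if state is not State.OPERABLE:
            continue
        for fault in (State.SILENT, State.SPURIOUS):
            states = list(base)
            states[i] = fault
            if not reactor_trips(states, demand=True):
                missed.append((i, fault))
            if reactor_trips(states, demand=False):
                unwanted.append((i, fault))
    return missed, unwanted


# Constructed configurations: normal operation, and Condition A after
# Required Action A.2 (one module removed from the cabinet).
ALL_OPERABLE = (State.OPERABLE,) * 4
ONE_REMOVED = (State.REMOVED,) + (State.OPERABLE,) * 3

if __name__ == "__main__":
    for name, base in (("four operable", ALL_OPERABLE),
                       ("one module removed", ONE_REMOVED)):
        missed, unwanted = single_failure_report(base)
        print(f"{name}: logic {effective_logic(base)}, "
              f"single faults blocking a trip: {len(missed)}, "
              f"single faults causing an unwanted trip: {len(unwanted)}")
```

In this model no single fault blocks a trip in either configuration, but with one module removed any single spurious signal among the remaining three channels trips the reactor, which is the protection against unwanted trips that the two-out-of-four arrangement otherwise provides.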
B.1, B.2.1, and B.2.2 Condition B applies if two or more RTMs are inoperable or if the Required Action and associated Completion Time of Condition A are not met in MODE 1, 2, or 3. In this case, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 with all CRD trip breakers open or with power from all CRD trip breakers removed within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems.
OCONEE UNITS 1, 2, & 3 B 3.3.3-3 BASES REVISION DATED 12/14/04 Amendment Nos.
RPS - RTC B 3.3.3 BASES
ACTIONS (continued)
C.1 and C.2 Condition C applies if two or more RTMs are inoperable or if the Required Action and associated Completion Time of Condition A are not met in MODE 4 or 5. In this case, the unit must be placed in a MODE in which the LCO does not apply. This is done by opening all CRD trip breakers or removing power from all CRD trip breakers. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to open all CRD trip breakers or remove power from all CRD trip breakers without challenging unit systems.
SURVEILLANCE REQUIREMENTS SR 3.3.3.1
The SRs include performance of a CHANNEL FUNCTIONAL TEST every 31 days for Unit(s) with the RPS digital upgrade not complete and every 18 months for Unit(s) with the RPS digital upgrade complete. This test shall verify the OPERABILITY of the RTM and its ability to receive and properly respond to channel trip and reactor trip signals.
For Unit(s) with the RPS digital upgrade complete, the digital processors shall be rebooted as part of the functional test.
The Frequency of 31 days is based on operating experience, which has demonstrated that failure of more than one channel of a given function in any 31 day interval is a rare event.
Testing in accordance with this SR is normally performed on a rotational basis, with one RTM being tested each week. Testing one RTM each week reduces the likelihood of the same systematic test errors being introduced into each redundant RTM.
The Frequency of 18 months is based on the design capabilities and reliability of the new RPS digital control system. The RPS digital control system software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The control system also performs continual online hardware monitoring.
REFERENCES
- 1. UFSAR, Chapter 7.
- 2.
OCONEE UNITS 1, 2, & 3 B 3.3.3-4 BASES REVISION DATED 12/14/04 Amendment Nos.
ESPS Instrumentation B 3.3.5
B 3.3 INSTRUMENTATION B 3.3.5 Engineered Safeguards Protective System (ESPS) Analog Instrumentation
BASES
BACKGROUND The ESPS initiates necessary safety systems, based on the values of selected unit Parameters, to protect against violating core design limits and to mitigate accidents.
ESPS actuates the following systems:
- High pressure injection (HPI);
- Low pressure injection (LPI);
- Reactor building (RB) cooling;
- Penetration room ventilation;
- RB Spray;
- RB Isolation; and
- Keowee Hydro Unit Emergency Start.
The ESPS operates in a distributed manner to initiate the appropriate systems.
ESPS does this by determining the need for actuation in each of three analog channels monitoring each actuation Parameter. Once the need for actuation is determined, the condition is transmitted to automatic actuation logic channels, which perform the two-out-of-three logic to determine the actuation of each end device. Each end device has its own automatic actuation logic, although all digital automatic actuation logic channels take their signals from the same bistable in each channel for each Parameter.
output
(or processor output trip device for Unit(s) with the ESPS digital upgrade complete)
Four Parameters are used for actuation:
- Low Reactor Coolant System (RCS) Pressure;
- Low Low RCS Pressure;
- High RB Pressure; and
- High High RB Pressure.
OCONEE UNITS 1, 2, & 3 B 3.3.5-1 Amendment Nos.[396, 30, & 3 0
ESPS Instrumentation B 3.3.5 BASES
Input
BACKGROUND (continued)
(or voter input for Unit(s) with the ESPS digital upgrade complete)
(or processor output trip devices for Unit(s) with the ESPS digital upgrade complete)
LCO 3.3.5 covers only the analog instrumentation channels that measure these Parameters. These channels include all intervening equipment necessary to produce actuation before the measured process Parameter exceeds the limits assumed by the accident analysis. This includes sensors, bistable devices, operational bypass circuitry, and output relays. LCO 3.3.6, "Engineered Safeguards Protective System (ESPS) Manual Initiation," and 3.3.7, "Engineered Safeguards Protective System (ESPS) Digital Automatic Actuation Logic Channels," provide requirements on the manual initiation and automatic actuation logic Functions.
The ESPS contains three analog channels. Each analog channel provides input to logic channels that initiate equipment with two-out-of-three logic in each channel. Each analog channel includes inputs from one analog instrumentation channel of Low RCS Pressure, Low Low RCS Pressure, High RB Pressure, and High High RB Pressure.
Digital automatic actuation logic channels combine the three analog trips to actuate the individual Engineered Safeguards (ES) components needed to initiate each ES System. Figure 7.5, UFSAR, Chapter 7 (Ref. 1), illustrates how analog instrumentation channel trips combine to cause digital logic channel trips.
The following matrix identifies the analog instrumentation (measurement) channels and the Digital Automatic Actuation Logic Channels actuated by each.
| Logic Channels | Actuated Systems/Functions | RCS PRESS LOW | RCS PRESS LOW LOW | RB PRESS HIGH | RB PRESS HIGH HIGH |
|---|---|---|---|---|---|
| 1 and 2 | HPI and RB Non-Essential Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input | x | | x | |
| 3 and 4 | LPI and RB Essential Isolation | | x | x | |
| 5 and 6 | RB Cooling, RB Essential Isolation, and Penetration Room Vent. | | | x | |
| 7 and 8 | RB Spray | | | | x |
The ES equipment is generally divided between the two redundant actuation logic channels. The division of the equipment between the two output actuation logic channels is based on the equipment redundancy and
OCONEE UNITS 1, 2, & 3 B 3.3.5-2 Amendment Nos. 30,< 30, & 396
INSERT A for B 3.3.5 (page B 3.3.5-2)
For Unit(s) with the ESPS digital upgrade complete, the ESPS contains three input channels.
The ESPS Protective Channel Sets A, B and C are implemented on two independent systems -
one system is installed in the ESPS cabinets, the other independent and redundant system is installed in the RPS cabinets, using the RPS protective channel sets (A, B, and C) computers.
The ESPS analog signals are sent from ESPS protection sets A, B and C directly to the RPS processor. The ESPS outputs to the Unit control room Statalarm annunciators are implemented using a hardwired OR-gate in the ESPS cabinets. Each of these independent ESPS systems comprises three independent channels, each of them calculating all ESPS functions. All input signals are three times redundant, thus each ESPS channel has its own set of transmitters and contacts. The three ESPS channel set computers are interconnected via fiber optic data links, in a way that enables the exchange of data and signal online validation, before the calculation of setpoints. The ESPS output actuation signals are sent from ESPS protection sets A, B and C to the ESPS actuation computers via fiber optic data links. Figure 7.5.a UFSAR, Chapter 7 (Ref. 1), illustrates how input instrumentation channel trips combine to cause digital output logic channel trips.
ESPS Analog Instrumentation B 3.3.5 BASES
Input
BACKGROUND (continued)
function and is accomplished in such a manner that the failure of one of the actuation logic channels and the related safeguards equipment will not inhibit the overall ES Functions. Redundant ES pumps are controlled from separate and independent output actuation logic channels with the exception of HPI B pump which is actuated by both.
The actuation of ES equipment is also available by manual actuation switches located on the control room console.
The ESPS, in conjunction with the actuated equipment, provides protective functions necessary to mitigate accidents, specifically the loss of coolant accident (LOCA) and main steam line break (MSLB) events. The ESPS relies on the OPERABILITY of the automatic actuation logic for each component to perform the actuation of the selected systems of LCO 3.3.7.
INSERT B
Engineered Safeguards Protective System Bypasses
No provisions are made for maintenance bypass of ESPS instrumentation channels. Operational bypass of certain channels is necessary to allow accident recovery actions to continue and, for some channels, to allow unit shutdown without spurious ESPS actuation.
For Unit(s) with the ESPS digital upgrade not complete,
The ESPS RCS pressure instrumentation channels include permissive bistables that allow manual bypass when reactor pressure is below the point at which the low and low low pressure trips are required to be OPERABLE. Once permissive conditions are sensed, the RCS pressure trips may be manually bypassed. Bypasses are automatically removed when bypass permissive conditions are exceeded. This bypass provides an operational provision only outside the Applicability for this parameter, and provides no safety function.
INSERT C
Reactor Coolant System Pressure The RCS pressure is monitored by three independent pressure transmitters located in the RB. These transmitters are separate from the transmitters that feed the Reactor Protective System (RPS). Each of the pressure signals generated by these transmitters is monitored by four bistables to provide two trip signals, at ≥ 1590 psig and ≥ 500 psig, and two bypass permissive signals, at < 1750 psig and < 900 psig.
OCONEE UNITS 1, 2, & 3 B 3.3.5-3 Amendment Nos. 39, 30, & 3T 0
INSERT B for B 3.3.5 (page B 3.3.5-3)
The ESPS digital upgrade is part of an overall RPS/ESPS digital upgrade that also includes the Reactor Protective System (RPS). For Unit(s) with the ESPS digital upgrade complete, the ESPS portion consists of two independent systems, each containing three separate redundant protective channels (A, B, and C) that monitor or receive input from plant parameters/devices.
The RPS/ESPS digital control systems utilize the existing plant sensors, input signal, cables and setpoints.
INSERT C for B 3.3.5 (page B 3.3.5-3)
For Unit(s) with the ESPS digital upgrade complete, the duplicated ESPS channels and the duplicated ESPS Actuation Train (Voters) computers provide a "2 x 2-out-of-3" logic, which allows a Manual Bypass of one complete set of three ESPS channels and one half of the ESPS Actuation Train (Voters). In order to be able to conduct maintenance activities on the ESPS channels or the associated RPS/ES channels, without being in a "1-out-of-2" situation, the associated Voter (Voter 1, odd or even or Voter 2, odd or even) must also be placed into Manual Bypass. Placing a channel in Manual Bypass is implemented by key switches located in the respective ESPS Actuation cabinets (Cabinet 5 for ODD or Cabinet 7 for EVEN). Two Manual Bypass key switches are provided for each of the ESPS Actuation cabinets (5 & 7), two for Voter 1 (driven by RPS/ES logic channels) and two for Voter 2 (driven by ESPS logic channels). If an ESPS Voter is placed in Manual Bypass, all automatic ESPS actuation functions are disabled.
However, a manual ESPS trip is still available for Operator action to initiate the ESPS safety actuation functions. Only one Manual Bypass switch for the two ODD Voters or one of the two EVEN Voters is allowed to be in Manual Bypass at a time. Placing an ESPS channel in Manual Bypass is administratively controlled. The ESPS Manual Bypass key switch status information is sent to the Unit control room Statalarm panel and sent to the plant OAC via a digital control system gateway.
ESPS Analog Instrumentation B 3.3.5 BASES
Input
BACKGROUND (continued) Reactor Coolant System Pressure
The outputs of the three bistables, associated with the low RCS pressure, > 1590 psig, trip drive relays in two sets of identical and independent channels. These two sets of HPI channels each use a two-out-of-three coincidence network for HPI Actuation. The outputs of the three bistables associated with the Low Low RCS Pressure 500 psig trip drive relays in two sets of identical and independent channels. These two sets of LPI channels each use a two-out-of-three coincidence network for LPI Actuation. The outputs of the three Low Low RCS Pressure bistables also trip the drive relays in the corresponding HPI Actuation channel as previously described.
INSERT D
Reactor Building Pressure
For Unit(s) with the ESPS digital upgrade not complete, there are three Reactor Building pressure sensors. The output of each sensor terminates in an input isolation amplifier, which provides individually isolated outputs. One isolated output of each pressure measurement goes to the unit computer for monitoring. One output of each pressure measurement goes to a bistable which initiates action when its high building pressure trip point is exceeded. Each input isolation amplifier module contains an analog meter for indicating the measured pressure.
Each of the three bistables has contact outputs that are combined in series with the output of the High and Low Pressure Injection System bistables as previously described.
(or processor output trip signals for Unit(s) with the ESPS digital upgrade complete)
The outputs of the three bistables are brought together in two identical two-out-of-three coincidence logics which provide two ESPS channels. Either of the two channels is independently capable of initiating the required protective action.
INSERT E
The ESPS channels of the Reactor Building Spray System are formed by two identical two-out-of-three logic networks with the active elements originating in six Reactor Building pressure sensing pressure switches.
Three independent pressure switches containing normally open contacts form one protective channel's two-out-of-three logic inputs. Three other identical pressure switches form the two-out-of-three logic inputs of the second protective channel. Either of the two protective channels is capable of initiating the required protective action.
OCONEE UNITS 1,2, &3 B 3.3.5-4 Amendment Nos.39d, 30, & 30 0
INSERT D for B 3.3.5 (page B 3.3.5-4)
For Unit(s) with the ESPS digital upgrade complete, the outputs of the three processor output trip signals associated with the low RCS pressure, ≥ 1590 psig, trip voters in two sets of identical and independent channels. These two sets of HPI channels each use a two-out-of-three coincidence network for HPI Actuation. The outputs of the three processor output trip signals associated with the Low Low RCS Pressure 500 psig trip redundant voters in two sets of identical and independent channels. These two sets of LPI channels each use a two-out-of-three coincidence logic for LPI Actuation. The outputs of the three Low Low RCS Pressure processor output trip signals also trip the redundant voters in the corresponding HPI Actuation channel as previously described.
INSERT E for B 3.3.5 (page B 3.3.5-4)
For Unit(s) with the ESPS digital upgrade complete, there are three Reactor Building pressure sensors. The output of each sensor terminates in an input isolation module, which provides individually isolated outputs. One output of each pressure measurement goes to a processor input signal which initiates action when its high building pressure trip point is exceeded. The outputs of the three high Reactor Building processor output trip signals also trip the redundant voters to initiate HPI and LPI.
ESPS Analog Instrumentation B 3.3.5 BASES
Input
BACKGROUND (continued) Trip Setpoints and Allowable Values
(or processor output trip signals for Unit(s) with the ESPS digital upgrade complete)
Trip setpoints are the nominal value at which the bistables are set. Any bistable is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION accuracy.
(or processor output trip signal for Unit(s) with the ESPS digital upgrade complete)
The trip setpoints used in the bistable are selected such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment induced errors for those ESPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 2), the Allowable Values specified in Table 3.3.5-1 in the accompanying LCO are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the trip setpoints and associated uncertainties is provided in Reference 3. The actual nominal trip setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.
Setpoints, in accordance with the Allowable Values, ensure that the consequences of accidents will be acceptable, providing the unit is operated from within the LCOs at the onset of the accident and the equipment functions as designed.
Each channel can be tested online to verify that the setpoint accuracy is within the specified allowance requirements. Once a designated channel is taken out of service for testing, a simulated signal may be injected in place of the field instrument signal.
APPLICABLE SAFETY ANALYSES The following ESPS Functions have been assumed within the accident analyses.
High Pressure Injection The ESPS actuation of HPI has been assumed for core cooling in the LOCA analysis and is credited with boron addition in the MSLB analysis.
Low Pressure Injection The ESPS actuation of LPI has been assumed for large break LOCAs.
OCONEE UNITS 1, 2, & 3 B 3.3.5-5
[ BAREREVISl DATED,ff02/99 l Amendment Nos.
ESPS Analog Instrumentation B 3.3.5 BASES
Input
APPLICABLE SAFETY ANALYSES (continued) Reactor Building Spray, Reactor Building Cooling, and Reactor Building Isolation
The ESPS actuation of the RB coolers and RB Spray have been credited in RB analysis for LOCAs, both for RB performance and equipment environmental qualification pressure and temperature envelope definition.
Accident dose calculations have credited RB Isolation and RB Spray.
Penetration Room Ventilation Actuation The ESPS actuation of the penetration room ventilation system has been assumed for LOCAs. Accident dose calculations have credited penetration room ventilation.
Keowee Hydro Unit Emergency Start The ESPS initiated Keowee Hydro Unit Emergency Start has been included in the design to ensure that emergency power is available throughout the limiting LOCA scenarios.
The small break LOCA analyses assume a conservative 48 second delay time for the actuation of HPI and LPI in UFSAR, Chapter 15 (Ref. 4). The large break LOCA analyses assume LPI flow starts in 38 seconds while full LPI flow does not occur until 15 seconds later, or 53 seconds total (Ref. 4). This delay time includes allowances for Keowee Hydro Unit starting, Emergency Core Cooling Systems (ECCS) pump starts, and valve openings. Similarly, the RB Cooling, RB Isolation, and RB Spray have been analyzed with delays appropriate for the entire system analyzed.
Accident analyses rely on automatic ESPS actuation for protection of the core temperature and containment pressure limits and for limiting off site dose levels following an accident. These include LOCA, and MSLB events that result in RCS inventory reduction or severe loss of RCS cooling.
The ESPS channels satisfy Criterion 3 of 10 CFR 50.36 (Ref. 5).
LCO The LCO requires three analog channels of ESPS instrumentation for each Parameter in Table 3.3.5-1 to be OPERABLE in each ESPS output automatic actuation logic channel. Failure of any instrument renders the affected analog channel(s) inoperable and reduces the reliability of the affected Functions.
Input
For Unit(s) with the ESPS digital upgrade complete, there are redundant sets of processors and only one set is required to be OPERABLE.
OCONEE UNITS 1, 2, & 3 B 3.3.5-6 BASES REVISION DATED 0X27/99 Amendment Nos.
ESPS al nstrumentation B 3.3.5 BASES Input LCO (continued)
(or processor output trip signal for Unit(s) with the ESPS digital upgrade complete)
Only the Allowable Value is specified for each ESPS Function in the LCO. Nominal trip setpoints are specified in the setpoint calculations. The nominal trip setpoints are selected to ensure the setpoints measured by CHANNEL FUNCTIONAL TESTS do not exceed the Allowable Value if the bistableis performing as required.' Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable provided that operation and testing are consistent with the assumptions of the setpoint calculations. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis to account for instrument uncertainties appropriate to the trip Parameter.
These uncertainties are defined in Reference 3.
The Allowable Values for bypass removal functions are stated in the Applicable MODES or Other Specified Condition column of Table 3.3.5-1.
Three input instrumentation channels shall be OPERABLE to ensure that a single failure in one input channel will not result in loss of the ability to automatically actuate the required safety systems.
The bases for the LCO on ESPS Parameters include the following.
Three input channels of RCS Pressure-Low, RCS Pressure-Low Low, RB Pressure-High and RB Pressure-High High are required OPERABLE. Each input channel includes a sensor, trip bistable (or processor output trip signal for Unit(s) with the ESPS digital upgrade complete), bypass bistable, bypass relays, and output relays. Failure of a bypass bistable or bypass circuitry, such that an input channel cannot be bypassed, does not render the input channel inoperable since the input channel is still capable of performing its safety function, i.e., this is not a safety related bypass function.
APPLICABILITY Three input channels of ESPS instrumentation for each of the following Parameters shall be OPERABLE.
1. Reactor Coolant System Pressure - Low
The RCS Pressure - Low actuation Parameter shall be OPERABLE during operation at or above 1750 psig. This requirement ensures the capability to automatically actuate safety systems and components during conditions indicative of a LOCA or secondary unit overcooling. Below 1750 psig, the low RCS Pressure actuation Parameter can be bypassed to avoid actuation during normal unit cooldowns when safety systems actuations are not required.
The allowance for the bypass is consistent with the transition of the unit to a lower energy state, providing greater margins to safety limits. The unit response to any event, given that the reactor is already tripped, will be less severe and allows sufficient time for operator action to provide manual safety system actuations. This is even more appropriate during unit heatups when the primary system and core energy content is low, prior to power operation.
In MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. RCS pressure and temperature are very low, and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.
2. Reactor Coolant System Pressure - Low Low
The RCS Pressure - Low Low actuation Parameter shall be OPERABLE during operation above 900 psig. This requirement ensures the capability to automatically actuate safety systems and components during conditions indicative of a LOCA or secondary unit overcooling. Below 900 psig, the low low RCS Pressure actuation Parameter can be bypassed to avoid actuation during normal unit cooldowns when safety system actuations are not required.
The allowance for the bypass is consistent with the transition of the unit to a lower energy state, providing greater margins to safety limits. The unit response to any event, given that the reactor is already tripped, will be less severe and allows sufficient time for operator action to provide manual safety system actuations. This is even more appropriate during unit heatups when the primary system and core energy content is low, prior to power operation.
In MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. RCS pressure and temperature are very low, and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.
3, 4. Reactor Building Pressure - High and Reactor Building Pressure - High High
The RB Pressure - High and RB Pressure - High High actuation Functions of ESPS shall be OPERABLE in MODES 1, 2, 3, and 4 when the potential for a HELB exists. In MODES 5 and 6, the unit conditions are such that there is insufficient energy in the primary and secondary systems to raise the containment pressure to either the RB Pressure - High or RB Pressure - High High actuation setpoints. Furthermore, in MODES 5 and 6, there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. RCS pressure and temperature are very low and many ES components are administratively controlled or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.
ACTIONS Required Actions A and B apply to all ESPS instrumentation Parameters listed in Table 3.3.5-1.
A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each Parameter.
If an input channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or ESPS bistable (or required processor output for Unit(s) with the ESPS digital upgrade complete) is found inoperable, then all affected functions provided by that input channel should be declared inoperable and the unit must enter the Conditions for the particular protective Parameter affected.
A.1
Condition A applies when one input channel becomes inoperable in one or more Parameters. If one ESPS input instrument channel is inoperable, placing it in a tripped condition leaves the system in a one-out-of-two condition for actuation. Thus, if another input channel were to fail, the ESPS instrumentation could still perform its actuation functions. This action is completed when all of the affected output relays are tripped. For Unit(s) with the ESPS digital upgrade not complete, this can normally be accomplished by tripping the affected and For Unit(s) with the ESPS digital upgrade complete, this can be accomplished by tripping processor outputs or tripping the individual parameters in the processor. The 1 hour Completion Time is sufficient time to perform the Required Action.
B.1, B.2.1, B.2.2, and B.2.3
Condition B applies when the Required Action and associated Completion Time of Condition A are not met or when one or more Parameters have two or more inoperable input channels. If Condition B applies, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours and, for the RCS Pressure-Low Parameter, to < 1750 psig, for the RCS Pressure-Low Low Parameter, to < 900 psig, and for the RB Pressure-High Parameter and RB Pressure-High High Parameter, to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
SURVEILLANCE REQUIREMENTS The ESPS Parameters listed in Table 3.3.5-1 are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and CHANNEL CALIBRATION. The operational bypasses associated with each RCS Pressure ESPS instrumentation channel are also subject to these SRs to ensure OPERABILITY of the ESPS instrumentation channel.
SR 3.3.5.1 Performance of the CHANNEL CHECK every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two input instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
INSERT F
Agreement criteria are determined, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit.
The Frequency, equivalent to every shift, is based on operating experience that demonstrates channel failure is rare. Since the probability of two random failures in redundant channels in any 12 hour period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but potentially more frequent, checks of channel operability during normal operational use of the displays associated with the LCO's required channels.
SR 3.3.5.2 A CHANNEL FUNCTIONAL TEST is performed on each required ESPS channel to ensure the entire channel, including the bypass function, will perform the intended functions. Any setpoint adjustment shall be consistent with the assumptions of the current unit specific setpoint analysis.
The Frequency of 92 days is based on operating experience, with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given function in any 92 day interval is a rare event.
INSERT G
INSERT F for B 3.3.5 (page B 3.3.5-11)
This SR is modified by a Note indicating that it is not applicable to Unit(s) with an ESPS digital upgrade complete. The ESPS digital control system provides continuous online automatic monitoring of each of the input signals in each channel, performs software limit checking (signal online validation) against required acceptance criteria, and provides hardware functional validation so that the CHANNEL CHECK requirement is continuously being performed. If any protective channel input signal is identified to be in the FAILURE status, this condition is alarmed on the Unit Statalarm and input to the plant operator aid computer (OAC). Immediate notification of the FAILURE status is provided to the Operation staff. As such, a periodic CHANNEL CHECK is no longer required.
INSERT G for B 3.3.5 (page B 3.3.5-11)
The SR is modified by a Note indicating that it is not applicable to Unit(s) with the ESPS digital upgrade complete. The CHANNEL FUNCTIONAL TEST has been extended to 18 months and is included in the CHANNEL CALIBRATION. The ESPS digital control system software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The control system also performs continual online hardware monitoring.
SR 3.3.5.3 CHANNEL CALIBRATION is a complete check of the input instrument channel, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION assures that measurement errors and bistable setpoint errors are within the assumptions of the unit specific setpoint analysis. CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the setpoint analysis.
This Frequency is justified by the assumption of an 18 month calibration interval to determine the magnitude of equipment drift in the setpoint analysis.
For Unit(s) with the ESPS digital upgrade complete, the digital processors shall be rebooted as part of the calibration.
REFERENCES
1. UFSAR, Chapter 7.
2.
3. EDM-102, "Instrument Setpoint/Uncertainty Calculations."
4. UFSAR, Chapter 15.
5.
(or processor output trip signal for Unit(s) with the ESPS digital upgrade complete)
ESPS Manual Initiation B 3.3.6
B 3.3 INSTRUMENTATION
B 3.3.6 Engineered Safeguards Protective System (ESPS) Manual Initiation
BASES
BACKGROUND The ESPS manual initiation capability allows the operator to actuate ESPS Functions from the main control room in the absence of any other initiation condition. This ESPS manual initiation capability is provided in the event the operator determines that an ESPS Function is needed and has not been automatically actuated. Furthermore, the ESPS manual initiation capability allows operators to rapidly initiate Engineered Safeguards (ES) Functions.
LCO 3.3.6 covers only the system level manual initiation of these Functions. LCO 3.3.5, "Engineered Safeguards Protective System (ESPS) Input Instrumentation," and LCO 3.3.7, "Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels," provide requirements on the portions of the ESPS that automatically initiate the Functions described earlier.
The ESPS manual initiation Function relies on the OPERABILITY of the automatic actuation output logic channels (LCO 3.3.7) to perform the actuation of the systems. A manual trip push button is provided on the control room console for each of the automatic actuation output logic channels. Operation of the push button energizes relays whose contacts perform a logical "OR" function with the automatic actuation.
The ESPS manual initiation channel is defined as the instrumentation between the console switch and the automatic actuation output logic channel, which actuates the end devices. Other means of manual initiation, such as controls for individual ES devices, may be available in the control room and other unit locations. These alternative means are not required by this LCO, nor may they be credited to fulfill the requirements of this LCO.
INSERT A
APPLICABLE SAFETY ANALYSES The ESPS, in conjunction with the actuated equipment, provides protective functions necessary to mitigate accidents, specifically, the loss of coolant accident and steam line break events.
INSERT A for B 3.3.6 (page B 3.3.6-1)
For Unit(s) with the ESPS digital upgrade complete, a manual actuation of the ESPS actuation functions shall be capable of being initiated from the main control board TRIP/RESET pushbutton switches. Individual pushbuttons are provided for High Pressure Injection and Reactor Building (RB) Non-Essential Isolation (Channels 1 and 2), Low Pressure Injection and Low Pressure Service Water Actuation (Channels 3 and 4), Reactor Building Cooling, RB Essential Isolation, and Penetration Room Ventilation Actuation (Channels 5 and 6), and RB Spray (Channels 8 and 9). The manual actuation is independent of the ESPS automatic actuation system and is capable of actuating all channel related actuation field components regardless of any failures of the automatic system. Initiation of the manual actuation portion of ESPS will also input an actuation signal to the automatic system to provide input to the automatic system indicating that a manual actuation has occurred.
For Unit(s) with the ESPS digital upgrade complete, the ESPS manual initiation portion of the ESPS system is defined as the instrumentation between the control console TRIP/RESET switches and the RO relays which actuate the end devices. Other means of manual initiation/control, e.g., controls for individual devices, are available in the control room and other unit locations. These alternative means are not required by this LCO, nor may they be credited to fulfill the requirements of this LCO.
APPLICABLE SAFETY ANALYSES (continued) The ESPS manual initiation ensures that the control room operator can rapidly initiate ES Functions. The manual initiation trip Function is required as a backup to automatic trip functions and allows operators to initiate ESPS whenever any parameter is rapidly trending toward its trip setpoint.
The ESPS manual initiation functions satisfy Criterion 3 of 10 CFR 50.36 (Ref. 1).
LCO Two ESPS manual initiation channels of each ESPS Function shall be OPERABLE whenever conditions exist that could require ES protection of the reactor or RB. Two OPERABLE channels ensure that no single random failure will prevent system level manual initiation of any ESPS Function. The ESPS manual initiation Function allows the operator to initiate protective action prior to automatic initiation or in the event the automatic initiation does not occur.
The required Function is provided by two associated channels as indicated in the following table:
| Function | Associated Channels |
|---|---|
| HPI and RB Non-Essential Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input | 1 & 2 |
| LPI | 3 & 4 |
| RB Cooling, RB Essential isolation, and Penetration Room Vent. | 5 & 6 |
| RB Spray | 7 & 8 |

APPLICABILITY The ESPS manual initiation Functions shall be OPERABLE in MODES 1 and 2, and in MODES 3 and 4 when the associated engineered safeguard equipment is required to be OPERABLE. The manual initiation channels are required because ES Functions are designed to provide protection in these MODES. ESPS initiates systems that are either reconfigured for decay heat removal operation or disabled while in MODES 5 and 6.
Accidents in these MODES are slow to develop and would be mitigated by manual operation of individual components. Adequate time is available to evaluate unit conditions and to respond by manually operating the ES components, if required.
ACTIONS A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each ESPS manual initiation Function.
A.1 Condition A applies when one manual initiation channel of one or more ESPS Functions becomes inoperable. Required Action A.1 must be taken to restore the channel to OPERABLE status within the next 72 hours. The Completion Time of 72 hours is based on operating experience and administrative controls, which provide alternative means of ESPS Function initiation via individual component controls. The 72 hour Completion Time is generally consistent with the allowed outage time for the safety systems actuated by ESPS.
B.1 and B.2 With the Required Action and associated Completion Time not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required MODES from full power conditions in an orderly manner and without challenging unit systems.
SURVEILLANCE REQUIREMENTS
SR 3.3.6.1 This SR requires the performance of a CHANNEL FUNCTIONAL TEST of the ESPS manual initiation. This test verifies that the initiating circuitry is OPERABLE and will actuate the automatic actuation output logic channels. The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. This Frequency is demonstrated to be sufficient, based on operating experience, which shows these components usually pass the Surveillance when performed on the 18 month Frequency.
REFERENCES
- 1.
ESPS Automatic Actuation Output Logic Channels B 3.3.7
B 3.3 INSTRUMENTATION
B 3.3.7 Engineered Safeguards Protective System (ESPS) Automatic Actuation Output Logic Channels
BASES
BACKGROUND For Unit(s) with the ESPS digital upgrade not complete, the automatic actuation output logic channels of ESPS are defined as the instrumentation from the buffers of the ESPS input instrument channels through the unit controllers that actuate ESPS equipment. For Unit(s) with the ESPS digital upgrade complete, the digital automatic actuation output logic channels of ESPS are defined as the voters, and output relays and associated contacts. Each of the components actuated by the ESPS Functions is associated with one or more automatic actuation output logic channels. If two-out-of-three ESPS input instrumentation channels indicate a trip, or if channel level manual initiation occurs, the automatic actuation output logic channel is activated and the associated equipment is actuated. The purpose of requiring OPERABILITY of the ESPS automatic actuation output logic channels is to ensure that the Functions of the ESPS can be automatically initiated in the event of an accident. Automatic actuation of some Functions is necessary to prevent the unit from exceeding the Emergency Core Cooling Systems (ECCS) limits in 10 CFR 50.46 (Ref. 1). It should be noted that OPERABLE automatic actuation output logic channels alone will not ensure that each Function can be activated; the input instrumentation channels and actuated equipment associated with each Function must also be OPERABLE to ensure that the Functions can be automatically initiated during an accident.
LCO 3.3.7 covers only the automatic actuation output logic channels that initiate these Functions. LCO 3.3.5, "Engineered Safeguards Protective System (ESPS) Input Instrumentation," and LCO 3.3.6, "Engineered Safeguards Protective System (ESPS) Manual Initiation," provide requirements on the input instrumentation and manual initiation channels that feed into the automatic actuation output logic channels.
INSERT A
The ESPS, in conjunction with the actuated equipment, provides protective functions necessary to mitigate accidents, specifically, the loss of coolant accident (LOCA) and main steam line break (MSLB) events. The ESPS relies on the OPERABILITY of the automatic actuation logic for each component to perform the actuation of the selected systems.
The small break LOCA analyses assume a conservative 48 second delay time for the actuation of high pressure injection (HPI) in UFSAR, Chapter 15 (Ref. 2). The large break LOCA analyses assume LPI flow starts in 38 seconds while full LPI flow does not occur until 36 seconds later, or 74 seconds total (Ref. 2). This delay time includes allowances for Keowee
INSERT A for B 3.3.7 (page B 3.3.7-1)
The ESPS digital upgrade is part of an overall RPS/ESPS digital upgrade that also includes the Reactor Protective System (RPS). For Unit(s) with the ESPS digital upgrade complete, the ESPS portion consists of two independent systems each containing three separate redundant protective channels (A, B, and C) that monitors or receives input from plant parameters/devices.
The RPS/ESPS digital control systems utilize the existing plant sensors, input signal, cables and setpoints.
For Unit(s) with the ESPS digital upgrade complete, the ESPS Protective Channel Sets (computers) A, B, and C are implemented on two independent and redundant systems. One system, containing channels A, B, and C is installed in the ESPS cabinets using the ESPS protective channel set computer. The other system, containing independent and redundant channels A, B, and C uses the RPS protective channel set computer which is installed in the RPS cabinets.
Each of the independent ESPS and ESPS/RPS protective channel function output signals are sent to two redundant digital actuation Voters each comprised of an ODD and EVEN Voter.
One of the ODD and EVEN Voter sets (Voter 2) performs the "2-out-of-3" voting for the actuation signals coming from the ESPS protective channel sets; the other independent and redundant ODD and EVEN Voter sets (Voter 1) perform the "2-out-of-3" voting for the actuation signals coming from the ESPS/RPS sets. The independent and redundant ESPS protective safety actuation functions are duplicated in the ESPS and ESPS/RPS systems. Maintenance Bypasses are provided so a Voter or a set of Voters can be removed from the actuation logic circuitry. While one Voter or a set of Voters are bypassed, the ESPS function is provided by the redundant ESPS system.
Unit(s) with the ESPS digital upgrade complete are equipped with a manual bypass. The duplicated ESPS channels and the duplicated ESPS Actuation Train (Voters) computers provides a "2 x 2-out-of-3" logic, which allows a Manual Bypass of one complete set of three ESPS channels and one half of the ESPS Actuation Train (Voters).
Hydro Unit startup and loading, ECCS pump starts, and valve openings. Similarly, the reactor building (RB) Cooling, RB Isolation, and RB Spray have been analyzed with delays appropriate for the entire system.
The ESPS automatic initiation of Engineered Safeguards (ES) Functions to mitigate accident conditions is assumed in the accident analysis and is required to ensure that consequences of analyzed events do not exceed the accident analysis predictions. Automatically actuated features include HPI, LPI, RB Cooling, RB Spray, and RB Isolation.
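The voting described in INSERT A for B 3.3.7 and the one-out-of-two condition from Condition A of B 3.3.5 can be checked with a small model. This Python sketch is an added example, not part of the submittal or of the TXS software; it assumes the outputs of the two voter sets are ORed, and the status names and function names are hypothetical.

```python
from itertools import product

CHANNELS = ("A", "B", "C")
# Per INSERT A: Voter 2 votes on the ESPS channel set, Voter 1 on the ESPS/RPS set.
SUBSYSTEMS = ("ESPS", "ESPS/RPS")


def vote_2oo3(signals):
    """True when at least two of the three channel signals demand a trip."""
    if len(signals) != 3:
        raise ValueError("a 2-out-of-3 voter needs exactly three inputs")
    return sum(bool(s) for s in signals) >= 2


def channel_output(demand, status):
    """Signal a protective channel sends to its voter (status names are hypothetical).

    "ok"             follows the real plant demand
    "failed_low"     stuck, never demands a trip
    "placed_in_trip" inoperable channel put in the tripped condition
    """
    if status == "ok":
        return demand
    if status == "failed_low":
        return False
    if status == "placed_in_trip":
        return True
    raise ValueError(f"unknown channel status: {status}")


def subsystem_actuates(demand, statuses):
    """2-out-of-3 vote over channels A, B and C of one subsystem."""
    return vote_2oo3([channel_output(demand, statuses[c]) for c in CHANNELS])


def esps_actuates(demand, sub_statuses, bypassed=(), manual=False):
    """2 x 2-out-of-3 actuation with optional maintenance bypass.

    ASSUMPTION: voter sets that are not bypassed are ORed together.
    The manual pushbutton is ORed with the automatic result, as the
    Bases describe for manual initiation.
    """
    auto = any(
        subsystem_actuates(demand, statuses)
        for name, statuses in sub_statuses.items()
        if name not in bypassed
    )
    return auto or manual


def all_channels(status):
    """Both subsystems with every channel in the same status."""
    return {s: {c: status for c in CHANNELS} for s in SUBSYSTEMS}


def min_failures_to_defeat(bypassed=()):
    """Fewest stuck channels that block automatic actuation on a real demand."""
    slots = [(s, c) for s in SUBSYSTEMS for c in CHANNELS]
    best = None
    for combo in product(("ok", "failed_low"), repeat=len(slots)):
        statuses = {s: {} for s in SUBSYSTEMS}
        for (s, c), st in zip(slots, combo):
            statuses[s][c] = st
        if not esps_actuates(True, statuses, bypassed):
            n = combo.count("failed_low")
            best = n if best is None else min(best, n)
    return best


if __name__ == "__main__":
    print("stuck channels needed, no bypass:", min_failures_to_defeat())
    print("stuck channels needed, ESPS/RPS set bypassed:",
          min_failures_to_defeat(bypassed=("ESPS/RPS",)))
    one_tripped = {"A": "placed_in_trip", "B": "failed_low", "C": "ok"}
    print("1-out-of-2 after placing A in trip:",
          subsystem_actuates(True, one_tripped))
```

Under the OR assumption, bypassing one voter set reduces the number of stuck channels needed to block automatic actuation from four to two, which is the single-subsystem 2-out-of-3 case.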
APPLICABLE SAFETY ANALYSES Accident analyses rely on automatic ESPS actuation for protection of the core and RB and for limiting off site dose levels following an accident. The automatic actuation output logic is an integral part of the ESPS.
The ESPS automatic actuation output logic channels satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).
LCO The automatic actuation output logic channels are required to be OPERABLE whenever conditions exist that could require ES protection of the reactor or the RB. This ensures automatic initiation of the ES required to mitigate the consequences of accidents.
The required Function is provided by two associated channels as indicated in the following table:
For Unit(s) with the ESPS digital upgrade complete, the ESPS output actuation channels are comprised of two independent and redundant subsystems.
Only one of the independent subsystems is required to be OPERABLE.
| Function | Associated Channels |
|---|---|
| HPI and RB Non-Essential Isolation, Keowee Emergency Start, Load Shed and Standby Breaker Input, and Keowee Standby Bus Feeder Breaker Input | 1 & 2 |
| LPI and RB Essential isolation | 3 & 4 |
| RB Cooling, RB Essential isolation, and Penetration Room Vent. | 5 & 6 |
| RB Spray | 7 & 8 |

APPLICABILITY The automatic actuation output logic channels shall be OPERABLE in MODES 1 and 2 and in MODES 3 and 4 when the associated engineered safeguard equipment is required to be OPERABLE, because ES Functions are designed to provide protection in these MODES. Automatic actuation in MODE 5 or 6 is not required because the systems initiated by the ESPS are either reconfigured for decay heat removal operation or disabled.
Accidents in these MODES are slow to develop and would be mitigated by manual operation of individual components. Adequate time is available to evaluate unit conditions and respond by manually operating the ES components, if required.
ACTIONS A Note has been added to the ACTIONS indicating separate Condition entry is allowed for each ESPS automatic actuation output logic channel.
A.1 and A.2 When one or more automatic actuation output logic channels are inoperable, the associated component(s) can be placed in their engineered safeguard configuration. Required Action A.1 is equivalent to the automatic actuation output logic channel performing its safety function ahead of time.
In some cases, placing the component in its engineered safeguard configuration would violate unit safety or operational considerations. In these cases, the component status should not be changed, but the supported system component must be declared inoperable. Conditions which would preclude the placing of a component in its engineered safeguard configuration include, but are not limited to, violation of system separation, activation of fluid systems that could lead to thermal shock, or isolation of fluid systems that are normally functioning. The Completion Time of 1 hour is based on operating experience and reflects the urgency associated with the inoperability of a safety system component.
Required Action A.2 requires declaring the associated components of the affected supported systems inoperable, since the true effect of automatic actuation output logic channel failure is inoperability of the supported system. The Completion Time of 1 hour is based on operating experience and reflects the urgency associated with the inoperability of a safety system component. A combination of Required Actions A.1 and A.2 may be used for different components associated with an inoperable automatic actuation output logic channel.
OCONEE UNITS 1, 2, & 3 B 3.3.7-3 BASES REVISION DATED 04/6/03 Amendment Nos.
SURVEILLANCE REQUIREMENTS
SR 3.3.7.1
SR 3.3.7.1 is the performance of a CHANNEL FUNCTIONAL TEST on a 31 day Frequency for Unit(s) with the ESPS digital upgrade not complete and an 18 month Frequency for Unit(s) with the ESPS digital upgrade complete.
The test demonstrates that each automatic actuation output logic channel successfully performs the two-out-of-three logic combinations every 31 days. The test simulates the required one-out-of-three inputs to the logic circuit and verifies the successful operation of the automatic actuation output logic.
The 31 day Frequency is based on operating experience that demonstrates the rarity of more than one channel failing within the same 31 day interval.
REFERENCES
1.
2. UFSAR, Chapter 15.
3.
For Unit(s) with the ESPS digital upgrade complete, the digital processors shall be rebooted as part of the functional test.
The 18 month Frequency is based on the design capabilities and reliability of the new ESPS digital control system. The ESPS digital control system software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The control system also performs continual online hardware monitoring.
February 14, 2005
ATTACHMENT 3
TECHNICAL JUSTIFICATION
Table of Contents
Introduction
A. Background
B. Modification Description
C. Modification Design
D. Failure Modes and Effects Analysis
E. Modification Equipment
F. Instrument Changes
G. Mechanical Changes
H. Civil Changes
I. Design Criteria
J. Functional Criteria
K. Probabilistic Risk Assessment (PRA)
L. Updated Final Safety Analyses Report Summary
M. Topical Report EMF-2110(NP)
N. Description of Technical Specification Change

Technical Justification
Introduction
This proposed modification, which installs a Reactor Protective System (RPS) and Engineered Safeguards Protective System (ESPS) with a TELEPERM XS (TXS) digital control system in place of the existing RPS and ESPS with Bailey Controls, is a significant improvement. The new system replaces equipment that is technically obsolete in relation to current technologies and resolves obsolescence issues associated with the existing equipment. The new system is needed to assure continued reliable station operations. The TXS system will provide on-line self-testing and diagnostic functions to improve the availability of the system and/or reduce maintenance burdens. Installation of the TXS system will result in an improvement in RPS and ESPS reliability. With this new integrated system, enhancements to operate the plant more safely and economically are possible. All functions currently performed by RPS and ESPS will be maintained. The new equipment will meet or exceed the design requirements of the existing equipment. A detailed description of the proposed modification is provided in Sections A through L below. The plant specific actions of the NRC Safety Evaluation for the TXS platform are addressed in Section M. The description and justification for the proposed Technical Specification changes are provided in Section N. Table 1 of this attachment provides a list of NRC commitments related to this submittal.
A. Background
The proposed modification replaces the RPS and ESPS, manufactured by Bailey Controls, currently installed in Oconee Nuclear Station (ONS). Bailey Controls has ceased production of these systems and all related replacement modules and components. This presents ONS with a significant maintenance issue due to the lack of spare parts. The replacement of the RPS and ESPS ensures the reliability and extended life of Oconee Nuclear Station, with minimal maintenance intervention.
The Reactor Protection System's primary function is to trip the Control Rod Drive (CRD) breakers to shut down the reactor, when any one of the monitored parameters exceeds a predetermined value. The specific existing Reactor Trips are:
Reactor power trip (Flux trip);
Reactor outlet temperature trip;
Reactor coolant pressure trip;
Pressure/temperature trip;
RC Pump power monitor trip;
Reactor Building pressure trip;
Flux/Flow/Imbalance trip;
Two Main Feedwater pump trip;
Turbine trip.
Nuclear Instrumentation (NI) provides neutron level information inputs to the RPS for safe operation and control of the plant. NI indications are also required for monitoring plant start-up and shutdown. NI's are separated by function. Four channels of Source Range are used for shutdown monitoring, fuel movement, providing personnel reactor building evacuation alarm, and initial startup neutron indication and rate of increase. Four channels of Wide Range level and rate indication are used for startup, Control Rod Drive out inhibit on high startup rate, power escalation until the power range is on scale, and post-accident monitoring.
Four channels of NI Power Range provide inputs to the RPS Flux/Flow/Imbalance and High Flux reactor trip functions.
The RPS function is to protect the reactor from damage. This system is classified as QA Condition 1, Nuclear Safety Related, Class 1E and is designed to meet or exceed IEEE 279-1971 standards. The system is essentially the same today as when it was originally installed. The major exceptions are:
The installation of the anticipatory trip equipment used to monitor the loss of Feedwater Pumps and Turbine trips. This was installed as one of the corrective actions identified following the Three Mile Island (TMI) accident.
The installation of Gamma-Metrics NI's to replace the Bailey Source and Intermediate Range nuclear instrumentation;
The recent upgrade of the Flux/Imbalance/Flow trip string using Framatome Technologies, Inc., STAR hardware.
The ESPS monitors selected plant parameters, which are indicative of the occurrence of a major loss-of-coolant-accident (LOCA). These parameters are Reactor Coolant System (RCS) pressure and Reactor Building (RB) pressure.
Whenever the ESPS setpoints for RCS pressure or RB pressure are exceeded, the ESPS initiates operation of selected plant equipment to perform the following functions:
Provide protection for the nuclear fuel cladding by injection of reactor coolant as required during abnormally low RCS pressures.
Maintain integrity of the RB through initiation of building isolation and cooling of the building atmosphere during accident conditions.
The ESPS, in conjunction with the RPS, is relied upon to initiate functions that assure the following:
The integrity of the RCS pressure boundary.
The capability to shut down the reactor and maintain it in a safe shutdown condition.
The capability to prevent or mitigate the consequences of accidents, which may result in off-site exposures comparable to 10CFR100 guidelines.
Because of the safety significance of the ESPS, it is classified as QA Condition 1, Nuclear Safety Related, Class 1E. It was designed to meet IEEE Standard 279-1971, "IEEE Standard Criteria for Protection Systems for Nuclear Power Generating Stations," and is essentially the same today as when it was installed in the early 1970s.
B. Modification Description
The Teleperm XS (TXS) system, as described in Siemens (FANP) Topical Report EMF-2110 (NP), Revision 1, "TXS: A Digital Reactor Protection System" will replace the present ONS RPS that is described in ONS UFSAR Chapter 7. In addition, the TXS platform will replace the Engineered Safeguards Protective System (ESPS) as described in ONS UFSAR Chapters 6 and 7. The data acquisition process, the signal validation, the protection logic and the voting for these systems will now be performed by TXS.
- 1. Reactor Protective System
A TXS based Reactor Protective System (RPS) will be installed by this modification. All of the existing RPS cabinets and the components currently located in RPS cabinets 1-9 will be replaced with the exception of the Source Range and Wide Range Nuclear Instrumentation. These components will be retained. In addition, the nuclear instrumentation recorders (SR, WR, and PR) located on control board UB1 will be replaced with new recorders on Unit(s) 1 and 2. New recorders have already been installed on Unit 3.
The selected replacement RPS/ESPS will be built on the TXS platform. The selected option implements a combined RPS/ESPS architecture to achieve extended ESPS redundancy.
All functions currently performed by the existing RPS will be maintained. This includes all existing inputs and outputs to the Operator Aid Computer (OAC), Control Room indicators, alarms and all other interfaces. The input signals for the TXS sets are grouped exactly like the existing Process Protection Sets. They are connected to the TXS automation system via Signal Conditioning Modules.
The TXS sets exchange their process data via point-to-point fiber-optic data links. Each of four TXS sets has a complete set of all connected safety related process values. By comparison (Data Validation) between the redundant values, outlying signals are rejected and the optimum representative signal is selected.
The TXS plant protection functions will be carried out in each of the four protective channels. Therefore, for each RPS actuation, four validated input signals are now available. A functional diagram of the TXS based RPS/ESPS is provided in Figure 1 at the end of Attachment 3.
The outputs of the four digital TXS Protection Sets are voted by relay, "2-out-of-4" configurations, in each of the channel sets, before actuating the Trip contacts.
For each relay an additional contact is wired to the TXS Protection Sets as a relay check-back signal. This is used for test and monitoring purposes. Refer to Figure 2 at the end of Attachment 3.
The following enhancements to the existing RPS will be made:
a) Modification of the existing RPS Shutdown (S/D) Bypass function/operation utilizing both hardware and software design solutions.
The modification involves the addition of a S/D Bypass selector switch for each of the four (4) RPS Protective Channel Sets. The channel-related selector switch will allow Operations staff to select between "Normal" and "S/D Bypass". The setpoints/actions for the various S/D Bypass functions will not be changed, although the implementation of the action will now be performed with TXS software solutions. In the Normal position the RPS High Flux reactor trip setpoint will be set at 104.75% reactor thermal power (RTP). While in the S/D Bypass position, the following RPS trip functions are affected: Function 1, RPS High Flux reactor trip setpoint will be set to approximately 4%; Function 3, High Flux/Flow/Imbalance Trip will be bypassed; Function 4, High Reactor Coolant System (RCS) Pressure Trip setpoint will be lowered from > 2345 psig to approximately 1720 psig; Function 5, The Low RCS pressure trip will be bypassed; Function 6, The Variable Low RCS pressure trip will be bypassed; Functions 7 through 10 do not change in S/D Bypass, and Function 11, The Reactor Coolant Pump/Power trip will be bypassed. This operating configuration is required to allow the Control Rod Drive (CRD) Breakers to remain energized during start up and shut down operations which would initiate a reactor trip under normal (at power) operation conditions, e.g., RCS pressure is low and the number of RCS pumps running may be less than that required for unit power operation. The S/D Bypass is also used during Zero Power Physics Testing, where each group of control rods is withdrawn individually before start up following a refueling outage to verify the predicted rod worth for the new/modified core.
b) The new RPS system will provide online continuous self-testing and diagnostic functions to improve the availability of the system and/or reduce the maintenance burden. These functions are performed within the TXS system and are classified as safety related.
c) The new RPS system will enhance the RPS/Operator Aid Computer (OAC) interface. The TELEPERM-OAC gateway will make additional information available to the OAC on RPS process variables and equipment status.
The new RPS will be qualified as a QA Condition 1, Nuclear Safety Related, Class 1E system.
- 2. Engineered Safeguards Protective System
A TXS based ESPS will be installed by this modification. ESPS cabinets 1-7 and all components currently located in those cabinets will be replaced. ESPS cabinets 8 and 9 will be retained but the components will be replaced. In addition, the existing RZ modules located on VB2 in the control room will be replaced with discrete status indication elements. Location for replacement controls and indication elements will be verified to be in compliance with current human factors considerations.
The selected replacement system will be built on the TXS platform and will implement a combined RPS/ESPS architecture to achieve extended redundancy in the ESPS.
The new system will be qualified as a QA Condition 1, Nuclear Safety Related, Class 1E system.
All functions currently performed by the existing ESPS will be maintained. This includes all existing inputs and outputs to the OAC, Control Room indicators, alarms and all other interfaces. The input signals for the TXS sets are grouped exactly like the existing Process Protection Sets. They are connected to the TXS automation system via signal conditioning modules. In addition, the signals are sent from the signal conditioning module via an isolation amplifier to the corresponding RPS Protection Set (i.e., from ESPS Set 1 to RPS Set A). The three TXS ESPS sets exchange their process data via point-to-point fiber-optic data links. Each TXS set has a complete set of all connected safety related process values. By comparison (Data Validation) between the redundant values, outlying signals are rejected and the optimum representative signal is selected.
These three TXS RPS sets exchange their ES related process data via point-to-point fiber-optic data links. These are the same point-to-point data links used for RPS functions. Each of these TXS sets has a complete set of all connected safety related process values. By comparison (Data Validation) between the redundant values, outlying signals are rejected and the optimum representative signal is selected. The complete ESPS protection functions, for both digital channels, will be carried out in each of the six sets. Therefore for each different ESPS actuation, six actuation signals are now available.
The actuation signals are connected to TXS digital actuation voters, which are assigned to either digital channel, voting "2-out-of-3", from each of the redundant actuation signals from the six TXS channel sets. The TXS digital actuation voter is formed by a computer configuration consisting of two Master/Checker pairs. They are connected to the TXS channel sets via fiber optic point-to-point data links. One of the Master/Checker pairs performs the "2-out-of-3" voting for the actuation signals coming from the RPS sets; the other Master/Checker pair performs the "2-out-of-3" voting for the actuation signals coming from the ESPS sets. The binary outputs of the two Master/Checker pairs are OR gated by diodes. Master and Checker compute the same application function and compare the results at the end of the cycle. In case of a disagreement, the complete Master/Checker pair shuts down. Only the other Master/Checker pair now handles the outputs of the respective ESPS actuation channel.
The output signals of the voters are connected to interposing relays, which provide direct access to the actuators. Each relay actuates a separate circuit.
Each contact replaces the final output contact of the existing ESPS System.
The following enhancements/options were selected to improve performance of the system.
a) Enhancement of the ESPS/Control Room Operator (CRO) interface.
The remote operation (RZ) modules on vertical control board VB2 will be eliminated. Indication that all devices have transferred to their Engineered Safeguards (ES) state will be provided by discrete status indication elements located on the vertical control board VB2. For those components that currently can only be controlled from the RZ station, replacement control switches and indication will be provided. A select group of controls has been identified by operations for relocation to an area on UB2. The remaining controls will be located on the vertical board. The Auto/Manual function selection currently available at the component level on the RZ modules will be transferred to a channel level Auto/Manual selection. The channel level Auto/Manual controls will be located to UB2.
b) Enhancement of the ESPS/OAC interface.
The TELEPERM-OAC gateway will make additional information (e.g., TXS software and signal error messages) available to the OAC on ESPS process variables and equipment status. The existing hard-wired connections to the OAC will be retired and a Local Area Network (LAN) communication link will be established. The TELEPERM-OAC gateway and the LAN communication link are non-safety related.
c) The new ESPS system will provide continuous online self-testing and diagnostic functions to improve the availability of the system and/or reduce the maintenance burden.
d) The new ESPS system will be built with spare capability to handle planned modifications and future upgrades. A reserve power supply capacity for DC converters and spare capability for I/O modules, reserve CPU (memory and cycle time) capacity and communication capability, and spare slots for any TXS components will be provided to allow for future expansion or modifications.
C. Modification Design:
- 1. System Response Time
The design basis response times for both the RPS and ESPS functions are identified in the ONS UFSAR Chapter 15, Accident Analyses. These design basis requirements, including system response times of the new TXS RPS and ESPS systems, have been specified in the RPS and ESPS Replacement Project Specifications (Equipment Specifications) and will be verified during the performance of the design change process in the vendor Factory Acceptance Test (FAT) and/or the ONS Site Acceptance Test (SAT).
- 2. Human Factors Review
ONS Operations staff approved the location for replacement ESPS controls, annunciator windows and script, and indication elements of the controls. Duke will verify the location complies with current human factors considerations as part of the final design change process.
- 3. Design Bases Considerations
RPS and ESPS design basis documents, which specify the ONS Design Basis Accident, Design Basis Events, Scoping Events, and other events applicable to the RPS and ESPS systems, and the ONS Updated Final Safety Analysis Report, Chapter 15 Accident Analyses will be reviewed and updated as required as part of the design change process. The lists provided below are not considered all inclusive.
- a. Design Basis Accident - RPS and ESPS
Large Break Loss of Cooling Accident with concurrent Loss of Offsite Power
- b. Design Basis and Scoping Events
- 1. RPS
a) Cold Water Accident
b) Loss Of Coolant Flow
c) Loss Of Offsite Power
d) Locked Rotor/Sheared Shaft
e) Moderator Dilution Accidents
f) Steam Line Break Accidents
g) Rod Ejection Accident
h) Rod Withdrawal Accident at Power
i) Steam Generator Tube Rupture
j) Startup Accident
k) Turbine Trip Accident
l) Small Break Loss of Coolant Accident
m) Large Break Loss of Coolant Accident with coincident Loss of Offsite Power
- 2. ESPS
a) Steam Line Break Accidents
b) Rod Ejection Accidents
c) Steam Generator Tube Rupture
d) Small Break Loss of Coolant Accident
e) Large Break Loss of Coolant Accident with coincident Loss of Offsite Power
- 3. Other ONS Licensing Basis and Regulatory Programs
a) Regulatory Guide 1.152, Criteria for Programmable Digital Computer System Software in Safety Related Systems of Nuclear Power Plants
b) Regulatory Guide 1.53, Application of the Single-Failure Criteria to Nuclear Power Plant Protection Systems
c) Regulatory Guide 1.97, Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following An Accident
d) 10CFR50, Appendix A, General Design Criteria
e) 10CFR50.48, Fire Protection, Generic Letter 86-10, Implementation of Fire Protection Requirements and Interpretations of Appendix R
f) 10CFR50.49, Environmental Qualification of Electrical Equipment Important to Safety for Nuclear Power Plants
g) 10CFR50.62, Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants
h) 10CFR50.63, Loss of All Alternating Current Power (Station Blackout)
i) 10CFR50.65, Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants (Maintenance Rule)
j) EPRI TR-102323-R1, Guidelines for Electromagnetic Interference Testing in Power Plants
k) EPRI TR-107330, Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Application in Nuclear Power Plants
l) USNRC Standard Review Plan, Branch Technical Position HICB-19, Guidance for Evaluation of Defense-in-Depth and Diversity in Digital Computer Based Instrumentation and Control Systems
m) USNRC NUREG/CR-6303, Method for Performing Diversity and Defense-in-Depth Analysis of Reactor Protection Systems
n) Natural Phenomena Criteria/Events, includes external flood and groundwater, snow, ice, tornado, and seismic.
D. Failure Modes and Effects Analysis
The Failure Modes and Effects Analysis (FMEA) evaluates the equipment identified in the scope of the design change and determines how it may fail (mode of failure), and what effect the failure has on the system (failure effect). The FMEA will identify, document and assess the impact of a failure of the TXS digital control systems which includes I/O Modules, isolation devices, fiber optic cable links, Protective Sets (CPUs), output actuation modules (Voter CPUs), communication modules, signal modules, relays, power supplies, etc.
The FMEA will be prepared in accordance with IEEE Standard 352-1987, "IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Safety Systems" and IEEE Standard 577-1976, "IEEE Standard Requirements for Reliability Analysis in the Design and Operation of Safety Systems for Nuclear Power Generating Stations." The FMEA will be used to demonstrate that the single failure requirements for the RPS/ESPS design meet IEEE-603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations," as amplified by IEEE-379-2000, "IEEE Standard Application of the Single-Failure Criteria to Nuclear Power Generating Station Safety Systems." Regulatory Guide 1.53, "Application of the Single-Failure Criteria to Nuclear Power Plant Protection Systems" states that IEEE-379-2000 provides methods acceptable to the NRC staff for satisfying the NRC's regulations with respect to the application of the single-failure criterion to the electrical power, instrumentation, and control portions of nuclear power plant safety systems.
The FMEA(s) will identify all significant failure modes for the new TXS digital control upgrade equipment including the design solutions for the Nuclear Instrumentation Power Range equipment and the Reactor Coolant System Pump Power Monitor. The replacement RPS will not be allowed to introduce hardware failures that inhibit a CRD trip when required. The replacement ESPS will not be allowed to introduce hardware failures that inhibit proper operation of Engineered Safeguards equipment. The natural phenomena events including fire, flood or earthquakes, are addressed as part of the ONS nuclear modification design change process. These events occur outside the RPS/ESPS systems. These design considerations are not included in the project FMEA(s). The ONS plant specific input elements (sensors, transmitters, switches, and associated circuitry up to the RPS and ESPS systems, etc.) and output actuation elements (relays, contacts, actuators, valves, and associated circuitry, etc.) are not part of this scope. The failure modes and effects of non-safety elements including: annunciators, the event recorder, OAC, Integrated Control System (ICS), test points, Maintenance Service Units, etc., are not part of the scope of the FMEA(s), however, credit is taken for these devices when analyzing the failure effects of a safety input.
E. Modification Equipment
The existing RPS cabinets 1-9 and ESPS cabinets 1-7 will be replaced. ESPS cabinets 8 and 9 will be retained but the components will be replaced. The new TXS systems will be located in the footprint of the existing cabinets of the RPS and ESPS as follows:
Protective Channels Sets for the ESPS functions:
PPSCA0009 ESPS-1 (ESPS Channel Set "A")
PPSCA0010 ESPS-2 (ESPS Channel Set "B")
PPSCA0011 ESPS-3 (ESPS Channel Set "C")
Protective Channels Sets for the RPS functions and the duplicated ESPS functions (only three ESPS channel sets):
PPSCA0001 RPS-A1 (RPS/ESPS Channel Set "A")
PPSCA0002 RPS-A2 (RPS/ESPS Channel Set "A")
PPSCA0003 RPS-B1 (RPS/ESPS Channel Set "B")
PPSCA0004 RPS-B2 (RPS/ESPS Channel Set "B")
PPSCA0005 RPS-C1 (RPS/ESPS Channel Set "C")
PPSCA0006 RPS-C2 (RPS/ESPS Channel Set "C")
PPSCA0007 RPS-D1 (RPS Channel Set "D")
PPSCA0008 RPS-D2 (RPS Channel Set "D")
Actuation / Manual Control of the ESPS components:
PPSCA0012 ESPS-4 ("odd" ESPS Actuation Channels)
PPSCA0013 ESPS-5 ("odd" ESPS Actuation Channels)
PPSCA0014 ESPS-6 ("even" ESPS Actuation Channels)
PPSCA0015 ESPS-7 ("even" ESPS Actuation Channels)
Check-back of the status information of the ESPS components:
PPSCA0017 ESPS-8 ("odd" ESPS Actuation Channels)
PPSCA0018 ESPS-9 ("even" ESPS Actuation Channels)
RPS Channel E, TXS Monitoring and Service Interface (MSI):
PPSCA0016 RPS-E
Approximately 200 cables, the majority of which are OAC cables, will be deleted.
Approximately 53 new control/instrument cables and approximately 44 new fiber optic cables will be added. Existing cables/routings will be utilized to the extent practical. New installations will meet ONS design requirements.
A new non-safety related TXS RPS/ESPS communication data link to the OAC via a communication bridge called "TXS Gateway" will be installed. The non-safety related TXS Gateway is a computer which is connected via a fiber-optic data link to the Monitoring and Service Interface (MSI) that will be located in Cabinet RPS-E.
The existing hardwired connections of the RPS/ESPS to the OAC will be retired.
The new TXS System MSI sends commands to and from the Service Unit and the Channel Set and Voter computers containing information and maintenance commands.
Additionally, a TXS Service Unit is provided for engineering, maintenance, and diagnostic purposes. The Service Unit interfaces through the MSI computer. The Service Unit contains the Specification and Coding Environment (SPACE) software tools for performing engineering/configuration, maintenance, and diagnostics of the TXS RPS/ESPS including the Protective Channel Sets and ESPS Voters and all logic/function circuitry. The Service Unit is utilized for the following functions:
Monitoring of the TXS RPS/ESPS functions
Fault detection and failure diagnosis
Modification of function block parameters
Support of periodic surveillance tests, and
Software download
The new TXS components will be installed into new RPS cabinets 1-9 and ESPS cabinets 1-7. The new cabinets will be located in the same footprint as the existing RPS/ESPS cabinets. The existing RPS/ESPS sensors, transmitters, and signal input field cables will be maintained and re-terminated to new terminal blocks located in the new TXS cabinets. The only exception is in the ESPS Status cabinets 8/9, where the existing ESPS terminal blocks for the checkback signals to the ESPS will be maintained. Existing field equipment and cabling will be maintained (when possible). New external cables and internal cabinet wiring will be required for the following installations:
Reactor Coolant Pump Power Monitoring (RCPPM) equipment (located in the Cable Spreading Room) will be modified to provide redundant watt transducers for each RC Pump Power circuit.
Integration of the additional internal and external cabinet wiring due to the duplication of the ESPS Protective Channel functions in the RPS Protective Channel Set computers
Integration of the new hardwired interface to facilitate replacement of the ESPS RZ control station to the control board for manual/auto switchover of ESPS components from a per component basis to a per channel basis
The new TXS System will maintain the existing control room equipment with the exceptions listed here:
Implementation of new NI Power Range equipment, installed in the RPS cabinets in the control room, including the Power Range Test Module, upper and lower core Power Range Amplifiers, and the Bipolar and Detector Power supplies and Power Range recorder
Implementation of new control board equipment for manual/auto switchover of ESPS components on a per channel basis
Elimination of the existing RZ stations which includes replacement and relocation of some ESPS equipment manual controls, status indications, and annunciators.
F. Instrument Changes
Existing RPS/ESPS system sensors, transmitters, and signal input field cables will be maintained with the exception of the RPS Reactor Coolant (RC) System Outlet Temperature monitoring transmitters. The existing RC temperature sensors (Weed RTDs) and the sensor input signal cabling up to the RPS System cabinet will be retained. Due to obsolescence issues with the temperature transmitters they will be replaced with new compatible temperature transmitters. All RPS/ESPS setpoints will remain unchanged.
The design basis response times for the RPS/ESPS functions, as identified in the ONS UFSAR Chapter 15, Accident Analyses, will be verified during the performance of the design change process in the vendor Factory Acceptance Test (FAT) and/or the ONS Site Acceptance Test (SAT). The RPS/ESPS System Instrument Setpoint Calculations, and Instrument Accuracy Uncertainty Calculations will be updated and validated.
G. Mechanical Changes
The mechanical modification scope includes the requirement that the installation of the new TXS systems, including all supporting electrical components, does not create any adverse impacts to the control room and cable room habitability envelopes and to ensure that mechanical systems which are required to meet single failure criteria are not adversely impacted.
The new TXS electronic equipment is designed to have no adverse impact on the control room or cable room heat loads. Changes to the control room and cable room heat load will be verified either through testing or by analytical methods, to ensure existing heat load analyses remain bounding.
The TXS based RPS and ESPS is designed to have a more favorable impact on the control room heat load than the existing systems. Changes to RPS and ESPS equipment located in the cable room are projected to have minimal impact on cable room heat load. Impact to the control room and cable room heat load will be verified either through testing or by analytical methods. The replacement TXS RPS and ESPS equipment are projected to require less electric load than the existing systems resulting in a post installation condition that is bounded by the existing heat load analyses for the control room.
Duke will evaluate and confirm that the modification does not impact the Station Blackout Analysis for Oconee.
H. Civil Changes
The portions of the new TXS systems installed by this modification are required to operate, without loss of function, following a design basis earthquake and are required for safe shutdown, without loss of function, following a safe shutdown earthquake. As such, the new components and attending support structures are required to be seismically qualified.
The civil design scope includes those design activities, which will verify and document that the new components meet applicable seismic requirements. Specific structures, systems and components (SSCs) associated with this modification requiring seismic qualification include:
ESPS and RPS cabinets and internal components.
ESPS and RPS cabinet floor mounting.
Cable trays including supports and hangers.
Control boards and controls such as operating switches, indicating lights, recorders, and ESPS status panels.
I. Design Criteria
The design criteria in the UFSAR were reviewed with respect to the RPS and ESPS. Criteria 1, 2, 3, 4, 5, 6, 7, 11, 12, 14, 15, 19, 20, 21, 22, 23, 24, 25, 26, 28, 29, 31, and 38 are applicable. UFSAR design criteria applicable to the RPS and ESPS will continue to be applicable after the digital upgrade is complete.
J. Functional Criteria
TXS is designed to meet all safety related I&C requirements for nuclear power plants. Typical applications include the RPS and ESPS functions. TXS is a distributed, redundant digital system. TXS can be configured for 1/2, 2/3, or 2/4 independent coincidence applications or data-processing paths (channels), each with two or three "layers" of operation and running asynchronous with respect to each other. The signal acquisition and processing is performed within one protective channel. The TXS protective system functions include signal acquisition, data-processing, and actuation signal voting. The communication (links) between redundant channels uses fiber optic cables. The signal acquisition function in each channel acquires analog and binary signals from sensors in the plant. Each protective channel distributes its acquired and preprocessed input signals to the output actuation functions. Thus, each protective channel is provided with the same set of input information. The protective channels perform signal processing for RPS and ESPS plant protective functions such as signal online validation and input signal limit value monitoring.
The input signal online validation uses a 2dminimum or 2 maximum principle.
Each protective channel uses the 2nd lowest measurement to compare the low set point value and then determines the partial trip status of that channel for a "low trip" parameter. Similarly, it uses the 2nd highest measurement to compare the high set point value and then determines the partial trip status of that channel for a "high trip" parameter. This TXS function will reject the outlying signal in the process measurement and thereby minimize inadvertent trips. The TXS software automatically marks the invalid signal with the ERROR status flag. Signals marked with ERROR status flag are excluded from further processing by the system input function blocks. This condition is communicated to the TXS Service Unit and annunciated on the main control board alarm. The safety function can be postulated to be lost only if all of the incoming data is classified as ERROR status. Based upon operation with loss of input signals, the RPS and ESPS protective system safety functions will be executed correctly based on a reduced set of available input signals.
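The 2nd minimum / 2nd maximum selection described above, sketched in Python as an added example (it is not code from this submittal or from the TXS platform). The setpoints and readings are constructed, and the behaviour with exactly one valid input or with no valid input is an assumption, since the text does not specify it.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence


class Status(Enum):
    OK = "OK"
    ERROR = "ERROR"   # invalid signal, excluded from further processing


@dataclass(frozen=True)
class Signal:
    channel: str
    value: float
    status: Status = Status.OK


@dataclass(frozen=True)
class ChannelResult:
    selected: Optional[float]     # measurement compared against the setpoint
    partial_trip: Optional[bool]  # None when no decision can be made
    valid_count: int
    alarm: bool                   # at least one input carried the ERROR flag
    function_lost: bool           # every input carried the ERROR flag


def evaluate(signals: Sequence[Signal], setpoint: float,
             trip_on_low: bool) -> ChannelResult:
    """Partial trip status of one channel from the redundant measurements."""
    valid = sorted(s.value for s in signals if s.status is Status.OK)
    alarm = len(valid) < len(signals)
    if not valid:
        # The text says only that the function can be postulated lost here;
        # this example reports that and makes no trip decision (assumption).
        return ChannelResult(None, None, 0, alarm, True)
    if len(valid) == 1:
        selected = valid[0]       # assumption: fall back to the only value
    elif trip_on_low:
        selected = valid[1]       # 2nd lowest for a "low trip" parameter
    else:
        selected = valid[-2]      # 2nd highest for a "high trip" parameter
    # Assumption: the comparison is inclusive of the setpoint.
    trip = selected <= setpoint if trip_on_low else selected >= setpoint
    return ChannelResult(selected, trip, len(valid), alarm, False)


# Constructed values for illustration; not plant setpoints.
LOW_SETPOINT = 1800.0
HIGH_SETPOINT = 2355.0


def readings(values, errors=()):
    """Build four constructed channel readings; `errors` names flagged ones."""
    names = "ABCD"
    return [Signal(n, v, Status.ERROR if n in errors else Status.OK)
            for n, v in zip(names, values)]


def run_cases():
    return {
        # One sensor failed low but still reads a number: it is the lowest
        # value, so the 2nd lowest (2148) is used and no trip results.
        "outlier_low": evaluate(readings([2155, 2150, 1500, 2148]),
                                LOW_SETPOINT, trip_on_low=True),
        # Real low condition with one sensor stuck high: still trips.
        "real_demand": evaluate(readings([1790, 1785, 1795, 2150]),
                                LOW_SETPOINT, trip_on_low=True),
        # Channel A flagged ERROR: decision made on the remaining three.
        "reduced_set": evaluate(readings([0, 1785, 1795, 2150], errors="A"),
                                LOW_SETPOINT, trip_on_low=True),
        # High trip: one sensor spiking high is ignored, 2nd highest decides.
        "high_trip": evaluate(readings([2360, 2362, 2900, 2100]),
                              HIGH_SETPOINT, trip_on_low=False),
        # Every input flagged ERROR.
        "all_error": evaluate(readings([0, 0, 0, 0], errors="ABCD"),
                              LOW_SETPOINT, trip_on_low=True),
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(name, result)
```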
The actuation output signals are then routed to the various RPS voter logic relays and actuation devices (Control Rod Drive Trip Devices) or for the ESPS protective system to the digital actuation voter computer units. The ESPS actuation channel logic contains two independent voter computer trains or subsystems. In the ESPS actuation voter computers, the outputs of the data-processing computers of redundant channels are processed together. Each voter computer (train) controls a set of actuators. Each ESPS digital voter uses a pair of Master/Checker computer units in the voting logic to ensure there are no spurious actuations of safety related plant equipment. Each Master/Checker set consists of redundant processors that process the same input signals. The results of the data-processing are compared, and any differences are flagged as possible errors in the processing that developed the voter input signal or in one of the processors that performed the voting function.
Since the Master/Checker redundant processors must use the same input data, the processors run synchronously, unlike the asynchronous processor operations between any two of the input channels of the safety functions. If the Master/Checker processor outputs do not agree, the Master/Checker pair selects the default state, automatically disables outputs to the output modules, and shuts down the power supply of the output modules. The ESPS protective system actuation function will still be completely operable, because the other redundant voter train or subsystem still operates to provide the actuation output signal.
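The Master/Checker comparison and the two-train arrangement described above, modelled in Python as an added example (not the TXS voter implementation). The 2-out-of-N vote, the reading of "default state" as no actuation command, and the latching of a detected disagreement are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Sequence

VoteFn = Callable[[Sequence[bool]], bool]


def two_out_of_n(partial_trips: Sequence[bool]) -> bool:
    """Coincidence vote: actuate when at least two channels report a trip."""
    return sum(bool(p) for p in partial_trips) >= 2


@dataclass(frozen=True)
class TrainOutput:
    train: str
    actuate: bool          # actuation command reaching this train's actuators
    outputs_enabled: bool  # False once outputs to the output modules are disabled
    output_power_on: bool  # False once the output module supply is shut down
    fault_flag: bool       # Master and Checker disagreed


class VoterTrain:
    """One voter train: a Master and a Checker processing the same inputs."""

    def __init__(self, name: str, master: VoteFn = two_out_of_n,
                 checker: VoteFn = two_out_of_n):
        self.name = name
        self.master = master
        self.checker = checker
        self.faulted = False   # assumption: a disagreement stays latched

    def cycle(self, partial_trips: Sequence[bool]) -> TrainOutput:
        snapshot = tuple(partial_trips)   # both processors see identical data
        master_out = self.master(snapshot)
        checker_out = self.checker(snapshot)
        if master_out != checker_out:
            self.faulted = True
        if self.faulted:
            # Default state (assumed: no actuation command), outputs disabled,
            # output module power removed. No spurious actuation can result.
            return TrainOutput(self.name, False, False, False, True)
        return TrainOutput(self.name, master_out, True, True, False)


def run_trains(trains: Sequence[VoterTrain],
               partial_trips: Sequence[bool]) -> List[TrainOutput]:
    """Run one processing cycle on every voter train."""
    return [t.cycle(partial_trips) for t in trains]


def function_available(outputs: Sequence[TrainOutput]) -> bool:
    """The actuation function survives while any train still drives outputs."""
    return any(o.outputs_enabled for o in outputs)


def stuck_high(_partial_trips: Sequence[bool]) -> bool:
    """Constructed processor fault: always demands actuation."""
    return True


if __name__ == "__main__":
    trains = [VoterTrain("1", checker=stuck_high), VoterTrain("2")]
    no_demand = [False, False, False, False]   # constructed partial trips
    demand = [True, True, False, False]
    for label, inputs in (("no demand", no_demand), ("demand", demand)):
        outs = run_trains(trains, inputs)
        print(label, outs, "available:", function_available(outs))
```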
K. Probabilistic Risk Assessment (PRA)
The digital upgrade of the RPS and ESPS will not have a significant impact on the Oconee PRA results. The response of these systems to design basis accidents does not change as a result of this upgrade. The expected high reliability of the digital actuation systems should improve availability of these systems.
L. Updated Final Safety Analysis Report (UFSAR) Summary
Changes to the UFSAR will be required to support this modification. The following sections will potentially be affected and changes will be pursued under 10 CFR 50.71(e):
(1) UFSAR Chapter 1, "Introduction and General Description of Plant"
(2) UFSAR Chapter 3, "Design of Structures, Components, Equipment, and Systems."
(3) UFSAR Chapter 6, "Engineered Safeguards."
(4) UFSAR Chapter 7, Section 7.1, "Instrumentation and Control - Introduction."
(5) UFSAR Chapter 7, Section 7.2, "Reactor Protective System."
(6) UFSAR Chapter 7, Section 7.3, "Engineered Safeguards Protective System."
(7) UFSAR Chapter 7, Section 7.4, "Systems Required for Safe Shutdown."
(8) UFSAR Chapter 7, Section 7.5, "Display Instrumentation"
(9) UFSAR Table 7-1, "Reactor Trip Summary"
(10) UFSAR Figure 7-1, "Reactor Protection System"
(11) UFSAR Figure 7-3, "Typical Power Imbalance Boundaries"
(12) UFSAR Figure 7-6, "Nuclear Instrumentation System"
(13) UFSAR Figure 7-7, "Nuclear Instrumentation Flux Range"
(14) UFSAR Chapter 8.3.2.1.4, "120 VAC Vital Power Buses."
(15) UFSAR Chapter 9.5.1.4.3, "Electric Cable Construction, Cable Tray and Cable Penetrations"
(16) UFSAR Chapter 15, "Accident Analysis".
M. Topical Report EMF-2110(NP)
By letter dated May 5, 2000, the NRC issued a safety evaluation report (SER) which found the TXS System as described in Topical Report EMF-2110 (NP), Revision 1, "TELEPERM XS: A Digital Reactor Protection System," acceptable for referencing in license applications to the extent specified in the topical report and NRC SER.
Digital upgrades to protection systems using the TXS hardware described herein require review of several matters to ensure safe implementation. Installation prerequisites listed in Section 5.0, Summary of Regulatory Compliance Evaluations, of the NRC SER will be met.
The SER requires the following actions to be performed by an applicant when requesting NRC approval for installation of a Siemens (FANP) TXS system (numbering coincides with Section 6.0 Plant-Specific Action Items of the NRC SER for TELEPERM XS platform dated May 5, 2000).
- 1. The licensee must demonstrate that the generic qualification bounds the plant specific condition (i.e., temperature, humidity, seismic, and electromagnetic compatibility) for the location(s) in which the TXS equipment is to be installed. The generic qualification data must comply with EPRI qualification requirements specified in EPRI TR-107330 and TR-102323-R1 (see SER Sections 2.1.2.1, 2.1.2.2, and 2.1.2.3).
Duke Response:
The TXS system being installed at the Oconee Nuclear Station (ONS) is an identical functional design to the TXS system platform described in the Framatome ANP Topical Report, which was approved by the NRC in their Safety Evaluation Report (SER) of the TXS platform, dated May 5, 2000.
The analysis provided below discusses the TXS equipment environmental qualification including seismic and electromagnetic interference (EMI)/radiofrequency interference (RFI) effort as reported in a Siemens (FANP) supplemental report. There are some minor differences between the generically approved TXS and the TXS system being installed at ONS that do not affect the safety conclusions reached in the SER. There is only one major design difference between the two. The CPU module was upgraded to an improved microprocessor manufactured by a different company (AMD).
The original SVE1 used an Intel 486 whereas the new SVE2 uses an AMD K-6.
The communication modules, installed as part of the ONS design, are upgrades (SCP2 vs. SCP1) to the ones approved by the NRC. The communication processors are different and have been upgraded to the SVE2 as discussed for the main processing module. Likewise, the digital and analog input and output modules are identical to the ones reviewed and approved by the NRC. A supplemental qualification report (TXS Supplemental EQ Summary Test Report, DOC ID 66-5015893-00) details the effort undertaken to qualify this new CPU and concludes that the new replacement does not cause a variance in the NRC approval of the original TXS system. In summary, the ONS TXS system is enveloped by the TXS system detailed in the Siemens (FANP) Topical Report and approved by the NRC SER. The TXS system, including the SVE2 microprocessor, meets the qualification guidance presented in EPRI TRs-107330 and 102323-R1.
The TXS system, as described in Siemens (FANP) Topical Report EMF-2110 (NP), Revision 1, "TXS: A Digital Reactor Protection System," will replace the present ONS RPS. In addition, the TXS platform will replace the ESPS as depicted in ONS UFSAR Chapter 7. The data acquisition process, the signal validation, the protection logic and the voting for these systems will now be performed by TXS.
TXS hardware basically consists of four types of components: the subracks, function processors, communication modules, and input/output (I/O) modules. These basic components were configured to constitute a digital safety I&C system to replace the existing ONS analog safety I&C system.
The new configured digital safety I&C system is located in the same place as the existing cabinets and uses the existing field cables for input and output signals. Channel separation will be maintained. These configuration concepts were all discussed as options in the Topical Report and approved by the NRC in their SER for the TXS platform.
The generic TXS design features four types of subracks. All of these are suitable for placement in a 19-inch rack. The subrack (SBG2) chosen for the ONS application is one of these four and contains the electronic printed-circuit boards (PCBs), the K32 backplane bus, the internal power supplies, cooling fans, and subrack component monitoring capabilities. TXS cabinet/subrack cooling fan operation is monitored and fan failures that could result in an internal cabinet temperature increase are alarmed. The cooling fans are designed to cool the TXS hardware mounted in the subracks. The individual subracks are integral to the design and function of the TXS digital systems as described in the Siemens (FANP) Topical Report EMF-2110(NP), Revision 1, "TXS: A Digital Reactor Protection System," and approved by the NRC in their Safety Evaluation Report (SER) dated May 5, 2000.
There are additional details regarding equipment transition and point-to-point connections that were not available for the generic approval. The maintenance of existing wiring and the minimization of the need for and extent of new cable pulls are also not discussed. These actual installation details do not affect the previous NRC approval or the TXS generic qualification effort. However, independence and separation matters are considered and kept in accordance with existing guidance and regulations.
The original equipment qualification was performed through type testing according to German safety standard KTA-3503, Type Testing of Electrical Modules for the Reactor Protection System. The hardware type tests began in 1993 and ended for the first set of hardware modules in 1996. The results of the type tests were documented by certificates and associated evaluation reports. Each qualified component has its own certification and its own evaluation report.
However, this type testing did not completely cover all of the environmental, seismic, and EMI/RFI levels that EPRI TR-107330 discussed. As a result, supplemental testing was performed to establish qualification criteria for temperature and humidity limits, seismic levels, EMI/RFI levels, surge withstand capability limits and electrostatic discharge (ESD) levels in accordance with the EPRI guidance. All aspects of this supplemental testing are summarized in Siemens (FANP) Report, 66-5015893, "TXS Supplemental Equipment Qualification, Summary Test Report." Detailed supplemental qualification reports for all aspects of the TXS system are also available.
This supplemental testing for temperature and humidity levels met the guidance criteria provided in Section 4.3, Section 5.3 and Figure 4-4 of EPRI TR-107330. The TXS equipment was tested without cabinet enclosure to the following temperature/humidity profiles:
Normal/Abnormal Operation:
124°F (51°C) ambient temperature at 90% humidity for 100 hours
Environmental Withstand Operation:
140°F (60°C) ambient temperature at 90% humidity for 48 hrs
40°F (4°C) ambient temperature down to 15% humidity (lowest achievable) for 8 hrs
The normal temperature limit was established at 60 to 104°F with relative humidity of 40 to 95% non-condensing, the abnormal environment at 40 to 124°F with a relative humidity of 10 to 95% non-condensing, and the environmental withstand at 140°F.
ESD supplemental testing was performed and met the guidance provided in EPRI TR-102323, Appendix B, Section 3.5, which duplicates IEC 801-2.
During this test, the equipment test racks were closed with aluminum foil with the exception of the front.
The supplemental test to meet EPRI seismic criteria was also performed.
Using the guidance provided in EPRI TR-107330, Section 4.3.9 and Figure 4-5 and the guidance provided in IEEE Standard 344-1975, testing criteria were established and results were obtained. These results showed that the TXS was qualified and met the EPRI guidance and the IEEE guidance for seismic events. Five Operating Basis Earthquakes (OBEs) and one safe shutdown earthquake (SSE) with 5% damping and three orthogonal directions were used for the test. The TXS operated as intended for the specified level of vibrations. All connections in the TXS remained intact, all modules remained fully inserted and no functional or non-functional parts were disabled for the specified levels.
EMI/RFI testing was included as part of the supplemental testing. The results of the Radiated Susceptibility, Conducted Susceptibility, Radiated Emissions, and Conducted Emissions testing showed that the TXS system is fully qualified to EPRI TR-107330/EPRI TR-102323-R1 susceptibility and emission levels. In addition, supplemental surge withstand capability testing was performed in accordance with EPRI TR-107330 and 102323-R1 levels, IEC 801-5 levels, and IEEE C62.41-1991 guidance. The TXS system is fully qualified in this area.
Reactor Coolant Pump to Power (RCPPM) and power range NI equipment are being addressed separately and are not a part of this TXS LAR submittal.
As stated above, the CPU has been upgraded for the ONS TXS system. The SVE2 is based on the AMD K6 processor, which operates at 266 MHz. This is a second-generation processor for the TXS system and features advanced performance over the SVE1 CPU. This change does not alter in any manner the operating software, the platform software, or the application software.
The software and its design techniques that have been approved by the NRC have not changed. However, there is a change in the equipment qualification for the SVE2 since a new component is being used. It was placed under a supplemental equipment qualification program that tested it for EMI/RFI, temperature, pressure, humidity, surge withstand, electrostatic discharge (ESD), and seismic qualification in the same manner that the SVE1 was tested. The detailed test results and further information regarding the SVE2 tests are documented in TUV test report, 968/K 109.00/02 dated September 13, 2002. This program yielded satisfactory results that fell within the stringent equipment qualification boundaries set by the NRC using EPRI TR-107330 and TR-102323-R1 guidance.
The TXS system to be installed at Oconee is enveloped by the system description in the NRC SER and is completely qualified for its intended application as the RPS and ESPS I&C systems at ONS. The discussion above highlights key design elements for the ONS TXS system that are identical and the one design area that is different between the installed TXS and the generically approved TXS system. The equipment qualification criteria have been verified as part of the supplemental qualification programs since the generic approval was granted by the NRC. The ONS TXS configuration meets all of the applicable equipment qualification criteria including seismic, EMI/RFI, temperature and humidity, surge withstand capability and ESD. The TXS hardware used at ONS and generically has been tested such that the equipment qualification criteria of EPRI TR-107330 and 102323, Revision 1 have been met. Furthermore, analyses show that the TXS equipment qualification criteria bound the plant specific qualification levels for the applicable locations at ONS.
- 2. The licensee's plant-specific software development V&V activities and configuration management procedures must be equivalent to industry standards and practices endorsed by the NRC (as referenced in SRP BTP HICB-14, "Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems") (see SER Sections 4.4, 2.2.3, 2.2.4).
Duke Response:
Verification and Validation Activities
The TXS application software verification and validation (V&V) for Oconee has been established such that the guidance contained in Regulatory Guide 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," and in IEEE Standards 1012, "IEEE Standard for Software Verification and Validation Plans," and 1028, "IEEE Standard for Software Reviews and Audits," has been followed. Document 51-5024087-00, "Oconee Nuclear Station, Unit 3 RPS/ESF Controls Upgrade, Software V&V Plan," defines the method used to evaluate the software design process for TXS application of the ONS RPS/ESPS upgrade. This document provides an overview of the V&V organization, the schedule, the integrity levels, resources, software responsibilities and the tools, techniques and methodologies. The V&V process is delegated and discussed in accordance with the appropriate HICB-BTP-14 life cycle phases. The reporting processes follow the life cycle phases and present the phase identification, task information, discrepancies, quality assurance assessment and recommendations. Discrepancies including open items and deviations are all resolved through a formal process using layered sign-offs.
The V&V process has provided adequate confidence that the requirements are correctly implemented and has prevented the potential for errors or anomalies that may result from the application software development process. The verification, validation, reviews and audit processes were not only consistent with the Regulatory Guide and the IEEE Standards; they also meet all other applicable regulatory requirements and guidance.
Configuration Management
The TXS software configuration management program for the ONS application software will be established such that the guidance contained in the RG 1.169, "Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," and in IEEE Standards 828, "IEEE Standard for Software Configuration Management Plans," and 1042, "IEEE Guide to Software Configuration Management," will be followed.
The SCM program for the ONS application software will be completed successfully. The ONS application software configuration management plan will not only be consistent with the Regulatory Guide and the IEEE Standards; it will also meet the regulatory requirements of 50.55(a)(1), 50.55a(h), and Criterion 1 of the General Design Criteria. Furthermore, the applicable requirements of Appendix B will be met by the use of this application software configuration management program (CMP) for the ONS TXS system. The digital upgrade design change modification will be developed, installed, tested, and maintained in accordance with the ONS change control procedures and CMP.
SER Action Items 3-8 are not applicable to this application of TXS.
- 9. If the licensee installs a TXS reactor protection system, the licensee must provide confirmation that the TXS is diverse from the system for reducing the risk from anticipated transients without scram (ATWS), as required by 10 CFR 50.62. If the licensee installs a TXS ESFAS, the licensee must provide confirmation that the diversity requirements for plant systems (feedwater, auxiliary feedwater, turbine controls, etc.) are maintained (see SER Section 5.0).
Duke Response:
The ATWS Mitigation System is composed of two parts, the ATWS Mitigating System Actuation Circuitry (AMSAC) and the Diverse SCRAM System (DSS). AMSAC was installed in compliance with 10 CFR 50.62 requirements to improve the capability to mitigate an anticipated transient without scram (ATWS) event. The DSS was installed in compliance with 10 CFR 50.62 requirements to improve the capability to mitigate a primary system overpressure event, such as an ATWS event. These systems consist of two Programmable Logic Controllers (PLCs) for the logic control circuits and two Uninterruptible Power Sources (UPS). Inputs from the field sensors are wired to the PLCs and outputs to the final actuation devices are wired using interfacing relays. The PLCs are manufactured by Square D (Schneider Electric) and are SY/MAX Model 400 PLCs. The AMSAC and DSS are an independent and diverse block from the TXS I&C System and will continue to meet all requirements of the ATWS Rule. In accordance with the ATWS Rule, these systems are not affected by a common mode failure (hardware or software) to the RPS/ESPS.
The Oconee AMSAC and DSS systems' attributes have been evaluated for diversity between them and the TXS based RPS/ESPS for the categories of Design Diversity, Human Diversity, Equipment Diversity, Software Diversity, Functional Diversity, and Signal Diversity.
The following are the major differences between the TXS and the ONS AMSAC and DSS:
The design architectures are completely different.
The design organization, management, designers, programmers, and testing engineers are different.
The CPU modules, input/output circuit boards and bus structure are different.
The power supplies are different.
The software operating systems are different.
The software development tools are different.
The software validation tools are different.
The software algorithms, logic, program architecture, timing, and order of execution are different.
The application programs are functionally diverse.
The design architecture diversity attribute is a very powerful type of diversity because this forces different configurations and functionality with different compilers, linkers, and other auxiliary programs to be used. Organizational diversity also has a significant effect on diversity because management controls the resources applied and the corporate culture under which designers and programmers work. The ONS design for the ATWS systems, which consist of non-safety related digital equipment, is clearly diverse and independent from the TXS platform. As such, the ONS ATWS design continues to meet the ATWS Rule with a TXS I&C based RPS/ESPS. If ATWS systems are modified in the future then the diversity arguments presented in this report will be applied and re-evaluated.
The second part of this SER generic open item deals with the requirements for plant control systems such as feedwater, emergency feedwater, turbine controls, etc. to maintain diversity from the ESFAS. The ONS plant control systems are not part of this digital modification and will not be TXS based.
As a result, the diversity between the control systems and ESFAS will be ensured. The design architectures and the design organizations for the plant control systems are completely different from ESFAS. If plant control systems are modified in the future then the diversity arguments presented will be applied and re-evaluated.
The diversity aspects are discussed in more detail in the ONS report "Defense in Depth Assessment Associated with the Digital Upgrade of Oconee's Reactor Protective System and Engineered Safeguards Protective System," that was submitted to the NRC by letter dated March 20, 2003.
- 10. Setpoints will be evaluated on a plant-specific basis. The licensee must ensure that, when the TXS system is installed, overly conservative setpoints that may occur due to the elimination of analog system drift are not retained, as this would increase the possibility that the TXS equipment may be performing outside the vendor specifications. The licensee must provide the staff with a revised setpoint analysis that is applicable to the installed TXS system(s) (see SER Section 4.0).
Duke Response:
The existing RPS/ESPS system sensors, transmitters, and signal input field cables will be maintained. All RPS/ESPS system setpoints will remain unchanged. The RPS/ESPS System Instrument Setpoint Calculations and Instrument Accuracy Uncertainty Calculations will be updated and validated.
Duke will make the updated calculations available for NRC review.
- 11. The licensee must evaluate plant-specific accident analyses to confirm that a TXS reactor trip system (RTS) includes the provision to detect accident conditions and anticipated operational occurrences in order to initiate reactor shutdown (safety analysis confirmation for accuracy and time response) consistent with the accident analysis presented in Chapter 15 of the plant safety analysis report (see SER Section 4.3).
Duke Response:
Duke will evaluate plant-specific accident analyses to confirm that the TXS reactor trip system (RTS) includes the provision to detect accident conditions and anticipated operational occurrences in order to initiate reactor shutdown.
The design basis response times for the RPS/ESPS functions, as identified in the ONS UFSAR Chapter 15, Accident Analyses, will be verified during the performance of the design change process in the vendor Factory Acceptance Test (FAT) and/or the ONS Site Acceptance Test (SAT). The RPS/ESPS System Instrument Setpoint Calculations and Instrument Accuracy Uncertainty Calculations will be updated and validated.
- 12. The staff requires that each licensee ensure that the plant-specific TXS application complies with the criteria of defense against common-mode failures in digital instrumentation and control systems (see SER Section 4.1).
Duke Response:
Duke provided a Defense-in-Depth & Diversity (D-in-D&D) assessment by letter dated March 20, 2003. Duke presented the results of the D-in-D&D assessment in a July 1, 2003, meeting with NRC. Duke provided additional information requested by the NRC by letter dated September 23, 2004. The assessment determined that a diverse Low Pressure Injection (LPI) actuation system would be required to mitigate the LBLOCA or justification would be required to address this specific vulnerability. Duke justified eliminating this specific vulnerability by crediting leakage detection systems and pre-defined operating procedures that together enable operators to detect small leaks and take corrective action before a large break occurs. BTP HICB 19 cited this as an approach that has been accepted in the past by the NRC.
However, the NRC advised Duke on October 5, 2004, that they would not accept crediting leakage detection systems for this specific application.
Based on this decision, Duke presented design requirements for a diverse LPI actuation system in a meeting with the NRC on November 17, 2004.
During that meeting, the NRC agreed that the design requirements presented were acceptable for meeting BTP HICB 19 guidance.
As discussed in the November 17, 2004, meeting, Duke is following the EPRI risk informed D-in-D&D effort and plans to submit a plant specific risk informed D-in-D&D assessment to justify eliminating the need to install the diverse LPI actuation in early 2005.
- 13. The licensee should propose plant-specific Technical Specifications including periodic test intervals (see SER Section 4.2).
Duke Response:
See Section N of this Attachment.
- 14. The licensee should demonstrate that the power supply to the TXS system complies with EPRI TR-107330 requirements (see SER Section 2.1.2.4).
Duke Response:
For the ONS TXS application, the instrument racks will be provided with a 120 VAC power source (existing). The TXS system will utilize a 24 VDC power supply, which will be provided by a rack-internal 120 VAC/24 VDC power supply converter in a 2x2 redundant configuration. The power supplies will be commercially dedicated and qualified by Framatome ANP for this ONS safety related, Quality Condition I application. The power supplies will be tested in accordance with environmental, seismic and EMI/RFI qualification tests of EPRI TR-107330, "Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants."
- 15. The licensee should demonstrate that the qualification of the isolation devices was performed in accordance with EPRI TR-107330 requirements (see SER Section 2.1.3).
Duke Response:
In the ONS TXS system design, signals interacting between redundant Class-1E channels use end-to-end fiber-optic cables that were found acceptable by the NRC (Section 2.1.3 of the TXS Generic SER). The TXS communication from the safety I&C system to the non-safety plant information system is done via the Monitoring and Service Interface (MSI). The MSI serves as a means of isolation within the TXS architecture. However, isolation devices external to the TXS architecture between the TXS safety I&C system and non-safety systems were not identified at the time of the NRC generic review. The qualification of these isolation devices in accordance with EPRI TR-107330 was identified as a plant specific action item.
Class 1E/non-1E isolation testing was part of both the baseline TXS qualification testing described in the TXS topical report and was done in accordance with EPRI TR-107330 guidance. The supplemental testing program provided for acceptable qualification of analog isolation devices and mechanical and solid state relays to provide adequate coil-to-contact isolation.
In summary, the isolation devices utilized for the ONS TXS system will meet the isolation guidance provided in EPRI TR-107330; SRP HICB BTP-11, "Guidance on Application and Qualification of Isolation Devices," and IEEE Std 384-1981, "Standard Criteria for Independence of Class 1E Equipment and Circuits," and the applicable isolation requirements provided in IEEE 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations."
- 16. The licensee should demonstrate that Siemens (FANP) TXP (control systems) or other manufacturer's control systems satisfy the acceptance guidance set forth in Section 4.1 of this safety evaluation (see SER Section 4.1).
Duke Response:
Not applicable. Duke is not installing a new control system.
- 17. The licensee should address the need for a requirement traceability matrix (RTM) for enumerating and tracking each system requirement throughout its life cycle, particularly as part of making future modifications (see SER Section 4.4).
Duke Response:
The TELEPERM XS vendor will develop a Requirements Traceability Matrix (RTM) as part of the vendor's project Software V&V Plan. This RTM will be contained in the FANP RPS/ESPS Software Requirements Review Report. The RTM will contain the requirements identified in the Function Requirements Specification (FRS), the Software Requirements Specification (SRS), and other project design input documents. The RTM is a living document which will be maintained throughout the life cycle of the ONS TELEPERM XS software development process and will be turned over to Duke Power, as part of the engineering design change documentation process. At that point ONS will control the requirements utilizing the Duke design change modification and configuration control processes.
Specifically, Nuclear Station Directive (NSD) 800, "Software and Data Quality Assurance (SDQA) Program," fulfills the requirements of the Duke Energy Corporation Topical Report, Quality Assurance Program related to the development, procurement, operation, and maintenance of software and February 14, 2005 Page 30 data. It also describes the Quality Assurance requirements for nuclear safety related (QA Condition 1) software and data. It provides direction for development, maintenance, management and Configuration Management of software, data, firmware and associated hardware.
N.
Description of the Technical Specification Change The proposed Technical Specification (TS) change revises TS 1.1, 3.3.1, 3.3.3, 3.3.5, and 3.3.7 and their associated Bases. The TS Bases for 3.3.6 is also revised to reflect changes associated with the digital upgrade. Since Oconee Nuclear Station (ONS) TSs are common to three Oconee Units, notes and qualifiers are used where appropriate to distinguish between requirements of Unit(s) with the RPS/ESPS digital upgrade complete and Unit(s) with the RPS/ESPS digital upgrade not complete. Attachment 1 provides the proposed TS pages. Attachment 2 provides a mark-up of the applicable TS pages. The proposed changes to the TS for ONS are described and justified below.
- 1. TS 1.1 Definitions
The definition of CHANNEL FUNCTIONAL TEST (CFT) is revised to provide a separate definition for digital computer channels. The revised definition is consistent with the Combustion Engineering Owners Group (CEOG) Standard Technical Specification (STS) definition for CFT and is appropriate for Oconee's plant specific application. The revised definition is as follows:
"A CHANNEL FUNCTIONAL TEST shall be:
- a. Analog and bistable channels - the injection of a simulated or actual signal into the channel as close to the sensor as practicable to verify OPERABILITY of all devices in the channel required for channel OPERABILITY,
- b. Digital computer channels - the use of diagnostic programs to test digital computer hardware and the injection of simulated process data into the channel to verify channel OPERABILITY.
The CHANNEL FUNCTIONAL TEST may be performed by means of any series of sequential, overlapping, or total channel steps so that the entire channel is tested."
The TXS SER from the NRC, dated May 5, 2000, section 4.2 "Surveillance Testing of the TXS System," provides the measures for the TXS implementation of the testing. As referenced in the TXS SER, Report EMF-2341 (P), "Generic Strategy for Periodic Surveillance Testing of TELEPERM XS Systems in U.S. Nuclear Generating Stations," dated 12/28/1999, NRC:99:056, provides the methods for performing the various surveillance testing by TXS. Table 1.1 of EMF-2341 (P) provides a listing of the various surveillance testing and how TXS performs those tests. Functional tests are accomplished by three tests:
- 1) Continuous self monitoring (section 2 of EMF-2341 (P)),
- 2) Periodic input channel tests (section 5 of EMF-2341 (P)), and
- 3) Periodic output channel tests (section 6 of EMF-2341 (P)).
Logic System Functional Tests are accomplished by continuous self monitoring (section 2 of EMF-2341 (P)).
Section 4.1 of EMF-2341 (P) describes the periodic functional tests that must be performed for a TXS during a refueling outage. Section 2 of EMF-2341 (P) provides the details of the TXS continuous self monitoring. In addition to the continuous self monitoring described in section 2 of EMF-2341 (P), section 3 describes the start-up self tests. The periodic functional tests that must be performed are the continuous self-monitoring (section 2 of EMF-2341 (P)), start-up self tests (section 3 of EMF-2341 (P)), manual verification of the correct version of the software installed in the individual CPUs by reading the CRC-sums, and manual verification of the changeable parameters stored in the EEPROM.
- 2. TS 3.3.1, Reactor Protective System (RPS) Instrumentation
A note is added to SR 3.3.1.1 to indicate that SR 3.3.1.1 is not applicable to Unit(s) with the RPS digital upgrade complete. The Bases for elimination of the CHANNEL CHECK is provided below. A note is added to SR 3.3.1.4 (CHANNEL FUNCTIONAL TEST) to indicate that SR 3.3.1.4 is not applicable to Unit(s) with the RPS digital upgrade complete. The CHANNEL FUNCTIONAL TEST is a subset of the CHANNEL CALIBRATION required by SR 3.3.1.5, which has an 18 month frequency. The Bases for extending the CHANNEL FUNCTIONAL TEST frequency to 18 months is provided below.
TS Bases 3.3.1 is revised to reflect the above changes and to distinguish where necessary the design differences between Unit(s) with the RPS digital upgrade complete and Unit(s) with the RPS digital upgrade not complete.
- 3. TS 3.3.3, Reactor Protective System (RPS) - Reactor Trip Module (RTM)
The title is changed to "Reactor Protective System (RPS) - Reactor Trip Component (RTC)" to accommodate the Reactor Trip Module (RTM) of the existing design and the Reactor Trip Relay (RTR) of the new digital control system. The only change to the TS is an SR frequency change. An 18 month Frequency is added to SR 3.3.3.1 indicating this frequency is applicable to Unit(s) with the RPS digital upgrade complete. A qualifier is added to the 31 day Frequency to indicate this frequency is applicable to Unit(s) with the RPS digital upgrade not complete. The Bases for extending the CHANNEL FUNCTIONAL TEST frequency to 18 months is provided below. TS Bases 3.3.3 is revised to reflect the above changes and to distinguish where necessary the design differences between Unit(s) with the RPS digital upgrade complete and Unit(s) with the RPS digital upgrade not complete.
- 4. TS 3.3.5, Engineered Safeguards Protective System (ESPS) Analog Instrumentation
The TS Title is changed to "Engineered Safeguards Protective System (ESPS) Input Instrumentation," and the term "analog" is replaced with "input" throughout to accommodate the old and new ESPS design. A note is added to SR 3.3.5.1 to indicate that SR 3.3.5.1 is not applicable to Unit(s) with the ESPS digital upgrade complete. The Bases for elimination of the CHANNEL CHECK is provided below. A note is added to SR 3.3.5.2 to indicate that SR 3.3.5.2 (CHANNEL FUNCTIONAL TEST) is not applicable to Unit(s) with the ESPS digital upgrade complete. The CHANNEL FUNCTIONAL TEST is a subset of the CHANNEL CALIBRATION required by SR 3.3.5.3, which has an 18 month frequency. The Bases for extending the CHANNEL FUNCTIONAL TEST frequency to 18 months is provided below. TS Bases 3.3.5 is revised to reflect the above changes and to distinguish where necessary the design differences between Unit(s) with the ESPS digital upgrade complete and Unit(s) with the ESPS digital upgrade not complete.
- 5. TS 3.3.7, Engineered Safeguards Protective System (ESPS) Digital Automatic Actuation Logic Channels
The TS Title is changed to "Engineered Safeguards Protective System (ESPS) Output Logic Channels," and the term "digital automatic actuation logic channels" is replaced with "automatic actuation output logic channels" throughout to accommodate the old and new ESPS design. An 18 month Frequency is added to SR 3.3.7.1 indicating this frequency is applicable to Unit(s) with the ESPS digital upgrade complete. A qualifier is added to the 31 day Frequency to indicate this frequency is applicable to Unit(s) with the ESPS digital upgrade not complete. The Bases for extending the CHANNEL FUNCTIONAL TEST frequency to 18 months is provided below. TS Bases 3.3.7 is revised to reflect the above changes and to distinguish where necessary the design differences between Unit(s) with the ESPS digital upgrade complete and Unit(s) with the ESPS digital upgrade not complete.
- 6. Justification for Eliminating CHANNEL CHECKS
This TS change proposes to eliminate the 12 hour CHANNEL CHECKS of SR 3.3.1.1 and SR 3.3.5.1. The TXS RPS/ESPS digital control systems provide continuous online automatic monitoring of each of the input signals in each channel, perform software limit checking (Signal Online Validation) against required acceptance criteria, and perform hardware functional validation so that the CHANNEL CHECK requirement is continuously being performed.
The TXS network architecture separates the task of acquiring and distributing the signals from the task of processing the safety function. The task of processing the safety function itself is separated from the "2-out-of-4" (2/4) or "2-out-of-3" (2/3) output voting. The TXS software function blocks utilize the 2nd maximum (2.Max), 2nd minimum (2.Min) signal value selection process and a "2/4 - 2/3" coincidence logic to implement the separation of those tasks.
Each of the four RPS channels and the duplicated ESPS channels has its own set of input signals. After the TXS software in the respective channel protective set computer has acquired the signals, the signals are conditioned and converted into engineering units. The signals are then distributed to the other RPS/ESPS channel sets. The distribution is implemented using fiber optic data links in order to fulfill channel isolation requirements. Therefore, each RPS channel set will receive the input signals from all four channels and each ESPS channel set will receive the input signals from all three channels.
Channel Check requirements are met automatically by the signal validation and signal comparison functions performed continuously by the Teleperm TXS RPS/ESPS:
- Range Monitoring of Analog Input Signals
- Consistency Checks of Redundant Channels
- a. Range Monitoring of Analog Input Signals (Analog Signal Failure Detection)
The TXS system will continuously monitor analog signals for signals that are below a signal range that is electrically possible (automatic "failed low" detection of sensors or signals). Lower Limit setpoints will be defined to identify these analog sensor/signal failures. If a failure in the signal conditioning or in the signal acquisition modules occurs, the signal is marked as faulty by the TXS system software using the status flag "Failure." The input signal function blocks, 2.MAX, 2.MIN, or 2/4 - 2/3 will constantly screen their input signals and exclude faulty signals from further calculation.
The TXS system will continue the safety function logic process by selecting the 2.MIN or the 2.MAX from the remaining valid signals. If any protective channel input signal is identified as in the FAILURE status this condition is alarmed on the Unit Statalarm and input to the plant OAC.
- b. Consistency Checks of Redundant Channels (Analog Signal Comparisons)
Equivalent analog signals of different measuring channels (i.e., redundant channels) will continuously be compared with each other to detect and monitor channel signal deviations. This includes the entire instrument chain consisting of sensor, transducer, input signal module and the associated equipment for signal transfer.
Consistency checks comprise monitoring values of redundantly measured analog signals. If the signals are not within a pre-defined tolerance range, this condition is alarmed on the Unit Statalarm and input to the plant OAC.
Channel deviations are not excluded from processing in the safety calculations, 2.MAX, 2.MIN, or 2/4 - 2/3 processing, but are alarmed on the Unit Statalarm and input to the plant OAC. A channel comparison tolerance will be established for each specific process parameter based on the licensing basis, channel loop accuracy, and other appropriate documents. This will ensure that the TXS RPS/ESPS automatic channel comparison functions meet or exceed the performance of the existing manual Channel Checks.
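The screening, selection and voting behaviour described in this section can be sketched in Python. This is an added illustration, not FANP or Duke code: the function names, the handling of cases with fewer valid signals than the text covers, the median-based deviation check, and every sample value are assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Signal:
    channel: str
    value: float           # engineering units
    failure: bool = False  # status flag "Failure"


def acquire(raw: dict[str, float], lower_limit: float) -> list[Signal]:
    """Range monitoring: a value below the electrically possible range is
    flagged as failed low rather than trusted as a measurement."""
    return [Signal(ch, v, failure=v < lower_limit) for ch, v in sorted(raw.items())]


def _valid_values(signals: list[Signal]) -> list[float]:
    # Faulty signals are excluded from further calculation.
    return sorted(s.value for s in signals if not s.failure)


def second_max(signals: list[Signal]) -> float | None:
    """2.Max over the valid signals. Assumption: one valid signal is used
    as-is; with none left the result is None."""
    vals = _valid_values(signals)
    if not vals:
        return None
    return vals[-2] if len(vals) >= 2 else vals[0]


def second_min(signals: list[Signal]) -> float | None:
    """2.Min over the valid signals, same assumptions as second_max."""
    vals = _valid_values(signals)
    if not vals:
        return None
    return vals[1] if len(vals) >= 2 else vals[0]


def consistency_alarms(signals: list[Signal], tolerance: float) -> list[str]:
    """Channels deviating from the median of the valid redundant signals by
    more than the tolerance. Deviating channels are alarmed only; they stay
    in the 2.Max / 2.Min selection."""
    valid = [s for s in signals if not s.failure]
    if len(valid) < 2:
        return []
    mid = median(s.value for s in valid)
    return [s.channel for s in valid if abs(s.value - mid) > tolerance]


def coincidence(votes: list[tuple[bool, bool]]) -> tuple[str, bool]:
    """votes holds (trip_demand, failure) per channel. Faulty inputs are
    screened out, so 2/4 voting becomes 2/3 with one faulty input
    (this reading of "2/4 - 2/3" is an assumption). Other counts are
    rejected because the text does not describe them."""
    valid = [demand for demand, failure in votes if not failure]
    if len(valid) not in (3, 4):
        raise ValueError("only 2/4 and 2/3 voting are described")
    return f"2/{len(valid)}", sum(valid) >= 2


def trip_demand_high(signals: list[Signal], setpoint: float) -> bool:
    """High-trip demand from 2.Max. Assumption: no valid input is treated
    as a demand."""
    selected = second_max(signals)
    return True if selected is None else selected >= setpoint


if __name__ == "__main__":
    # Constructed readings: channel D has failed low.
    sigs = acquire({"A": 2155.0, "B": 2150.0, "C": 2148.0, "D": 0.0}, 1500.0)
    print(second_max(sigs), second_min(sigs), consistency_alarms(sigs, 25.0))
```

A single channel reading high is alarmed by the consistency check but cannot move 2.Max on its own, which is why the page can leave deviating channels in the calculation.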
- 7. Justification for Extending the Frequency of CHANNEL FUNCTIONAL TESTS
The proposed TS change extends the frequency for performing the following CHANNEL FUNCTIONAL TESTS:
- RPS Instrumentation SR 3.3.1.4 - From 45 days on a STAGGERED TEST BASIS to 18 months
- RPS Reactor Trip Module (relay) SR 3.3.3.1 - From 31 days to 18 months
- ESPS (Analog) Instrumentation SR 3.3.5.2 - From 92 days to 18 months
- ESPS Automatic Actuation Output Logic SR 3.3.7.1 - From 31 days to 18 months
The TXS analog signal failure monitoring and channel comparisons ensure the analog signal functions are operable, as described above under "Justification for Eliminating CHANNEL CHECK." In addition, the TXS Watchdog performs a continual online hardware monitoring of the TXS system.
The TXS Run Time Environment (RTE) online software application, which provides continuous self monitoring functions for signal error detection, works on a cyclic basis. The TXS System response time depends on the calculation response cycle time. The TXS system response cycle time for the RPS is estimated as < 90 ms and the ESPS response cycle time is estimated to be < 180 ms. The RTE includes a timer that monitors the internal counter of the cyclic self monitoring task, which is incremented once in every complete cycle of the cyclic self monitoring. The timer is triggered by the self monitoring task when the cycle is started. If the counter has not been incremented within 1 hour (3600s), the RTE issues an error message. The complete cycle is typically carried out in 300 to 600 seconds.
- a. Watchdog Monitoring of RTE Cycle Task
Watchdog is a TXS hardware monitoring feature triggered by the RTE software. Watchdog monitors the cyclic processing of the RTE. At the beginning of each computing cycle, the Watchdog timer is set to Tcyc+1 10ms. If the Watchdog is not triggered by the RTE in time, it times out and activates the Exception Handler software through a Non-Maskable Interrupt, which cannot be blocked by any communications functions. The Exception Handler blocks the outputs and initiates a reset of the CPU.
Actuation of the Exception Handler condition is alarmed on the Unit control room Statalarm and a signal is sent to the plant OAC.
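The two supervision layers described above (the RTE timer on the self monitoring counter and the hardware Watchdog on each computing cycle) can be modelled as a small simulation. This is an added example, not TXS code: the class and function names are hypothetical, and the 50 ms cycle and 10 ms margin are constructed values; only the 3600 s limit comes from the text.

```python
from dataclasses import dataclass, field

SELF_TEST_TIMEOUT_S = 3600  # from the text: counter must advance within 1 hour


@dataclass
class Cpu:
    cycle_ms: int    # nominal computing cycle (constructed value in the demo)
    margin_ms: int   # allowance added to the cycle time (constructed value)
    outputs_blocked: bool = False
    resets: int = 0
    alarms: list = field(default_factory=list)

    def exception_handler(self, now_ms: int) -> None:
        # Entered through the non-maskable interrupt: block the outputs,
        # reset the CPU, and raise the alarm.
        self.outputs_blocked = True
        self.resets += 1
        self.alarms.append((now_ms, "watchdog timeout"))


def run_cycles(cpu: Cpu, durations_ms: list[int]):
    """Each entry is how long one computing cycle actually took. The
    watchdog is armed at the start of every cycle; if the cycle has not
    finished by the deadline the exception handler runs. Returns the index
    of the overrunning cycle, or None if every cycle met its deadline."""
    now = 0
    for index, took in enumerate(durations_ms):
        deadline = now + cpu.cycle_ms + cpu.margin_ms
        if now + took > deadline:
            cpu.exception_handler(deadline)
            return index
        now += max(took, cpu.cycle_ms)  # next cycle starts, watchdog re-armed
    return None


class SelfTestSupervisor:
    """Timer on the counter that the cyclic self monitoring task increments
    once per complete pass."""

    def __init__(self, timeout_s: int = SELF_TEST_TIMEOUT_S):
        self.timeout_s = timeout_s
        self.last_count = 0
        self.last_change_s = 0

    def poll(self, now_s: int, counter: int) -> bool:
        """Return True when an error message is due."""
        if counter != self.last_count:
            self.last_count = counter
            self.last_change_s = now_s
            return False
        return now_s - self.last_change_s >= self.timeout_s


if __name__ == "__main__":
    cpu = Cpu(cycle_ms=50, margin_ms=10)
    print(run_cycles(cpu, [40, 75, 40]), cpu.outputs_blocked, cpu.alarms)
```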
The reactor trip function and engineered safeguards system actuation will be tested at the same surveillance test interval as the input sensor calibrations (18 months). The CHANNEL FUNCTIONAL TESTS will test all required logic components of each logic path, from as close to the sensor as practicable up to, but not including, the actuated device, to verify operability.
Plant parameter input sensors/signals will be verified to be within the required accuracy and the operability of each safety related actuation component will be verified.
TXS function block signal values (set points) are predefined and programmable (as required) and will remain constant. No online adjustments can be performed to the function blocks. Digital design electronic equipment is not subject to drift. Values remain constant and infinitely repeatable unless changed (re-programmed).
- b. TELEPERM TXS Software and Hardware Reliability
The TXS Reliability Analysis will provide a quantitative study of the expected reliability of the RPS/ESPS TXS system (software and hardware) and document the TXS system's susceptibility to various types of faults.
Both qualitative analysis and quantitative analysis are utilized to identify the possible failure modes, methods for eliminating or reducing the frequency or consequences of the postulated failures, and calculating the probabilities of failures and estimates of reliability and availability. The TXS Reliability Analysis will provide proof that the proposed ONS TXS RPS/ESPS system reliability/availability is greater than those values assumed in the ONS Probability Risk Assessment and accident analysis of the existing systems.
Software is not susceptible to transient, random, aging or environmental related faults. Software does not "fail" in the conventional sense the way a hardware component will fail. Thus, it can be reasonably expected to exhibit no degradation from these factors and no analysis can provide a qualitative analysis (in a numerical sense) of the probability of failure. However, a quality study of the reliability for the TXS software will be documented in the TXS FMEA. The TXS design utilizes various software fault avoidance strategies to ensure that the system can perform its intended safety function.
The scope/bounds of the RPS/ESPS system hardware is defined as the input sensor/signal termination points (terminal blocks), the protective channel sets (input signal function modules and isolation modules), the protective channel set computers, the ESPS actuation computers (Voters), the output function modules, the RPS reactor trip relay sets and associated contacts, and the ESPS interposing relays and associated contacts.
A CHANNEL CHECK of the input sensor signals is performed continuously online by the TXS RTE software as described in the above discussion of the TXS functional operational design capabilities. Therefore, Duke proposes to eliminate the 12 hour CHANNEL CHECK for the ONS Unit(s) that have implemented the TXS digital control system upgrades. Periodic verification (during refueling outages) of the accuracy and time responses of the analog input modules will be performed. The TXS protective system provides continuous self monitoring and online diagnostics to verify proper functioning of the digital protective system and to ensure the integrity of the installed application (hardware) and operating software.
TXS system online continuous monitoring feature for input signal validation coupled with TXS reliability data for the remaining portion fulfills the CHANNEL FUNCTIONAL TEST requirement. Any input signal deviations from a pre-defined value, signal failures, or hardware failures resulting in loss of signal will be detected and immediately alarmed providing for prompt Operations staff response. The online, continuous self monitoring features of the TXS system monitor the TXS RPS/ESPS systems from the sensor inputs to the output function modules. Additionally, the reliability analysis for the RPS reactor trip relays and contacts and the ESPS interposing relays and contacts establishes the technical basis for a CHANNEL FUNCTIONAL TEST frequency of 18 months.
The TXS functional operational design capabilities described above demonstrate that the CHANNEL FUNCTIONAL TESTS of the complete RPS/ESPS protective system is being performed continuously online by the TXS RTE software. Those portions of the system not within the bounds of this online continuous monitoring have a reliability and availability factor which supports the proposed Surveillance Requirement frequency. Therefore, for the ONS Units that have implemented the TXS digital control system upgrades, the Surveillance Requirement frequency extension to 18 months is justified. Any input signal deviations from a pre-defined value, signal failures, or hardware failures resulting in loss of signal will be detected and immediately alarmed providing for prompt Operations staff response.
The continuous online monitoring performed by the TXS protective systems is described in the Siemens (FANP) report EMF-2110(NP), Revision 1, "TELEPERM XS: A Digital Reactor Protection System." By letter dated May 5, 2000, the NRC found the TXS System acceptable and found the Topical Report EMF-2110(NP), Revision 1, acceptable for referencing in license applications to the extent specified in the topical report and NRC Safety Evaluation.
Figure 1 TELEPERM XS RPS/ESPS System Network Architecture (without MSI network)
[Figure not reproduced. Recoverable labels: ESFAS and RPS input channels, Voters (odd and even), Status computers, ESF outputs for odd and even channels, fiber optic SINEC L2 data links.]
The TELEPERM XS RPS/ESPS system consists of (refer to Figures 1 and 2):
Four RPS Protective Channel Sets implementing the Reactor Trip Functions. Note: Three of the RPS Protective Channel Sets (A, B, and C) perform the redundant ESPS functions of the ESPS Protective System.
Three ESPS Protective Channel Sets, implementing the ESPS trip functions.
Two trains of ESPS Actuation Computers (Voters), each consisting of redundant subsystems, implementing the ESPS component actuation based on voted inputs from the three ESPS protective channel sets and redundant inputs from the three ESPS functions being performed in the RPS protective channel set computers.
Two ESPS Status Computers, acquiring the status check back information from the ESF components.
One RPS computer ("RPS-E") providing information to the control board and the Integrated Control System (ICS) and implementing the functions of the TXS Monitoring and Service Interface (MSI).
One non-safety related (NIE) Communication Bridge ("TXS Gateway") to the plant Operator Aid Computer (OAC).
One NIE TXS Service Unit.
Figure 2 TELEPERM XS RPS/ESPS System Network Architecture (with MSI network shown)
The MSI gathers status information from all TXS subsystems and evaluates the condition of the system. Each TXS subsystem is connected with the MSI via SINEC-L2 fiber-optic data links.
The MSI also establishes the connection to the TXS gateway and the TXS Service Unit, using a SINEC H1 hardwire data link.
For maintenance and diagnostic purposes, one TELEPERM Service Unit with the Specification and Coding Environment (SPACE) tool set will be provided per ONS unit. The Service Unit is connected to the MSI computer and to the Test Machine.
The Test Machine provides a means for performing periodic surveillance testing. It includes equipment to inject signals into the input circuitry of the Channel Sets. The Test Machine is connected to the input circuitry via a plug connector. The Test Machine is connected to the Service Unit, in order to receive information about the acquired signal values.
Table I List of NRC Commitments
- 1. Duke will evaluate and confirm that the modification does not impact the Station Blackout Analysis for Oconee. (pg. 15 - Section G)
- 2. If ATWS systems are modified in the future then the diversity arguments presented in this report will be applied and re-evaluated. (pg. 25 - Section M.9)
- 3. If plant control systems are modified in the future then the diversity arguments presented will be applied and re-evaluated. (pg. 25 & 26 - Section M.9)
- 4. Duke will make updated RPS/ESPS System Instrument Setpoint Calculations and Instrument Accuracy Uncertainty Calculations available for NRC review. (pg. 26 - Section M.10)
No Significant Hazards Determination
Pursuant to 10 CFR 50.91, Duke Power Company (Duke) has made the determination that this amendment request involves a No Significant Hazards Consideration by applying the standards established by the NRC regulations in 10 CFR 50.92. This ensures that operation of the facility in accordance with the proposed amendment would not:
(1) Involve a significant increase in the probability or consequences of an accident previously evaluated:
No. The analog based RPS/ESPS currently described in the Updated Final Safety Analysis Report is being replaced with a digital based RPS/ESPS. The proposed Technical Specification (TS) change eliminates CHANNEL CHECKS (CCs) and extends the surveillance interval (SI) for CHANNEL FUNCTIONAL TESTS (CFTs). The replacement RPS/ESPS performs the same functions that are currently performed by the existing systems and has additional capabilities that justify elimination of the CCs and extension of the SI for CFTs. The TXS RPS/ESPS digital control systems provide continuous online automatic monitoring of each of the input signals in each channel, perform software limit checking (Signal Online Validation) against required acceptance criteria, and perform hardware functional validation so that the CHANNEL CHECK requirement is continuously being performed. The TXS functional operational design capabilities demonstrate that the CHANNEL FUNCTIONAL TESTS of the complete RPS/ESPS protective system are being performed continuously online by the TXS run time environment (RTE) software.
Those portions of the system not within the bounds of this online continuous monitoring have a reliability and availability factor which support CFT SI extensions. Safety features have been designed into RPS/ESPS to prevent spurious actuation. Reactor protection is by four channels with 2/4 coincidence, and engineered safeguards features are by three channels with 2/3 coincidence. This design provides redundancy against the effects of single failures that could cause spurious actuation. The RPS and ESPS are used to mitigate an accident; therefore, there is no significant increase in the probability of an accident. Since the replacement RPS/ESPS performs the same functions that are currently performed by the existing systems, the proposed modification does not result in a significant increase in the consequences of an accident previously evaluated. Therefore, the installation of RPS/ESPS digital modification does not involve a significant increase in the probability or consequences of an accident previously evaluated.
(2) Create the possibility of a new or different kind of accident from any kind of accident previously evaluated:
No. The analog based RPS/ESPS is being replaced by a digital based RPS/ESPS with additional capabilities that justify elimination of CCs and extension of CFT SIs. The replacement RPS/ESPS performs the same functions that are currently performed by the existing systems. Safety features have been designed into RPS/ESPS to prevent spurious actuation. Reactor protection is by four channels with 2/4 coincidence, and engineered safeguards features are by three channels with 2/3 coincidence. This design provides redundancy against the effects of single failures that could cause spurious actuation. All Protection System functions are implemented by redundant sensors, instrument strings, logic, and actuation devices that combine to form the protection channels. There are no postulated failures such as loss of power that differ from those assumed for an analog control system that would prevent proper system actuation. Therefore, the replacement RPS does not introduce hardware failures that inhibit a CRD trip when required and the replacement ESPS does not introduce hardware failures that inhibit proper operation of Engineered Safeguards equipment. As such, the proposed modification does not create the possibility of a new or different kind of accident from any kind previously evaluated.
(3) Involve a significant reduction in a margin of safety.
No. The proposed change does not adversely affect any plant safety limits, set points, or design parameters. The change also does not adversely affect the fuel, fuel cladding, Reactor Coolant System, or containment integrity. The analog based RPS/ESPS currently described in the Updated Final Safety Analysis Report is being replaced with a digital based RPS/ESPS. The replacement RPS/ESPS performs the same functions that are currently performed by the existing systems. The additional capabilities of the TXS system justify elimination of CCs and extension of CFT SIs.
Therefore, the proposed change does not involve a significant reduction in a margin of safety.
Duke has concluded, based on the above, that there are no significant hazards considerations involved in this amendment request.
ATTACHMENT 5 Environmental Assessment
Pursuant to 10 CFR 51.22(b), an evaluation of the license amendment request (LAR) has been performed to determine whether or not it meets the criteria for categorical exclusion set forth in 10 CFR 51.22(c)9 of the regulations. The LAR does not involve:
- 1) A significant hazards consideration.
This conclusion is supported by the determination of no significant hazards contained in Attachment 4.
- 2) A significant change in the types or significant increase in the amounts of any effluents that may be released offsite.
This LAR will not change the types or amounts of any effluents that may be released offsite.
- 3) A significant increase in the individual or cumulative occupational radiation exposure.
This LAR will not increase the individual or cumulative occupational radiation exposure.
In summary, this LAR meets the criteria set forth in 10 CFR 51.22 (c)9 of the regulations for categorical exclusion from an environmental impact statement.