ML072120076
| ML072120076 | |
| Person / Time | |
|---|---|
| Site: | Technical Specifications Task Force |
| Issue date: | 07/25/2007 |
| From: | Kobetz T NRC/NRR/ADRO/DIRS/ITSB |
| To: | Technical Specifications Task Force |
| Schulten C. S., NRR/DIRS, 415-1192 | |
| Shared Package | |
| ML072070202 | List: |
| References | |
| TAC MD5249, TSTF-493, Rev 2 | |
Text
ECCS Instrumentation B 3.3.5.1
BWR/4 STS B 3.3.5.1-1 Rev. 3.0, 03/31/04
B 3.3 INSTRUMENTATION
B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation
BASES
BACKGROUND
The purpose of the ECCS instrumentation is to initiate appropriate responses from the systems to ensure that the fuel is adequately cooled in the event of a design basis accident or transient. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the ECCS, as well as LCOs on other reactor system parameters and equipment performance. The subset of LSSS that directly protect against violating the reactor core Safety Limits or the Reactor Coolant System (RCS) pressure boundary Safety Limits during anticipated operational occurrences (AOOs) are referred to as Safety Limit LSSS (SL-LSSS).
10 CFR 50.36(c)(1)(ii)(A) requires that TSs include LSSSs for variables that have significant safety functions. For variables on which a SL has been placed, the LSSS must be chosen to initiate automatic protective action to correct abnormal situations before the SL is exceeded.
Technical Specifications are required by 10 CFR 50.36 to contain LSSS defined by the regulation as "...settings for automatic protective devices...so chosen that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that an SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded.
However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.
REVIEWER'S NOTE ----------------------------------
The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the setpoint value calculated by means of the plant-specific setpoint methodology documented in a document controlled under 10 CFR 50.59.
The term Limiting Trip Setpoint indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting.
Where margin is added between the Analytical Limit and trip setpoint, the term Nominal Trip Setpoint (NTSP) is preferred. The trip setpoint (field setting) may be more conservative than the Limiting or Nominal Trip Setpoint. Where the [LTSP] is not documented in a column in Table 3.3.5.1-1 for the purpose of compliance with 10 CFR 50.36, the plant-specific term for the Limiting or Nominal Trip Setpoint must be cited in Note f of Table 3.3.5.1-1. The brackets indicate plant-specific terms may apply, as reviewed and approved by the NRC. The as-found and as-left tolerances will apply to the actual setpoint implemented in the Surveillance procedures to confirm channel performance.
Licensees are to insert the name of the document(s) controlled under 10 CFR 50.59 that contain the [LTSP] and the methodology for calculating the as-left and as-found tolerances, for the phrase "[a document controlled under 10 CFR 50.59]" in the specifications.
The [Limiting Trip Setpoint (LTSP)] is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the [LTSP] accounts for uncertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g., repeatability), changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the [LTSP] ensures that SLs are not exceeded. As such, the [LTSP] meets the definition of an SL-LSSS (Ref. 1).
Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety function(s)." Use of the [LTSP] to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protective device setting during a Surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the [LTSP] due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the [LTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protective device. Therefore, the device would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the device to the [LTSP] to account for further drift during the next surveillance interval.
However, there is also some point beyond which the device would have not been able to perform its function due, for example, to greater than expected drift. The Allowable Value specified in Table 3.3.5.1-1 is the least conservative value of the as-found setpoint that a channel can have during testing such that a channel is OPERABLE if the trip setpoint is found conservative with respect to the Allowable Value during the CHANNEL CALIBRATION. Note that, although a channel is OPERABLE under these circumstances, the setpoint must be left adjusted to a value within the as-left tolerance of the [LTSP] and confirmed to be operating within the statistical allowances of the uncertainty terms assigned in the setpoint calculation. As such, the Allowable Value differs from the [LTSP] by an amount equal to [or greater than] the as-found tolerance value. In this manner, the actual setting of the device ensures that an SL is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval.
If the actual setting of the device is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, then this condition indicates that the instrument is degraded and is not performing in accordance with the setpoint methodology assumptions.
This condition must be entered into the plant corrective action program, the trip setpoint must be left adjusted to a value within the as-left tolerance band, and an immediate determination of operability decision must be made.
If the actual setting of the device is found to be non-conservative with respect to the Allowable Value, the device channel would be considered inoperable from a Technical Specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.
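The three as-found outcomes described above can be written as a small classifier. This is an added example, not part of the NRC document: the class and function names are hypothetical, all numeric values are constructed, and treating a setting exactly equal to the Allowable Value as still conservative is an assumption based on the "least conservative value" wording.

```python
from dataclasses import dataclass
from enum import Enum


class Trip(Enum):
    """Direction in which the process variable moves toward the trip."""
    ON_DECREASING = -1  # low-level style trip: a higher setting is more conservative
    ON_INCREASING = 1   # high-pressure style trip: a lower setting is more conservative


class Finding(Enum):
    WITHIN_AS_FOUND_TOLERANCE = "OPERABLE; drift within what the methodology expects"
    DEGRADED = "conservative to the Allowable Value but outside the as-found band"
    INOPERABLE = "non-conservative with respect to the Allowable Value"


# Follow-up actions, paraphrased from the Bases text for each outcome.
ACTIONS = {
    Finding.WITHIN_AS_FOUND_TOLERANCE: (
        "leave setpoint within the as-left tolerance of the LTSP",
    ),
    Finding.DEGRADED: (
        "enter condition into the corrective action program",
        "leave setpoint within the as-left tolerance of the LTSP",
        "make an immediate determination of operability",
    ),
    Finding.INOPERABLE: (
        "consider the channel inoperable",
        "take corrective action, including actions required by 10 CFR 50.36",
    ),
}


@dataclass(frozen=True)
class ChannelSetpoint:
    ltsp: float             # [LTSP] from the setpoint calculation
    allowable_value: float  # Allowable Value from Table 3.3.5.1-1
    as_found_tol: float     # as-found tolerance (+/-) around the LTSP
    as_left_tol: float      # as-left tolerance (+/-) around the LTSP
    trip: Trip

    def __post_init__(self):
        if self.as_found_tol <= 0 or self.as_left_tol <= 0:
            raise ValueError("tolerances must be positive")
        # The Allowable Value lies on the non-conservative side of the LTSP,
        # at a distance equal to or greater than the as-found tolerance.
        margin = (self.allowable_value - self.ltsp) * self.trip.value
        if margin < self.as_found_tol:
            raise ValueError("Allowable Value must be at least as_found_tol "
                             "beyond the LTSP on the non-conservative side")

    def non_conservative(self, setting: float) -> bool:
        """True when `setting` is past the Allowable Value (would trip too late)."""
        return (setting - self.allowable_value) * self.trip.value > 0

    def evaluate_as_found(self, as_found: float) -> Finding:
        if self.non_conservative(as_found):
            return Finding.INOPERABLE
        if abs(as_found - self.ltsp) > self.as_found_tol:
            return Finding.DEGRADED
        return Finding.WITHIN_AS_FOUND_TOLERANCE

    def as_left_acceptable(self, as_left: float) -> bool:
        """True when the setting left after calibration is inside the as-left band."""
        return abs(as_left - self.ltsp) <= self.as_left_tol


# Constructed values for illustration only (not plant data).
LOW_LEVEL = ChannelSetpoint(ltsp=100.0, allowable_value=96.0,
                            as_found_tol=3.0, as_left_tol=1.0,
                            trip=Trip.ON_DECREASING)
HIGH_PRESSURE = ChannelSetpoint(ltsp=20.0, allowable_value=25.0,
                                as_found_tol=3.0, as_left_tol=1.0,
                                trip=Trip.ON_INCREASING)

if __name__ == "__main__":
    for name, ch, reading in [("low level", LOW_LEVEL, 98.5),
                              ("low level", LOW_LEVEL, 96.5),
                              ("low level", LOW_LEVEL, 95.0),
                              ("high pressure", HIGH_PRESSURE, 24.0),
                              ("high pressure", HIGH_PRESSURE, 26.0)]:
        finding = ch.evaluate_as_found(reading)
        print(f"{name} as-found {reading}: {finding.name}")
        for action in ACTIONS[finding]:
            print(f"  - {action}")
```

Because the Allowable Value may sit further from the [LTSP] than the as-found tolerance, the degraded band between the two is non-empty in this sample; a setting that has drifted too far in the conservative direction is also outside the as-found band and is reported the same way.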
For most anticipated operational occurrences and Design Basis Accidents (DBAs), a wide range of dependent and independent parameters are monitored.
The ECCS instrumentation actuates core spray (CS), low pressure coolant injection (LPCI), high pressure coolant injection (HPCI), Automatic Depressurization System (ADS), and the diesel generators (DGs). The equipment involved with each of these systems is described in the Bases for LCO 3.5.1, "ECCS - Operating."
Core Spray System
The CS System may be initiated by either automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low Low, Level 1 or Drywell Pressure - High. Each of these diverse variables is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the eight trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic (i.e., two trip systems) for each Function.
The high drywell pressure initiation signal is a sealed in signal and must be manually reset. The CS System can be reset if reactor water level has been restored, even if the high drywell pressure condition persists. The logic can also be initiated by use of a manual push button (one push button per subsystem). Upon receipt of an initiation signal, the CS pumps are started immediately after power is available.
The CS test line isolation valve, which is also a primary containment isolation valve (PCIV), is closed on a CS initiation signal to allow full system flow assumed in the accident analyses and maintain primary containment isolated in the event CS is not operating.
The CS pump discharge flow is monitored by a flow transmitter. When the pump is running and discharge flow is low enough so that pump overheating may occur, the minimum flow return line valve is opened.
The valve is automatically closed if flow is above the minimum flow setpoint to allow the full system flow assumed in the accident analysis.
The CS System also monitors the pressure in the reactor to ensure that, before the injection valves open, the reactor pressure has fallen to a value below the CS System's maximum design pressure. The variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.
Low Pressure Coolant Injection System
The LPCI is an operating mode of the Residual Heat Removal (RHR) System, with two LPCI subsystems. The LPCI subsystems may be initiated by automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low Low, Level 1, Drywell Pressure - High, or both. Each of these diverse variables is monitored by four redundant transmitters which, in turn, are connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic (i.e., two trip systems) for each Function. Once an initiation signal is received by the LPCI control circuitry, the signal is sealed in until manually reset.
Upon receipt of an initiation signal, the LPCI C pump starts after a 0.5 second delay when power is available. The LPCI A, B, and D pumps are started after a 10 second delay to limit the loading of the standby power sources.
Each LPCI subsystem's discharge flow is monitored by a flow transmitter.
When a pump is running and discharge flow is low enough so that pump overheating may occur, the respective minimum flow return line valve is opened. If flow is above the minimum flow setpoint, the valve is automatically closed to allow the full system flow assumed in the analyses.
The RHR test line suppression pool cooling isolation valve, suppression pool spray isolation valves, and containment spray isolation valves (which are also PCIVs) are also closed on a LPCI initiation signal to allow the full system flow assumed in the accident analyses and maintain primary containment isolated in the event LPCI is not operating.
The LPCI System monitors the pressure in the reactor to ensure that, before an injection valve opens, the reactor pressure has fallen to a value below the LPCI System's maximum design pressure. The variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic. Additionally, instruments are provided to close the recirculation pump discharge valves to ensure that LPCI flow does not bypass the core when it injects into the recirculation lines. The variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.
Low reactor water level in the shroud is detected by two additional instruments to automatically isolate other modes of RHR (e.g., suppression pool cooling) when LPCI is required. Manual overrides for these isolations are provided.
High Pressure Coolant Injection System
The HPCI System may be initiated by either automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low, Level 2 or Drywell Pressure - High. Each of these variables is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic for each Function.
The HPCI pump discharge flow is monitored by a flow transmitter. When the pump is running and discharge flow is low enough so that pump overheating may occur, the minimum flow return line valve is opened.
The valve is automatically closed if flow is above the minimum flow setpoint to allow the full system flow assumed in the accident analysis.
The HPCI test line isolation valve (which is also a PCIV) is closed upon receipt of a HPCI initiation signal to allow the full system flow assumed in the accident analysis and maintain primary containment isolated in the event HPCI is not operating.
The HPCI System also monitors the water levels in the condensate storage tank (CST) and the suppression pool because these are the two sources of water for HPCI operation. Reactor grade water in the CST is the normal source. Upon receipt of a HPCI initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position) unless both suppression pool suction valves are open. If the water level in the CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. Two level switches are used to detect low water level in the CST. Either switch can cause the suppression pool suction valves to open and the CST suction valve to close. The suppression pool suction valves also automatically open and the CST suction valve closes if high water level is detected in the suppression pool. To prevent losing suction to the pump, the suction valves are interlocked so that one suction path must be open before the other automatically closes.
The HPCI provides makeup water to the reactor until the reactor vessel water level reaches the Reactor Vessel Water Level - High, Level 8 trip, at which time the HPCI turbine trips, which causes the turbine's stop valve and the injection valves to close. The logic is two-out-of-two to provide high reliability of the HPCI System. The HPCI System automatically restarts if a Reactor Vessel Water Level - Low Low, Level 2 signal is subsequently received.
Automatic Depressurization System
The ADS may be initiated by either automatic or manual means. Automatic initiation occurs when signals indicating Reactor Vessel Water Level - Low Low Low, Level 1; Drywell Pressure - High or ADS Bypass Low Water Level Actuation Timer; confirmed Reactor Vessel Water Level - Low, Level 3; and CS or LPCI Pump Discharge Pressure - High are all present and the ADS Initiation Timer has timed out. There are two transmitters each for Reactor Vessel Water Level - Low Low Low, Level 1 and Drywell Pressure - High, and one transmitter for confirmed Reactor Vessel Water Level - Low, Level 3 in each of the two ADS trip systems.
Each of these transmitters connects to a trip unit, which then drives a relay whose contacts form the initiation logic.
Each ADS trip system includes a time delay between satisfying the initiation logic and the actuation of the ADS valves. The ADS Initiation Timer time delay setpoint chosen is long enough that the HPCI has sufficient operating time to recover to a level above Level 1, yet not so long that the LPCI and CS Systems are unable to adequately cool the fuel if the HPCI fails to maintain that level. An alarm in the control room is annunciated when either of the timers is timing. Resetting the ADS initiation signals resets the ADS Initiation Timers.
The ADS also monitors the discharge pressures of the four LPCI pumps and the two CS pumps. Each ADS trip system includes two discharge pressure permissive transmitters from both CS and from two LPCI pumps in the associated Division (i.e., Division 1 LPCI subsystems A and D input to ADS trip system A, and Division 2 LPCI subsystems B and C input to ADS trip system B). The signals are used as a permissive for ADS actuation, indicating that there is a source of core coolant available once the ADS has depressurized the vessel. Any one of the six low pressure pumps is sufficient to permit automatic depressurization.
The ADS logic in each trip system is arranged in two strings. Each string has a contact from each of the following variables: Reactor Vessel Water Level - Low Low Low, Level 1; Drywell Pressure - High; or Low Water Level Actuation Timer. One of the two strings in each trip system must also have a confirmed Reactor Vessel Water Level - Low, Level 3. All contacts in both logic strings must close, the ADS initiation timer must time out, and a CS or LPCI pump discharge pressure signal must be present to initiate an ADS trip system. Either the A or B trip system will cause all the ADS relief valves to open. Once the Drywell Pressure - High signal, the ADS Low Water Level Actuation Timer, or the ADS initiation signal is present, it is individually sealed in until manually reset.
Manual inhibit switches are provided in the control room for the ADS; however, their function is not required for ADS OPERABILITY (provided ADS is not inhibited when required to be OPERABLE).
Diesel Generators
The DGs may be initiated by either automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low Low, Level 1 or Drywell Pressure - High. The DGs are also initiated upon loss of voltage signals. (Refer to the Bases for LCO 3.3.8.1, "Loss of Power (LOP) Instrumentation," for a discussion of these signals.) Each of these diverse variables is monitored by four redundant transmitters, which are, in turn, connected to four trip units.
The outputs of the four trip units are connected to relays whose contacts are connected to a one-out-of-two taken twice logic to initiate all three DGs (2A, 1B, and 2C). The DGs receive their initiation signals from the CS System initiation logic. The DGs can also be started manually from the control room and locally from the associated DG room. The DG initiation signal is a sealed in signal and must be manually reset. The DG initiation logic is reset by resetting the associated ECCS initiation logic.
Upon receipt of a loss of coolant accident (LOCA) initiation signal, each DG is automatically started, is ready to load in approximately 12 seconds, and will run in standby conditions (rated voltage and speed, with the DG output breaker open). The DGs will only energize their respective Engineered Safety Feature buses if a loss of offsite power occurs. (Refer to Bases for LCO 3.3.8.1.)
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY
The actions of the ECCS are explicitly assumed in the safety analyses of References 1, 2, and 3. The ECCS is initiated to preserve the integrity of the fuel cladding by limiting the post LOCA peak cladding temperature to less than the 10 CFR 50.46 limits.
ECCS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.
Trip Setpoints that directly protect against violating the reactor core Safety Limits or the Reactor Coolant System (RCS) pressure boundary Safety Limits during anticipated operational occurrences (AOOs) are Safety Limit-Limiting Safety System Settings (SL-LSSS). Permissive and interlock setpoints allow bypass of trips when they are not required by the Safety Analysis. These permissives and interlocks ensure that the starting conditions are consistent with the safety analysis, before preventative or mitigating actions occur. Because these permissives or interlocks are only one of multiple conservative starting assumptions for the accident analysis, they are generally considered as nominal values without regard to measurement accuracy (i.e., the value indicated is sufficiently close to the necessary value to ensure proper operation of the safety systems to turn the AOO). Therefore, permissives and interlocks are not considered to be SL-LSSS.
The OPERABILITY of the ECCS instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints set within the setting tolerance ofconservative with respect towithin the specified LTSPs, Allowable Values, where appropriate. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Each
ECCS subsystem must also respond within its assumed response time.
Table 3.3.5.1-1 is modified by two footnotes. Footnote (a) is added to clarify that the associated functions are required to be OPERABLE in MODES 4 and 5 only when their supported ECCS are required to be OPERABLE per LCO 3.5.2, ECCS - Shutdown. Footnote (b) is added to show that certain ECCS instrumentation Functions also perform DG initiation and actuation of other Technical Specifications (TS) equipment.
Allowable Values are specified for each ECCS Function specified in the Table 3.3.5-1. [Nominal Limiting Trip Setpoints] are specified [in a document controlled under 10 CFR 50.59] in the setpoint calculations.
The nominal setpoints are selected to ensure that the setpoints remain conservative with respect to thedo not exceed the Allowable Value as-found tolerance band between CHANNEL CALIBRATIONS. After each calibration the trip setpoint should be reset to within the as-left band around the [LTSP].
The Allowable Value specified in Table 3.3.5.1-1 is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the as-found setpoint is conservative with respect to the Allowable Value during the CHANNEL CALIBRATION.
As such, the Allowable Value differs from the [LTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device ([LTSP]) will ensure that a SL is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval.
Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).
If the actual setting of the device is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, then this condition indicates that the instrument is degraded and is not performing in accordance with the setpoint methodology assumptions.
This condition must be entered into the plant corrective action program, the trip setpoint must be left adjusted to a value within the as-left tolerance band, and an immediate determination of operability decision must be made.
If the actual setting of the device is found to be non-conservative with respect to the Allowable Value, the channel would be considered inoperable. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.
Operation with a trip setpoint less conservative than the nominal trip setpoint, but conservative with respect to its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not conservative with respect to its required Allowable Value.
[Limiting Trip Setpoints] are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytical limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytical limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints [LTSPs] are then determined, accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.
In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS (or DG) initiation to mitigate the consequences of a design basis transient or accident. To ensure reliable ECCS and DG function, a combination of Functions is required to provide primary and secondary initiation signals.
The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.
Core Spray and Low Pressure Coolant Injection Systems
1.a, 2.a. Reactor Vessel Water Level - Low Low Low, Level 1
Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. The low pressure ECCS and associated DGs are initiated at Level 1 to ensure that core spray and flooding functions are available to prevent or minimize fuel damage. The Reactor Vessel Water Level - Low Low Low, Level 1 is one of the Functions assumed to be OPERABLE and capable of initiating the ECCS during the transients analyzed in References 1 and 3. In addition, the Reactor Vessel Water Level - Low Low Low, Level 1 Function is directly assumed in the analysis of the recirculation line break (Ref. 2). The core cooling function of the ECCS, along with the scram action of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
Reactor Vessel Water Level - Low Low Low, Level 1 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.
The Reactor Vessel Water Level - Low Low Low, Level 1 Allowable Value is chosen to allow time for the low pressure core flooding systems to activate and provide adequate cooling.
Four channels of Reactor Vessel Water Level - Low Low Low, Level 1 Function are only required to be OPERABLE when the ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude ECCS initiation. Per Footnote (a) to Table 3.3.5.1-1, this ECCS Function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2, "ECCS - Shutdown," for Applicability Bases for the low pressure ECCS subsystems; LCO 3.8.1, "AC Sources - Operating," and LCO 3.8.2, "AC Sources - Shutdown," for Applicability Bases for the DGs.
1.b, 2.b. Drywell Pressure - High
High pressure in the drywell could indicate a break in the reactor coolant pressure boundary (RCPB). The low pressure ECCS and associated DGs are initiated upon receipt of the Drywell Pressure - High Function in order to minimize the possibility of fuel damage. The Drywell Pressure - High Function, along with the Reactor Water Level - Low Low Low, Level 1 Function, is directly assumed in the analysis of the recirculation line break (Ref. 4). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.
The Drywell Pressure - High Function is required to be OPERABLE when the ECCS or DG is required to be OPERABLE in conjunction with times when the primary containment is required to be OPERABLE. Thus, four channels of the CS and LPCI Drywell Pressure - High Function are required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single instrument failure can preclude ECCS and DG initiation. In MODES 4 and 5, the Drywell Pressure - High Function is not required, since there is insufficient energy in the reactor to pressurize the primary containment to Drywell Pressure - High setpoint. Refer to LCO 3.5.1 for Applicability Bases for the low pressure ECCS subsystems and to LCO 3.8.1 for Applicability Bases for the DGs.
1.c, 2.c. Reactor Steam Dome Pressure - Low (Injection Permissive)
Low reactor steam dome pressure signals are used as permissives for the low pressure ECCS subsystems. This ensures that, prior to opening the injection valves of the low pressure ECCS subsystems, the reactor pressure has fallen to a value below these subsystems' maximum design pressure. The Reactor Steam Dome Pressure - Low is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the ECCS during the transients analyzed in References 1 and 3. In addition, the Reactor Steam Dome Pressure - Low Function is directly assumed in the analysis of the recirculation line break (Ref. 2). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
The Reactor Steam Dome Pressure - Low signals are initiated from four pressure transmitters that sense the reactor dome pressure.
The Allowable Value is low enough to prevent overpressuring the equipment in the low pressure ECCS, but high enough to ensure that the ECCS injection prevents the fuel peak cladding temperature from exceeding the limits of 10 CFR 50.46.
Four channels of Reactor Steam Dome Pressure - Low Function are only required to be OPERABLE when the ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude ECCS initiation.
Per Footnote (a) to Table 3.3.5.1-1, this ECCS Function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.
1.d, 2.g. Core Spray and Low Pressure Coolant Injection Pump Discharge Flow - Low (Bypass)
The minimum flow instruments are provided to protect the associated low pressure ECCS pump from overheating when the pump is operating and the associated injection valve is not fully open. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump. The LPCI and CS Pump Discharge Flow - Low Functions are assumed to be OPERABLE and capable of closing the minimum flow valves to ensure that the low pressure ECCS flows assumed during the transients and accidents analyzed in References 1, 2, and 3 are met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
One flow transmitter per ECCS pump is used to detect the associated subsystems' flow rates. The logic is arranged such that each transmitter causes its associated minimum flow valve to open. The logic will close the minimum flow valve once the closure setpoint is exceeded. The LPCI minimum flow valves are time delayed such that the valves will not open for 10 seconds after the switches detect low flow. The time delay is provided to limit reactor vessel inventory loss during the startup of the RHR shutdown cooling mode. The Pump Discharge Flow - Low Allowable Values are high enough to ensure that the pump flow rate is sufficient to protect the pump, yet low enough to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core.
Each channel of Pump Discharge Flow - Low Function (two CS channels and four LPCI channels) is only required to be OPERABLE when the associated ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude the ECCS function. Per Footnote (a) to Table 3.3.5.1-1, this ECCS Function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.
1.e, 2.h. Manual Initiation
The Manual Initiation push button channels introduce signals into the appropriate ECCS logic to provide manual initiation capability and are redundant to the automatic protective instrumentation. There is one push button for each of the CS and LPCI subsystems (i.e., two for CS and two for LPCI).
The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the low pressure ECCS function as required by the NRC in the plant licensing basis.
There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.
Each channel of the Manual Initiation Function (one channel per subsystem) is only required to be OPERABLE when the associated ECCS is required to be OPERABLE. Per Footnote (a) to Table 3.3.5.1-1, this ECCS Function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.
2.d. Reactor Steam Dome Pressure - Low (Recirculation Discharge Valve Permissive)
Low reactor steam dome pressure signals are used as permissives for recirculation discharge valve closure. This ensures that the LPCI subsystems inject into the proper RPV location assumed in the safety analysis. The Reactor Steam Dome Pressure - Low is one of the Functions assumed to be OPERABLE and capable of closing the valve during the transients analyzed in References 1 and 3. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Steam Dome Pressure - Low Function is directly assumed in the analysis of the recirculation line break (Ref. 2).
The Reactor Steam Dome Pressure - Low signals are initiated from four pressure transmitters that sense the reactor dome pressure.
The Allowable Value is chosen to ensure that the valves close prior to commencement of LPCI injection flow into the core, as assumed in the safety analysis.
Four channels of the Reactor Steam Dome Pressure - Low Function are only required to be OPERABLE in MODES 1, 2, and 3 with the associated recirculation pump discharge valve open. With the valve(s) closed, the function of the instrumentation has been performed; thus, the Function is not required. In MODES 4 and 5, the loop injection location is not critical since LPCI injection through the recirculation loop in either direction will still ensure that LPCI flow reaches the core (i.e., there is no significant reactor steam dome back pressure).
2.e. Reactor Vessel Shroud Level - Level 0
The Level 0 Function is provided as a permissive to allow the RHR System to be manually aligned from the LPCI mode to the suppression pool cooling/spray or drywell spray modes. The permissive ensures that water in the vessel is approximately two thirds core height before the manual transfer is allowed. This ensures that LPCI is available to prevent or minimize fuel damage. This function may be overridden during accident conditions as allowed by plant procedures. Reactor Vessel Shroud Level - Level 0 Function is implicitly assumed in the analysis of the recirculation line break (Ref. 2) since the analysis assumes that no LPCI flow diversion occurs when reactor water level is below Level 0.
Reactor Vessel Shroud Level - Level 0 signals are initiated from two level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Shroud Level - Level 0 Allowable Value is chosen to allow the low pressure core flooding systems to activate and provide adequate cooling before allowing a manual transfer.
Two channels of the Reactor Vessel Shroud Level - Level 0 Function are only required to be OPERABLE in MODES 1, 2, and 3. In MODES 4 and 5, the specified initiation time of the LPCI subsystems is not assumed, and other administrative controls are adequate to control the valves that this Function isolates (since the systems that the valves are opened for are not required to be OPERABLE in MODES 4 and 5 and are normally not used).
2.f. Low Pressure Coolant Injection Pump Start - Time Delay Relay
The purpose of this time delay is to stagger the start of the LPCI pumps that are in each of Divisions 1 and 2, thus limiting the starting transients on the 4.16 kV emergency buses. This Function is only necessary when power is being supplied from the standby power sources (DG). However, since the time delay does not degrade ECCS operation, it remains in the pump start logic at all times. The LPCI Pump Start - Time Delay Relays are assumed to be OPERABLE in the accident and transient analyses requiring ECCS initiation. That is, the analyses assume that the pumps will initiate when required and excess loading will not cause failure of the power sources.
There are four LPCI Pump Start - Time Delay Relays, one in each of the RHR pump start logic circuits. While each time delay relay is dedicated to a single pump start logic, a single failure of a LPCI Pump Start - Time Delay Relay could result in the failure of the two low pressure ECCS pumps, powered from the same ESF bus, to perform their intended function within the assumed ECCS RESPONSE TIME (e.g., as in the case where both ECCS pumps on one ESF bus start simultaneously due to an inoperable time delay relay). This still leaves four of the six low pressure ECCS pumps OPERABLE; thus, the single failure criterion is met (i.e., loss of one instrument does not preclude ECCS initiation). The Allowable Value for the LPCI Pump Start - Time Delay Relays is chosen to be long enough so that most of the starting transient of the first pump is complete before starting the second pump on the same 4.16 kV emergency bus and short enough so that ECCS operation is not degraded.
Each LPCI Pump Start - Time Delay Relay Function is required to be OPERABLE only when the associated LPCI subsystem is required to be OPERABLE. Per Footnote (a) to Table 3.3.5.1-1, this ECCS Function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the LPCI subsystems.
HPCI System
3.a. Reactor Vessel Water Level - Low Low, Level 2
Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the HPCI System is initiated at Level 2 to maintain level above the top of the active fuel. The Reactor Vessel Water Level - Low Low, Level 2 is one of the Functions assumed to be OPERABLE and capable of initiating HPCI during the transients analyzed in References 1 and 3. Additionally, the Reactor Vessel Water Level - Low Low, Level 2 Function associated with HPCI is directly assumed in the analysis of the recirculation line break (Ref. 2). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.
The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value is high enough such that for complete loss of feedwater flow, the Reactor Core Isolation Cooling (RCIC) System flow with HPCI assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Reactor Vessel Water Level - Low Low Low, Level 1.
Four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LCO 3.5.1 for HPCI Applicability Bases.
3.b. Drywell Pressure - High
High pressure in the drywell could indicate a break in the RCPB. The HPCI System is initiated upon receipt of the Drywell Pressure - High Function in order to minimize the possibility of fuel damage. The Drywell Pressure - High Function, along with the Reactor Water Level - Low Low, Level 2 Function, is directly assumed in the analysis of the recirculation line break (Ref. 4). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible to be indicative of a LOCA inside primary containment.
Four channels of the Drywell Pressure - High Function are required to be OPERABLE when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LCO 3.5.1 for the Applicability Bases for the HPCI System.
3.c. Reactor Vessel Water Level - High, Level 8
High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel. Therefore, the Level 8 signal is used to trip the HPCI turbine to prevent overflow into the main steam lines (MSLs). The Reactor Vessel Water Level - High, Level 8 Function is not assumed in the accident and transient analyses. It was retained since it is a potentially significant contributor to risk.
Reactor Vessel Water Level - High, Level 8 signals for HPCI are initiated from two level transmitters from the narrow range water level measurement instrumentation. Both Level 8 signals are required in order to close the HPCI injection valve. This ensures that no single instrument failure can preclude HPCI initiation. The Reactor Vessel Water Level - High, Level 8 Allowable Value is chosen to prevent flow from the HPCI System from overflowing into the MSLs.
Two channels of Reactor Vessel Water Level - High, Level 8 Function are required to be OPERABLE only when HPCI is required to be OPERABLE.
Refer to LCO 3.5.1 and LCO 3.5.2 for HPCI Applicability Bases.
3.d. Condensate Storage Tank Level - Low
Low level in the CST indicates the unavailability of an adequate supply of makeup water from this normal source. Normally the suction valves between HPCI and the CST are open and, upon receiving a HPCI initiation signal, water for HPCI injection would be taken from the CST. However, if the water level in the CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. This ensures that an adequate supply of makeup water is available to the HPCI pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes. The Function is implicitly assumed in the accident and transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool.
Condensate Storage Tank Level - Low signals are initiated from two level switches. The logic is arranged such that either level switch can cause the suppression pool suction valves to open and the CST suction valve to close. The Condensate Storage Tank Level - Low Function Allowable Value is high enough to ensure adequate pump suction head while water is being taken from the CST.
Two channels of the Condensate Storage Tank Level - Low Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases.
3.e. Suppression Pool Water Level - High
Excessively high suppression pool water could result in the loads on the suppression pool exceeding design values should there be a blowdown of the reactor vessel pressure through the safety/relief valves. Therefore, signals indicating high suppression pool water level are used to transfer the suction source of HPCI from the CST to the suppression pool to eliminate the possibility of HPCI continuing to provide additional water from a source outside containment. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes. This Function is implicitly assumed in the accident and transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool.
Suppression Pool Water Level - High signals are initiated from two level switches. The logic is arranged such that either switch can cause the suppression pool suction valves to open and the CST suction valve to close. The Allowable Value for the Suppression Pool Water Level - High Function is chosen to ensure that HPCI will be aligned for suction from the suppression pool before the water level reaches the point at which suppression pool design loads would be exceeded.
Two channels of Suppression Pool Water Level - High Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases.
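The suction transfer described for Functions 3.d and 3.e can be modeled as a scan-based sequence. The following is an added illustration, not part of the Bases or of any plant logic: the class, function and scan names are hypothetical, the switch states are constructed, and the "stuck valve" input is a constructed fault used to show that the interlock keeps the CST suction path open when the suppression pool valves do not open.

```python
"""HPCI suction transfer interlock as a scan-based sequence (added example)."""
from dataclasses import dataclass, field


@dataclass
class HpciSuction:
    cst_valve_open: bool = True        # normal lineup: suction from the CST
    pool_valves_open: bool = False     # suppression pool suction valves
    pool_valves_stuck: bool = False    # constructed fault for the failure case
    events: list = field(default_factory=list)

    def has_suction_path(self) -> bool:
        """True while at least one suction source is lined up to the pump."""
        return self.cst_valve_open or self.pool_valves_open

    def scan(self, cst_level_low, pool_level_high) -> None:
        """Evaluate one logic scan from the two switches of each Function."""
        # Either switch of either Function is enough to demand the transfer.
        if not (any(cst_level_low) or any(pool_level_high)):
            return
        if not self.pool_valves_open:
            # Step 1: the suppression pool suction valves open first.
            if self.pool_valves_stuck:
                self.events.append("pool valves did not open; CST valve held open")
            else:
                self.pool_valves_open = True
                self.events.append("pool suction valves open")
            return  # the CST valve is never closed in the same scan
        if self.cst_valve_open:
            # Step 2: interlock satisfied, pool valves are open, CST valve closes.
            self.cst_valve_open = False
            self.events.append("CST suction valve closed")


def run_transfer(scans, pool_valves_stuck=False):
    """Run (cst_level_low, pool_level_high) scans in order.

    Returns the final lineup and whether a suction path existed after every scan.
    """
    lineup = HpciSuction(pool_valves_stuck=pool_valves_stuck)
    suction_kept = True
    for cst_level_low, pool_level_high in scans:
        lineup.scan(cst_level_low, pool_level_high)
        suction_kept = suction_kept and lineup.has_suction_path()
    return lineup, suction_kept


# Constructed scans: (CST Level - Low switches, Suppression Pool Level - High switches)
QUIET = ((False, False), (False, False))
CST_LOW_B = ((False, True), (False, False))      # one CST switch tripped
POOL_HIGH_A = ((False, False), (True, False))    # one pool switch tripped

if __name__ == "__main__":
    cases = [
        ("CST level low", [QUIET, CST_LOW_B, CST_LOW_B], False),
        ("pool level high", [QUIET, POOL_HIGH_A, POOL_HIGH_A], False),
        ("pool valves stuck", [CST_LOW_B, CST_LOW_B, CST_LOW_B], True),
    ]
    for name, scans, stuck in cases:
        lineup, kept = run_transfer(scans, pool_valves_stuck=stuck)
        print(name, lineup.events, "suction kept:", kept)
```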
3.f. High Pressure Coolant Injection Pump Discharge Flow - Low (Bypass)
The minimum flow instruments are provided to protect the HPCI pump from overheating when the pump is operating and the associated injection valve is not fully open. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump. The High Pressure Coolant Injection Pump Discharge Flow - Low Function is assumed to be OPERABLE and capable of closing the minimum flow valve to ensure that the ECCS flow assumed during the transients and accidents analyzed in References 1, 2, and 3 is met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
One flow transmitter is used to detect the HPCI System's flow rate. The logic is arranged such that the transmitter causes the minimum flow valve to open. The logic will close the minimum flow valve once the closure setpoint is exceeded.
The High Pressure Coolant Injection Pump Discharge Flow - Low Allowable Value is high enough to ensure that pump flow rate is sufficient to protect the pump, yet low enough to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core.
One channel is required to be OPERABLE when the HPCI is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases.
3.g. Manual Initiation
The Manual Initiation push button channel introduces signals into the HPCI logic to provide manual initiation capability and is redundant to the automatic protective instrumentation. There is one push button for the HPCI System.
The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the HPCI function as required by the NRC in the plant licensing basis.
There is no Allowable Value for this Function since the channel is mechanically actuated based solely on the position of the push button.
One channel of the Manual Initiation Function is required to be OPERABLE only when the HPCI System is required to be OPERABLE.
Refer to LCO 3.5.1 for HPCI Applicability Bases.
Automatic Depressurization System
4.a, 5.a. Reactor Vessel Water Level - Low Low Low, Level 1
Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, ADS receives one of the signals necessary for initiation from this Function. The Reactor Vessel Water Level - Low Low Low, Level 1 is one of the Functions assumed to be OPERABLE and capable of initiating the ADS during the accident analyzed in Reference 2. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
Reactor Vessel Water Level - Low Low Low, Level 1 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low Low Low, Level 1 Function are required to be OPERABLE only when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A, while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.
The Reactor Vessel Water Level - Low Low Low, Level 1 Allowable Value is chosen to allow time for the low pressure core flooding systems to initiate and provide adequate cooling.
4.b, 5.b. Drywell Pressure - High
High pressure in the drywell could indicate a break in the RCPB. Therefore, ADS receives one of the signals necessary for initiation from this Function in order to minimize the possibility of fuel damage. The Drywell Pressure - High is assumed to be OPERABLE and capable of initiating the ADS during the accidents analyzed in Reference 2. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
Drywell Pressure - High signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.
Four channels of Drywell Pressure - High Function are only required to be OPERABLE when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A, while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.
4.c, 5.c. Automatic Depressurization System Initiation Timer
The purpose of the Automatic Depressurization System Initiation Timer is to delay depressurization of the reactor vessel to allow the HPCI System time to maintain reactor vessel water level. Since the rapid depressurization caused by ADS operation is one of the most severe transients on the reactor vessel, its occurrence should be limited. By delaying initiation of the ADS Function, the operator is given the chance to monitor the success or failure of the HPCI System to maintain water level, and then to decide whether or not to allow ADS to initiate, to delay initiation further by recycling the timer, or to inhibit initiation permanently.
The Automatic Depressurization System Initiation Timer Function is assumed to be OPERABLE for the accident analyses of Reference 2 that require ECCS initiation and assume failure of the HPCI System.
There are two Automatic Depressurization System Initiation Timer relays, one in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System Initiation Timer is chosen so that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling.
Two channels of the Automatic Depressurization System Initiation Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. (One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B.) Refer to LCO 3.5.1 for ADS Applicability Bases.
4.d, 5.d. Reactor Vessel Water Level - Low, Level 3
The Reactor Vessel Water Level - Low, Level 3 Function is used by the ADS only as a confirmatory low water level signal. ADS receives one of the signals necessary for initiation from Reactor Vessel Water Level - Low Low Low, Level 1 signals. In order to prevent spurious initiation of the ADS due to spurious Level 1 signals, a Level 3 signal must also be received before ADS initiation commences.
Reactor Vessel Water Level - Low, Level 3 signals are initiated from two level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Allowable Value for Reactor Vessel Water Level - Low, Level 3 is selected at the RPS Level 3 scram Allowable Value for convenience. Refer to LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," for the Bases discussion of this Function.
Two channels of Reactor Vessel Water Level - Low, Level 3 Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.
4.e, 4.f, 5.e, 5.f. Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure - High
The Pump Discharge Pressure - High signals from the CS and LPCI pumps are used as permissives for ADS initiation, indicating that there is a source of low pressure cooling water available once the ADS has depressurized the vessel. Pump Discharge Pressure - High is one of the Functions assumed to be OPERABLE and capable of permitting ADS initiation during the events analyzed in Reference 2 with an assumed HPCI failure. For these events the ADS depressurizes the reactor vessel so that the low pressure ECCS can perform the core cooling functions. This core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.
Pump discharge pressure signals are initiated from twelve pressure transmitters, two on the discharge side of each of the six low pressure ECCS pumps. In order to generate an ADS permissive in one trip system, it is necessary that only one pump (both channels for the pump) indicate the high discharge pressure condition. The Pump Discharge Pressure - High Allowable Value is less than the pump discharge pressure when the pump is operating in a full flow mode and high enough to avoid any condition that results in a discharge pressure permissive when the CS and LPCI pumps are aligned for injection and the pumps are not running. The actual operating point of this function is not assumed in any transient or accident analysis.
Twelve channels of Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure - High Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two CS channels associated with CS pump A and four LPCI channels associated with LPCI pumps A and D are required for trip system A. Two CS channels associated with CS pump B and four LPCI channels associated with LPCI pumps B and C are required for trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.
4.g, 5.g. Automatic Depressurization System Low Water Level Actuation Timer
One of the signals required for ADS initiation is Drywell Pressure - High. However, if the event requiring ADS initiation occurs outside the drywell (e.g., main steam line break outside containment), a high drywell pressure signal may never be present. Therefore, the Automatic Depressurization System Low Water Level Actuation Timer is used to bypass the Drywell Pressure - High Function after a certain time period has elapsed. Operation of the Automatic Depressurization System Low Water Level Actuation Timer Function is not assumed in any accident analysis. The instrumentation is retained in the TS because ADS is part of the primary success path for mitigation of a DBA.
There are four Automatic Depressurization System Low Water Level Actuation Timer relays, two in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System Low Water Level Actuation Timer is chosen to ensure that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling.
Four channels of the Automatic Depressurization System Low Water Level Actuation Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Refer to LCO 3.5.1 for ADS Applicability Bases.
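How the signals of Functions 4.a through 4.g combine in one ADS trip system can be followed in a short simulation. This is an added illustration, not part of the Bases or of any plant logic: all names are hypothetical and the timer settings and channel samples are constructed. It assumes that both channels of a Function within the trip system must trip, that the Low Water Level Actuation Timer runs while Level 1 is present, and that the Initiation Timer runs only while the confirmed initiation signals are present.

```python
"""One ADS trip system evaluated over sampled channel states (added example)."""
from dataclasses import dataclass, field

# Constructed timer settings in seconds; the page gives no Allowable Values.
INITIATION_TIMER_S = 120
LOW_LEVEL_ACTUATION_TIMER_S = 600


@dataclass
class Sample:
    t: int                                   # seconds since start of the record
    level1: tuple = (False, False)           # Level 1 channels, True = tripped
    level3: bool = False                     # confirmatory Level 3 channel
    drywell_high: tuple = (False, False)     # Drywell Pressure - High channels
    # Pump Discharge Pressure - High: pump name -> (channel, channel)
    pump_pressure_high: dict = field(default_factory=dict)


def ads_initiation_time(samples):
    """Return the time at which the trip system initiates ADS, or None."""
    level1_since = None   # start of the Low Water Level Actuation Timer
    armed_since = None    # start of the Initiation Timer
    for s in samples:
        # Assumption: both Level 1 channels of the trip system must be tripped.
        level1 = all(s.level1)
        if not level1:
            level1_since = None
        elif level1_since is None:
            level1_since = s.t
        # The actuation timer bypasses Drywell Pressure - High once it times out.
        bypass = level1 and s.t - level1_since >= LOW_LEVEL_ACTUATION_TIMER_S
        drywell = all(s.drywell_high) or bypass
        # Level 3 must confirm Level 1 before the Initiation Timer may run.
        armed = level1 and s.level3 and drywell
        if not armed:
            armed_since = None   # assumption: the timer resets when signals clear
        elif armed_since is None:
            armed_since = s.t
        timed_out = armed and s.t - armed_since >= INITIATION_TIMER_S
        # Permissive: one pump is enough, but both of its channels must agree.
        permissive = any(all(chs) for chs in s.pump_pressure_high.values())
        if timed_out and permissive:
            return s.t
    return None


def steady(duration_s, step_s=10, **channels):
    """Constructed record: the same channel states sampled every step_s seconds."""
    return [Sample(t=t, **channels) for t in range(0, duration_s + 1, step_s)]


# Constructed pump states for trip system A (CS pump A, LPCI pumps A and D).
CS_A_RUNNING = {"CS A": (True, True), "LPCI A": (False, False), "LPCI D": (False, False)}
ONE_CHANNEL_ONLY = {"CS A": (True, False), "LPCI A": (False, False), "LPCI D": (False, False)}
LOW_LEVEL = dict(level1=(True, True), level3=True)

if __name__ == "__main__":
    inside = steady(900, drywell_high=(True, True), pump_pressure_high=CS_A_RUNNING, **LOW_LEVEL)
    outside = steady(900, pump_pressure_high=CS_A_RUNNING, **LOW_LEVEL)
    spurious = steady(900, level1=(True, True), drywell_high=(True, True),
                      pump_pressure_high=CS_A_RUNNING)
    no_pump = steady(900, drywell_high=(True, True), pump_pressure_high=ONE_CHANNEL_ONLY,
                     **LOW_LEVEL)
    print("break inside drywell:", ads_initiation_time(inside))
    print("break outside drywell:", ads_initiation_time(outside))
    print("Level 1 without Level 3:", ads_initiation_time(spurious))
    print("no pump permissive:", ads_initiation_time(no_pump))
```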
4.h, 5.h. Manual Initiation
The Manual Initiation push button channels introduce signals into the ADS logic to provide manual initiation capability and are redundant to the automatic protective instrumentation. There are two push buttons for each ADS trip system for a total of four.
The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the ADS functions as required by the NRC in the plant licensing basis.
There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.
Four channels of the Manual Initiation Function (two channels per trip system) are only required to be OPERABLE when the ADS is required to be OPERABLE. Refer to LCO 3.5.1 for ADS Applicability Bases.
ACTIONS
REVIEWER'S NOTE-----------------------------------
Certain LCO Completion Times are based on approved topical reports. In order for a licensee to use the times, the licensee must justify the Completion Times as required by the staff Safety Evaluation Report (SER) for the topical report.
A Note has been provided to modify the ACTIONS related to ECCS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ECCS instrumentation channels provide appropriate compensatory measures for separate inoperable Condition entry for each inoperable ECCS instrumentation channel.
A.1 Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.1-1. The applicable Condition referenced in the Table is Function dependent. Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.
B.1, B.2, and B.3 Required Actions B.1 and B.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in redundant automatic initiation capability being lost for the feature(s). Required Action B.1 features would be those that are initiated by Functions 1.a, 1.b, 2.a, and 2.b (e.g., low pressure ECCS).
The Required Action B.2 system would be HPCI. For Required Action B.1, redundant automatic initiation capability is lost if (a) two Function 1.a channels are inoperable and untripped in the same trip system, (b) two Function 2.a channels are inoperable and untripped in the same trip system, (c) two Function 1.b channels are inoperable and untripped in the same system, or (d) two Function 2.b channels are inoperable and untripped in the same trip system. For low pressure
ECCS, since each inoperable channel would have Required Action B.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system of low pressure ECCS and DGs to be declared inoperable. However, since channels in both associated low pressure ECCS subsystems (e.g., both CS subsystems) are inoperable and untripped, and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in the associated low pressure ECCS and DGs being concurrently declared inoperable.
For Required Action B.2, redundant automatic initiation capability is lost if two Function 3.a or two Function 3.b channels are inoperable and untripped in the same trip system. In this situation (loss of redundant automatic initiation capability), the 24 hour allowance of Required Action B.3 is not appropriate and the feature(s) associated with the inoperable, untripped channels must be declared inoperable within 1 hour. As noted (Note 1 to Required Action B.1), Required Action B.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the low pressure ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 24 hours (as allowed by Required Action B.3) is allowed during MODES 4 and 5. There is no similar Note provided for Required Action B.2 since HPCI instrumentation is not required in MODES 4 and 5; thus, a Note is not necessary.
Notes are also provided (Note 2 to Required Action B.1 and the Note to Required Action B.2) to delineate which Required Action is applicable for each Function that requires entry into Condition B if an associated channel is inoperable. This ensures that the proper loss of initiation capability check is performed. Required Action B.1 (the Required Action for certain inoperable channels in the low pressure ECCS subsystems) is not applicable to Function 2.e, since this Function provides backup to administrative controls ensuring that operators do not divert LPCI flow from injecting into the core when needed. Thus, a total loss of Function 2.e capability for 24 hours is allowed, since the LPCI subsystems remain capable of performing their intended function.
The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action B.1, the Completion Time only begins upon discovery that a redundant feature in the same
system (e.g., both CS subsystems) cannot be automatically initiated due to inoperable, untripped channels within the same Function as described in the paragraph above. For Required Action B.2, the Completion Time only begins upon discovery that the HPCI System cannot be automatically initiated due to two inoperable, untripped channels for the associated Function in the same trip system. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.
Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.3. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.
Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken.
C.1 and C.2 Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the same Function result in redundant automatic initiation capability being lost for the feature(s).
Required Action C.1 features would be those that are initiated by Functions 1.c, 2.c, 2.d, and 2.f (i.e., low pressure ECCS). Redundant automatic initiation capability is lost if either (a) two Function 1.c channels are inoperable in the same trip system, (b) two Function 2.c channels are inoperable in the same trip system, (c) two Function 2.d channels are inoperable in the same trip system, or (d) two or more Function 2.f channels are inoperable. In this situation (loss of redundant automatic initiation capability), the 24 hour allowance of Required Action C.2 is not appropriate and the feature(s) associated with the inoperable channels must be declared inoperable within 1 hour. Since each inoperable channel would have Required Action C.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system to be declared inoperable. However, since channels for both low pressure ECCS subsystems are inoperable (e.g., both CS subsystems), and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in both subsystems being concurrently declared inoperable. For Functions 1.c, 2.d, and 2.f, the affected portions are the associated low pressure ECCS pumps. As noted (Note 1), Required Action C.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of automatic initiation capability for 24 hours (as allowed by Required Action C.2) is allowed during MODES 4 and 5.
Note 2 states that Required Action C.1 is only applicable for Functions 1.c, 2.c, 2.d, and 2.f. Required Action C.1 is not applicable to Functions 1.e, 2.h, and 3.g (which also require entry into this Condition if a channel in these Functions is inoperable), since they are the Manual Initiation Functions and are not assumed in any accident or transient analysis. Thus, a total loss of manual initiation capability for 24 hours (as allowed by Required Action C.2) is allowed. Required Action C.1 is also not applicable to Function 3.c (which also requires entry into this Condition if a channel in this Function is inoperable), since the loss of one channel results in a loss of the Function (two-out-of-two logic). This loss was considered during the development of Reference 5 and considered acceptable for the 24 hours allowed by Required Action C.2.
The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action C.1, the Completion Time only begins upon discovery that the same feature in both subsystems (e.g., both CS subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.
Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would either cause the initiation or it would not necessarily result in a safe state for the channel in all events.
D.1, D.2.1, and D.2.2 Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic component initiation capability for the HPCI System. Automatic component initiation capability is lost if two Function 3.d channels or two Function 3.e channels are inoperable and untripped. In this situation (loss of automatic suction swap), the 24 hour allowance of Required Actions D.2.1 and D.2.2 is not appropriate and the HPCI System must be declared inoperable within 1 hour after discovery of loss of HPCI initiation capability. As noted, Required Action D.1 is only applicable if the HPCI pump suction is not aligned to the suppression pool, since, if aligned, the Function is already performed.
The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action D.1, the Completion Time only begins upon discovery that the HPCI System cannot be automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.
Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1 or the suction source must be aligned to the suppression pool per Required Action D.2.2. Placing the inoperable channel in trip performs the intended function of the channel (shifting the suction source to the suppression pool). Performance of either of these two Required Actions will allow operation to continue. If Required Action D.2.1 or D.2.2 is performed, measures should be taken to ensure that the HPCI System piping remains filled with water.
Alternately, if it is not desired to perform Required Actions D.2.1 and D.2.2 (e.g., as in the case where shifting the suction source could drain down the HPCI suction piping), Condition H must be entered and its Required Action taken.
E.1 and E.2 Required Action E.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the Core Spray and Low Pressure Coolant Injection Pump Discharge Flow - Low Bypass Functions result in redundant automatic initiation capability being lost for the feature(s). For Required Action E.1, the features would be those that are initiated by Functions 1.d and 2.g (e.g., low pressure ECCS). Redundant automatic initiation capability is lost if (a) two Function 1.d channels are inoperable or (b) one or more Function 2.g channels associated with pumps in LPCI subsystem A and one or more Function 2.g channels associated with pumps in LPCI subsystem B are inoperable. Since each inoperable channel would have Required Action E.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected low pressure ECCS pump to be declared inoperable. However, since channels for more than one low pressure ECCS pump are inoperable, and the Completion Times started concurrently for the channels of the low pressure ECCS pumps, this results in the affected low pressure ECCS pumps being concurrently declared inoperable.
In this situation (loss of redundant automatic initiation capability), the 7 day allowance of Required Action E.2 is not appropriate and the subsystem associated with each inoperable channel must be declared inoperable within 1 hour. As noted (Note 1 to Required Action E.1), Required Action E.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 7 days (as allowed by Required Action E.2) is allowed during MODES 4 and 5. A Note is also provided (Note 2 to Required Action E.1) to delineate that Required Action E.1 is only applicable to low pressure ECCS Functions. Required Action E.1 is not applicable to HPCI Function 3.f since the loss of one channel results in a loss of the Function (one-out-of-one logic). This loss was considered during the development of Reference 5 and considered acceptable for the 7 days allowed by Required Action E.2.
The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."
For Required Action E.1, the Completion Time only begins upon discovery that a redundant feature in the same system (e.g., both CS subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.
If the instrumentation that controls the pump minimum flow valve is inoperable, such that the valve will not automatically open, extended pump operation with no injection path available could lead to pump overheating and failure. If there were a failure of the instrumentation, such that the valve would not automatically close, a portion of the pump flow could be diverted from the reactor vessel injection path, causing insufficient core cooling. These consequences can be averted by the operator's manual control of the valve, which would be adequate to maintain ECCS pump protection and required flow. Furthermore, other ECCS pumps would be sufficient to complete the assumed safety function if no additional single failure were to occur. The 7 day Completion Time of Required Action E.2 to restore the inoperable channel to OPERABLE status is reasonable based on the remaining capability of the associated ECCS subsystems, the redundancy available in the ECCS design, and the low probability of a DBA occurring during the allowed out of service time. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.
F.1 and F.2 Required Action F.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within similar ADS trip system A and B Functions result in redundant automatic initiation capability being lost for the ADS. Redundant automatic initiation capability is lost if either (a) one Function 4.a channel and one Function 5.a channel are inoperable and untripped, (b) one Function 4.b channel and one Function 5.b channel are inoperable and untripped, or (c) one Function 4.d channel and one Function 5.d channel are inoperable and untripped.
In this situation (loss of automatic initiation capability), the 96 hour or 8 day allowance, as applicable, of Required Action F.2 is not appropriate and all ADS valves must be declared inoperable within 1 hour after discovery of loss of ADS initiation capability.
The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action F.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable, untripped channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.
Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE. If either HPCI or RCIC is inoperable, the time is shortened to 96 hours. If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours, the 96 hours begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable, untripped channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable, untripped channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action F.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.
Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken.
G.1 and G.2 Required Action G.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within similar ADS trip system Functions result in automatic initiation capability being lost for the ADS.
Automatic initiation capability is lost if either (a) one Function 4.c channel and one Function 5.c channel are inoperable, (b) a combination of Function 4.e, 4.f, 5.e, and 5.f channels are inoperable such that channels associated with five or more low pressure ECCS pumps are inoperable, or (c) one or more Function 4.g channels and one or more Function 5.g channels are inoperable.
In this situation (loss of automatic initiation capability), the 96 hour or 8 day allowance, as applicable, of Required Action G.2 is not appropriate, and all ADS valves must be declared inoperable within 1 hour after discovery of loss of ADS initiation capability. The Note to Required Action G.1 states that Required Action G.1 is only applicable for Functions 4.c, 4.e, 4.f, 4.g, 5.c, 5.e, 5.f, and 5.g. Required Action G.1 is not applicable to Functions 4.h and 5.h (which also require entry into this Condition if a channel in these Functions is inoperable), since they are the Manual Initiation Functions and are not assumed in any accident or transient analysis. Thus, a total loss of manual initiation capability for 96 hours or 8 days (as allowed by Required Action G.2) is allowed.
The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action G.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.
Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE (Required Action G.2). If either HPCI or RCIC is inoperable, the time shortens to 96 hours. If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours, the 96 hours begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.
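The 8 day / 96 hour clock rule stated for Required Actions F.2 and G.2 can be written as a deadline calculation. The following Python example is added here for illustration and is not part of the STS Bases; the function names, the event format, the constructed dates, and the treatment of repeated HPCI/RCIC status changes (the most recent change into inoperability starts the 96 hour clock) are assumptions.

```python
from datetime import datetime, timedelta

EIGHT_DAYS = timedelta(days=8)
NINETY_SIX_HOURS = timedelta(hours=96)


def completion_deadline(channel_found, both_operable_at_entry, status_changes, as_of):
    """Return the time by which the inoperable ADS channel must be restored
    (or, for Required Action F.2, placed in trip), as the rule stands at `as_of`.

    channel_found          -- discovery time of the inoperable channel
    both_operable_at_entry -- True if HPCI and RCIC were both OPERABLE at that time
    status_changes         -- iterable of (time, both_operable) tuples, one per
                              discovered HPCI/RCIC status change (assumed format)
    as_of                  -- only changes discovered up to this time are applied
    """
    # "The total time for an inoperable channel cannot exceed 8 days."
    cap = channel_found + EIGHT_DAYS
    both_operable = both_operable_at_entry
    # If HPCI or RCIC is already inoperable at entry, the 96 hours is assumed
    # to run from discovery of the inoperable channel.
    clock_96_start = channel_found

    for when, now_both_operable in sorted(status_changes):
        if when < channel_found:
            raise ValueError("status change predates channel discovery")
        if when > as_of:
            break
        if both_operable and not now_both_operable:
            # 8 days -> 96 hours: the 96 hours begins upon discovery of
            # HPCI or RCIC inoperability.
            clock_96_start = when
        both_operable = now_both_operable

    if both_operable:
        # 96 hours -> 8 days (or never shortened): "time zero" is discovery
        # of the inoperable channel, so the deadline is simply the cap.
        return cap
    return min(clock_96_start + NINETY_SIX_HOURS, cap)


def worked_cases():
    """Constructed scenarios; all dates are illustrative, not plant data."""
    t0 = datetime(2024, 1, 1, 0, 0)      # inoperable channel discovered
    review = datetime(2024, 1, 8, 0, 0)  # time at which the rule is evaluated
    return {
        "both_operable_throughout":
            completion_deadline(t0, True, [], review),
        "hpci_lost_on_day_2":
            completion_deadline(t0, True, [(datetime(2024, 1, 3), False)], review),
        "hpci_lost_on_day_6_capped":
            completion_deadline(t0, True, [(datetime(2024, 1, 7), False)], review),
        "rcic_inoperable_at_entry":
            completion_deadline(t0, False, [], review),
        "rcic_restored_after_entry":
            completion_deadline(t0, False, [(datetime(2024, 1, 2, 12), True)], review),
    }


if __name__ == "__main__":
    for name, deadline in worked_cases().items():
        print(f"{name:28s} {deadline:%Y-%m-%d %H:%M}")
```

The third case shows the cap at work: 96 hours from the day 6 discovery would run past the 8 day limit, so the limit governs.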
H.1 With any Required Action and associated Completion Time not met, the associated feature(s) may be incapable of performing the intended function, and the supported feature(s) associated with inoperable untripped channels must be declared inoperable immediately.
SURVEILLANCE REQUIREMENTS
REVIEWER'S NOTE-----------------------------------
Certain Frequencies are based on approved topical reports. In order for a licensee to use these Frequencies, the licensee must justify the Frequencies as required by the staff SER for the topical report.
REVIEWER'S NOTE ------------------------------------
The Notes in Table 3.3.5.1-1 requiring reset of the channel to a predefined as-left tolerance and the verification of the as-found tolerance are only associated with SL-LSSS values. Therefore, the Notes are applied to specific SRs for the associated functions in the SR column only. The Notes may be placed at the top of the Allowable Value column in the Table and applied to all Functions with allowable values in the table.
REVIEWER'S NOTE ------------------------------------
Notes 1 and 2 are applied to the setpoint verification Surveillances for all SL-LSSS Functions unless one or more of the following exclusions apply:
1. Notes 1 and 2 are not applied to SL-LSSS Functions which utilize mechanical components to sense the trip setpoint or to manual initiation circuits (the latter are not explicitly modeled in the accident analysis). Examples of mechanical components are limit switches, float switches, proximity detectors, manual actuation switches, and other such devices that are normally only checked on a "go/no go" basis. Note 1 requires a comparison of the periodic surveillance requirement results to provide an indication of channel (or individual device) performance. This comparison is not valid for most mechanical components. While it is possible to verify that a limit switch functions at a point of travel, a change in the surveillance result probably indicates that the switch has moved, not that the input/output relationship has changed. Therefore, a comparison of surveillance requirement results would not provide an indication of the channel or component performance.
2. Notes 1 and 2 are not applied to Technical Specifications associated with mechanically operated safety relief valves. The performance of these components is already controlled (i.e., trended with as-left and as-found limits) under the ASME Section XI testing program.
3. Notes 1 and 2 may not apply to SL-LSSS Functions and Surveillances which test only digital components. For purely digital components, such as actuation logic circuits and associated relays, there is no expected change in result between surveillance performances other than measurement and test errors (M&TE) and, therefore, justification is needed to confirm that comparison of Surveillance results does not provide an indication of channel or component performance.
An evaluation of the potential SL-LSSS Functions resulted in Notes 1 and 2 being applied to the Functions shown in the TS markups. Each licensee proposing to fully adopt this TSTF must review the potential SL-LSSS Functions to identify which of the identified functions are SL-LSSS according to the definition of SL-LSSS and their plant specific safety analysis. The two TSTF Notes are not required to be applied to any of the listed Functions which meet any of the exclusion criteria or are not SL-LSSS based on the plant specific design and analysis.
As noted in the beginning of the SRs, the SRs for each ECCS instrumentation Function are found in the SRs column of Table 3.3.5.1-1.
The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours as follows: (a) for Functions 3.c, 3.f, and 3.g; and (b) for Functions other than 3.c, 3.f, and 3.g provided the associated Function or redundant Function maintains ECCS initiation capability.
Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 5) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the ECCS will initiate when necessary.
SR 3.3.5.1.1 Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK guarantees that undetected outright channel failure is limited to 12 hours; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.
The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.
SR 3.3.5.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.
Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.
The Frequency of 92 days is based on the reliability analyses of Reference 5.
SR 3.3.5.1.3 Calibration of trip units provides a check of the actual trip setpoints. The channel must be declared inoperable if the trip setting is discovered to be less conservative than the Allowable Value specified in Table 3.3.5.1-1. If the trip setting is discovered to be less conservative than accounted for in the appropriate setpoint methodology, but is conservative with respect to the Allowable Value, the channel performance is still within the requirements of the plant safety analyses. Under these conditions, the setpoint must be readjusted to be equal to or more conservative than the setting accounted for in the appropriate setpoint methodology.
The Frequency of 92 days is based on the reliability analysis of Reference 5.
SR 3.3.5.1.3 for SL-LSSS functions is modified by two Notes as identified in Table 3.3.5.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety analysis setpoint methodology assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP].
Where a setpoint more conservative than the [LTSP] is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance of the [LTSP], then the instrument channel shall be declared inoperable.
The second Note also requires that [LTSP] and the methodologies for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].
SR 3.3.5.1.4 and SR 3.3.5.1.5 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.
The Frequency of SR 3.3.5.1.4 is based upon the assumption of a 92 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.
The Frequency of SR 3.3.5.1.5 is based upon the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.
SR 3.3.5.1.5 for SL-LSSS functions is modified by two Notes as identified in Table 3.3.5.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety analysis setpoint methodology assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP].
Where a setpoint more conservative than the [LTSP] is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance of the [LTSP], then the instrument channel shall be declared inoperable.
The second Note also requires that [LTSP] and the methodologies for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].
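The as-found and as-left disposition that the two Notes on SR 3.3.5.1.3 and SR 3.3.5.1.5 describe can be written as a small decision function. This is an added illustration, not part of the STS Bases; the class and function names, the `trips_on_increase` direction flag and every numeric value are constructed assumptions, and real values come from Table 3.3.5.1-1 and the plant specific setpoint methodology.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TripFunction:
    """One instrument Function; all field values used below are constructed."""
    setpoint: float           # [LTSP], or the more conservative procedure setpoint
    allowable_value: float    # Allowable Value for the Function
    as_found_tol: float       # as-found tolerance (+/-) about the setpoint
    as_left_tol: float        # as-left tolerance (+/-) about the setpoint
    trips_on_increase: bool   # assumption: True if the trip is on a rising variable


def beyond_allowable_value(fn: TripFunction, setting: float) -> bool:
    """True when the setting is less conservative than the Allowable Value."""
    if fn.trips_on_increase:
        return setting > fn.allowable_value   # would trip later than allowed
    return setting < fn.allowable_value


def as_found_disposition(fn: TripFunction, as_found: float) -> str:
    if beyond_allowable_value(fn, as_found):
        return "DECLARE_INOPERABLE"
    # First Note: outside as-found tolerance but conservative w.r.t. the AV.
    if abs(as_found - fn.setpoint) > fn.as_found_tol:
        return "EVALUATE_AND_ENTER_CAP"
    return "WITHIN_AS_FOUND_TOLERANCE"


def as_left_disposition(fn: TripFunction, as_left: float) -> str:
    # Second Note: as-left setting must be within the as-left tolerance.
    if abs(as_left - fn.setpoint) <= fn.as_left_tol:
        return "WITHIN_AS_LEFT_TOLERANCE"
    return "DECLARE_INOPERABLE"


def assess(fn: TripFunction, as_found: float, as_left: float) -> tuple:
    return as_found_disposition(fn, as_found), as_left_disposition(fn, as_left)


# Constructed sample Functions (not plant data).
HIGH_TRIP = TripFunction(setpoint=100.0, allowable_value=104.0,
                         as_found_tol=2.0, as_left_tol=1.0, trips_on_increase=True)
LOW_TRIP = TripFunction(setpoint=50.0, allowable_value=46.0,
                        as_found_tol=2.0, as_left_tol=1.0, trips_on_increase=False)

if __name__ == "__main__":
    for fn, found, left in [(HIGH_TRIP, 101.5, 100.5), (HIGH_TRIP, 103.0, 100.0),
                            (HIGH_TRIP, 104.5, 101.5), (LOW_TRIP, 45.5, 50.0)]:
        print(found, left, assess(fn, found, left))
```

A setting that has drifted in the conservative direction but lies outside the as-found tolerance still returns `EVALUATE_AND_ENTER_CAP`, because the first Note is triggered by the tolerance band, not by the direction of drift.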
SR 3.3.5.1.6 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.1, LCO 3.5.2, LCO 3.8.1, and LCO 3.8.2 overlaps this Surveillance to complete testing of the assumed safety function.
The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components usually pass the Surveillance when performed at the 18 month Frequency.
SR 3.3.5.1.7 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident analysis.
Response time testing acceptance criteria are included in Reference 4.
ECCS RESPONSE TIME may be verified by actual response time measurements in any series of sequential, overlapping, or total channel measurements.
REVIEWER'S NOTE
[The following Bases are applicable for plants adopting NEDO-32291-A.
However, the measurement of instrument loop response times may be excluded if the conditions of Reference 6 are satisfied.]
ECCS RESPONSE TIME tests are conducted on an 18 month STAGGERED TEST BASIS. The 18 month Frequency is consistent with the typical industry refueling cycle and is based upon plant operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.
REFERENCES
1. FSAR, Section [5.2].
2. FSAR, Section [6.3].
3. FSAR, Chapter [15].
4. NEDC-31376-P, "Edwin I. Hatch Nuclear Power Plant, SAFER/GESTR-LOCA, Loss-of-Coolant Accident Analysis," December 1986.
5. NEDC-30936-P-A, "BWR Owners' Group Technical Specification Improvement Analyses for ECCS Actuation Instrumentation, Part 2," December 1988.
[6. NEDO-32291-A, "System Analyses for the Elimination of Selected Response Time Testing Requirements," October 1995.]