Text

ECCS Instrumentation B 3.3.5.1 B 3.3 INSTRUMENTATION B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation BASES BACKGROUND The purpose of the ECCS instrumentation is to initiate appropriate responses from the systems to ensure that fuel is adequately cooled in the event of a design basis accident or transient. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the ECCS, as well as LCOs on other reactor system parameters and equipment performance. The subset of LSSS that directly protect against violating the Rreactor cCore Safety Limits or the and Reactor Coolant System (RCS) pPressure boundary sSafety lLimits during anticipated operational occurrences (AOOs) are referred to as Safety Limit LSSS (SL-LSSS).

10 CFR 50.36(c)(1)(ii)(A) requires that TSs include LSSSs for variables that have significant safety functions. For variables on which a SL has been placed, the LSSS must be chosen to initiate automatic protective action to correct abnormal situations before the SL is exceeded.

Technical Specifications are required by 10 CFR 50.36 to contain LSSS defined by the regulation as "...settings for automatic protective devices...so chosen that automatic protective action will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that an SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded.

However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

REVIEW ER'S NOTE ------------------------------------

The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the setpoint value calculated by means of the plant-specific setpoint methodology documented in a document controlled under 10 CFR 50.59.

The term Limiting Trip Setpoint indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting.

W here margin is added between the Analytical Limit and trip setpoint, the term Nominal Trip Setpoint (NTSP) is preferred. The trip setpoint (field setting) may be more conservative than the Limiting or Nominal Trip Setpoint. W here the [LTSP] is not documented in a column in Table 3.3.5.1-1 for the purpose of compliance with 10 CFR 50.36, the plant-specific term for the Limiting or Nominal Trip Setpoint must be cited in Note d of Table 3.3.5.1-1. The brackets indicate plant-specific terms may apply, as reviewed and approved by the NRC. The as-found and as-left BW R/6 STS B 3.3.5.1-1 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 tolerances will apply to the actual setpoint implemented in the Surveillance procedures to confirm channel performance.

Licensees are to insert the name of the document(s) controlled under 10 CFR 50.59 that contain the [LTSP] and the methodology for calculating the as-left and as-found tolerances, for the phrase "[a document controlled under 10 CFR 50.59]" in the specifications.

BASES BACKGROUND (continued)

The [Limiting Trip Setpoint (LTSP)] is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the [LTSP] accounts for uncertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g., repeatability), changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the

[LTSP] ensures that SLs are not exceeded. As such, the [LTSP] meets the definition of an SL-LSSS (Ref. 1).

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety function(s)." Use of the [LTSP] to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protective device setting during a Surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the [LTSP] due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the [LTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protective device. Therefore, the device would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the device to the [LTSP] to account for further drift during the next surveillance interval.

However, there is also some point beyond which the device would have not been able to perform its function due, for example, to greater than expected drift. The Allowable Value specified in Table 3.3.5.1-1 is the BW R/6 STS B 3.3.5.1-2 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 least conservative value of the as-found setpoint that a channel can have during testing such that a channel is OPERABLE if the trip setpoint is found conservative with respect to the Allowable Value during the CHANNEL CALIBRATION. Note that, although a channel is OPERABLE under these circumstances, the setpoint must be left adjusted to a value within the as-left tolerance of the [LTSP] and confirmed to be operating within the statistical allowances of the uncertainty terms assigned in the setpoint calculation. As such, the Allowable Value differs from the [LTSP]

by an amount equal to [or greater than] the as-found tolerance value. In this manner, the actual setting of the device ensures that an SL is not BASES BACKGROUND (continued) exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval.

If the actual setting of the device is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, then this condition indicates that the instrument is degraded and is not performing in accordance with the setpoint methodology assumptions.

This condition must be entered into the plant corrective action program, the trip setpoint must be left adjusted to a value within the as-left tolerance band, and an immediate determination of operability decision must be made.

If the actual setting of the device is found to be non-conservative with respect to the Allowable Value, the device channel would be considered inoperable from a Technical Specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.

For most anticipated operational occurrences (AOOs) and Design Basis Accidents (DBAs), a wide range of dependent and independent parameters are monitored.

The ECCS instrumentation actuates low pressure core spray (LPCS), low pressure coolant injection (LPCI), high pressure core spray (HPCS),

Automatic Depressurization System (ADS), and the diesel generators (DGs). The equipment involved with each of these systems is described in the Bases for LCO 3.5.1, "ECCS - Operating."

Low Pressure Core Spray System The LPCS System may be initiated by either automatic or manual means.

Automatic initiation occurs for conditions of Reactor Vessel W ater Level -

Low Low Low, Level 1 or Drywell Pressure - High. Each of these diverse variables is monitored by two redundant transmitters, which are, in turn, BW R/6 STS B 3.3.5.1-3 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 connected to two trip units. The outputs of the four trip units (two trip units from each of the two variables) are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic. The high drywell pressure initiation signal is a sealed in signal and must be manually reset. The logic can also be initiated by use of a manual push button. Upon receipt of an initiation signal, the LPCS pump is started immediately after power is available.

The LPCS test line isolation valve, which is also a primary containment isolation valve (PCIV), is closed on a LPCS initiation signal to allow full system flow assumed in the accident analysis and maintains containment isolation in the event LPCS is not operating.

The LPCS pump discharge flow is monitored by a flow transmitter. W hen the pump is running and discharge flow is low enough that pump overheating may occur, the minimum flow return line valve is opened.

The valve is automatically closed if flow is above the minimum flow setpoint to allow the full system flow assumed in the accident analysis.

BASES BACKGROUND (continued)

The LPCS System also monitors the pressure in the reactor vessel to ensure that, before the injection valve opens, the reactor pressure has fallen to a value below the LPCS System's maximum design pressure.

The variable is monitored by four redundant transmitters, which are, in turn, connected to trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.

Low Pressure Coolant Injection Subsystems The LPCI is an operating mode of the Residual Heat Removal (RHR)

System, with three LPCI subsystems. The LPCI subsystems may be initiated by automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel W ater Level - Low Low Low, Level 1 or Drywell Pressure - High. Each of these diverse variables is monitored by two redundant transmitters per Division, which are, in turn, connected to two trip units. The outputs of the four Division 2 LPCI (loops B and C) trip units (two trip units from each of the two variables) are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.

The Division 1 LPCI (loop A) receives its initiation signal from the LPCS logic, which uses a similar one-out-of-two taken twice logic. The two Divisions can also be initiated by use of a manual push button (one per Division). Once an initiation signal is received by the LPCI control circuitry, the signal is sealed in until manually reset.

Upon receipt of an initiation signal, the LPCI Pump C is started immediately after power is available while LPCI A and LPCI B pumps are BW R/6 STS B 3.3.5.1-4 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 started after a 5 second delay, to limit the loading on the standby power sources.

Each LPCI subsystem's discharge flow is monitored by a flow transmitter.

W hen a pump is running and discharge flow is low enough that pump overheating may occur, the respective minimum flow return line valve is opened. The valve is automatically closed if flow is above the minimum flow setpoint to allow the full system flow assumed in the analyses.

The RHR test line suppression pool cooling isolation and suppression pool spray isolation valves (which are also PCIVs) are closed on a LPCI initiation signal to allow full system flow assumed in the accident analysis and maintain containment isolated in the event LPCI is not operating.

BASES BACKGROUND (continued)

The LPCI subsystems monitor the pressure in the reactor vessel to ensure that, prior to an injection valve opening, the reactor pressure has fallen to a value below the LPCI subsystem's maximum design pressure.

The variable is monitored by four redundant transmitters per Division, which are, in turn, connected to four trip units. The outputs of the four Division 2 LPCI (loops B and C) trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic. The Division 1 LPCI (loop A) receives its signal from the LPCS logic, which uses a similar one-out-of-two taken twice logic.

High Pressure Core Spray System The HPCS System may be initiated by either automatic or manual means.

Automatic initiation occurs for conditions of Reactor Vessel W ater Level -

Low Low, Level 2 or Drywell Pressure - High. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic for each variable. The HPCS System initiation signal is a sealed in signal and must be manually reset.

The HPCS pump discharge flow is monitored by a flow transmitter. W hen the pump is running and discharge flow is low enough that pump overheating may occur, the minimum flow return line valve is opened.

The valve is automatically closed if flow is above the minimum flow setpoint to allow full system flow assumed in the accident analyses.

The HPCS test line isolation valve (which is also a PCIV) is closed on a HPCS initiation signal to allow full system flow assumed in the accident analyses and maintain containment isolated in the event HPCS is not operating.

The HPCS System also monitors the water levels in the condensate storage tank (CST) and the suppression pool, since these are the two sources of water for HPCS operation. Reactor grade water in the CST is BW R/6 STS B 3.3.5.1-5 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 the normal and preferred source. Upon receipt of a HPCS initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position), unless the suppression pool suction valve is open. If the water level in the CST falls below a preselected level, first the suppression pool suction valve automatically opens, and then the CST suction valve automatically closes. Two level transmitters are used to detect low water level in the CST. Either transmitter and associated trip unit can cause the suppression pool suction valve to open and the CST suction valve to close. The suppression pool suction valve also automatically opens and the CST suction valve closes if high water level is detected in the suppression pool. To prevent losing suction to the pump, the suction valves are interlocked so that one suction path must be open before the other automatically closes.

BASES BACKGROUND (continued)

The HPCS System provides makeup water to the reactor until the reactor vessel water level reaches the high water level (Level 8) trip, at which time the HPCS injection valve closes. The HPCS pump will continue to run on minimum flow. The logic is two-out-of-two to provide high reliability of the HPCS System. The injection valve automatically reopens if a low low water level signal is subsequently received.

Automatic Depressurization System ADS may be initiated by either automatic or manual means. Automatic initiation occurs when signals indicating Reactor Vessel W ater Level -

Low Low Low, Level 1; Drywell Pressure - High or ADS Bypass Timer; confirmed Reactor Vessel W ater Level - Low, Level 3; and either LPCS or LPCI Pump Discharge Pressure - High are all present, and the ADS Initiation Timer has timed out. There are two transmitters each for Reactor Vessel W ater Level - Low Low Low, Level 1 and Drywell Pressure - High, and one transmitter for confirmed Reactor Vessel W ater Level - Low, Level 3 in each of the two ADS trip systems. Each of these transmitters connects to a trip unit, which then drives a relay whose contacts form the initiation logic.

Each ADS trip system (trip system A and trip system B) includes a time delay between satisfying the initiation logic and the actuation of the ADS valves. The time delay chosen is long enough that the HPCS has time to operate to recover to a level above Level 1, yet not so long that the LPCI and LPCS systems are unable to adequately cool the fuel if the HPCS fails to maintain level. An alarm in the control room is annunciated when either of the timers is running. Resetting the ADS initiation signals resets the ADS Initiation Timers.

The ADS also monitors the discharge pressures of the three LPCI pumps and the LPCS pump. Each ADS trip system includes two discharge pressure permissive transmitters from each of the two low pressure BW R/6 STS B 3.3.5.1-6 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 ECCS pumps in the associated Division (i.e., Division 1 ECCS inputs to ADS trip system A and Division 2 ECCS inputs to ADS trip system B).

The signals are used as a permissive for ADS actuation, indicating that there is a source of core coolant available once the ADS has depressurized the vessel. Any one of the four low pressure pumps provides sufficient core coolant flow to permit automatic depressurization.

BW R/6 STS B 3.3.5.1-7 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND (continued)

The ADS logic in each trip system is arranged in two strings. One string has a contact from each of the following variables: Reactor Vessel W ater Level - Low Low Low, Level 1; Drywell Pressure - High or ADS Bypass Timer; Reactor Vessel W ater Level - Low, Level 3; ADS Initiation Timer; and two low pressure ECCS Discharge Pressure - High contacts. The other string has a contact from each of the following variables: Reactor Vessel W ater Level - Low Low Low, Level 1; Drywell Pressure - High; ADS Bypass Timer; and two low pressure ECCS Discharge Pressure -

High contacts. To initiate an ADS trip system, the following applicable contacts must close in the associated string: Reactor Vessel W ater Level

- Low Low Low, Level 1; Drywell Pressure - High or ADS Bypass Timer; Reactor Vessel W ater Level - Low, Level 3; ADS Initiation Timer; and one of the two low pressure ECCS Discharge Pressure - High contacts.

Either ADS trip system A or trip system B will cause all the ADS relief valves to open. Once the Drywell Pressure - High or ADS initiation signals are present, they are individually sealed in until manually reset.

Manual initiation is accomplished by operating the control switch for each safety/relief valve (S/RV) associated with the ADS. Manual inhibit switches are provided in the control room for ADS; however, their function is not required for ADS OPERABILITY (provided ADS is not inhibited when required to be OPERABLE).

Diesel Generators The Division 1, 2, and 3 DGs may be initiated by either automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel W ater Level - Low Low Low, Level 1 or Drywell Pressure - High for DGs 11 and 12, and Reactor Vessel W ater Level - Low Low, Level 2 or Drywell Pressure - High for DG 13. The DGs are also initiated upon loss of voltage signals. (Refer to Bases for LCO 3.3.8.1, "Loss of Power (LOP) Instrumentation," for a discussion of these signals.) Each of these diverse variables is monitored by two redundant transmitters per DG, which are, in turn, connected to two trip units. The outputs of the four divisionalized trip units (two trip units from each of the two variables) are connected to relays whose contacts are connected to a one-out-of-two taken twice logic. The DGs receive their initiation signals from the associated Divisions' ECCS logic (i.e., DG 11 receives an initiation signal from Division 1 ECCS (LPCS and LPCI A); DG 12 receives an initiation signal from Division 2 ECCS (LPCI B and LPCI C); and DG 13 receives an initiation signal from Division 3 ECCS (HPCS)). The DGs can also be started manually from the control room and locally in the associated DG BW R/6 STS B 3.3.5.1-8 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND (continued) room. The DG initiation signal is a sealed in signal and must be manually reset. The DG initiation logic is reset by resetting the associated ECCS initiation logic. Upon receipt of a LOCA initiation signal, each DG is automatically started, is ready to load in approximately 10 seconds, and will run in standby conditions (rated voltage and speed, with the DG output breaker open). The DGs will only energize their respective Engineered Safety Feature (ESF) buses if a loss of offsite power occurs.

(Refer to Bases for LCO 3.3.8.1.)

APPLICABLE The actions of the ECCS are explicitly assumed in the safety analyses of SAFETY References 1, 2, and 3. The ECCS is initiated to preserve the integrity of ANALYSES, LCO, the fuel cladding by limiting the post LOCA peak cladding temperature to and APPLICABILITY less than the 10 CFR 50.46 limits.

ECCS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

Trip Setpoints that directly protect against violating the Rreactor Ccore Safety Limits or the Reactor Coolant System (RCS) pPressure boundary Safety Limits during anticipated operational occurrences (AOOs) are Safety Limit-Limiting Safety System Settings (SL-LSSS). Permissive and interlock setpoints allow bypass of trips when they are not required by the Safety Analysis. These permissives and interlocks ensure that the starting conditions are consistent with the safety analysis, before preventative or mitigating actions occur . Because these permissives or interlocks are only one of multiple conservative starting assumptions for the accident analysis, they are generally considered as nominal values without regard to measurement accuracy, (i.e. the value indicated is sufficiently close to the necessary value to ensure proper operation of the safety systems to turn the AOO). Therefore permissives and interlocks are not considered to be SL-LSSS.

The OPERABILITY of the ECCS instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints withinconservative with respect to the specified Allowable Valuesset within the setting tolerance of the [LTSP], where appropriate. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Each ECCS subsystem must also respond within its assumed response time.

Table 3.3.5.1-1 is modified by two footnotes. Footnote (a) is added to clarify that the associated functions are required to be OPERABLE in MODES 4 and 5 only when their supported ECCS are required to be OPERABLE per LCO 3.5.2, ECCS - Shutdown. Footnote (b) is added to BW R/6 STS B 3.3.5.1-9 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 show that certain ECCS instrumentation Functions also perform DG initiation and actuation of other Technical Specifications (TS) equipment.

Allowable Values are specified for each ECCS Function specified in the table. [Limiting Trip Setpoints] are specified [in a document controlled under 10 CFR 50.59] Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceedremain conservative with respect to the as-found tolerance band Allowable Value between CHANNEL CALIBRATIONS.

After each calibration the trip setpoint should be reset to within the as-left band around the [LTSP].Operation with a trip setpoint less conservative than the nominal trip setpoint, but withinconservative with respect to its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not withinconservative with respect to its required Allowable Value.

The Allowable Value specified in Table 3.3.5.1-1 is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the as-found setpoint is conservative with respect to the Allowable Value during the CHANNEL CALIBRATION.

As such, the Allowable Value differs from the [LTSP] by an amount

[greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device ([LTSP]) will ensure that a SL is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval.

Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).

If the actual setting of the device is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, then this condition indicates that the instrument is degraded and is not performing in accordance with the setpoint methodology assumptions.

This condition must be entered into the plant corrective action program, the trip setpoint must be left adjusted to a value within the as-left tolerance band, and an immediate determination of operability decision must be made.

If the actual setting of the device is found to be non-conservative with respect to the Allowable Value, the channel would be considered inoperable. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.

BW R/6 STS B 3.3.5.1-10 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 Trip setpoints[LTSPs] are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the BW R/6 STS B 3.3.5.1-11 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analyticanalytical limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analyticanalytical limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints[LTSPs]

are then determined, accounting for the remaining instrument errors (e.g.,

drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS (or DG) initiation to mitigate the consequences of a design basis accident or transient. To ensure reliable ECCS and DG function, a combination of Functions is required to provide primary and secondary initiation signals.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

Low Pressure Core Spray and Low Pressure Coolant Injection Systems 1.a, 2.a. Reactor Vessel W ater Level - Low Low Low, Level 1 Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. The low pressure ECCS and associated DGs are initiated at Level 1 to ensure that core spray and flooding functions are available to prevent or minimize fuel damage. The Reactor Vessel W ater Level - Low Low Low, Level 1 is one of the Functions assumed to be OPERABLE and capable of initiating the ECCS during the transients analyzed in References 1 and 3. In addition, the Reactor Vessel W ater Level - Low Low Low, Level 1 Function is directly assumed in the analysis of the recirculation line break (Ref. 2). The core cooling function of the ECCS, along with the scram action of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel W ater Level - Low Low Low, Level 1 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel W ater Level - Low Low Low, Level 1 Allowable Value is BW R/6 STS B 3.3.5.1-12 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 chosen to allow time for the low pressure core flooding systems to activate and provide adequate cooling.

BW R/6 STS B 3.3.5.1-13 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Two channels of Reactor Vessel W ater Level - Low Low Low, Level 1 Function per associated Division are only required to be OPERABLE when the associated ECCS is required to be OPERABLE, to ensure that no single instrument failure can preclude ECCS initiation. (Two channels input to LPCS and LPCI A, while the other two channels input to LPCI B and LPCI C.) Per Footnote (a) to Table 3.3.5.1-1, this ECCS Function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2, "ECCS - Shutdown," for Applicability Bases for the low pressure ECCS subsystems; LCO 3.8.1, "AC Sources -

Operating," and LCO 3.8.2, "AC Sources - Shutdown," for Applicability Bases for the DGs.

1.b, 2.b. Drywell Pressure - High High pressure in the drywell could indicate a break in the reactor coolant pressure boundary (RCPB). The low pressure ECCS and associated DGs are initiated upon receipt of the Drywell Pressure - High Function in order to minimize the possibility of fuel damage. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.

Negative barometric fluctuations are accounted for in the Allowable Value.

The Drywell Pressure - High Function is required to be OPERABLE when the associated ECCS and DGs are required to be OPERABLE in conjunction with times when the primary containment is required to be OPERABLE. Thus, four channels of the LPCS and LPCI Drywell Pressure - High Function are required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single instrument failure can preclude ECCS initiation. (Two channels input to LPCS and LPCI A, while the other two channels input to LPCI B and LPCI C.) In MODES 4 and 5, the Drywell Pressure - High Function is not required since there is insufficient energy in the reactor to pressurize the primary containment to Drywell Pressure -

High setpoint. Refer to LCO 3.5.1 for Applicability Bases for the low pressure ECCS subsystems and to LCO 3.8.1 for Applicability Bases for the DGs.

BW R/6 STS B 3.3.5.1-14 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) 1.c, 2.c. Low Pressure Coolant Injection Pump A and Pump B Start -

Time Delay Relay The purpose of this time delay is to stagger the start of the two ECCS pumps that are in each of Divisions 1 and 2, thus limiting the starting transients on the 4.16 kV emergency buses. This Function is only necessary when power is being supplied from the standby power sources (DG). However, since the time delay does not degrade ECCS operation, it remains in the pump start logic at all times. The LPCI Pump Start -

Time Delay Relays are assumed to be OPERABLE in the accident and transient analyses requiring ECCS initiation. That is, the analysis assumes that the pumps will initiate when required and excess loading will not cause failure of the power sources.

There are two LPCI Pump Start - Time Delay Relays, one in each of the RHR "A" and RHR "B" pump start logic circuits. W hile each time delay relay is dedicated to a single pump start logic, a single failure of a LPCI Pump Start - Time Delay Relay could result in the failure of the two low pressure ECCS pumps, powered from the same ESF bus, to perform their intended function within the assumed ECCS RESPONSE TIMES (e.g., as in the case where both ECCS pumps on one ESF bus start simultaneously due to an inoperable time delay relay). This still leaves two of the four low pressure ECCS pumps OPERABLE; thus, the single failure criterion is met (i.e., loss of one instrument does not preclude ECCS initiation). The Allowable Value for the LPCI Pump Start - Time Delay Relay is chosen to be long enough so that most of the starting transient of the first pump is complete before starting the second pump on the same 4.16 kV emergency bus and short enough so that ECCS operation is not degraded.

Each LPCI Pump Start - Time Delay Relay Function is only required to be OPERABLE when the associated LPCI subsystem is required to be OPERABLE. Per Footnote (a) to Table 3.3.5.1-1, this ECCS Function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the LPCI subsystems.

BW R/6 STS B 3.3.5.1-15 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) 1.d, 2.d. Reactor Steam Dome Pressure - Low (Injection Permissive)

Low reactor steam dome pressure signals are used as permissives for the low pressure ECCS subsystems. This ensures that, prior to opening the injection valves of the low pressure ECCS subsystems, the reactor pressure has fallen to a value below these subsystems' maximum design pressure. The Reactor Steam Dome Pressure - Low is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the ECCS during the transients analyzed in References 1 and 3. In addition, the Reactor Steam Dome Pressure - Low Function is directly assumed in the analysis of the recirculation line break (Ref. 2). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

The Reactor Steam Dome Pressure - Low signals are initiated from four pressure transmitters that sense the reactor dome pressure. The four pressure transmitters each drive a master and slave trip unit (for a total of eight trip units).

The Allowable Value is low enough to prevent overpressurizing the equipment in the low pressure ECCS, but high enough to ensure that the ECCS injection prevents the fuel peak cladding temperature from exceeding the limits of 10 CFR 50.46.

Three channels of Reactor Steam Dome Pressure - Low Function per associated Division are only required to be OPERABLE when the associated ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude ECCS initiation. (Three channels are required for LPCS and LPCI A, while three other channels are required for LPCI B and LPCI C.) Per Footnote (a) to Table 3.3.5.1-1, this ECCS Function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

1.e, 1.f, 2.e. Low Pressure Coolant Injection and Low Pressure Core Spray Pump Discharge Flow - Low (Bypass)

The minimum flow instruments are provided to protect the associated low pressure ECCS pump from overheating when the pump is operating and the associated injection valve is not fully open. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump. The LPCI and LPCS Pump Discharge Flow - Low Functions are assumed to be BW R/6 STS B 3.3.5.1-16 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

OPERABLE and capable of closing the minimum flow valves to ensure that the low pressure ECCS flows assumed during the transients and accidents analyzed in References 1, 2, and 3 are met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

One flow transmitter per ECCS pump is used to detect the associated subsystems' flow rates. The logic is arranged such that each transmitter causes its associated minimum flow valve to open. The logic will close the minimum flow valve once the closure setpoint is exceeded. The LPCI minimum flow valves are time delayed such that the valves will not open for 10 seconds after the switches detect low flow. The time delay is provided to limit reactor vessel inventory loss during the startup of the RHR shutdown cooling mode (for RHR A and RHR B). The Pump Discharge Flow - Low Allowable Values are high enough to ensure that the pump flow rate is sufficient to protect the pump, yet low enough to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core.

Each channel of Pump Discharge Flow - Low Function (one LPCS channel and three LPCI channels) is only required to be OPERABLE when the associated ECCS is required to be OPERABLE, to ensure that no single instrument failure can preclude the ECCS function. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

1.g, 2.f. Manual Initiation The Manual Initiation push button channels introduce signals into the appropriate ECCS logic to provide manual initiation capability and are redundant to the automatic protective instrumentation. There is one push button for each of the two Divisions of low pressure ECCS (i.e., Division 1 ECCS, LPCS and LPCI A; Division 2 ECCS, LPCI B and LPCI C).

The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the low pressure ECCS function as required by the NRC in the plant licensing basis.

BW R/6 STS B 3.3.5.1-17 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.

Each channel of the Manual Initiation Function (one channel per Division) is only required to be OPERABLE when the associated ECCS is required to be OPERABLE. Per Footnote (a) to Table 3.3.5.1-1, this ECCS Function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

High Pressure Core Spray System 3.a. Reactor Vessel W ater Level - Low Low, Level 2 Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the HPCS System and associated DG is initiated at Level 2 to maintain level above the top of the active fuel. The Reactor Vessel W ater Level - Low Low, Level 2 is one of the Functions assumed to be OPERABLE and capable of initiating HPCS during the transients analyzed in References 1 and 3. The Reactor Vessel W ater Level - Low Low, Level 2 Function associated with HPCS is directly assumed in the analysis of the recirculation line break (Ref. 2). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel W ater Level - Low Low, Level 2 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel W ater Level - Low Low, Level 2 Allowable Value is chosen such that for complete loss of feedwater flow, the Reactor Core Isolation Cooling (RCIC) System flow with HPCS assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Reactor Vessel W ater Level - Low Low Low, Level 1.

Four channels of Reactor Vessel W ater Level - Low Low, Level 2 Function are only required to be OPERABLE when HPCS is required to be OPERABLE to ensure that no single instrument failure can preclude HPCS initiation. Refer to LCO 3.5.1 and LCO 3.5.2 for HPCS Applicability Bases.

BW R/6 STS B 3.3.5.1-18 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) 3.b. Drywell Pressure - High High pressure in the drywell could indicate a break in the RCPB. The HPCS System and associated DG are initiated upon receipt of the Drywell Pressure - High Function in order to minimize the possibility of fuel damage. The Drywell Pressure - High Function is not assumed in the analysis of the recirculation line break (Ref. 2); that is, HPCS is assumed to be initiated on Reactor W ater Level - Low Low, Level 2. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Drywell Pressure - High signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.

The Drywell Pressure - High Function is required to be OPERABLE when HPCS is required to be OPERABLE in conjunction with times when the primary containment is required to be OPERABLE. Thus, four channels of the HPCS Drywell Pressure - High Function are required to be OPERABLE in MODES 1, 2, and 3, to ensure that no single instrument failure can preclude ECCS initiation. In MODES 4 and 5, the Drywell Pressure - High Function is not required since there is insufficient energy in the reactor to pressurize the drywell to the Drywell Pressure - High Function's setpoint. Refer to LCO 3.5.1 for the Applicability Bases for the HPCS System.

3.c. Reactor Vessel W ater Level - High, Level 8 High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel.

Therefore, the Level 8 signal is used to close the HPCS injection valve to prevent overflow into the main steam lines (MSLs). The Reactor Vessel W ater Level - High, Level 8 Function is not assumed in the accident and transient analyses. It was retained since it is a potentially significant contributor to risk. Reactor Vessel W ater Level - High, Level 8 signals for HPCS are initiated from two level transmitters from the narrow range water level measurement instrumentation. Both Level 8 signals are required in order to close the HPCS injection valve. This ensures that no single instrument failure can preclude HPCS initiation. The Reactor Vessel W ater Level - High, Level 8 Allowable Value is chosen to isolate flow from the HPCS System prior to water overflowing into the MSLs.

BW R/6 STS B 3.3.5.1-19 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Two channels of Reactor Vessel W ater Level - High, Level 8 Function are only required to be OPERABLE when HPCS is required to be OPERABLE. Refer to LCO 3.5.1 and LCO 3.5.2 for HPCS Applicability Bases.

3.d. Condensate Storage Tank Level - Low Low level in the CST indicates the unavailability of an adequate supply of makeup water from this normal source. Normally the suction valves between HPCS and the CST are open and, upon receiving a HPCS initiation signal, water for HPCS injection would be taken from the CST.

However, if the water level in the CST falls below a preselected level, first the suppression pool suction valve automatically opens, and then the CST suction valve automatically closes. This ensures that an adequate supply of makeup water is available to the HPCS pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valve must be open before the CST suction valve automatically closes. The Function is implicitly assumed in the accident and transient analyses (which take credit for HPCS) since the analyses assume that the HPCS suction source is the suppression pool.

Condensate Storage Tank Level - Low signals are initiated from two level transmitters. The logic is arranged such that either transmitter and associated trip unit can cause the suppression pool suction valve to open and the CST suction valve to close. The Condensate Storage Tank Level

- Low Function Allowable Value is high enough to ensure adequate pump suction head while water is being taken from the CST.

Two channels of the Condensate Storage Tank Level - Low Function are only required to be OPERABLE when HPCS is required to be OPERABLE to ensure that no single instrument failure can preclude HPCS swap to suppression pool source. Thus, the Function is required to be OPERABLE in MODES 1, 2, and 3. In MODES 4 and 5, the Function is required to be OPERABLE only when HPCS is required to be OPERABLE to fulfill the requirements of LCO 3.5.2, HPCS is aligned to the CST, and the CST water level is not within the limits of SR 3.5.2.2.

W ith CST water level within limits, a sufficient supply of water exists for injection to minimize the consequences of a vessel draindown event.

Refer to LCO 3.5.1 and LCO 3.5.2 for HPCS Applicability Bases.

BW R/6 STS B 3.3.5.1-20 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) 3.e. Suppression Pool W ater Level - High Excessively high suppression pool water could result in the loads on the suppression pool exceeding design values should there be a blowdown of the reactor vessel pressure through the S/RVs. Therefore, signals indicating high suppression pool water level are used to transfer the suction source of HPCS from the CST to the suppression pool to eliminate the possibility of HPCS continuing to provide additional water from a source outside containment. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valve must be open before the CST suction valve automatically closes. This Function is implicitly assumed in the accident and transient analyses (which take credit for HPCS) since the analyses assume that the HPCS suction source is the suppression pool.

Suppression Pool W ater Level - High signals are initiated from two level transmitters. The logic is arranged such that either transmitter and associated trip unit can cause the suppression pool suction valve to open and the CST suction valve to close. The Allowable Value for the Suppression Pool W ater Level - High Function is chosen to ensure that HPCS will be aligned for suction from the suppression pool before the water level reaches the point at which suppression pool design loads would be exceeded.

Two channels of Suppression Pool W ater Level - High Function are only required to be OPERABLE in MODES 1, 2, and 3 when HPCS is required to be OPERABLE to ensure that no single instrument failure can preclude HPCS swap to suppression pool source. In MODES 4 and 5, the Function is not required to be OPERABLE since the reactor is depressurized and vessel blowdown, which could cause the design values of the containment to be exceeded, cannot occur. Refer to LCO 3.5.1 for HPCS Applicability Bases.

3.f, 3.g. HPCS Pump Discharge Pressure - High (Bypass) and HPCS System Flow Rate - Low (Bypass)

The minimum flow instruments are provided to protect the HPCS pump from overheating when the pump is operating and the associated injection valve is not fully open. The minimum flow line valve is opened when low flow and high pump discharge pressure are sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump or the discharge pressure is low (indicating the HPCS pump is not BW R/6 STS B 3.3.5.1-21 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) operating). The HPCS System Flow Rate - Low and HPCS Pump Discharge Pressure - High Functions are assumed to be OPERABLE and capable of closing the minimum flow valve to ensure that the ECCS flow assumed during the transients and accidents analyzed in References 1, 2, and 3 are met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

One flow transmitter is used to detect the HPCS System's flow rate. The logic is arranged such that the transmitter causes the minimum flow valve to open, provided the HPCS pump discharge pressure, sensed by another transmitter, is high enough (indicating the pump is operating).

The logic will close the minimum flow valve once the closure setpoint is exceeded. (The valve will also close upon HPCS pump discharge pressure decreasing below the setpoint.)

The HPCS System Flow Rate - Low and HPCS Pump Discharge Pressure - High Allowable Value is high enough to ensure that pump flow rate is sufficient to protect the pump, yet low enough to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core. The HPCS Pump Discharge Pressure - High Allowable Value is set high enough to ensure that the valve will not be open when the pump is not operating.

One channel of each Function is required to be OPERABLE when the HPCS is required to be OPERABLE. Refer to LCO 3.5.1 and LCO 3.5.2 for HPCS Applicability Bases.

3.h. Manual Initiation The Manual Initiation push button channel introduces a signal into the HPCS logic to provide manual initiation capability and is redundant to the automatic protective instrumentation. There is one push button for the HPCS System.

The Manual Initiation Function is not assumed in any accident or transient analysis in the FSAR. However, the Function is retained for overall redundancy and diversity of the HPCS function as required by the NRC in the plant licensing basis.

There is no Allowable Value for this Function since the channel is mechanically actuated based solely on the position of the push button.

One channel of the Manual Initiation Function is only required to be OPERABLE when the HPCS System is required to be OPERABLE.

Refer to LCO 3.5.1 and LCO 3.5.2 for HPCS Applicability Bases.

BW R/6 STS B 3.3.5.1-22 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Automatic Depressurization System 4.a, 5.a. Reactor Vessel W ater Level - Low Low Low, Level 1 Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, ADS receives one of the signals necessary for initiation from this Function. The Reactor Vessel W ater Level - Low Low Low, Level 1 is one of the Functions assumed to be OPERABLE and capable of initiating the ADS during the accidents analyzed in Reference 2. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel W ater Level - Low Low Low, Level 1 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel W ater Level - Low Low Low, Level 1 Function are only required to be OPERABLE when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. (Two channels input to ADS trip system A while the other two channels input to ADS trip system B). Refer to LCO 3.5.1 for ADS Applicability Bases.

The Reactor Vessel W ater Level - Low Low Low, Level 1 Allowable Value is high enough to allow time for the low pressure core flooding systems to initiate and provide adequate cooling.

4.b, 5.b. Drywell Pressure - High High pressure in the drywell could indicate a break in the RCPB.

Therefore, ADS receives one of the signals necessary for initiation from this Function in order to minimize the possibility of fuel damage. The Drywell Pressure - High is assumed to be OPERABLE and capable of initiating the ADS during the accidents analyzed in Reference 2. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Drywell Pressure - High signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.

BW R/6 STS B 3.3.5.1-23 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Four channels of Drywell Pressure - High Function are only required to be OPERABLE when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. (Two channels input to ADS trip system A while the other two channels input to ADS trip system B.) Refer to LCO 3.5.1 for ADS Applicability Bases.

4.c, 5.c. ADS Initiation Timer The purpose of the ADS Initiation Timer is to delay depressurization of the reactor vessel to allow the HPCS System time to maintain reactor vessel water level. Since the rapid depressurization caused by ADS operation is one of the most severe transients on the reactor vessel, its occurrence should be limited. By delaying initiation of the ADS Function, the operator is given the chance to monitor the success or failure of the HPCS System to maintain water level, and then to decide whether or not to allow ADS to initiate, to delay initiation further by recycling the timer, or to inhibit initiation permanently. The ADS Initiation Timer Function is assumed to be OPERABLE for the accident analyses of Reference 2 that require ECCS initiation and assume failure of the HPCS System.

There are two ADS Initiation Timer relays, one in each of the two ADS trip systems. The Allowable Value for the ADS Initiation Timer is chosen to be short enough so that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling.

Two channels of the ADS Initiation Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. (One channel inputs to ADS trip system A while the other channel inputs to ADS trip system B.) Refer to LCO 3.5.1 for ADS Applicability Bases.

4.d, 5.d. Reactor Vessel W ater Level - Low, Level 3 The Reactor Vessel W ater Level - Low, Level 3 Function is used by the ADS only as a confirmatory low water level signal. ADS receives one of the signals necessary for initiation from Reactor Vessel W ater Level - Low Low Low, Level 1 signals. In order to prevent spurious initiation of the ADS due to spurious Level 1 signals, a Level 3 signal must also be received before ADS initiation commences.

BW R/6 STS B 3.3.5.1-24 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Reactor Vessel W ater Level - Low, Level 3 signals are initiated from two level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Allowable Value for Reactor Vessel W ater Level - Low, Level 3 is selected at the RPS Level 3 scram Allowable Value for convenience. Refer to LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," for Bases discussion of this Function.

Two channels of Reactor Vessel W ater Level - Low, Level 3 Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. (One channel inputs to ADS trip system A while the other channel inputs to ADS trip system B.) Refer to LCO 3.5.1 for ADS Applicability Bases.

4.e, 4.f, 5.e. Low Pressure Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure - High The Pump Discharge Pressure - High signals from the LPCS and LPCI pumps are used as permissives for ADS initiation, indicating that there is a source of low pressure cooling water available once the ADS has depressurized the vessel. Pump Discharge Pressure - High is one of the Functions assumed to be OPERABLE and capable of permitting ADS initiation during the events analyzed in References 2 and 3 with an assumed HPCS failure. For these events, the ADS depressurizes the reactor vessel so that the low pressure ECCS can perform the core cooling functions. This core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Pump discharge pressure signals are initiated from eight pressure transmitters, two on the discharge side of each of the four low pressure ECCS pumps. In order to generate an ADS permissive in one trip system, it is necessary that only one pump (both channels for the pump) indicate the high discharge pressure condition. The Pump Discharge Pressure - High Allowable Value is less than the pump discharge pressure when the pump is operating in a full flow mode, and high enough to avoid any condition that results in a discharge pressure permissive when the LPCS and LPCI pumps are aligned for injection and the pumps are not running. The actual operating point of this Function is not assumed in any transient or accident analysis.

BW R/6 STS B 3.3.5.1-25 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Eight channels of LPCS and LPCI Pump Discharge Pressure - High Function (two LPCS and two LPCI A channels input to ADS trip system A, while two LPCI B and two LPCI C channels input to ADS trip system B) are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.g, 5.f. ADS Bypass Timer (High Drywell Pressure)

One of the signals required for ADS initiation is Drywell Pressure - High.

However, if the event requiring ADS initiation occurs outside the drywell (for example, main steam line break outside primary containment), a high drywell pressure signal may never be present. Therefore, the ADS Bypass Timer is used to bypass the Drywell Pressure - High Function after a certain time period has elapsed. Operation of the ADS Bypass Timer Function is not assumed in any accident or transient analysis. The instrumentation is retained in the TS because ADS is part of the primary success path for mitigation of a DBA.

There are four ADS Bypass Timer relays, two in each of the two ADS trip systems. The Allowable Value for the ADS Timer is chosen to be short enough that so that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling.

Four channels of the ADS Bypass Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.h, 5.g. Manual Initiation The Manual Initiation push button channels introduce signals into the ADS logic to provide manual initiation capability and are redundant to the automatic protective instrumentation. There are two push buttons for each ADS trip system (total of four).

The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the ADS function as required by the NRC in the plant licensing basis.

BW R/6 STS B 3.3.5.1-26 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

There is no Allowable Value for this Function since the channel is mechanically actuated based solely on the position of the push buttons.

Four channels of the Manual Initiation Function (two channels per ADS trip system) are only required to be OPERABLE when the ADS is required to be OPERABLE. Refer to LCO 3.5.1 for ADS Applicability Bases.

ACTIONS -----------------------------------REVIEW ERS NOTE-----------------------------------

Certain LCO Completion Times are based on approved topical reports. In order for a licensee to use the times, the licensee must justify the Completion Times as required by the staff Safety Evaluation Report (SER) for the topical report.

A Note has been provided to modify the ACTIONS related to ECCS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ECCS instrumentation channels provide appropriate compensatory measures for separate inoperable Condition entry for each inoperable ECCS instrumentation channel.

A.1 Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.1-1. The applicable Condition specified in the Table is Function dependent. Each time a channel is discovered to be inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.

B.1, B.2, and B.3 Required Actions B.1 and B.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function (or in some cases, within the same variable) result in redundant automatic initiation capability being lost for the feature(s).

Required Action B.1 features would be those that are initiated by BW R/6 STS B 3.3.5.1-27 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued)

Functions 1.a, l.b, 2.a, and 2.b (e.g., low pressure ECCS). The Required Action B.2 feature would be HPCS. For Required Action B.1, redundant automatic initiation capability is lost if either (a) one or more Function 1.a channels and one or more Function 2.a channels are inoperable and untripped, or (b) one or more Function 1.b channels and one or more Function 2.b channels are inoperable and untripped.

For Divisions 1 and 2, since each inoperable channel would have Required Action B.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated Division of low pressure ECCS and DG to be declared inoperable. However, since channels in both Divisions are inoperable and untripped, and the Completion Times started concurrently for the channels in both Divisions, this results in the affected portions in both Divisions of ECCS and DG being concurrently declared inoperable.

For Required Action B.2, redundant automatic initiation capability is lost if two Function 3.a or two Function 3.b channels are inoperable and untripped in the same trip system. In this situation (loss of redundant automatic initiation capability), the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowance of Required Action B.3 is not appropriate and the feature(s) associated with the inoperable, untripped channels must be declared inoperable within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. As noted (Note 1 to Required Action B.1 and Required Action B.2), the two Required Actions are only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> (as allowed by Required Action B.3) is allowed during MODES 4 and 5. Notes are also provided (Note 2 to Required Action B.1 and Required Action B.2) to delineate which Required Action is applicable for each Function that requires entry into Condition B if an associated channel is inoperable. This ensures that the proper loss of initiation capability check is performed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action B.1, the Completion Time only begins upon discovery that a redundant feature in both Divisions (e.g., any Division 1 ECCS and Division 2 ECCS) cannot be automatically initiated due to inoperable, untripped channels within the same variable as described in the paragraph above. For Required Action B.2, the Completion Time only begins upon discovery that the BW R/6 STS B 3.3.5.1-28 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued)

HPCS System cannot be automatically initiated due to two inoperable, untripped channels for the associated Function in the same trip system.

The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> has been shown to be acceptable (Ref. 4) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.3. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken.

C.1 and C.2 Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the same Function (or in some cases, within the same variable) result in redundant automatic initiation capability being lost for the feature(s). Required Action C.1 features would be those that are initiated by Functions 1.c, l.d, 2.c, and 2.d (i.e., low pressure ECCS). For Functions 1.c and 2.c, redundant automatic initiation capability is lost if the Function 1.c and Function 2.c channels are inoperable. For Functions 1.d and 2.d, redundant automatic initiation capability is lost if two Function 1.d channels in the same trip system and two Function 2.d channels in the same trip system (but not necessarily the same trip system as the Function 1.d channels) are inoperable. Since each inoperable channel would have Required Action C.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated Division to be declared inoperable. However, since channels in both Divisions are inoperable, and the Completion Times started concurrently for the channels in both Divisions, this results in the affected portions in both Divisions being concurrently declared inoperable. For Functions 1.c and 2.c, the affected portions of the Division are LPCI A and LPCI B, respectively. For Functions 1.d and 2.d, the affected portions of the Division are the low pressure ECCS pumps (Divisions 1 and 2, respectively).

BW R/6 STS B 3.3.5.1-29 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued)

In this situation (loss of redundant automatic initiation capability), the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowance of Required Action C.2 is not appropriate and the feature(s) associated with the inoperable channels must be declared inoperable within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. As noted (Note 1), the Required Action is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of automatic initiation capability for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> (as allowed by Required Action C.2) is allowed during MODES 4 and 5.

Note 2 states that Required Action C.1 is only applicable for Functions 1.c, 1.d, 2.c, and 2.d. The Required Action is not applicable to Functions 1.g, 2.f, and 3.h (which also require entry into this Condition if a channel in these Functions is inoperable), since they are the Manual Initiation Functions and are not assumed in any accident or transient analysis. Thus, a total loss of manual initiation capability for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> (as allowed by Required Action C.2) is allowed. Required Action C.1 is also not applicable to Function 3.c (which also requires entry into this Condition if a channel in this Function is inoperable), since the loss of one channel results in a loss of the Function (two-out-of-two logic). This loss was considered during the development of Reference 4 and considered acceptable for the 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed by Required Action C.2.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action C.1, the Completion Time only begins upon discovery that the same feature in both Divisions (e.g., any Division 1 ECCS and Division 2 ECCS) cannot be automatically initiated due to inoperable channels within the same variable as described in the paragraph above. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> has been shown to be acceptable (Ref. 4) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would either cause the initiation or would not necessarily result in a safe state for the channel in all events.

BW R/6 STS B 3.3.5.1-30 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued)

D.1, D.2.1, and D.2.2 Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic component initiation capability for the HPCS System. Automatic component initiation capability is lost if two Function 3.d channels or two Function 3.e channels are inoperable and untripped. In this situation (loss of automatic suction swap), the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowance of Required Actions D.2.1 and D.2.2 is not appropriate and the HPCS System must be declared inoperable within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after discovery of loss of HPCS initiation capability. As noted, the Required Action is only applicable if the HPCS pump suction is not aligned to the suppression pool, since, if aligned, the Function is already performed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action D.1, the Completion Time only begins upon discovery that the HPCS System cannot be automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> has been shown to be acceptable (Ref. 4) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1 or the suction source must be aligned to the suppression pool per Required Action D.2.2. Placing the inoperable channel in trip performs the intended function of the channel (shifting the suction source to the suppression pool). Performance of either of these two Required Actions will allow operation to continue. If Required Action D.2.1 or Required Action D.2.2 is performed, measures should be taken to ensure that the HPCS System piping remains filled with water. Alternately, if it is not desired to perform Required Actions D.2.1 and D.2.2 (e.g., as in the case where shifting the suction source could drain down the HPCS suction piping), Condition H must be entered and its Required Action taken.

BW R/6 STS B 3.3.5.1-31 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued)

E.1 and E.2 Required Action E.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the LPCS and LPCI Pump Discharge Flow - Low (Bypass) Functions result in redundant automatic initiation capability being lost for the feature(s). For Required Action E.1, the features would be those that are initiated by Functions 1.e, 1.f, and 2.e (e.g., low pressure ECCS). Redundant automatic initiation capability is lost if three of the four channels associated with Functions 1.e, 1.f, and 2.e are inoperable. Since each inoperable channel would have Required Action E.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected low pressure ECCS pump to be declared inoperable. However, since channels for more than one low pressure ECCS pump are inoperable, and the Completion Times started concurrently for the channels of the low pressure ECCS pumps, this results in the affected low pressure ECCS pumps being concurrently declared inoperable.

In this situation (loss of redundant automatic initiation capability), the 7 day allowance of Required Action E.2 is not appropriate and the feature(s) associated with each inoperable channel must be declared inoperable within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after discovery of loss of initiation capability for feature(s) in both Divisions. As noted (Note 1 to Required Action E.1),

Required Action E.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the low pressure ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 7 days (as allowed by Required Action E.2) is allowed during MODES 4 and 5. A Note is also provided (Note 2 to Required Action E.1) to delineate that Required Action E.1 is only applicable to low pressure ECCS Functions. Required Action E.1 is not applicable to HPCS Functions 3.f and 3.g since the loss of one channel results in a loss of the Function (one-out-of-one logic). This loss was considered during the development of Reference 4 and considered acceptable for the 7 days allowed by Required Action E.2.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action E.1, the Completion Time only begins upon discovery that three channels of the variable (Pump Discharge Flow - Low) cannot be automatically initiated due to inoperable channels. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.

BW R/6 STS B 3.3.5.1-32 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued)

If the instrumentation that controls the pump minimum flow valve is inoperable such that the valve will not automatically open, extended pump operation with no injection path available could lead to pump overheating and failure. If there were a failure of the instrumentation such that the valve would not automatically close, a portion of the pump flow could be diverted from the reactor injection path, causing insufficient core cooling.

These consequences can be averted by the operator's manual control of the valve, which would be adequate to maintain ECCS pump protection and required flow. Furthermore, other ECCS pumps would be sufficient to complete the assumed safety function if no additional single failure were to occur. The 7 day Completion Time of Required Action E.2 to restore the inoperable channel to OPERABLE status is reasonable based on the remaining capability of the associated ECCS subsystems, the redundancy available in the ECCS design, and the low probability of a DBA occurring during the allowed out of service time. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.

F.1 and F.2 Required Action F.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within similar ADS trip system Functions result in automatic initiation capability being lost for the ADS. Automatic initiation capability is lost if either (a) more than one Function 4.a channel and one Function 5.a channel are inoperable and untripped, (b) one Function 4.b channel and one Function 5.b channel are inoperable and untripped, or (c) one Function 4.d channel and one Function 5.d channel are inoperable and untripped.

In this situation (loss of automatic initiation capability), the 96 hour0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> or 8 day allowance, as applicable, of Required Action F.2 is not appropriate, and all ADS valves must be declared inoperable within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after discovery of loss of ADS initiation capability in both trip systems.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action F.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable, untripped channels within similar ADS trip BW R/6 STS B 3.3.5.1-33 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued) system Functions as described in the paragraph above. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 4) to permit restoration of any inoperable channel to OPERABLE status if both HPCS and RCIC are OPERABLE. If either HPCS or RCIC is inoperable, the time is shortened to 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br />. If the status of HPCS or RCIC changes such that the Completion Time changes from 8 days to 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br />, the 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> begins upon discovery of HPCS or RCIC inoperability. However, total time for an inoperable, untripped channel cannot exceed 8 days. If the status of HPCS or RCIC changes such that the Completion Time changes from 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable, untripped channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action F.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken.

G.1 and G.2 Required Action G.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within similar ADS trip system Functions result in automatic initiation capability being lost for the ADS.

Automatic initiation capability is lost if either (a) one Function 4.c channel and one Function 5.c channel are inoperable, (b) one or more Function 4.e channels and one or more Function 5.e channels are inoperable, (c) one or more Function 4.f channels and one or more Function 5.e channels are inoperable, or (d) one or more Function 4.g channels and one or more Function 5.f channels are inoperable.

In this situation (loss of automatic initiation capability), the 96 hour0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> or 8 day allowance, as applicable, of Required Action G.2 is not appropriate, and all ADS valves must be declared inoperable within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after discovery of loss of ADS initiation capability in both trip systems. The Note to Required Action G.1 states that Required Action G.1 is only BW R/6 STS B 3.3.5.1-34 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued) applicable for Functions 4.c, 4.e, 4.f, 4.g, 5.c, 5.e, and 5.f. Required Action G.1 is not applicable to Functions 4.h and 5.g (which also require entry into this Condition if a channel in these Functions is inoperable),

since they are the Manual Initiation Functions and are not assumed in any accident or transient analysis. Thus, a total loss of manual initiation capability for 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> or 8 days (as allowed by Required Action G.2) is allowed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action G.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable channels within similar ADS trip system Functions, as described in the paragraph above. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 4) to permit restoration of any inoperable channel to OPERABLE status if both HPCS and RCIC are OPERABLE (Required Action G.2). If either HPCS or RCIC is inoperable, the time is reduced to 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br />. If the status of HCPS or RCIC changes such that the Completion Time changes from 8 days to 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br />, the 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> begins upon discovery of HPCS or RCIC inoperability. However, total time for an inoperable channel cannot exceed 8 days. If the status of HPCS or RCIC changes such that the Completion Time changes from 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.

BW R/6 STS B 3.3.5.1-35 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued)

H.1 W ith any Required Action and associated Completion Time not met, the associated feature(s) may be incapable of performing the intended function and the supported feature(s) associated with the inoperable untripped channels must be declared inoperable immediately.

SURVEILLANCE -----------------------------------REVIEW ERS NOTE-----------------------------------

REQUIREMENTS Certain Frequencies are based on approved topical reports. In order for a licensee to use these Frequencies, the licensee must justify the Frequencies as required by the staff SER for the topical report.

REVIEW ERS NOTE ------------------------------------

The Notes in Table 3.3.5.1-1 requiring reset of the channel to a predefined as-left tolerance and the verification of the as-found tolerance are only associated with SL-LSSS values. Therefore, the Notes are applied to specific SRs for the associated functions in the SR column only. The Notes may be placed at the top of the Allowable Value column in the Table and applied to all Functions with allowable values in the table.

REVIEW ERS NOTE ------------------------------------

Notes 1 and 2 are applied to the setpoint verification Surveillances for all SL-LSSS Functions unless one or more of the following exclusions apply:

1. Notes 1 and 2 are not applied to SL-LSSS Functions which utilize mechanical components to sense the trip setpoint or to manual initiation circuits (the latter are not explicitly modeled in the accident analysis). Examples of mechanical components are limit switches, float switches, proximity detectors, manual actuation switches, and other such devices that are normally only checked on a "go/no go" basis. Note 1 requires a comparison of the periodic surveillance requirement results to provide an indication of channel (or individual device) performance. This comparison is not valid for most mechanical components. W hile it is possible to verify that a limit switch functions at a point of travel, a change in the surveillance result probably indicates that the switch has moved, not that the input/output relationship has changed. Therefore, a comparison of surveillance requirement results would not provide an indication of the channel or component performance.

2. Notes 1 and 2 are not applied to Technical Specifications associated with mechanically operated safety relief valves. The performance of these components is already controlled (i.e., trended with as-left and as-found limits) under the ASME Section XI testing program.

BW R/6 STS B 3.3.5.1-36 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1

3. Notes 1 and may 2 are not applied y to SL-LSSS Functions and Surveillances which test only digital components. For purely digital components, such as actuation logic circuits and associated relays, there is no expected change in result between surveillance performances other than measurement and test errors (M&TE) and, therefore, justification is needed to confirm that comparison of Surveillance results does not provide an indication of channel or component performance.

An evaluation of the potential SL-LSSS Functions resulted in Notes 1 and 2 being applied to the Functions shown in the TS markups. Each licensee proposing to fully adopt this TSTF must review the the potential SL-LSSS Functions to identify which of the identified functions are SL-LSSS according to the definition of SL-LSSS and their plant specific safety analysis. The two TSTF Notes are not required to be applied to any of the listed Functions which meet any of the exclusion criteria or are not SL-LSSS based on the plant specific design and analysis.

As noted at the beginning of the SRs, the SRs for each ECCS instrumentation Function are found in the SRs column of Table 3.3.5.1-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> as follows: (a) for Functions 3.c, 3.f, 3.g, and 3.h; and (b) for Functions other than 3.c, 3.f, 3.g, and 3.h provided the associated Function or redundant Function maintains ECCS initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 4) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> testing allowance does not significantly reduce the probability that the ECCS will initiate when necessary.

SR 3.3.5.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

BW R/6 STS B 3.3.5.1-37 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE REQUIREMENTS (continued)

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.5.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on the reliability analyses of Reference 4.

SR 3.3.5.1.3 The calibration of trip units provides a check of the actual trip setpoints.

The channel must be declared inoperable if the trip setting is discovered to be not within its required Allowable Value specified in Table 3.3.5.1-1.

If the trip setting is discovered to be less conservative than accounted for in the appropriate setpoint methodology, but is not beyond the Allowable Value, the channel performance is still within the requirements of the plant safety analyses. Under these conditions, the setpoint must be readjusted to be equal to or more conservative than the setting accounted for in the appropriate setpoint methodology.

The Frequency of 92 days is based on the reliability analysis of Reference 4.

BW R/6 STS B 3.3.5.1-38 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 SR 3.3.5.1.3 for SL-LSSS functions is modified by two Notes as identified in Table 3.3.5.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety setpoint methodology analysis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP]. W here a setpoint more conservative than the

[LTSP] is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance of the

[LTSP], then the instrument channel shall be declared inoperable.

The second Note also requires that [LTSP] and the methodologies for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.5.1.4 and SR 3.3.5.1.5 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency of SR 3.3.5.1.4 is based upon the assumption of a 92 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. The Frequency of SR 3.3.5.1.5 is based upon the assumption of an [18] month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.5.1.5 for SL-LSSS functions is modified by two Notes as identified in Table 3.3.5.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety analysis setpoint methodology assumptions. The purpose of the assessment is to BW R/6 STS B 3.3.5.1-39 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP].

W here a setpoint more conservative than the [LTSP] is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance of the [LTSP], then the instrument channel shall be declared inoperable.

The second Note also requires that [LTSP] and the methodologies for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

SR 3.3.5.1.6 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.1, LCO 3.5.2, LCO 3.8.1, and LCO 3.8.2 overlaps this Surveillance to provide complete testing of the assumed safety function.

The [18] month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for unplanned transients if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed at the [18] month Frequency.

SR 3.3.5.1.7 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident analysis.

Response time testing acceptance criteria are included in Reference 5.

ECCS RESPONSE TIME may be verified by actual response time measurements in any series of sequential, overlapping, or total channel measurements.

BW R/6 STS B 3.3.5.1-40 Rev. 3.0, 03/31/04

ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE REQUIREMENTS (continued)

[-----------------------------------REVIEW ERS NOTE----------------------------------

The following Bases are applicable for plants adopting NEDO-32291-A.

However, the measurement of instrument loop response times may be excluded if the conditions of Reference 6 are satisfied.]

ECCS RESPONSE TIME tests are conducted on an [18] month STAGGERED TEST BASIS. The [18] month Frequency is consistent with the typical industry refueling cycle and is based upon plant operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent.

REFERENCES 1. FSAR, Section [5.2].

2. FSAR, Section [6.3].

3. FSAR, Chapter [15].

4. NEDC-30936-P-A, "BW R Owners' Group Technical Specification Improvement Analyses for ECCS Actuation Instrumentation, Part 2,"

December 1988.

5. FSAR, Section [6.3], Table [6.3-2].

[6. NEDO-32291-A, "System Analyses for the Elimination of Selected Response Time Testing Requirements," October 1995.]

BW R/6 STS B 3.3.5.1-41 Rev. 3.0, 03/31/04