ML072120145

From kanterella
Jump to navigation Jump to search

NRC Response to 4/16/2007 Submittal of TSTF-493, Revision 2, Clarify Application of Setpoint Methodology for LSSS Functions, Enclosure 5a - CEOG_3.3.01a_B for TSTF-493R2eITSB
ML072120145
Person / Time
Site: Technical Specifications Task Force
Issue date: 07/25/2007
From: Kobetz T
NRC/NRR/ADRO/DIRS/ITSB
To:
Technical Specifications Task Force
Schulten C. S., NRR/DIRS, 415-1192
Shared Package
ML072070202 List:
References
TAC MD5249, TSTF-493, Rev 2
Download: ML072120145 (44)
v  d  e


Text

RPS Instrumentation - Operating (Analog)

B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Protective System (RPS) Instrumentation - Operating (Analog)

BASES BACKGROUND The Reactor Protective System (RPS) initiates a reactor trip to protect against violating the core specified acceptable fuel design limits and breaching the reactor coolant pressure boundary (RCPB) during anticipated operational occurrences (AOOs). By tripping the reactor, the RPS also assists the Engineered Safety Features (ESF) systems in mitigating accidents.

The protection and monitoring systems have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance. The subset of LSSS that directly protect against violating the Rreactor Ccore Safety Limits and or the Reactor Coolant System (RCS) Ppressure boundary Ssafety Llimits during anticipated operational occurrences (AOOs) are referred to as Safety Limit LSSS (SL-LSSS).

Technical Specifications are required by 10 CFR 50.36 to contain LSSS defined by the regulation as "...settings for automatic protective devices...so chosen that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded." 10 CFR 50.36(c)(1)(ii)(A) requires that TSs include LSSSs for variables that have significant safety functions. For variables on which a SL has been placed, the LSSS must be chosen to initiate automatic protective action to correct abnormal situations before the SL is exceeded. The AnalyticAnalytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that an SLa SL is not exceeded. Any automatic protection action that occurs on reaching the AnalyticAnalytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the AnalyticAnalytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

The trip setpoint is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytic Limit and thus ensuring that the SL would not be exceeded. As such, the trip setpoint accounts for uncertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g., repeatability), changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In CEOG STS B 3.3.1-1 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 this manner, the trip setpoint plays an important role in ensuring that SLs are not exceeded. As such, the trip setpoint meets the definition of an LSSS (Ref. 1) and could be used to meet the requirement that they be contained in the Technical Specifications.

REVIEW ER'S NOTE ------------------------------------

CEOG STS B 3.3.1-2 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the setpoint value calculated by means of the plant-specific setpoint methodology documented in a document controlled under 10 CFR 50.59.

The term Limiting Trip Setpoint indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting.

W here margin is added between the Analytical Limit and trip setpointLTSP, the term Nominal Trip Setpoint (NTSP) is preferred. The trip setpoint (field setting) may be more conservative than the Limiting or Nominal Trip Setpoint. W here the [LTSP] is not included in Table 3.3.1-1 for the purpose of compliance with 10 CFR 50.36, the plant-specific term for the Limiting or Nominal Trip Setpoint must be cited in Note b of Table 3.3.1-1. The brackets indicate plant-specific terms may apply, as reviewed and approved by the NRC. The as-found and as-left tolerances will apply to the actual setpoint implemented in the Surveillance procedures to confirm channel performance.

Licensees are to insert the name of the document(s) controlled under 10 CFR 50.59 that contain the [LTSP] and the methodology for calculating the as-left and as-found tolerances, for the phrase "[a document controlled under 10 CFR 50.59]" in the specifications.

The [Limiting Trip Setpoint (LTSP)] is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the [LTSP] accounts for uncertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g., repeatability), changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the

[LTSP] ensures that SLs are not exceeded. As such, the [LTSP] meets the definition of an SLa SL-LSSS (Ref. 1).

BASES BACKGROUND (continued)

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety function(s)." For automatic protective devices, the required safety function is to ensure that a SL is not exceeded and therefore the LSSS as defined by 10 CFR 50.36 is the same as the OPERABILITY limit for these devices. However, use of the trip setpoint[LTSP] to define OPERABILITY in Technical Specifications and its corresponding designation as the LSSS required by 10 CFR 50.36 would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as -found" value of a protective device setting during a Surveillance. This would result in Technical Specification compliance problems, as well as reports CEOG STS B 3.3.1-3 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the trip setpoint[LTSP] due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the trip setpoint[LTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as -found" setting of the protective device. Therefore, the device would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the device to the trip setpoint to account for further drift during the next surveillance interval.

Use of the trip setpoint to define "as found" OPERABILITY and its designation as the LSSS under the expected circumstances described above would result in actions required by both the rule and Technical Specifications that are clearly not warranted. However, there is also some point beyond which the device would have not been able to perform its function due, for example, to greater than expected drift. This value needs to be specified in the Technical Specifications in order to define OPERABILITY of the devices and is designated as the Allowable Value which, as stated above, is the same as the LSSS.

However, there is also some point beyond which the device would have not been able to perform its function due, for example, to greater than expected drift. The Allowable Value specified in Table 3.3.1-1 is the least conservative value of the as-found setpoint that a channel can have during testing such that a channel is OPERABLE if the trip setpoint is found conservative with respect to the Allowable Value during the The Allowable Valuable specified in Table 3.3.1-1 serves as the LSSS such that a channel is OPERABLE if the trip setpoint is found not to exceed the Allowable Value during the CHANNEL FUNCTIONAL TEST (CFT). As such, the Allowable Value differs from the trip setpoint by an amount primarily equal to the expected instrument loop uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device will still meet the LSSS definition and CHANNEL FUNCTIONAL TEST (CFT). As such, the Allowable Value differs from the [LTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device will ensure that an SLa SL is not exceeded at any given point of time as long as the device has CEOG STS B 3.3.1-4 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES BACKGROUND (continued) not drifted beyond that expected during the surveillance interval. If the actual setting of the device is found to have exceeded the Allowable Value the device would be considered inoperable from a Technical Specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required. Note that, although the channel is "OPERABLE" under these circumstances, the trip setpoint shouldmust be left adjusted to a value within the established trip setpoint calibration as-left tolerance band, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned. (as-found criteria).

If the actual setting of the device is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, then this condition indicates that the instrument is degraded and is not performing in accordance with the setpoint methodology assumptions.

This condition must be entered into the plant corrective action program, the trip setpoint must be left adjusted to a value within the as-left tolerance band, and an immediate determination of operability decision must be made.

If the actual setting of the device is found to be non-conservative with respect to the Allowable Value, the device channel would be considered inoperable from a Technical Specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.

During AOOs, which are those events expected to occur one or more times during the plant life, the acceptable limits are:

  • The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling,
  • Fuel centerline melting shall not occur, and

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 50 (Ref. 2) and 10 CFR 100 (Ref. 3) criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable CEOG STS B 3.3.1-5 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 fraction of 10 CFR 100 (Ref. 3) limits. Different accident categories allow a different fraction of these limits based on probability of occurrence.

Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event. However, these values the acceptable dose limit for an accident category and their associated

[LTSPs] are not considered to be LSSS as defined in 10 CFR 50.36.

The RPS is segmented into four interconnected modules. These modules are:

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES BACKGROUND (continued)

  • Bistable trip units,

This LCO addresses measurement channels and bistable trip units. It also addresses the automatic bypass removal feature for those trips with operating bypasses. The RPS Logic and RTCBs are addressed in LCO 3.3.3, "Reactor Protective System (RPS) Logic and Trip Initiation."

The role of each of these modules in the RPS, including those associated with the logic and RTCBs, is discussed below.

Measurement Channels Measurement channels, consisting of field transmitters or process sensors and associated instrumentation, provide a measurable electronic signal based upon the physical characteristics of the parameter being measured.

The excore nuclear instrumentation and the analog core protection calculators (CPCs) are considered components in the measurement channels. The wide range nuclear instruments (NIs) provide a Power Rate of Change - High Trip. Three RPS trips use a power level designated as Q power as an input. Q power is the higher of NI power and primary calorimetric power ( T power) based on RCS hot leg and cold leg temperatures. Trips using Q power as an input include the Variable High Power Trip (VHPT) - High, Thermal Margin/Low Pressure (TM/LP),

and the Axial Power Distribution (APD) - High trips.

The analog CPCs provide the complex signal processing necessary to calculate the TM/LP trip setpoint, APD trip setpoint, VHPT trip setpoint, and Q power calculation.

The excore NIs (wide range and power range) and the analog CPCs (TM/LP and APD calculators) are mounted in the RPS cabinet, with one channel of each in each of the four RPS bays.

CEOG STS B 3.3.1-7 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES BACKGROUND (continued)

Four identical measurement channels, designated channels A through D, with electrical and physical separation are provided for each parameter used in the direct generation of trip signals. These are designated channels A through D. Measurement channels provide input to one or more RPS bistables within the same RPS channel. In addition, some measurement channels may also be used as inputs to Engineered Safety Features Actuation System (ESFAS) bistables, and most provide indication in the control room. Measurement channels used as an input to the RPS are never used for control functions.

W hen a channel monitoring a parameter exceeds a predetermined setpoint, indicating an unsafe condition, the bistable monitoring the parameter in that channel will trip. Tripping two or more channels of bistables monitoring the same parameter de-energizes Matrix Logic, which in turn de-energizes the Initiation Logic. This causes all eight RTCBs to open, interrupting power to the control element assemblies (CEAs), allowing them to fall into the core.

Three of the four measurement and bistable channels are necessary to meet the redundancy and testability of GDC 21 in 10 CFR 50, Appendix A (Ref. 2). The fourth channel provides additional flexibility by allowing one channel to be removed from service (trip channel bypass) for maintenance or testing while still maintaining a minimum two-out-of-three logic. Thus, even with a channel inoperable, no single additional failure in the RPS can either cause an inadvertent trip or prevent a required trip from occurring.

Since no single failure will either cause or prevent a protective system actuation, and no protective channel feeds a control channel, this arrangement meets the requirements of IEEE Standard 279-1971 (Ref. 4).

Many of the RPS trips are generated by comparing a single measurement to a fixed bistable setpoint.[LTSP]. Certain Functions, however, make use of more than one measurement to provide a trip. The following trips use multiple measurement channel inputs:

BASES BACKGROUND (continued)

RPS Instrumentation - Operating (Analog)

B 3.3.1 This trip uses the lower of the two steam generator pressures as an input to a common bistable.

  • Variable High Power Trip (VHPT) - High The VHPT uses Q power as its only input. Q power is the higher of NI power and T power. It has a trip setpoint that tracks power levels downward so that it is always within a fixed increment above current power, subject to a minimum value.

On power increases, the trip setpoint [Limiting Trip Setpoint] remains fixed unless manually reset, at which point it increases to the new setpoint, a fixed increment above Q power at the time of reset, subject to a maximum value. Thus, during power escalation, the trip setpoint must be repeatedly reset to avoid a reactor trip.

  • Thermal Margin/Low Pressure (TM/LP) and Steam Generator Pressure Difference Q power is only one of several inputs to the TM/LP trip. Other inputs include internal ASI and cold leg temperature based on the higher of two cold leg resistance temperature detectors. The TM/LP trip setpoint is a complex function of these inputs and represents a minimum acceptable RCS pressure to be compared to actual RCS pressure in the TM/LP trip unit.

Steam generator pressure is also an indirect input to the TM/LP trip via the Steam Generator Pressure Difference. This Function provides a reactor trip when the secondary pressure in either steam generator exceeds that of the other generator by greater than a fixed amount. The trip is implemented by biasing the TM/LP trip setpoint upward so as to ensure TM/LP trip if an asymmetric steam generator transient is detected.

  • Axial Power Distribution (APD) - High Q Power and ASI are inputs to the APD trip. The APD trip setpoint is a function of Q power, being more restrictive at higher power levels.

It provides a reactor trip if actual ASI exceeds the APD trip setpoint.

BASES BACKGROUND (continued)

Bistable Trip Units Bistable trip units, mounted in the RPS cabinet, receive an analog input from the measurement channels, compare the analog input to trip setpoints, and provide contact output to the Matrix Logic. They also provide local trip indication and remote annunciation.

CEOG STS B 3.3.1-9 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 There are four channels of bistable trip units, designated A through D, for each RPS Function, one for each measurement channel. Bistable output relays de-energize when a trip occurs.

The contacts from these bistable relays are arranged into six coincidence matrices, comprising the Matrix Logic. The Matrix Logic will generate a reactor trip (two-out-of-four logic), if If bistables monitoring the same parameter in at least two channels trip,. the Matrix Logic will generate a reactor trip (two-out-of-four logic).

Some of the RPS measurement channels provide contact outputs to the RPS, so the comparison of an analog input to a trip setpoint is not necessary. In these cases, the bistable trip unit is replaced with an auxiliary trip unit. The auxiliary trip units provide contact multiplication so the single input contact opening can provide multiple contact outputs to the coincidence logic as well as trip indication and annunciation.

Trips employing auxiliary trip units include the Loss of Load trip and the APD - High trip. The Loss of Load trip is a contact input from the Electro Hydraulic Control System control oil pressure on each of the four high pressure stop valves.

The APD trip, described above, is a complex function in which the actual trip comparison is performed within the CPC. Therefore the APD - High trip unit employs a contact input from the CPC.

All RPS trips, with the exception of the Loss of Load trip, generate a pretrip alarm as the trip setpoint is approached.

The trip setpoints used in the bistable trip units are based on the analytical limits stated in Reference 5. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors - for those RPS channels that must function in harsh environments, as defined by 10 CFR 50.49 (Ref. 6) - Allowable Values specified in Table 3.3.1-1, in the accompanying LCO, are BASES BACKGROUND (continued) conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is provided in the "Plant Protection System Selection of Trip Setpoint Values" (Ref. 7). The nominal trip setpoint entered into the bistable is normally still more conservative than that specified by the Allowable Value, to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST.

One example of such a change in measurement error is drift during the CEOG STS B 3.3.1-10 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 interval between surveillances. A channel is inoperable if its actual as-found setpoint is not withinconservative with respect to its required Allowable Value.

Setpoints in accordance with the Allowable Value will ensure that SLs of Chapter 2.0 are not violated during AOOs and the consequences of DBAs will be acceptable, providing the plant is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed.

[LTSPs] in accordance with the Allowable Value will ensure that SLs of Chapter 2.0 are not violated during AOOs and the consequences of DBAs will be acceptable, providing the plant is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed.

Note that in the accompanying LCO 3.3.1, the Allowable Values of Table 3.3.1-1 are the LSSS.least conservative value of the as-found setpoint that a channel can have during a periodic CHANNEL CALIBRATION or CHANNEL FUNCTIONAL TEST, such that a channel is operable if the as-found setpoint is conservative with respect to the Allowable Value.

RPS Logic The RPS Logic, addressed in LCO 3.3.3, consists of both Matrix and Initiation Logic and employs a scheme that provides a reactor trip when bistables in any two out of the four channels sense the same input parameter trip. This is called a two-out-of-four trip logic. This logic and the RTCB configuration are shown in Figure B 3.3.1-1.

Bistable relay contact outputs from the four channels are configured into six logic matrices. Each logic matrix checks for a coincident trip in the same parameter in two bistable channels. The matrices are designated the AB, AC, AD, BC, BD, and CD matrices to reflect the bistable channels being monitored. Each logic matrix contains four normally energized matrix relays. W hen a coincidence is detected, consisting of a trip in the same Function in the two channels being monitored by the logic matrix, all four matrix relays de-energize.

The matrix relay contacts are arranged into trip paths, with one of the four matrix relays in each matrix opening contacts in one of the four trip paths.

Each trip path provides power to one of the four normally energized RTCB control relays (K1, K2, K3, and K4). The trip paths thus each have six contacts in series, one from each matrix, and perform a logical OR function, opening the RTCBs if any one or more of the six logic matrices indicate a coincidence condition.

BASES BACKGROUND (continued)

CEOG STS B 3.3.1-11 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 Each trip path is responsible for opening one set of two of the eight RTCBs. The RTCB control relays (K-relays), when de-energized, interrupt power to the breaker undervoltage trip attachments and simultaneously apply power to the shunt trip attachments on each of the two breakers. Actuation of either the undervoltage or shunt trip attachment is sufficient to open the RTCB and interrupt power from the motor generator (MG) sets to the control element drive mechanisms (CEDMs).

W hen a coincidence occurs in two RPS channels, all four matrix relays in the affected matrix de-energize. This in turn de-energizes all four RTCB control relays, which simultaneously de-energize the undervoltage and energize the shunt trip attachments in all eight RTCBs, tripping them open.

Matrix Logic refers to the matrix power supplies, trip channel bypass contacts, and interconnecting matrix wiring between bistable and auxiliary trip units, up to but not including the matrix relays. Contacts in the bistable and auxiliary trip units are excluded from the Matrix Logic definition, since they are addressed as part of the measurement channel.

The Initiation Logic consists of the trip path power source, matrix relays and their associated contacts, all interconnecting wiring, and solid state (auxiliary) relays through the K-relay contacts in the RTCB control circuitry.

It is possible to change the two-out-of-four RPS Logic to a two-out-of-three logic for a given input parameter in one channel at a time by trip channel bypassing select portions of the Matrix Logic. Trip channel bypassing a bistable effectively shorts the bistable relay contacts in the three matrices associated with that channel. Thus, the bistables will function normally, producing normal trip indication and annunciation, but a reactor trip will not occur unless two additional channels indicate a trip condition. Trip channel bypassing can be simultaneously performed on any number of parameters in any number of channels, providing each parameter is bypassed in only one channel at a time. An interlock prevents simultaneous trip channel bypassing of the same parameter in more than one channel. Trip channel bypassing is normally employed during maintenance or testing.

BASES BACKGROUND (continued)

For those plants that have demonstrated sufficient channel to channel independence, two-out-of-three logic is the minimum that is required to provide adequate plant protection, since a failure of one channel still ensures a reactor trip would be generated by the two remaining OPERABLE channels. Two-out-of-three logic also prevents inadvertent trips caused by any single channel failure in a trip condition.

CEOG STS B 3.3.1-12 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 In addition to the trip channel bypasses, there are also operating bypasses on select RPS trips. Some of these bypasses are enabled manually, others automatically, in all four RPS channels when plant conditions do not warrant the specific trip protection. All operating bypasses are automatically removed when enabling bypass conditions are no longer satisfied. Trips with operating bypasses include Power Rate of Change - High, Reactor Coolant Flow - Low, Steam Generator Pressure - Low, APD - High, TM/LP, and Steam Generator Pressure Difference. [The Loss of Load trip, Power Rate of Change - High, and APD - High operating bypasses are automatically enabled and disabled.]

Reactor Trip Circuit Breakers (RTCBs)

The reactor trip switchgear, addressed in LCO 3.3.3 and shown in Figure B 3.3.1-1, consists of eight RTCBs, which are operated in four sets of two breakers (four channels). Power input to the reactor trip switchgear comes from two full capacity MG sets operated in parallel such that the loss of either MG set does not de-energize the CEDMs.

There are two separate CEDM power supply buses, each bus powering half of the CEDMs. Power is supplied from the MG sets to each bus via two redundant paths (trip legs). Trip legs 1A and 1B supply power to CEDM bus 1. Trip legs 2A and 2B supply power to CEDM bus 2. This ensures that a fault or the opening of a breaker in one trip leg (i.e., for testing purposes) will not interrupt power to the CEDM buses.

Each of the four trip legs consists of two RTCBs in series. The two RTCBs within a trip leg are actuated by separate initiation circuits.

The eight RTCBs are operated as four sets of two breakers (four channels). For example, if a breaker receives an open signal in trip leg A (for CEDM bus 1), an identical breaker in trip leg B (for CEDM bus 2) will also receive an open signal. This arrangement ensures that power is interrupted to both CEDM buses, thus preventing trip of only half of the CEAs (a half trip). Any one inoperable breaker in a channel will make the entire channel inoperable.

BASES BACKGROUND (continued)

Each set of RTCBs is operated by either a Manual Trip push button or an RPS actuated K-relay. There are four Manual Trip push buttons, arranged in two sets of two, as shown in Figure B 3.3.1-1. Depressing both push buttons in either set will result in a reactor trip.

W hen a Manual Trip is initiated using the control room push buttons, the RPS trip paths and K-relays are bypassed, and the RTCB undervoltage and shunt trip attachments are actuated independent of the RPS.

Manual Trip circuitry includes the push button and interconnecting wiring to both RTCBs necessary to actuate both the undervoltage and shunt trip CEOG STS B 3.3.1-13 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 attachments but excludes the K-relay contacts and their interconnecting wiring to the RTCBs, which are considered part of the Initiation Logic.

Functional testing of the entire RPS, from bistable input through the opening of individual sets of RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis.

FSAR, Section [7.2] (Ref. 8), explains RPS testing in more detail.

APPLICABLE Each of the analyzed accidents and transients can be detected by one SAFETY or more RPS Functions. The accident analysis contained in Reference 5 ANALYSES takes credit for most RPS trip Functions. Functions not specifically credited in the accident analysis are part of the NRC approved licensing basis for the plant. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance.

Other Functions, such as the Loss of Load trip, are purely equipment protective, and their use minimizes the potential for equipment damage.

Trip Setpoints that directly protect against violating the Rreactor Ccore Safety Limits or the Reactor Coolant System (RCS) pPressure boundary Safety Limits during anticipated operational occurrences (AOOs) are Safety Limit-Limiting Safety System Settings (SL-LSSS). Permissive and interlock setpoints allow bypass of trips when they are not required by the Safety Analysis. These permissives and interlocks ensure that the starting conditions are consistent with the safety analysis, before preventative or mitigating actions occur. Because these permissives or interlocks are only one of multiple conservative starting assumptions for the accident analysis, they are generally considered as nominal values without regard to measurement accuracy, (i.e. the value indicated is sufficiently close to the necessary value to ensure proper operation of the safety systems to turn the AOO). Therefore permissives and interlocks are not considered to be SL-LSSS.

The specific safety analyses applicable to each protective Function are identified below:

1. Variable High Power Trip (VHPT) - High The VHPT provides reactor core protection against positive reactivity excursions that are too rapid for a Pressurizer Pressure - High or TM/LP trip to protect against. The following events require VHPT protection:
  • Uncontrolled CEA withdrawal event,
  • Excess load, BASES APPLICABLE SAFETY ANALYSES (continued)

RPS Instrumentation - Operating (Analog)

B 3.3.1

  • CEA ejection event, and

The first three events are AOOs, and fuel integrity is maintained. The fourth and fifth are accidents, and limited fuel damage may occur.

2. Power Rate of Change - High The Power Rate of Change - High trip is used to trip the reactor when excore [logarithmic] power indicates an excessive rate of change.

The Power Rate of Change - High Function minimizes transients for events such as a continuous CEA withdrawal or a boron dilution event from low power levels. The trip may be bypassed when THERMAL POW ER is < 1E-4% RTP, when poor counting statistics may lead to erroneous indication. It is also bypassed at > 15% RTP, where moderator temperature coefficient and fuel temperature coefficient make high rate of change of power unlikely. W ith the RTCBs open, the Power Rate of Change - High trip is not required to be OPERABLE; however, the indication and alarm Functions of at least two channels are required by LCO 3.3.13, "[Logarithmic] Power Monitoring Channels," to be OPERABLE. LCO 3.3.13 ensures the

[logarithmic] channels are available to detect and alert the operator to a boron dilution event.

3. Reactor Coolant Flow - Low The Reactor Coolant Flow - Low trip provides protection during the following events:
  • Loss of RCS flow,
  • Loss of nonemergency AC power,
  • RCP sheared shaft, and
  • Certain MSLB events.

The loss of RCS flow and of nonemergency AC power events are AOOs where fuel integrity is maintained. The RCP seized shaft, sheared shaft, and MSLBs are accidents where fuel damage may result.

BASES APPLICABLE SAFETY ANALYSES (continued)

4. Pressurizer Pressure - High CEOG STS B 3.3.1-15 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 The Pressurizer Pressure - High trip, in conjunction with pressurizer safety valves and main steam safety valves (MSSVs), provides protection against overpressure conditions in the RCS during the following events:

  • Isolation of turbine at 102% power,
  • CEA withdrawal, and
5. Containment Pressure - High The Containment Pressure - High trip prevents exceeding the containment design pressure during certain loss of coolant accidents (LOCAs) or feedwater line break accidents. It ensures a reactor trip prior to, or concurrent with, a LOCA, thus assisting the ESFAS in the event of a LOCA or MSLB. Since these are accidents, SLs may be violated. However, the consequences of the accident will be acceptable.
6. Steam Generator Pressure - Low The Steam Generator Pressure - Low trip provides protection against an excessive rate of heat extraction from the steam generators, which would result in a rapid uncontrolled cooldown of the RCS. This trip is needed to shut down the reactor and assist the ESFAS in the event of an MSLB. Since these are accidents, SLs may be violated.

However, the consequences of the accident will be acceptable.

BASES APPLICABLE SAFETY ANALYSES (continued) 7.a, 7.b. Steam Generator A and B Level - LowThe Steam Generator A Level - Low and Steam Generator B Level - Low trips are required for the following events:

  • Steam System piping failures,

RPS Instrumentation - Operating (Analog)

B 3.3.1

The Steam Generator Level - Low trip ensures that low DNBR, high local power density, and the RCS pressure SLs are maintained during normal operation and AOOs, and, in conjunction with the ESFAS, the consequences of the Feedwater System pipe break accident will be acceptable.

8. Axial Power Distribution (APD) - High The APD - High trip ensures that excessive axial peaking, such as that due to axial xenon oscillations, will not cause fuel damage. It ensures that neither a DNBR less than the SL nor a peak linear heat rate that corresponds to the temperature for fuel centerline melting will occur. This trip is the primary protection against fuel centerline melting.
9. Thermal Margin
a. Thermal Margin/Low Pressure (TM/LP)

The TM/LP trip prevents exceeding the DNBR SL during AOOs and aids the ESFAS during certain accidents. The following events require TM/LP protection:

CEOG STS B 3.3.1-17 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES APPLICABLE SAFETY ANALYSES (continued)

  • RCS depressurization (inadvertent safety or power operated relief valves (PORVs) opening),

The first two events are AOOs, and fuel integrity is maintained.

The third and fourth are accidents, and limited fuel damage may occur although only the LOCA is expected to result in fuel damage. The trip is initiated whenever the RCS pressure signal drops below a minimum value (P min) or a computed value (P var) as described below, whichever is higher. The computed value is a Function Q power, ASI, as determined from the axially split excore detectors, reactor inlet (cold leg) temperature, and the number of RCPs operating.

The minimum value of reactor coolant flow rate, the maximum T Q , and the maximum CEA deviation permitted for continuous operation are assumed in the generation of this trip Function. In addition, CEA group sequencing in accordance with LCO 3.1.6, "Regulating Control Element Assembly (CEA) Insertion Limits,"

is assumed. Finally, the maximum insertion of CEA banks that can occur during any AOO prior to a VHPT is assumed.

b. Steam Generator Pressure Difference The Steam Generator Pressure Difference provides protection for those AOOs associated with secondary system malfunctions that result in asymmetric primary coolant temperatures. The most limiting event is closure of a single main steam isolation valve. Steam Generator Pressure Difference is provided by comparing the secondary pressure in both steam generators in the TM/LP calculator. If the pressure in either exceeds that in the other by the trip setpoint, a TM/LP trip will result.

CEOG STS B 3.3.1-18 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES APPLICABLE SAFETY ANALYSES (continued)

10. Loss of Load The Loss of Load (turbine stop valve (TSV) control oil pressure) trip is anticipatory for the loss of heat removal capabilities of the secondary system following a turbine trip. The Loss of Load trip prevents lifting the pressurizer safety valves, PORVs, and MSSVs in the event of a turbine generator trip. Thus, the trip minimizes the pressure and temperature transients on the reactor by initiating a trip well before reaching the Pressurizer Pressure - High trip and pressurizer safety valve setpoints. The four RPS Loss of Load reactor trip channels receive their input from sensors mounted on the high pressure TSV actuators. Since there are four high pressure TSVs, one actuator per valve and one sensor per actuator, each sensor sends its signal to a different RPS channel. W hen the turbine trips, control oil is dumped from the high pressure TSVs. W hen the control oil pressure drops to the appropriate setpoint, a reactor trip signal is generated.

Interlocks/Bypasses The bypasses and their Allowable Values are addressed in footnotes to Table 3.3.1-1. They are not otherwise addressed as specific Table entries.

The automatic bypass removal features must function as a backup to manual actions for all safety related trips to ensure the trip Functions are not operationally bypassed when the safety analysis assumes the Functions are not bypassed. The RPS operating bypasses are:

Zero power mode bypass (ZPMB) removal on the TM/LP, Steam Generator Pressure Difference, and reactor coolant low flow trips when THERMAL POW ER is < 1E-4% RTP. This bypass is manually enabled below the specified setpoint to permit low power testing. The wide range NI Level 1 bistable in the wide range drawer permits manual bypassing below the setpoint and removes the bypass above the setpoint.

Power rate of change bypass removal. The Power Rate of Change - High trip is automatically bypassed at < 1E-4% RTP, as sensed by the wide range NI Level 2 bistable, and at > 12% RTP by the power range NI Level 1 bistable, mounted in their respective NI drawers. Automatic bypass removal is also effected by these bistables when conditions are no longer satisfied.

BASES APPLICABLE SAFETY ANALYSES (continued)

CEOG STS B 3.3.1-19 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 Loss of Load and APD - High bypass removal. The Loss of Load and APD - High trips are automatically bypassed when at < 15% RTP as sensed by the power range NI Level 1 bistable. The bypass is automatically removed by this bistable above the setpoint. This same bistable is used to bypass the Power Rate of Change - High trip.

Steam Generator Pressure - Low bypass removal. The Steam Generator Pressure - Low trip is manually enabled below the pretrip setpoint. The permissive is removed, and the bypass automatically removed, when the Steam Generator Pressure - Low pretrip clears.

The RPS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The LCO requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any required portion of the instrument channel renders the affected channel(s) inoperable and reduces the reliability of the affected Functions. The specific criteria for determining channel OPERABILITY differ slightly between Functions. These criteria are discussed on a Function by Function basis below.

Actions allow maintenance (trip channel) bypass of individual channels, but the bypass activates interlocks that prevent operation with a second channel in the same Function bypassed. Plants are restricted to 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> in a trip channel bypass condition before either restoring the Function to four channel operation (two-out-of-four logic) or placing the channel in trip (one-out-of-three logic). At plants where adequate channel to channel independence has been demonstrated, specific exceptions may be approved by the NRC staff to permit one of the two-out-of-four channels to be bypassed for an extended period of time.

Only the Allowable Values are specified for each RPS trip Function in the LCO. The [LTSP] and the methodologies for calculation of the as-left and as-found tolerances are described in [a document controlled under 10 CFR 50.59]. The [LTSPs] are selected to ensure that the setpoint measured by CHANNEL FUNCTIONAL TESTS does not exceed the Allowable Value if the bistable is performing as required. The Allowable Value specified in Table 3.3.1-1 is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the as-found setpoint is conservative with respect to the Allowable Value during the CHANNEL FUNCTIONAL TEST (CFT). Each Allowable Value specified is more conservative than instrument uncertainties appropriate to the trip Function. These uncertainties are defined in the "Plant Protection System Selection of Trip Setpoint Values" (Ref. 7). As such, the Allowable Value differs from the

[LTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device will ensure that a SL is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval.

CEOG STS B 3.3.1-20 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria). If the actual setting of the device is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, then this condition indicates that the instrument is degraded and is not performing in accordance with the setpoint methodology assumptions. This condition must be entered into the plant corrective action program, the trip setpoint must be left adjusted to a value within the as-left tolerance band, and an immediate determination of operability decision must be made. If the actual setting of the device is found to be non-conservative with respect to the Allowable Value, the channel device would be considered inoperable. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.

Only the Allowable Values are specified for each RPS trip Function in the LCO. Nominal trip setpoints are specified in the plant specific setpoint calculations.[Limiting Trip Setpoints and the methodologies to calculate the as-left and as-found tolerances are specified in [a document controlled under 10 CFR 50.59]. The nominal setpoints are selected to ensure the setpoints measured by CHANNEL FUNCTIONAL TESTS do not exceed the are conservative with respect to the Allowable Value if the bistable is performing as required. Operation with a trip setpoint less conservative than the nominal trip setpoint, Limiting Trip Setpoint but withinconservative with respect to its Allowable Value, is acceptable, provided that operation and testing are consistent with the assumptions of the plant specific setpoint calculations. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis in order to account for instrument uncertainties appropriate to the trip Function. These uncertainties are defined in the "Plant Protection System Selection of Trip Setpoint Values" (Ref. 7).

CEOG STS B 3.3.1-21 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES LCO (continued)

The following Bases for each trip Function identify the above RPS trip Function criteria items that are applicable to establish the trip Function OPERABILITY.

1. Variable High Power Trip (VHPT) - High This LCO requires all four channels of the VHPT to be OPERABLE in MODES 1 and 2.

The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Linear Power Level - High reactor VHPT - High trips during normal plant operations. The Allowable Value is low enough for the system to maintain a margin to unacceptable fuel cladding damage should a CEA ejection accident occur.

The VHPT setpoint is operator adjustable and can be set at a fixed increment above the indicated THERMAL POW ER level. Operator action is required to increase the trip setpoint as THERMAL POW ER is increased. The trip setpoint is automatically decreased as THERMAL POW ER decreases. The trip setpoint[LTSP] has a maximum and a minimum setpoint.

Adding to this maximum value the possible variation in trip setpoint[LTSP] due to calibration and instrument errors, the maximum actual steady state THERMAL POW ER level at which a trip would be actuated is 112% RTP, which is the value used in the safety analyses.

To account for these errors, the safety analysis minimum value is 40% RTP. The 10% step is a maximum value assumed in the safety analysis. There is no uncertainty applied to the step.

2. Power Rate of Change - High This LCO requires four channels of Power Rate of Change - High to be OPERABLE in MODES 1 and 2, as well as in MODES 3, 4, and 5 when the RTCBs are closed and the CEA Drive System is capable of CEA withdrawal.

The high power rate of change trip serves as a backup to the administratively enforced startup rate limit. The Function is not credited in the accident analyses; therefore, the Allowable Value for the trip or bypass Functions is not derived from analytical limits.

CEOG STS B 3.3.1-22 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES LCO (continued)

3. Reactor Coolant Flow - Low This LCO requires four channels of Reactor Coolant Flow - Low to be OPERABLE in MODES 1 and 2.

The trip may be manually bypassed when THERMAL POW ER falls below 1E-4% RTP. This bypass is part of the ZPMB circuitry, which also bypasses the TM/LP trip and provides a T power block signal to the Q power select logic. This ZPMB allows low power physics testing at reduced RCS temperatures and pressures. It also allows heatup and cooldown with shutdown CEAs withdrawn.

This trip is set high enough to maintain fuel integrity during a loss of flow condition. The setting is low enough to allow for normal operating fluctuations from offsite power. To account for analysis uncertainty, the value in the safety analysis is 93% RTP.

4. Pressurizer Pressure - High This LCO requires four channels of Pressurizer Pressure - High to be OPERABLE in MODES 1 and 2.

The Allowable Value is set high enough to allow for pressure increases in the RCS during normal operation (i.e., plant transients) not indicative of an abnormal condition. The setting is below the lift setpoint of the pressurizer safety valves and low enough to initiate a reactor trip when an abnormal condition is indicated. The difference between the Allowable Value and the analysis setpoint of 2470 psia includes allowance for harsh environment.

The Pressurizer Pressure - High trip concurrent with PORV operation avoids unnecessary operation of the pressurizer safety valves.

5. Containment Pressure - High This LCO requires four channels of Containment Pressure - High to be OPERABLE in MODES 1 and 2.

The Allowable Value is high enough to allow for small pressure increases in containment expected during normal operation (i.e.,

plant heatup) that are not indicative of an abnormal condition. The setting is low enough to initiate a reactor trip to prevent containment pressure from exceeding design pressure following a DBA.

CEOG STS B 3.3.1-23 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES LCO (continued)

6. Steam Generator Pressure - Low This LCO requires four channels of Steam Generator Pressure - Low per steam generator to be OPERABLE in MODES 1 and 2.

The Allowable Value is sufficiently below the full load operating value for steam pressure so as not to interfere with normal plant operation, but still high enough to provide the required protection in the event of excessive steam demand. Since excessive steam demand causes the RCS to cool down, resulting in positive reactivity addition to the core, a reactor trip is required to offset that effect.

The difference between the Allowable Value and the safety analysis value of 600 psia includes harsh environment uncertainties.

The Function may be manually bypassed as steam generator pressure is reduced during controlled plant shutdowns. This bypass is permitted at a preset steam generator pressure. The bypass, in conjunction with the ZPMB, allows testing at low temperatures and pressures, and heatup and cooldown with the shutdown CEAs withdrawn. From a bypass condition the trip will be reinstated automatically as steam generator pressure increases above the preset pressure.

7.a, 7.b. Steam Generator Level - Low This LCO requires four channels of Steam Generator Level - Low per steam generator to be OPERABLE in MODES 1 and 2.

The Allowable Value is sufficiently below the normal operating level for the steam generators so as not to cause a reactor trip during normal plant operations. The trip setpoint is high enough to ensure a reactor trip signal is generated before water level drops below the top of the feed ring. The difference between the Allowable Value and the measurement value includes 10 inches of measurement uncertainty.

The specified setpoint ensures there will be sufficient water inventory to provide a 10 minute margin before auxiliary feedwater is required for the removal of decay heat.

CEOG STS B 3.3.1-24 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES LCO (continued)

8. Axial Power Distribution (APD) - High This LCO requires four channels of APD - High to be OPERABLE in MODE 1 $ 15% RTP.

The Allowable Value curve was derived from an analysis of many axial power shapes with allowances for instrumentation inaccuracies and the uncertainty associated with the excore to incore ASI relationship.

The APD trip is automatically bypassed at < 15% RTP, where it is not required for reactor protection.

9. Thermal Margin
a. Thermal Margin/Low Pressure (TM/LP)

This LCO requires four channels of TM/LP to be OPERABLE in MODES 1 and 2.

The Allowable Value includes allowances for equipment response time, measurement uncertainties, processing error, and a further allowance to compensate for the time delay associated with providing effective termination of the occurrence that exhibits the most rapid decrease in margin to the SL.

This trip may be manually bypassed when THERMAL POW ER falls below 1E-4% RTP. This bypass is part of the ZPMB circuitry, which also bypasses the Reactor Coolant Flow - Low trip and provides a T power block signal to the Q power select logic. This ZPMB allows low power physics testing at reduced RCS temperatures and pressures. It also allows heatup and cooldown with shutdown CEAs withdrawn.

b. Steam Generator Pressure Difference This LCO requires four channels of Steam Generator Pressure Difference to be OPERABLE in MODES 1 and 2.

CEOG STS B 3.3.1-25 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES LCO (continued)

The Allowable Value is high enough to avoid trips caused by normal operation and minor transients, but ensures DNBR protection in the event of Design Basis Events. The difference between the Allowable Value and the 175 psia analysis setpoint allows for 40 psia of measurement uncertainty.

The trip may be bypassed when THERMAL POW ER falls below 1E-4% RTP. The Steam Generator Pressure Difference is subject to the ZPMB, since it is an input to the TM/LP trip and is not required for protection at low power levels.

10. Loss of Load The LCO requires four Loss of Load trip channels to be OPERABLE in MODE 1 ³ 15% RTP.

The Loss of Load trip may be bypassed when THERMAL POW ER falls below 15%, since it is no longer needed to prevent lifting of the pressurizer safety valves, steam generator safety valves, or PORVs in the event of a Loss of Load. The Nuclear Steam Supply System and the Steam Dump System are capable of accommodating the Loss of Load without requiring the use of the above equipment.

Interlocks/Bypasses The LCO on bypass permissive removal channels requires that the automatic bypass removal feature of all four operating bypass channels be OPERABLE for each RPS Function with an operating bypass in the MODES addressed in the specific LCO for each Function. All four bypass removal channels must be OPERABLE to ensure that none of the four RPS channels are inadvertently bypassed.

The LCO applies to the bypass removal feature only. If the bypass enable Function is failed so as to prevent entering a bypass condition, operation may continue.

The interlock Allowable Values are based on analysis requirements for the bypassed functions. These are discussed above as part of the LCO discussion for the affected Functions.

CEOG STS B 3.3.1-26 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES APPLICABILITY This LCO is applicable in accordance with Table 3.3.1-1. Most RPS trips are required to be OPERABLE in MODES 1 and 2 because the reactor is critical in these MODES. The trips are designed to take the reactor subcritical, maintaining the SLs during AOOs and assisting the ESFAS in providing acceptable consequences during accidents. Exceptions are addressed in footnotes to the table. Exceptions to this APPLICABILITY are:

  • The APD - High Trip and Loss of Load are only applicable in MODE 1 $ 15% RTP because they may be automatically bypassed at

< 15% RTP, where they are no longer needed.

  • The Power Rate of Change - High trip, RPS Logic, RTCBs, and Manual Trip are also required in MODES 3, 4, and 5, with the RTCBs closed, to provide protection for boron dilution and CEA withdrawal events. The Power Rate of Change - High trip in these lower MODES is addressed in LCO 3.3.2, "Reactor Protective System (RPS)

Instrumentation - Shutdown." The RPS Logic in MODES 1, 2, 3, 4, and 5 is addressed in LCO 3.3.3.

Most trips are not required to be OPERABLE in MODES 3, 4, and 5. In MODES 3, 4, and 5, the emphasis is placed on return to power events.

The reactor is protected in these MODES by ensuring adequate SDM.

ACTIONS The most common causes of channel inoperability are outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the plant specific setpoint analysis. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to bring it to within specification. If the trip setpoint is less non-conservative thanwith respect to the Allowable Value in Table 3.3.1-1, the channel is declared inoperable immediately, and the appropriate Condition(s) must be entered immediately.

In the event a channel's trip setpoint is found non-conservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or RPS bistable trip unit is found inoperable, then all affected Functions provided by that channel must be declared inoperable, and the plant must enter the Condition for the particular protection Function affected.

W hen the number of inoperable channels in a trip Function exceeds that specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 is immediately entered if applicable in the current MODE of operation.

CEOG STS B 3.3.1-27 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES ACTIONS (continued)

A Note has been added to the ACTIONS to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Function. The Completion Times of each inoperable Function will be tracked separately for each Function, starting from the time the Condition was entered.

A.1, A.2.1, and A.2.2 Condition A applies to the failure of a single channel in any RPS automatic trip Function. RPS coincidence logic is normally two-out-of-four.

If one RPS bistable trip unit or associated instrument channel is inoperable, startup or power operation is allowed to continue, providing the inoperable trip unit is placed in bypass or trip within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (Required Action A.1). W ith one channel in bypass, no additional random failure of a single channel could spuriously trip the reactor and a valid trip signal can still trip the reactor. W ith one channel in trip, an additional random failure of a single channel could spuriously trip the reactor. Therefore, it is preferable to place an inoperable channel in bypass rather than trip.

The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> allotted to restore, bypass, or trip the channel is sufficient to allow the operator to take all appropriate actions for the failed channel while ensuring that the risk involved in operating with the failed channel is acceptable.

The failed channel is restored to OPERABLE status or is placed in trip within [48] hours (Required Action A.2.1 or Required Action A.2.2).

Required Action A.2.1 restores the full capability of the Function.

[ Required Action A.2.2 places the Function in a one-out-of-three configuration. In this configuration, common cause failure of dependent channels cannot prevent trip. ]

The Completion Time of [48] hours is based on operating experience, which has demonstrated that a random failure of a second channel occurring during the [48] hour period is a low probability event.

CEOG STS B 3.3.1-28 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES ACTIONS (continued)

B.1 and B.2 Condition B applies to the failure of two channels in any RPS automatic trip Function.

Required Action B.1 provides for placing one inoperable channel in bypass and the other channel in trip within the Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.

This Completion Time is sufficient to allow the operator to take all appropriate actions for the failed channels while ensuring that the risk involved in operating with the failed channels is acceptable. W ith one channel of protective instrumentation bypassed, the RPS is in a two-out-of-three logic; but with another channel failed, the RPS may be operating in a two-out-of-two logic. This is outside the assumptions made in the analyses and should be corrected. To correct the problem, the second channel is placed in trip. This places the RPS in a one-out-of-two logic. If any of the other OPERABLE channels receives a trip signal, the reactor will trip.

One channel should be restored to OPERABLE status within [48] hours for reasons similar to those stated under Condition A. After one channel is restored to OPERABLE status, the provisions of Condition A still apply to the remaining inoperable channel. Therefore, the channel that is still inoperable after completion of Required Action B.2 must be placed in trip if more than [48] hours have elapsed since the initial channel failure.

C.1 and C.2 The excore detectors are used to generate the internal ASI used as an input to the TM/LP and APD - High trips. Incore detectors provide a more accurate measurement of ASI. If one or more excore detectors cannot be calibrated to match incore detectors, power is restricted or reduced during subsequent operations because of increased uncertainty associated with using uncalibrated excore detectors.

The Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is adequate to perform the SR while minimizing the risk of operating in an unsafe condition.

CEOG STS B 3.3.1-29 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES ACTIONS (continued)

D.1, D.2.1, D.2.2.1, and D.2.2.2 Condition D applies to one automatic bypass removal channel inoperable.

If the bypass removal channel for any operating bypass cannot be restored to OPERABLE status, the associated RPS channel may be considered OPERABLE only if the bypass is not in effect. Otherwise, the affected RPS channel must be declared inoperable, as in Condition A, and the bypass either removed or the bypass removal channel repaired.

The Bases for Required Actions and Completion Times are the same as discussed for Condition A.

E.1, E.2.1, and E.2.2 Condition E applies to two inoperable automatic bypass removal channels. If the bypass removal channels cannot be restored to OPERABLE status, the associated RPS channel may be considered OPERABLE only if the bypass is not in effect. Otherwise, the affected RPS channels must be declared inoperable, as in Condition B, and the bypass either removed or the bypass removal channel repaired. Also, Required Action E.2.2 provides for the restoration of the one affected automatic trip channel to OPERABLE status within the rules of Completion Time specified under Condition B. Completion Times are consistent with Condition B.

F.1 Condition F is entered when the Required Action and associated Completion Time of Conditions A, B, C, D, or E are not met for the Axial Power Distribution and Loss of Load Trip Functions.

If the Required Actions associated with these Conditions cannot be completed within the required Completion Times, the reactor must be brought to a MODE in which the Required Actions do not apply. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> to reduce THERMAL POW ER to

< 15% RTP is reasonable, based on operating experience, to decrease power to < 15% RTP from full power conditions in an orderly manner and without challenging plant systems.

CEOG STS B 3.3.1-30 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES ACTIONS (continued)

G.1 Condition G is entered when the Required Action and associated Completion Time of Conditions A, B, C, D, E, or F are not met.

If the Required Actions associated with these Conditions cannot be completed within the required Completion Times, the reactor must be brought to a MODE in which the Required Actions do not apply. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> to be in MODE 3 is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE The SRs for any particular RPS Function are found in the SR column of REQUIREMENTS Table 3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, CHANNEL CALIBRATION, and response time testing.

REVIEW ERS NOTE-----------------------------------

In order for a plant to take credit for topical reports as the basis for justifying Frequencies, topical reports must be supported by an NRC staff SER that establishes the acceptability of each topical report for that plant (Ref. 9).

REVIEW ERS NOTE ------------------------------------

The Notes in Table 3.3.1-1 requiring reset of the channel to a predefined as-left tolerance and the verification of the as-found tolerance are only associated with SL-LSSS values. Therefore, the Notes are applied to specific SRs for the associated functions in the SR column only. The Notes may be placed at the top of the Allowable Value column in the Table and applied to all Functions with allowable values in the table.

REVIEW ERS NOTE ------------------------------------

Notes 1 and 2 are applied to the setpoint verification Surveillances for all SL-LSSS Functions unless one or more of the following exclusions apply:

1. Notes 1 and 2 are not applied to SL-LSSS Functions which utilize mechanical components to sense the trip setpoint or to manual initiation circuits (the latter are not explicitly modeled in the accident analysis). Examples of mechanical components are limit switches, float switches, proximity detectors, manual actuation switches, and other such devices that are normally only checked on a "go/no go" basis. Note 1 requires a comparison of the periodic surveillance requirement results to provide an indication of channel (or individual device) performance. This comparison is not valid for most CEOG STS B 3.3.1-31 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 mechanical components. W hile it is possible to verify that a limit switch functions at a point of travel, a change in the surveillance result probably indicates that the switch has moved, not that the input/output relationship has changed. Therefore, a comparison of surveillance requirement results would not provide an indication of the channel or component performance.

2. Notes 1 and 2 are not applied to Technical Specifications associated with mechanically operated safety relief valves. The performance of these components is already controlled (i.e., trended with as-left and as-found limits) under the ASME Section XI testing program.
3. Notes 1 and 2 are may not applyied to SL-LSSS Functions and Surveillances which test only digital components. For purely digital components, such as actuation logic circuits and associated relays, there is no expected change in result between surveillance performances other than measurement and test errors (M&TE) and, therefore, justification is needed to confirm that comparison of Surveillance results does not provide an indication of channel or component performance.

An evaluation of the potential SL-LSSS Functions resulted in Notes 1 and 2 being applied to the Functions shown in the TS markups. Each licensee proposing to fully adopt this TSTF must review the potential SL-LSSS Functions to identify which of the identified functions are SL-LSSS according to the definition of SL-LSSS and their plant specific safety analysis. The two TSTF Notes are not required to be applied to any of the listed Functions which meet any of the exclusion criteria or are not SL-LSSS based on the plant specific design and analysis..

SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limits.

CEOG STS B 3.3.1-32 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 CEOG STS B 3.3.1-33 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

The Frequency, about once every shift, is based on operating experience that demonstrates the rarity of channel failure. Since the probability of two random failures in redundant channels in any 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel OPERABILITY during normal operational use of the displays associated with the LCO required channels.

SR 3.3.1.2 A daily calibration (heat balance) is performed when THERMAL POW ER is $ 20%. The daily calibration shall consist of adjusting the "nuclear power calibrate" potentiometers to agree with the calorimetric calculation if the absolute difference is > 1.5%. The " T power calibrate" potentiometers are then used to null the "nuclear power - T power" indicators on the RPS Reactor Power Calibration and Indication panel.

Performance of the daily calibration ensures that the two inputs to the Q power measurement are indicating accurately with respect to the much more accurate secondary calorimetric calculation.

The Frequency of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is based on plant operating experience and takes into account indications and alarms located in the control room to detect deviations in channel outputs. The Frequency is modified by a Note indicating this Surveillance must be performed within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after THERMAL POW ER is $ 20% RTP. The secondary calorimetric is inaccurate at lower power levels. The 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allows time requirements for plant stabilization, data taking, and instrument calibration.

A second Note indicates the daily calibration may be suspended during PHYSICS TESTS. This ensures that calibration is proper preceding and following physics testing at each plateau, recognizing that during testing, changes in power distribution and RCS temperature may render the calorimetric inaccurate.

CEOG STS B 3.3.1-34 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.3 It is necessary to calibrate the excore power range channel upper and lower subchannel amplifiers such that the internal ASI used in the TM/LP and APD - High trips reflects the true core power distribution as determined by the incore detectors. A Note to the Frequency indicates the Surveillance is required within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after THERMAL POW ER is

$ [20]% RTP. Uncertainties in the excore and incore measurement process make it impractical to calibrate when THERMAL POW ER is

< [20]% RTP. The Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allows time for plant stabilization, data taking, and instrument calibration. If the excore detectors are not properly calibrated to agree with the incore detectors, power is restricted during subsequent operations because of increased uncertainty associated with using uncalibrated excore detectors. The 31 day Frequency is adequate, based on operating experience of the excore linear amplifiers and the slow burnup of the detectors. The excore readings are a strong function of the power produced in the peripheral fuel bundles and do not represent an integrated reading across the core.

Slow changes in neutron flux during the fuel cycle can also be detected at this Frequency.

SR 3.3.1.4 A CHANNEL FUNCTIONAL TEST is performed on each RPS instrument channel, except Loss of Load and Power Rate of Change, every [92] days to ensure the entire channel will perform its intended function when needed. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

In addition to power supply tests, The RPS CHANNEL FUNCTIONAL TEST consists of three overlapping tests as described in Reference 8.

These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. They include:

CEOG STS B 3.3.1-35 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

Bistable Tests The bistable setpoint must be found to trip withinconservative with respect to the Allowable Values specified in the LCO and left set consistent with the assumptions of the plant specific setpoint analysis (Ref. 7). As -found

[and as -left] values must also be recorded and reviewed for consistency with the assumptions of the frequency extension analysis. The requirements for this review are outlined in Reference 10.

A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected RPS channel trip channel bypassed. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint analysis.

SR 3.3.1.4 for SL-LSSS Functions is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety analysis setpoint methodology assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP].

W here a setpoint more conservative than the [LTSP] is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance of the [LTSP], then the instrument channel shall be declared inoperable.

The second Note also requires that [LTSP] and the methodologies for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

Matrix Logic Tests Matrix Logic tests are addressed in LCO 3.3.3. This test is performed one matrix at a time. It verifies that a coincidence in the two input channels for each Function removes power from the matrix relays.

During testing, power is applied to the matrix relay test coils and prevents CEOG STS B 3.3.1-36 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 the matrix relay contacts from assuming their de-energized state. This test will detect any short circuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts.

Trip Path Tests Trip Path (Initiation Logic) tests are addressed in LCO 3.3.3. These tests are similar to the Matrix Logic tests, except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize, opening the affected set of RTCBs. The RTCBs must then be closed prior to testing the other three initiation circuits, or a reactor trip may result.

The Frequency of [92] days is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 10).

CEOG STS B 3.3.1-37 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.5 A CHANNEL CALIBRATION of the excore power range channels every 92 days ensures that the channels are reading accurately and within tolerance. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

The as -found and as -left values must also be recorded and reviewed for consistency with the assumptions of the frequency extension analysis.

The requirements for this review are outlined in Reference [10].

A Note is added stating that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.2) and the monthly linear subchannel gain check (SR 3.3.1.3). In addition, associated control room indications are continuously monitored by the operators.

SR 3.3.1.5 for SL-LSSS Functions is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety analysis setpoint methodology assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP].

W here a setpoint more conservative than the [LTSP] is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance of the [LTSP], then the instrument channel shall be declared inoperable.

CEOG STS B 3.3.1-38 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 The second Note also requires that [LTSP] and the methodologies for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

The Frequency of 92 days is acceptable, based on plant operating experience, and takes into account indications and alarms available to the operator in the control room.

SR 3.3.1.6 A CHANNEL FUNCTIONAL TEST on the Loss of Load and Power Rate of Change channels is performed prior to a reactor startup to ensure the entire channel will perform its intended function if required. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay.

This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. The Loss of Load pressure sensor cannot be tested during reactor operation without closing the high pressure TSV, which would result in a turbine trip or reactor trip. The Power Rate of Change - High trip Function is required during startup operation and is bypassed when shut down or > 15% RTP.

CEOG STS B 3.3.1-39 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.7 SR 3.3.1.7 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.1.4, except SR 3.3.1.7 is applicable only to bypass Functions and is performed once within 92 days prior to each startup. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay.

This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. Proper operation of bypass permissives is critical during plant startup because the bypasses must be in place to allow startup operation and must be removed at the appropriate points during power ascent to enable certain reactor trips. Consequently, the appropriate time to verify bypass removal function OPERABILITY is just prior to startup.

The allowance to conduct this test within 92 days of startup is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 10). Once the operating bypasses are removed, the bypasses must not fail in such a way that the associated trip Function gets inadvertently bypassed. This feature is verified by the trip Function CHANNEL FUNCTIONAL TEST, SR 3.3.1.4.

Therefore, further testing of the bypass function after startup is unnecessary.

SR 3.3.1.8 SR 3.3.1.8 is the performance of a CHANNEL CALIBRATION every

[18] months.

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

The as -found [and as -left] values must also be recorded and reviewed for consistency with the assumptions of the frequency extension analysis.

The requirements for this review are outlined in Reference [10].

SR 3.3.1.8 for SL-LSSS Functions is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel CEOG STS B 3.3.1-40 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety analysis setpoint methodology assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP].

W here a setpoint more conservative than the [LTSP] is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance of the [LTSP], then the instrument channel shall be declared inoperable.

The second Note also requires that [LTSP] and the methodologies for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

The Frequency is based upon the assumption of an 18 month calibration interval for the determination of the magnitude of equipment drift.

CEOG STS B 3.3.1-41 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

The Surveillance is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.2) and the monthly linear subchannel gain check (SR 3.3.1.3).

SR 3.3.1.9 This SR ensures that the RPS RESPONSE TIMES are verified to be less than or equal to the maximum values assumed in the safety analysis.

Individual component response times are not modeled in the analyses.

The analyses model the overall or total elapsed time from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the RTCBs open. Response times are conducted on an

[18] month STAGGERED TEST BASIS. This results in the interval between successive surveillances of a given channel of n x 18 months, where n is the number of channels in the function. The Frequency of

[18] months is based upon operating experience, which has shown that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

Also, response times cannot be determined at power, since equipment operation is required. Testing may be performed in one measurement or in overlapping segments, with verification that all components are tested.

REVIEW ERS NOTE-----------------------------------

Applicable portions of the following TS Bases are applicable to plants adopting CEOG Topical Report CE NPSD-1167-1, "Elimination of Pressure Sensor Response Time Testing Requirements."

Response time may be verified by any series of sequential, overlapping or total channel measurements, including allocated sensor response time, such that the response time is verified. Allocations for sensor response times may be obtained from records of test results, vendor test data, or vendor engineering specifications. Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements,"

(Ref. 11) provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the Topical Report. Response time verification for other sensor types must be demonstrated by test. The allocation of sensor response times must be verified prior to placing a new component in operation and reverified after maintenance that may adversely affect the sensor response time.

CEOG STS B 3.3.1-42 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

A Note is added to indicate that the neutron detectors are excluded from RPS RESPONSE TIME testing because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.2).

REFERENCES 1. Regulatory Guide 1.105, Revision 3, "Setpoints for Safety-Related Instrumentation."

2. 10 CFR 50, Appendix A, GDC 21.
3. 10 CFR 100.
4. IEEE Standard 279-1971, April 5, 1972.
5. FSAR, Chapter [14].
6. 10 CFR 50.49.
7. "Plant Protection System Selection of Trip Setpoint Values."
8. FSAR, Section [7.2].
9. NRC Safety Evaluation Report, [Date].
10. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989.
11. CEOG Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements."

CEOG STS B 3.3.1-43 Rev. 3.0, 03/31/04

RPS Instrumentation - Operating (Analog)

B 3.3.1 BASES CB EO3.G 3.1 S-T4S 4

Rev. 3.0, 03/31/04

Retrieved from "https://kanterella.com/w/index.php?title=ML072120145&oldid=2575492"