ML072120153


NRC Response to 4/16/2007 Submittal of TSTF-493, Revision 2, Clarify Application of Setpoint Methodology for LSSS Functions, Enclosure 5b - CEOG_3.3.01d_B for TSTF-4932eITSB
ML072120153
Person / Time
Site: Technical Specifications Task Force
Issue date: 07/25/2007
From: Kobetz T
NRC/NRR/ADRO/DIRS/ITSB
To:
Technical Specifications Task Force
Schulten C. S., NRR/DIRS, 415-1192
Shared Package
ML072070202 List:
References
TAC MD5249, TSTF-493, Rev 2


Text

RPS Instrumentation - Operating (Digital)

B 3.3 INSTRUMENTATION

B 3.3.1 Reactor Protective System (RPS) Instrumentation - Operating (Digital)

BASES

BACKGROUND

The Reactor Protective System (RPS) initiates a reactor trip to protect against violating the core specified acceptable fuel design limits and breaching the reactor coolant pressure boundary (RCPB) during anticipated operational occurrences (AOOs). By tripping the reactor, the RPS also assists the Engineered Safety Features (ESF) systems in mitigating accidents.

The protection and monitoring systems have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance. The subset of LSSS that directly protect against violating the reactor core and Reactor Coolant System (RCS) pressure boundary safety limits during anticipated operational occurrences (AOOs) are referred to as Safety Limit LSSS (SL-LSSS).

10 CFR 50.36(c)(1)(ii)(A) requires that TSs include LSSSs for variables that have significant safety functions. For variables on which a SL has been placed, the LSSS must be chosen to initiate automatic protective action to correct abnormal situations before the SL is exceeded.

Technical Specifications are required by 10 CFR 50.36 to contain LSSS defined by the regulation as "...settings for automatic protective devices...so chosen that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.


REVIEWER'S NOTE ------------------------------------

The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the setpoint value calculated by means of the plant-specific setpoint methodology documented in a document controlled under 10 CFR 50.59.

The term Limiting Trip Setpoint indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting.

Where margin is added between the Analytical Limit and LTSP, the term Nominal Trip Setpoint (NTSP) is preferred. The trip setpoint (field setting) may be more conservative than the Limiting or Nominal Trip Setpoint. Where the [LTSP] is not included in Table 3.3.1-1 for the purpose of compliance with 10 CFR 50.36, the plant-specific term for the Limiting or Nominal Trip Setpoint must be cited in Note b of Table 3.3.1-1. The brackets indicate plant-specific terms may apply, as reviewed and approved by the NRC. The as-found and as-left tolerances will apply to the actual setpoint implemented in the Surveillance procedures to confirm channel performance.

CEOG STS B 3.3.1-1 Rev. 3.0, 03/31/04

Licensees are to insert the name of the document(s) controlled under 10 CFR 50.59 that contain the [LTSP] and the methodology for calculating the as-left and as-found tolerances, for the phrase "[a document controlled under 10 CFR 50.59]" in the specifications.

The [Limiting Trip Setpoint (LTSP)] is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the [LTSP] accounts for uncertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g., repeatability), changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the [LTSP] ensures that SLs are not exceeded. As such, the [LTSP] meets the definition of a SL-LSSS (Ref. 1).

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety function(s)." For automatic protective devices, the required safety function is to ensure that a SL is not exceeded and therefore the LSSS as defined by 10 CFR 50.36 is the same as the OPERABILITY limit for these devices. However, use of the [LTSP] to define OPERABILITY in Technical Specifications and its corresponding designation as the LSSS required by 10 CFR 50.36 would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protective device setting during a Surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the [LTSP] due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the [LTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protective device. Therefore, the device would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the device to the trip setpoint to account for further drift during the next surveillance interval.

However, there is also some point beyond which the device would have not been able to perform its function due, for example, to greater than expected drift. The Allowable Value specified in Table 3.3.1-1 is the least conservative value of the as-found setpoint that a channel can have during testing such that a channel is OPERABLE if the trip setpoint is found conservative with respect to the Allowable Value during the CHANNEL FUNCTIONAL TEST (CFT). As such, the Allowable Value differs from the [LTSP] by an amount [greater than or equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval.

In this manner, the actual setting of the device will still meet the LSSS definition and ensure that a SL is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the setpoint must be left adjusted to a value within the as-left tolerance, and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found). If the actual setting of the device is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, then this condition indicates that the instrument is degraded and is not performing in accordance with the setpoint methodology assumptions. This condition must be entered into the plant corrective action program, the trip setpoint must be left adjusted to a value within the as-left tolerance band, and an immediate determination of operability decision must be made. If the actual setting of the device is found to be non-conservative with respect to the Allowable Value, the channel would be considered inoperable from a Technical Specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.
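The as-found and as-left evaluation described above can be written as a small decision procedure. The Python sketch below is an added illustration and is not part of the NRC or TSTF text; the class and function names, the treatment of a setting exactly equal to the Allowable Value, the two-sided as-found band, and the numeric values (two constructed pressure channels) are assumptions of the example.

```python
from dataclasses import dataclass
from enum import Enum


class Direction(Enum):
    INCREASING = 1    # trips on a rising process value (a "- High" Function)
    DECREASING = -1   # trips on a falling process value (a "- Low" Function)


class Status(Enum):
    OPERABLE = "operable"
    DEGRADED = "operable but degraded: enter corrective action program"
    INOPERABLE = "inoperable"


@dataclass(frozen=True)
class ChannelSetpoint:
    ltsp: float             # [LTSP] from the plant setpoint methodology
    allowable_value: float  # least conservative acceptable as-found value
    as_found_tol: float     # half-width of the as-found band around the LTSP
    as_left_tol: float      # half-width of the as-left band around the LTSP
    direction: Direction

    def __post_init__(self):
        # The Allowable Value lies on the non-conservative side of the LTSP.
        if self.direction.value * (self.allowable_value - self.ltsp) <= 0:
            raise ValueError("Allowable Value must be less conservative than LTSP")
        # Assumption of this example: the as-left band is the tighter band.
        if not 0 < self.as_left_tol <= self.as_found_tol:
            raise ValueError("expected 0 < as-left tolerance <= as-found tolerance")


def evaluate_as_found(sp: ChannelSetpoint, as_found: float) -> Status:
    """Classify the setting measured at the start of a surveillance."""
    # A positive product means the setting is beyond the Allowable Value on
    # the non-conservative side. A setting equal to the Allowable Value is
    # treated as acceptable (assumption of this example).
    if sp.direction.value * (as_found - sp.allowable_value) > 0:
        return Status.INOPERABLE
    # Assumption: the as-found band is two-sided, so excess drift in either
    # direction shows the instrument is not behaving as the methodology assumed.
    if abs(as_found - sp.ltsp) > sp.as_found_tol:
        return Status.DEGRADED
    return Status.OPERABLE


def needs_reset(sp: ChannelSetpoint, as_found: float) -> bool:
    """True when the setting must be adjusted back inside the as-left band."""
    return abs(as_found - sp.ltsp) > sp.as_left_tol


def as_left_acceptable(sp: ChannelSetpoint, as_left: float) -> bool:
    """Check the setting the technician leaves behind after adjustment."""
    return abs(as_left - sp.ltsp) <= sp.as_left_tol


# Constructed values for illustration only (psia); not taken from any plant.
HIGH_PRESSURE = ChannelSetpoint(2375.0, 2389.0, 8.0, 3.0, Direction.INCREASING)
LOW_PRESSURE = ChannelSetpoint(1780.0, 1763.0, 9.0, 3.0, Direction.DECREASING)

if __name__ == "__main__":
    for reading in (2377.0, 2381.0, 2386.0, 2390.0, 2364.0):
        status = evaluate_as_found(HIGH_PRESSURE, reading)
        print(reading, status.value, "reset" if needs_reset(HIGH_PRESSURE, reading) else "")
```
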

During AOOs, which are those events expected to occur one or more times during the plant life, the acceptable limits are:

  • The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB),
  • Fuel centerline melting shall not occur, and

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 50 (Ref. 2) and 10 CFR 100 (Ref. 3) criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 (Ref. 3) limits. Different accident categories allow a different fraction of these limits based on probability of occurrence.

Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event. However, the acceptable dose limit for an accident category and their associated [LTSPs] are not considered to be LSSS as defined in 10 CFR 50.36.

The RPS is segmented into four interconnected modules. These modules are:

  • Bistable trip units,

This LCO addresses measurement channels and bistable trip units. It also addresses the automatic bypass removal feature for those trips with operating bypasses. The RPS Logic and RTCBs are addressed in LCO 3.3.4, "Reactor Protective System (RPS) Logic and Trip Initiation."

The CEACs are addressed in LCO 3.3.3, "Control Element Assembly Calculators (CEACs)."

Measurement Channels

Measurement channels, consisting of field transmitters or process sensors and associated instrumentation, provide a measurable electronic signal based upon the physical characteristics of the parameter being measured.

The excore nuclear instrumentation, the core protection calculators (CPCs), and the CEACs, though complex, are considered components in the measurement channels of the Linear Power Level - High, Logarithmic Power Level - High, DNBR - Low, and Local Power Density (LPD) - High trips.

Four identical measurement channels, designated channels A through D, with electrical and physical separation, are provided for each parameter used in the generation of trip signals, with the exception of the control element assembly (CEA) position indication used in the CPCs. Each measurement channel provides input to one or more RPS bistables within the same RPS channel. In addition, some measurement channels may also be used as inputs to Engineered Safety Features Actuation System (ESFAS) bistables, and most provide indication in the control room.

Measurement channels used as an input to the RPS are not used for control functions.

When a channel monitoring a parameter exceeds a predetermined setpoint, indicating an unsafe condition, the bistable monitoring the parameter in that channel will trip. Tripping bistables monitoring the same parameter in two or more channels will de-energize Matrix Logic, which in turn de-energizes the Initiation Logic. This causes all eight RTCBs to open, interrupting power to the CEAs, allowing them to fall into the core.

Three of the four measurement and bistable channels are necessary to meet the redundancy and testability of 10 CFR 50, Appendix A, GDC 21 (Ref. 2). The fourth channel provides additional flexibility by allowing one channel to be removed from service (trip channel bypass) for maintenance or testing while still maintaining a minimum two-out-of-three logic. Thus, even with a channel inoperable, no single additional failure in the RPS can either cause an inadvertent trip or prevent a required trip from occurring.


REVIEWER'S NOTE-----------------------------------

In order to take full advantage of the four channel design, adequate channel to channel independence must be demonstrated and approved by the NRC staff. Plants not currently licensed so as to credit four channel independence and that desire this capability must have approval of the NRC staff documented by an NRC Safety Evaluation Report (SER) (Ref. 4).

---------------------------------------------------------------------------------------

Adequate channel to channel independence includes physical and electrical independence of each channel from the others. This allows operation in two-out-of-three logic with one channel removed from service until following the next MODE 5 entry. Since no single failure will either cause or prevent a protective system actuation, and no protective channel feeds a control, this arrangement meets the requirements of IEEE Standard 279-1971 (Ref. 5).

The CPCs perform the calculations required to derive the DNBR and LPD parameters and their associated RPS trips. Four separate CPCs perform the calculations independently, one for each of the four RPS channels.

The CPCs provide outputs to drive display indications (DNBR margin, LPD margin, and calibrated neutron flux power levels) and provide DNBR - Low and LPD - High pretrip and trip signals. The CPC channel outputs for the DNBR - Low and LPD - High trips operate contacts in the Matrix Logic in a manner identical to the other RPS trips.

Each CPC receives the following inputs:

  • Hot leg and cold leg temperatures,
  • Pressurizer pressure,

  • Excore neutron flux levels,
  • Target CEA positions, and
  • CEAC penalty factors.

Each CPC is programmed with "addressable constants." These are various alignment values, correction factors, etc., that are required for the CPC computations. They can be accessed for display or for the purpose of changing them as necessary.

The CPCs use this constant and variable information to perform a number of calculations. These include the calculation of CEA group and subgroup deviations (and the assignment of conservative penalty factors), correction and calculation of average axial power distribution (APD) (based on excore flux levels and CEA positions), calculation of coolant flow (based on pump speed), and calculation of calibrated average power level (based on excore flux levels and T power).

The DNBR calculation considers primary pressure, inlet temperature, coolant flow, average power, APD, radial peaking factors, and CEA deviation penalty factors from the CEACs to calculate the state of the limiting (hot) coolant channel in the core. A DNBR - Low trip occurs when the calculated value reaches the minimum DNBR trip setpoint.

The LPD calculation considers APD, average power, radial peaking factors (based upon target CEA position), and CEAC penalty factors to calculate the current value of compensated peak power density. An LPD - High trip occurs when the calculated value reaches the trip setpoint.

The four CPC channels provide input to the four DNBR - Low and four LPD - High RPS trip channels. They effectively act as the sensor (using many inputs) for these trips.

The CEACs perform the calculations required to determine the position of CEAs within their subgroups for the CPCs. Two independent CEACs compare the position of each CEA to its subgroup position. If a deviation is detected by either CEAC, an annunciator sounds and appropriate "penalty factors" are transmitted to all CPCs. These penalty factors conservatively adjust the effective operating margins to the DNBR - Low and LPD - High trips. Each CEAC also drives a single cathode ray tube (CRT), which is switchable between CEACs. The CRT displays individual CEA positions and current values of the penalty factors from the selected CEAC.

Each CEA has two separate reed switch assemblies mounted outside the RCPB. Each of the two CEACs receives CEA position input from one of the two reed switch position transmitters on each CEA, so that the position of all CEAs is independently monitored by both CEACs.

CEACs are addressed in LCO 3.3.3.

Bistable Trip Units

Bistable trip units, mounted in the Plant Protection System (PPS) cabinet, receive an analog input from the measurement channels. They compare the analog input to trip setpoints and provide contact output to the Matrix Logic. They also provide local trip indication and remote annunciation.

There are four channels of bistables, designated A, B, C, and D, for each RPS parameter, one for each measurement channel. Bistables de-energize when a trip occurs, in turn de-energizing bistable relays mounted in the PPS relay card racks.

The contacts from these bistable relays are arranged into six coincidence matrices, comprising the Matrix Logic. If bistables monitoring the same parameter in at least two channels trip, the Matrix Logic will generate a reactor trip (two-out-of-four logic).

Some measurement channels provide contact outputs to the PPS. In these cases, there is no bistable card, and opening the contact input directly de-energizes the associated bistable relays. These include the Loss of Load trip and the CPC generated DNBR - Low and LPD - High trips.

The trip setpoints used in the bistables are based on the analytical limits derived from the accident analysis (Ref. 6). The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 7), Allowable Values specified in Table 3.3.1-1, in the accompanying LCO, are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is provided in "Plant Protection System Selection of Trip Setpoint Values" (Ref. 8). The nominal trip setpoint entered into the bistable is normally still more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST.

One example of such a change in measurement error is drift during the interval between surveillances. A channel is inoperable if its actual setpoint is non-conservative with respect to its Allowable Value.

[Limiting Trip Setpoints] in accordance with the Allowable Value will ensure that SLs of Chapter 2.0, "SAFETY LIMITS (SLs)," are not violated during AOOs, and the consequences of DBAs will be acceptable, providing the plant is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed.

Note that in LCO 3.3.1, the Allowable Values of Table 3.3.1-1 are the least conservative value of the as-found setpoint that a channel can have during a periodic CHANNEL CALIBRATION or CHANNEL FUNCTIONAL TEST, such that a channel is operable if the as-found setpoint is conservative with respect to the Allowable Value.

Functional testing of the entire RPS, from bistable input through the opening of individual sets of RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis. Nuclear instrumentation, the CPCs, and the CEACs can be similarly tested.

FSAR, Section [7.2] (Ref. 9), provides more detail on RPS testing.

Processing transmitter calibration is normally performed on a refueling basis.

RPS Logic

The RPS Logic, addressed in LCO 3.3.4, consists of both Matrix and Initiation Logic and employs a scheme that provides a reactor trip when bistables in any two of the four channels sense the same input parameter trip. This is called a two-out-of-four trip logic.

Bistable relay contact outputs from the four channels are configured into six logic matrices. Each logic matrix checks for a coincident trip in the same parameter in two bistable channels. The matrices are designated the AB, AC, AD, BC, BD, and CD matrices to reflect the bistable channels being monitored. Each logic matrix contains four normally energized matrix relays. When a coincidence is detected, consisting of a trip in the same Function in the two channels being monitored by the logic matrix, all four matrix relays de-energize.

The matrix relay contacts are arranged into trip paths, with one of the four matrix relays in each matrix opening contacts in one of the four trip paths.

Each trip path provides power to one of the four normally energized RTCB control relays (K1, K2, K3, and K4). The trip paths thus each have six contacts in series, one from each matrix, and perform a logical OR function, opening the RTCBs if any one or more of the six logic matrices indicate a coincidence condition.

Each trip path is responsible for opening one set of two of the eight RTCBs. The RTCB control relays (K-relays), when de-energized, interrupt power to the breaker undervoltage trip attachments and simultaneously apply power to the shunt trip attachments on each of the two breakers. Actuation of either the undervoltage or shunt trip attachment is sufficient to open the RTCB and interrupt power from the motor generator (MG) sets to the control element drive mechanisms (CEDMs).

When a coincidence occurs in two RPS channels, all four matrix relays in the affected matrix de-energize. This in turn de-energizes all four breaker control relays, which simultaneously de-energize the undervoltage and energize the shunt trip attachments in all eight RTCBs, tripping them open.

Matrix Logic refers to the matrix power supplies, trip channel bypass contacts, and interconnecting matrix wiring between bistable relay cards, up to but not including the matrix relays. Matrix contacts on the bistable relay cards are excluded from the Matrix Logic definition, since they are addressed as part of the measurement channel.

The Initiation Logic consists of the trip path power source, matrix relays and their associated contacts, all interconnecting wiring, and solid state (auxiliary) relays through the K-relay contacts in the RTCB control circuitry.

It is possible to change the two-out-of-four RPS Logic to a two-out-of-three logic for a given input parameter in one channel at a time by trip channel bypassing select portions of the Matrix Logic. Trip channel bypassing a bistable effectively shorts the bistable relay contacts in the three matrices associated with that channel. Thus, the bistables will function normally, producing normal trip indication and annunciation, but a reactor trip will not occur unless two additional channels indicate a trip condition. Trip channel bypassing can be simultaneously performed on any number of parameters in any number of channels, providing each parameter is bypassed in only one channel at a time. An interlock prevents simultaneous trip channel bypassing of the same parameter in more than one channel. Trip channel bypassing is normally employed during maintenance or testing.

Two-out-of-three logic also prevents inadvertent trips caused by any single channel failure in a trip condition.
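The coincidence matrices, trip paths, trip channel bypass and its interlock described above can be modelled as boolean contacts. The Python sketch below is an added illustration, not part of the NRC or TSTF text; the class and function names are hypothetical, relays are reduced to booleans, and the single-failure check goes slightly beyond the text by enumerating every bypass and stuck-channel combination.

```python
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")
MATRICES = tuple(combinations(CHANNELS, 2))   # AB, AC, AD, BC, BD, CD
K_RELAYS = ("K1", "K2", "K3", "K4")           # one RTCB control relay per trip path


class RpsLogic:
    """Boolean model of the Matrix Logic and Initiation Logic (hypothetical names)."""

    def __init__(self):
        self.bypass = {}   # Function name -> the single channel in trip channel bypass

    def set_bypass(self, function, channel):
        # Interlock: the same parameter may be bypassed in only one channel at a time.
        current = self.bypass.get(function)
        if current is not None and current != channel:
            raise ValueError(f"{function} is already bypassed in channel {current}")
        self.bypass[function] = channel

    def clear_bypass(self, function):
        self.bypass.pop(function, None)

    def matrix_coincidence(self, matrix, tripped):
        """tripped maps a Function name to the set of channels whose bistable tripped."""
        for function, channels in tripped.items():
            # A bypass shorts that channel's contacts in its three matrices, so
            # those matrices cannot see a coincidence for this Function.
            if self.bypass.get(function) in matrix:
                continue
            if matrix[0] in channels and matrix[1] in channels:
                return True   # same Function tripped in both monitored channels
        return False

    def k_relays_energized(self, tripped):
        coincident = [m for m in MATRICES if self.matrix_coincidence(m, tripped)]
        # A coincident matrix drops all four of its matrix relays, opening one
        # contact in each trip path; each path is six contacts in series.
        return {k: not coincident for k in K_RELAYS}

    def reactor_trip(self, tripped):
        return not all(self.k_relays_energized(tripped).values())

    def open_rtcbs(self, tripped):
        # Each de-energized K-relay opens its set of two of the eight RTCBs.
        return sum(2 for on in self.k_relays_energized(tripped).values() if not on)


def single_failure_tolerant(function="Pressurizer Pressure - High"):
    """With one channel bypassed, test every single additional channel failure."""
    for bypassed in CHANNELS:
        rps = RpsLogic()
        rps.set_bypass(function, bypassed)
        others = [c for c in CHANNELS if c != bypassed]
        for failed in others:
            healthy = set(others) - {failed}
            # Failed channel stuck in the tripped state, no real demand.
            if rps.reactor_trip({function: {failed}}):
                return False
            # Same, with the bypassed bistable also showing a trip indication.
            if rps.reactor_trip({function: {failed, bypassed}}):
                return False
            # Failed channel stuck untripped during a real demand.
            if not rps.reactor_trip({function: healthy}):
                return False
    return True


if __name__ == "__main__":
    rps = RpsLogic()
    print(rps.reactor_trip({"DNBR - Low": {"A", "C"}}))   # coincidence in matrix AC
    rps.set_bypass("DNBR - Low", "A")
    print(rps.reactor_trip({"DNBR - Low": {"A", "C"}}))   # A no longer counts
    print(single_failure_tolerant())
```
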

In addition to the trip channel bypasses, there are also operating bypasses on select RPS trips. These bypasses are enabled manually in all four RPS channels when plant conditions do not warrant the specific trip protection. All operating bypasses are automatically removed when enabling bypass conditions are no longer satisfied. Operating bypasses are normally implemented in the bistable, so that normal trip indication is also disabled. Trips with operating bypasses include Pressurizer Pressure - Low, Logarithmic Power Level - High, Reactor Coolant Flow - Low, and CPC (DNBR - Low and LPD - High).

The Loss of Load trip bypass is automatically enabled and disabled.

Reactor Trip Circuit Breakers (RTCBs)

The reactor trip switchgear, addressed in LCO 3.3.4, consists of eight RTCBs, which are operated in four sets of two breakers (four channels).

Power input to the reactor trip switchgear comes from two full capacity MG sets operated in parallel, such that the loss of either MG set does not de-energize the CEDMs. There are two separate CEDM power supply buses, each bus powering half of the CEDMs. Power is supplied from the MG sets to each bus via two redundant paths (trip legs). Trip legs 1A and 1B supply power to CEDM bus 1. Trip legs 2A and 2B supply power to CEDM bus 2. This ensures that a fault or the opening of a breaker in one trip leg (i.e., for testing purposes) will not interrupt power to the CEDM buses.

Each of the four trip legs consists of two RTCBs in series. The two RTCBs within a trip leg are actuated by separate initiation circuits.

The eight RTCBs are operated as four sets of two breakers (four channels). For example, if a breaker receives an open signal in trip leg A (for CEDM bus 1), an identical breaker in trip leg B (for CEDM bus 2) will also receive an open signal. This arrangement ensures that power is interrupted to both CEDM buses, thus preventing trip of only half of the CEAs (a half trip). Any one inoperable breaker in a channel will make the entire channel inoperable.

Each set of RTCBs is operated by either a manual reactor trip push button or an RPS actuated K-relay. There are four Manual Trip push buttons, arranged in two sets of two. Depressing both push buttons in either set will result in a reactor trip.

When a Manual Trip is initiated using the control room push buttons, the RPS trip paths and K-relays are bypassed, and the RTCB undervoltage and shunt trip attachments are actuated independent of the RPS.

Manual Trip circuitry includes the push button and interconnecting wiring to both RTCBs necessary to actuate both the undervoltage and shunt trip attachments but excludes the K-relay contacts and their interconnecting wiring to the RTCBs, which are considered part of the Initiation Logic.

Functional testing of the entire RPS, from bistable input through the opening of individual sets of RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis. FSAR, Section [7.2] (Ref. 9), explains RPS testing in more detail.

APPLICABLE SAFETY ANALYSES

Design Basis Definition

The RPS is designed to ensure that the following operational criteria are met:

  • The associated actuation will occur when the parameter monitored by each channel reaches its setpoint and the specific coincidence logic is satisfied,
  • Separation and redundancy are maintained to permit a channel to be out of service for testing or maintenance while still maintaining redundancy within the RPS instrumentation network.

Each of the analyzed accidents and transients can be detected by one or more RPS Functions. The accident analysis takes credit for most of the RPS trip Functions. Those functions for which no credit is taken, termed equipment protective functions, are not needed from a safety perspective.

Each RPS setpoint is chosen to be consistent with the function of the respective trip. The basis for each trip setpoint falls into one of three general categories:

Category 1: To ensure that the SLs are not exceeded during AOOs,

Category 2: To assist the ESFAS during accidents, and

Category 3: To prevent material damage to major plant components (equipment protective).

The RPS maintains the SLs during AOOs and mitigates the consequences of DBAs in all MODES in which the RTCBs are closed.

Each of the analyzed transients and accidents can be detected by one or more RPS Functions. Functions not specifically credited in the accident analysis are part of the NRC staff approved licensing basis for the plant.

Noncredited Functions include the Loss of Load. This trip is purely equipment protective, and its use minimizes the potential for equipment damage.

Trip Setpoints that directly protect against violating the reactor core Safety Limits or the Reactor Coolant System (RCS) pressure boundary Safety Limits during anticipated operational occurrences (AOOs) are Safety Limit-Limiting Safety System Settings (SL-LSSS). Permissive and interlock setpoints allow bypass of trips when they are not required by the Safety Analysis. These permissives and interlocks ensure that the starting conditions are consistent with the safety analysis, before preventative or mitigating actions occur. Because these permissives or interlocks are only one of multiple conservative starting assumptions for the accident analysis, they are generally considered as nominal values without regard to measurement accuracy (i.e., the value indicated is sufficiently close to the necessary value to ensure proper operation of the safety systems to turn the AOO). Therefore permissives and interlocks are not considered to be SL-LSSS.

The specific safety analyses applicable to each protective function are identified below:

1. Linear Power Level - High The Linear Power Level - High trip provides protection against core damage during the following events:
  • Uncontrolled CEA Withdrawal From Low Power (AOO),
  • Uncontrolled CEA Withdrawal at Power (AOO), and
  • CEA Ejection (Accident).
2. Logarithmic Power Level - High The Logarithmic Power Level - High trip protects the integrity of the fuel cladding and helps protect the RCPB in the event of an unplanned criticality from a shutdown condition.


In MODES 2, 3, 4, and 5, with the RTCBs closed and the CEA Drive System capable of CEA withdrawal, protection is required for CEA withdrawal events originating when logarithmic power is < 1E-4%.

For events originating above this power level, other trips provide adequate protection.

MODES 3, 4, and 5, with the RTCBs closed, are addressed in LCO 3.3.2, "Reactor Protective System (RPS) Instrumentation - Shutdown."

In MODES 3, 4, or 5, with the RTCBs open or the CEAs not capable of withdrawal, the Logarithmic Power Level - High trip does not have to be OPERABLE. However, the indication and alarm portion of two logarithmic channels must be OPERABLE to ensure proper indication of neutron population and to indicate a boron dilution event. The indication and alarm functions are addressed in LCO 3.3.13, "[Logarithmic] Power Monitoring Channels."

3. Pressurizer Pressure - High The Pressurizer Pressure - High trip provides protection for the high RCS pressure SL. In conjunction with the pressurizer safety valves and the main steam safety valves (MSSVs), it provides protection against overpressurization of the RCPB during the following events:
  • CEA Withdrawal From Low Power Conditions (AOO),
  • Chemical and Volume Control System Malfunction (AOO), and


4. Pressurizer Pressure - Low The Pressurizer Pressure - Low trip is provided to trip the reactor to assist the ESF System in the event of loss of coolant accidents (LOCAs). During a LOCA, the SLs may be exceeded; however, the consequences of the accident will be acceptable. A Safety Injection Actuation Signal (SIAS) and a Containment Isolation Actuation Signal (CIAS) are initiated simultaneously.


5. Containment Pressure - High The Containment Pressure - High trip prevents exceeding the containment design pressure psig during a design basis LOCA or main steam line break (MSLB) accident. During a LOCA or MSLB the SLs may be exceeded; however, the consequences of the accident will be acceptable. An SIAS and CIAS are initiated simultaneously.

6, 7. Steam Generator Pressure - Low The Steam Generator #1 Pressure - Low and Steam Generator #2 Pressure - Low trips provide protection against an excessive rate of heat extraction from the steam generators and resulting rapid, uncontrolled cooldown of the RCS. This trip is needed to shut down the reactor and assist the ESF System in the event of an MSLB or main feedwater line break accident. A main steam isolation signal (MSIS) is initiated simultaneously.

8, 9. Steam Generator Level - Low The Steam Generator #1 Level - Low and Steam Generator #2 Level - Low trips ensure that a reactor trip signal is generated for the following events to help prevent exceeding the design pressure of the RCS due to the loss of the heat sink:

10, 11. Reactor Coolant Flow - Low The Reactor Coolant Flow, Steam Generator #1 - Low and Reactor Coolant Flow, Steam Generator #2 - Low trips provide protection against an RCP Sheared Shaft Event. The DNBR limit may be exceeded during this event; however, the trip ensures the consequences are acceptable.


12. Loss of Load The Loss of Load (turbine stop valve control oil pressure) is anticipatory for the loss of heat removal capabilities for the secondary system following a turbine trip. The Loss of Load trip prevents lifting the pressurizer safety valves and the main steam line safety valves in the event of a turbine generator trip. Thus, the trip minimizes the pressure or temperature transient on the reactor by initiating a trip well before the Pressurizer Pressure - High and safety valve setpoints are reached.

The RPS Loss of Load reactor trip channels receive their input from sensors mounted on high pressure turbine stop valve (TSV) actuators. Since there are four TSVs, one actuator per TSV and one sensor per actuator, each sensor sends its signal to a different RPS channel. When the control oil pressure drops to the appropriate setpoint, a reactor trip signal is generated.

13. Local Power Density - High The CPCs perform the calculations required to derive the DNBR and LPD parameters and their associated RPS trips. The DNBR - Low and LPD - High trips provide plant protection during the following AOOs and assist the ESF systems in the mitigation of the following accidents.

The LPD - High trip provides protection against fuel centerline melting due to the occurrence of excessive local power density peaks during the following AOOs:

  • Increased Main Steam Flow (not due to the steam line rupture) Without Turbine Trip,
  • Uncontrolled CEA Withdrawal From Low Power,
  • Uncontrolled CEA Withdrawal at Power, and
  • CEA Misoperation; Single Part Length CEA Drop.


For the events listed above (except CEA Misoperation; Single Part Length CEA Drop), DNBR - Low will trip the reactor first, since DNB would occur before fuel centerline melting would occur.

14. Departure from Nucleate Boiling Ratio (DNBR) - Low The CPCs perform the calculations required to derive the DNBR and LPD parameters and their associated RPS trips. The DNBR - Low and LPD - High trips provide plant protection during the following AOOs and assist the ESF systems in the mitigation of the following accidents.

The DNBR - Low trip provides protection against core damage due to the occurrence of locally saturated conditions in the limiting (hot) channel during the following events and is the primary reactor trip (trips the reactor first) for these events:

  • Increased Main Steam Flow (not due to steam line rupture) Without Turbine Trip,
  • Increased Main Steam Flow (not due to steam line rupture) With a Concurrent Single Failure of an Active Component,
  • Steam Line Break With Concurrent Loss of Offsite AC Power,
  • Loss of Normal AC Power,
  • Uncontrolled CEA Withdrawal From Low Power,
  • Uncontrolled CEA Withdrawal at Power,
  • CEA Misoperation; Part Length CEA Subgroup Drop,
  • Primary Sample or Instrument Line Break, and

In the above list, only the steam generator tube rupture, the RCP shaft seizure, and the sample or instrument line break are accidents. The rest are AOOs.

Interlocks/Bypasses The bypasses and their Allowable Values are addressed in footnotes to Table 3.3.1-1. They are not otherwise addressed as specific Table entries.

The automatic bypass removal features must function as a backup to manual actions for all safety related trips to ensure the trip Functions are not operationally bypassed when the safety analysis assumes the Functions are not bypassed. The basis for each of the operating bypasses is discussed under individual trips in the LCO section:

a. Loss of Load,
b. Logarithmic Power Level - High,
c. Reactor Coolant Flow - Low,
d. DNBR - Low and LPD - High, and
e. Pressurizer Pressure - Low.

The RPS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

BASES LCO The LCO requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any required portion of the instrument channel renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

Actions allow maintenance (trip channel) bypass of individual channels, but the bypass activates interlocks that prevent operation with a second channel in the same Function bypassed. With one channel in each Function trip channel bypassed, this effectively places the plant in a two-out-of-three logic configuration in those Functions.

Only the Allowable Values are specified for each RPS trip Function in the LCO. The [LTSP] and the methodologies for calculation of the as-left and as-found tolerances are described in [a document controlled under 10 CFR 50.59]. The [LTSPs] are selected to ensure that the setpoint measured by CHANNEL FUNCTIONAL TESTS does not exceed the Allowable Value if the bistable is performing as required. The Allowable Value specified in Table 3.3.1-1 is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the as-found setpoint is conservative with respect to the Allowable Value during the CHANNEL FUNCTIONAL TEST (CFT). Each Allowable Value specified is more conservative than instrument uncertainties appropriate to the trip Function. These uncertainties are defined in the "Plant Protection System Selection of Trip Setpoint Values" (Ref. 8). As such, the Allowable Value differs from the [LTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device will ensure that a SL is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval.

Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria). If the actual setting of the device is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, then this condition indicates that the instrument is degraded and is not performing in accordance with the setpoint methodology assumptions. This condition must be entered into the plant corrective action program, the trip setpoint must be left adjusted to a value within the as-left tolerance band, and an immediate determination of operability decision must be made. If the actual setting of the device is found to be non-conservative with respect to the Allowable Value, the channel device would be considered inoperable. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.

Only the Allowable Values are specified for each RPS trip Function in the LCO. Nominal trip setpoints are specified in the plant specific setpoint calculations. [Limiting Trip Setpoints and the methodologies to calculate the as-left and as-found tolerances are specified in [a document controlled under 10 CFR 50.59]. The nominal setpoints are selected to ensure the setpoints measured by CHANNEL FUNCTIONAL TESTS are conservative with respect to the Allowable Value if the bistable is performing as required. Operation with a plant trip setpoint less conservative than the [LTSP], but conservative with respect to its Allowable Value, is acceptable, provided that operation and testing are consistent with the assumptions of the plant specific setpoint calculations. A channel is inoperable if its actual trip setpoint is non-conservative with respect to its required Allowable Value. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis in order to account for instrument uncertainties appropriate to the trip Function. These uncertainties are defined in the "Plant Protection System Selection of Trip Setpoint Values" (Ref. 8).
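The as-found decision rules in the preceding paragraphs, written out as an added Python example (not part of the NRC document or of any plant's setpoint methodology). All numeric values are constructed, and placing the as-found and as-left tolerance bands symmetrically about the [LTSP] is an assumption.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    OPERABLE = "OPERABLE"
    DEGRADED = "degraded: operability determination required"
    INOPERABLE = "inoperable"


# Follow-up actions named in the Bases text.
RESET = "leave setpoint adjusted within the as-left tolerance"
CAP = "enter condition into the corrective action program"
DETERMINE = "make an immediate operability determination"
DECLARE = "declare channel inoperable and enter the applicable Condition"


@dataclass(frozen=True)
class TripFunction:
    name: str
    trips_high: bool          # True: trip on rising process variable
    ltsp: float               # Limiting Trip Setpoint
    allowable_value: float    # least conservative acceptable as-found value
    as_found_tol: float       # assumed symmetric band about the LTSP
    as_left_tol: float        # assumed symmetric band about the LTSP

    def __post_init__(self):
        if not self.conservative_wrt_av(self.ltsp):
            raise ValueError("LTSP must be conservative with respect to the AV")
        if not 0 < self.as_left_tol <= self.as_found_tol:
            raise ValueError("need 0 < as-left tolerance <= as-found tolerance")

    def conservative_wrt_av(self, setpoint: float) -> bool:
        # A high trip is conservative when it actuates at or below the AV;
        # a low trip is conservative when it actuates at or above the AV.
        if self.trips_high:
            return setpoint <= self.allowable_value
        return setpoint >= self.allowable_value

    def within(self, setpoint: float, tol: float) -> bool:
        return abs(setpoint - self.ltsp) <= tol


@dataclass(frozen=True)
class Evaluation:
    verdict: Verdict
    actions: tuple


def evaluate_as_found(fn: TripFunction, as_found: float) -> Evaluation:
    """Classify a setpoint measured during a CHANNEL FUNCTIONAL TEST."""
    if not fn.conservative_wrt_av(as_found):
        return Evaluation(Verdict.INOPERABLE, (DECLARE,))
    if not fn.within(as_found, fn.as_found_tol):
        # Conservative with respect to the AV, yet drift exceeds what the
        # methodology assumed. This also catches drift in the conservative
        # direction, which still means the instrument is not behaving as
        # the uncertainty terms predict.
        return Evaluation(Verdict.DEGRADED, (CAP, RESET, DETERMINE))
    if not fn.within(as_found, fn.as_left_tol):
        return Evaluation(Verdict.OPERABLE, (RESET,))
    return Evaluation(Verdict.OPERABLE, ())


# Constructed sample Functions (values are illustrative only).
SAMPLE_HIGH = TripFunction("Pressurizer Pressure - High", True,
                           ltsp=2370.0, allowable_value=2389.0,
                           as_found_tol=12.0, as_left_tol=5.0)
SAMPLE_LOW = TripFunction("Steam Generator Level - Low", False,
                          ltsp=27.0, allowable_value=25.0,
                          as_found_tol=1.5, as_left_tol=0.5)

if __name__ == "__main__":
    for fn, reading in [(SAMPLE_HIGH, 2373.0), (SAMPLE_HIGH, 2380.0),
                        (SAMPLE_HIGH, 2385.0), (SAMPLE_HIGH, 2350.0),
                        (SAMPLE_HIGH, 2390.0), (SAMPLE_LOW, 24.5)]:
        result = evaluate_as_found(fn, reading)
        print(f"{fn.name}: as-found {reading} -> {result.verdict.value}")
        for action in result.actions:
            print(f"    - {action}")
```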

The Bases for the individual Function requirements are as follows:

1. Linear Power Level - High This LCO requires all four channels of Linear Power Level - High to be OPERABLE in MODES 1 and 2.

The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Linear Power Level - High reactor trips during normal plant operations. The Allowable Value is low enough for the system to maintain a margin to unacceptable fuel cladding damage should a CEA ejection accident occur.

2. Logarithmic Power Level - High This LCO requires all four channels of Logarithmic Power Level - High to be OPERABLE in MODE 2, and in MODE 3, 4, or 5 when the RTCBs are shut and the CEA Drive System is capable of CEA withdrawal.


The MODES 3, 4, and 5 Condition is addressed in LCO 3.3.2.

The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Logarithmic Power Level - High reactor trips during normal plant operations. The Allowable Value is low enough for the system to maintain a margin to unacceptable fuel cladding damage should a CEA withdrawal event occur.

The Logarithmic Power Level - High trip may be bypassed when logarithmic power is above 1E-4% to allow the reactor to be brought to power during a reactor startup. This bypass is automatically removed when logarithmic power decreases below 1E-4%. Above 1E-4%, the Linear Power Level - High and Pressurizer Pressure - High trips provide protection for reactivity transients.

The trip may be manually bypassed during physics testing pursuant to LCO 3.4.17, "RCS Loops - Test Exceptions." During this testing, the Linear Power Level - High trip and administrative controls provide the required protection.

3. Pressurizer Pressure - High This LCO requires four channels of Pressurizer Pressure - High to be OPERABLE in MODES 1 and 2.

The Allowable Value is set below the nominal lift setting of the pressurizer code safety valves, and its operation avoids the undesirable operation of these valves during normal plant operation.

In the event of a complete loss of electrical load from 100% power, this setpoint ensures the reactor trip will take place, thereby limiting further heat input to the RCS and consequent pressure rise. The pressurizer safety valves may lift to prevent overpressurization of the RCS.

4. Pressurizer Pressure - Low This LCO requires four channels of Pressurizer Pressure - Low to be OPERABLE in MODES 1 and 2.

The Allowable Value is set low enough to prevent a reactor trip during normal plant operation and pressurizer pressure transients. However, the setpoint is high enough that with a LOCA, the reactor trip will occur soon enough to allow the ESF systems to perform as expected in the analyses and mitigate the consequences of the accident.


The trip setpoint may be manually decreased to a minimum value of 300 psia as pressurizer pressure is reduced during controlled plant shutdowns, provided the margin between the pressurizer pressure and the setpoint is maintained < 400 psia. This allows for controlled depressurization of the RCS while still maintaining an active trip setpoint until the time is reached when the trip is no longer needed to protect the plant. Since the same Pressurizer Pressure - Low bistable is also shared with the SIAS, an inadvertent SIAS actuation is also prevented. The setpoint increases automatically as pressurizer pressure increases, until the trip setpoint is reached.

The Pressurizer Pressure - Low trip and the SIAS Function may be simultaneously bypassed when RCS pressure is below 500 psia, when neither the reactor trip nor an inadvertent SIAS actuation are desirable and these Functions are no longer needed to protect the plant. The bypass is automatically removed as RCS pressure increases above 500 psia.

5. Containment Pressure - High The LCO requires four channels of Containment Pressure - High to be OPERABLE in MODES 1 and 2.

The Allowable Value is set high enough to allow for small pressure increases in containment expected during normal operation (i.e., plant heatup) and is not indicative of an abnormal condition. It is set low enough to initiate a reactor trip when an abnormal condition is indicated.

6, 7. Steam Generator Pressure - Low This LCO requires four channels of Steam Generator #1 Pressure - Low and Steam Generator #2 Pressure - Low to be OPERABLE in MODES 1 and 2.

This Allowable Value is sufficiently below the full load operating value for steam pressure so as not to interfere with normal plant operation, but still high enough to provide the required protection in the event of excessive steam demand. Since excessive steam demand causes the RCS to cool down, resulting in positive reactivity addition to the core, a reactor trip is required to offset that effect.


The trip setpoint may be manually decreased as steam generator pressure is reduced during controlled plant cooldown, provided the margin between steam generator pressure and the setpoint is maintained < 200 psia. This allows for controlled depressurization of the secondary system while still maintaining an active reactor trip setpoint and MSIS setpoint, until the time is reached when the setpoints are no longer needed to protect the plant. The setpoint increases automatically as steam generator pressure increases until the specified trip setpoint is reached.

8, 9. Steam Generator Level - Low This LCO requires four channels of Steam Generator #1 Level - Low and Steam Generator #2 Level - Low for each steam generator to be OPERABLE in MODES 1 and 2.

The Allowable Value is sufficiently below the normal operating level for the steam generators so as not to cause a reactor trip during normal plant operations. The same bistable providing the reactor trip also initiates emergency feedwater to the affected generator via the Emergency Feedwater Actuation Signals (EFAS). The minimum setpoint is governed by EFAS requirements. The reactor trip will remove the heat source (except decay heat), thereby conserving the reactor heat sink.

This trip may be manually bypassed when cold leg temperature is below the specified limit to allow for CEA withdrawal during testing. The bypass is automatically removed when cold leg temperature reaches 200°F.

10, 11. Reactor Coolant Flow - Low This LCO requires four channels of Reactor Coolant Flow, Steam Generator #1 - Low and Reactor Coolant Flow, Steam Generator #2 - Low to be OPERABLE in MODES 1 and 2. The Allowable Value is set low enough to allow for slight variations in reactor coolant flow during normal plant operations while providing the required protection. Tripping the reactor ensures that the resultant power to flow ratio provides adequate core cooling to maintain DNBR under the expected pressure conditions for this event.


The Reactor Coolant Flow - Low trip may be manually bypassed when logarithmic power is less than 1E-4%. This allows for de-energization of one or more RCPs (e.g., for plant cooldown), while maintaining the ability to keep the shutdown CEA banks withdrawn from the core if desired.

LCO 3.4.5, "RCS Loops - MODE 3," LCO 3.4.6, "RCS Loops - MODE 4," and LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled," ensure adequate RCS flow rate is maintained. The bypass is automatically removed when logarithmic power increases above 1E-4%, as sensed by the wide range (logarithmic) nuclear instrumentation. When below the power range, the Reactor Coolant Flow - Low is not required for plant protection.

12. Loss of Load This LCO requires four channels of Loss of Load trip to be OPERABLE in MODES 1 and 2.

The Steam Bypass Control System is capable of passing 45% of the full power main steam flow (45% RTP bypass capability) directly to the condenser without causing the MSSVs to lift. The Nuclear Steam Supply System is capable of absorbing a 10% step change in power when a primary to secondary system energy mismatch occurs, without causing the pressurizer safety valves to lift. This means that the plant can sustain a turbine trip without causing the pressurizer safety valves or the MSSV to lift, provided power is ≤ 55% RTP. Therefore, the Loss of Load trip may be bypassed when reactor power is ≤ 55% RTP, as sensed by the power range nuclear instrumentation. Both the bypass and bypass removal, when above 55% power, are automatically performed.

Loss of Load trip is equipment protective and not credited in the accident analysis. As such, the 55% bypass power permissive is a nominal value and does not include any instrument uncertainties.


13. Local Power Density - High This LCO requires four channels of LPD - High to be OPERABLE.

The LCO on the CPCs ensures that the SLs are maintained during all AOOs and the consequences of accidents are acceptable.

A CPC is not considered inoperable if CEAC inputs to the CPC are inoperable. The Required Actions required in the event of CEAC channel failures ensure the CPCs are capable of performing their safety Function.

The CPC channels may be manually bypassed below 1E-4%, as sensed by the logarithmic nuclear instrumentation. This bypass is enabled manually in all four CPC channels when plant conditions do not warrant the trip protection. The bypass effectively removes the DNBR - Low and LPD - High trips from the RPS Logic circuitry. The operating bypass is automatically removed when enabling bypass conditions are no longer satisfied.

This operating bypass is required to perform a plant startup, since both CPC generated trips will be in effect whenever shutdown CEAs are inserted. It also allows system tests at low power with Pressurizer Pressure - Low or RCPs off.

During special testing pursuant to LCO 3.4.17, the CPC channels may be manually bypassed when THERMAL POWER is below 5% RTP to allow special testing without generating a reactor trip. The Linear Power Level - High trip setpoint is reduced, so as to provide protection during testing.

14. Departure from Nucleate Boiling Ratio (DNBR) - Low This LCO requires four channels of DNBR - Low to be OPERABLE.

The LCO on the CPCs ensures that the SLs are maintained during all AOOs and the consequences of accidents are acceptable.

A CPC is not considered inoperable if CEAC inputs to the CPC are inoperable. The Required Actions required in the event of CEAC channel failures ensure the CPCs are capable of performing their safety Function.


The CPC channels may be manually bypassed below 1E-4%, as sensed by the logarithmic nuclear instrumentation. This bypass is enabled manually in all four CPC channels when plant conditions do not warrant the trip protection. The bypass effectively removes the DNBR - Low and LPD - High trips from the RPS logic circuitry. The operating bypass is automatically removed when enabling bypass conditions are no longer satisfied.

This operating bypass is required to perform a plant startup, since both CPC generated trips will be in effect whenever shutdown CEAs are inserted. It also allows system tests at low power with Pressurizer Pressure - Low or RCPs off.

During special testing pursuant to LCO 3.4.17, the CPC channels may be manually bypassed when THERMAL POWER is below 5% RTP to allow special testing without generating a reactor trip. The Linear Power Level - High trip setpoint is reduced, so as to provide protection during testing.

Interlocks/Bypasses The LCO on bypass permissive removal channels requires that the automatic bypass removal feature of all four operating bypass channels be OPERABLE for each RPS Function with an operating bypass in the MODES addressed in the specific LCO for each Function. All four bypass removal channels must be OPERABLE to ensure that none of the four RPS channels are inadvertently bypassed.

This LCO applies to the bypass removal feature only. If the bypass enable Function is failed so as to prevent entering a bypass condition, operation may continue. In the case of the Logarithmic Power Level - High trip (Function 2), the absence of a bypass will limit maximum power to below the trip setpoint.

The interlock function Allowable Values are based upon analysis of functional requirements for the bypassed Functions. These are discussed above as part of the LCO discussion for the affected Functions.

APPLICABILITY Most RPS trips are required to be OPERABLE in MODES 1 and 2 because the reactor is critical in these MODES. The reactor trips are designed to take the reactor subcritical, which maintains the SLs during AOOs and assists the ESFAS in providing acceptable consequences during accidents. Most trips are not required to be OPERABLE in MODES 3, 4, and 5. In MODES 3, 4, and 5, the emphasis is placed on return to power events. The reactor is protected in these MODES by ensuring adequate SDM. Exceptions to this are:

  • The Logarithmic Power Level - High trip, RPS Logic RTCBs, and Manual Trip are required in MODES 3, 4, and 5, with the RTCBs closed, to provide protection for boron dilution and CEA withdrawal events.

The Logarithmic Power Level - High trip in these lower MODES is addressed in LCO 3.3.2. The Logarithmic Power Level - High trip is bypassed prior to MODE 1 entry and is not required in MODE 1. The RPS Logic in MODES 1, 2, 3, 4, and 5 is addressed in LCO 3.3.4.

ACTIONS The most common causes of channel inoperability are outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the plant specific setpoint analysis. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to bring it to within specification. If the trip setpoint is non-conservative with respect to the Allowable Value in Table 3.3.1-1, the channel is declared inoperable immediately, and the appropriate Condition(s) must be entered immediately.

In the event a channel's trip setpoint is found non-conservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or RPS bistable trip unit is found inoperable, then all affected functions provided by that channel must be declared inoperable, and the unit must enter the Condition for the particular protection Function affected.

When the number of inoperable channels in a trip Function exceeds that specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 is immediately entered if applicable in the current MODE of operation.


A Note has been added to the ACTIONS. The Note has been added to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Function. The Completion Times of each inoperable Function will be tracked separately for each Function, starting from the time the Condition was entered for that Function.

A.1 and A.2 Condition A applies to the failure of a single trip channel or associated instrument channel inoperable in any RPS automatic trip Function. RPS coincidence logic is two-out-of-four.

If one RPS channel is inoperable, startup or power operation is allowed to continue, providing the inoperable channel is placed in bypass or trip in 1 hour (Required Action A.1). The 1 hour allotted to bypass or trip the channel is sufficient to allow the operator to take all appropriate actions for the failed channel and still ensures that the risk involved in operating with the failed channel is acceptable. The failed channel must be restored to OPERABLE status prior to entering MODE 2 following the next MODE 5 entry. With a channel in bypass, the coincidence logic is now in a two-out-of-three configuration.

The Completion Time of prior to entering MODE 2 following the next MODE 5 entry is based on adequate channel to channel independence, which allows a two-out-of-three channel operation since no single failure will cause or prevent a reactor trip.

B.1 Condition B applies to the failure of two channels in any RPS automatic trip Function.

Required Action B.1 provides for placing one inoperable channel in bypass and the other channel in trip within the Completion Time of 1 hour.

This Completion Time is sufficient to allow the operator to take all appropriate actions for the failed channels while ensuring the risk involved in operating with the failed channels is acceptable. With one channel of protective instrumentation bypassed, the RPS is in a two-out-of-three logic; but with another channel failed, the RPS may be operating in a two-out-of-two logic. This is outside the assumptions made in the analyses and should be corrected. To correct the problem, the second channel is placed in trip. This places the RPS in a one-out-of-two logic. If any of the other OPERABLE channels receives a trip signal, the reactor will trip.


One of the two inoperable channels will need to be restored to OPERABLE status prior to the next required CHANNEL FUNCTIONAL TEST, because channel surveillance testing on an OPERABLE channel requires that the OPERABLE channel be placed in bypass. However, it is not possible to bypass more than one RPS channel, and placing a second channel in trip will result in a reactor trip. Therefore, if one RPS channel is in trip and a second channel is in bypass, a third inoperable channel would place the unit in LCO 3.0.3.
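The channel-state reasoning behind Conditions A and B, worked through as an added Python example (not from the NRC document). The `Ch` states and function names are hypothetical, and treating a failed channel that has not yet been placed in bypass or trip as unable to vote is the worst case the Bases describe.

```python
from collections import Counter
from enum import Enum


class Ch(Enum):
    OPERABLE = "operable"   # can vote for a trip
    BYPASSED = "bypassed"   # removed from the coincidence logic
    TRIPPED = "tripped"     # placed in trip: contributes a standing vote
    FAILED = "failed"       # inoperable, not yet placed; assumed unable to vote


CHANNELS_PER_FUNCTION = 4
VOTES_NEEDED = 2            # RPS coincidence logic is two-out-of-four


def effective_logic(states):
    """Return (further votes needed, channels still able to vote)."""
    if len(states) != CHANNELS_PER_FUNCTION:
        raise ValueError("each trip Function has four channels")
    count = Counter(states)
    if count[Ch.BYPASSED] > 1:
        # The trip channel bypass interlock prevents a second bypass
        # in the same Function.
        raise ValueError("interlock: only one channel may be bypassed")
    needed = max(VOTES_NEEDED - count[Ch.TRIPPED], 0)
    return needed, count[Ch.OPERABLE]


def reactor_tripped(states):
    """True when the standing votes alone satisfy the coincidence logic."""
    return effective_logic(states)[0] == 0


def single_failure_cannot_prevent_trip(states):
    """Derived check: can the logic still trip after losing one more voter?"""
    needed, voters = effective_logic(states)
    return needed == 0 or voters - 1 >= needed


def entry_condition(n_inoperable):
    """Map the number of inoperable channels in one Function to the ACTIONS."""
    if n_inoperable <= 0:
        return None
    if n_inoperable == 1:
        return "Condition A: place channel in bypass or trip within 1 hour"
    if n_inoperable == 2:
        return "Condition B: one channel in bypass, the other in trip within 1 hour"
    return "LCO 3.0.3"


def describe(states):
    needed, voters = effective_logic(states)
    if needed == 0:
        return "reactor trip"
    return f"{needed}-out-of-{voters}"


if __name__ == "__main__":
    O, B, T, F = Ch.OPERABLE, Ch.BYPASSED, Ch.TRIPPED, Ch.FAILED
    cases = {
        "all channels OPERABLE": [O, O, O, O],
        "Condition A, channel bypassed": [B, O, O, O],
        "second channel failed, not yet placed": [B, F, O, O],
        "Required Action B.1 complete": [B, T, O, O],
        "second channel placed in trip": [T, T, O, O],
    }
    for label, states in cases.items():
        ok = single_failure_cannot_prevent_trip(states)
        print(f"{label}: {describe(states)}, "
              f"still trips after one more failure: {ok}")
```

The two-out-of-two row is the only one where one more failed voter can block a trip, which is why Required Action B.1 moves the second channel into trip.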

C.1, C.2.1, and C.2.2 Condition C applies to one automatic bypass removal channel inoperable.

If the inoperable bypass removal channel for any bypass channel cannot be restored to OPERABLE status within 1 hour, the associated RPS channel may be considered OPERABLE only if the bypass is not in effect. Otherwise, the affected RPS channel must be declared inoperable, as in Condition A, and the affected automatic trip channel placed in bypass or trip. The bypass removal channel and the automatic trip channel must be repaired prior to entering MODE 2 following the next MODE 5 entry. The Bases for the Required Actions and required Completion Times are consistent with Condition A.

D.1 and D.2 Condition D applies to two inoperable automatic bypass removal channels. If the bypass removal channels for two operating bypasses cannot be restored to OPERABLE status within 1 hour, the associated RPS channel may be considered OPERABLE only if the bypass is not in effect. Otherwise, the affected RPS channels must be declared inoperable, as in Condition B, and the bypass either removed or one automatic trip channel placed in bypass and the other in trip within 1 hour.

The restoration of one affected bypassed automatic trip channel must be completed prior to the next CHANNEL FUNCTIONAL TEST, or the plant must shut down per LCO 3.0.3 as explained in Condition B.

E.1 Condition E applies if any CPC cabinet receives a high temperature alarm. There is one temperature sensor in each of the four CPC bays.

Since CPC bays B and C also house CEAC calculators 1 and 2, respectively, a high temperature in either of these bays may also indicate a problem with the associated CEAC. CEAC OPERABILITY is addressed in LCO 3.3.3.

If a CPC cabinet high temperature alarm is received, it is possible for the CPC to be affected and not be completely reliable. Therefore, a CHANNEL FUNCTIONAL TEST must be performed within 12 hours. The Completion Time of 12 hours is adequate considering the low probability of undetected failure, the consequences of a single channel failure, and the time required to perform a CHANNEL FUNCTIONAL TEST.

F.1 Condition F applies if an OPERABLE CPC has three or more autorestarts in a 12 hour period.

CPCs and CEACs will attempt to autorestart if they detect a fault condition, such as a calculator malfunction or loss of power. A successful autorestart restores the calculator to operation; however, excessive autorestarts might be indicative of a calculator problem.

If a nonbypassed CPC has three or more autorestarts, it may not be completely reliable. Therefore, a CHANNEL FUNCTIONAL TEST must be performed on the CPC to ensure it is functioning properly. Based on plant operating experience, the Completion Time of 24 hours is adequate and reasonable to perform the test while still keeping the risk of operating in this condition at an acceptable level, since overt channel failure will most likely be indicated and annunciated in the control room by CPC online diagnostics.

G.1 Condition G is entered when the Required Action and associated Completion Time of Condition A, B, C, D, E, or F are not met.

If the Required Actions associated with these Conditions cannot be completed within the required Completion Time, the reactor must be brought to a MODE where the Required Actions do not apply. The allowed Completion Time of 6 hours is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS The SRs for any particular RPS Function are found in the SR column of Table 3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, CHANNEL CALIBRATION, and response time testing.


REVIEWER'S NOTE-----------------------------------

In order for a plant to take credit for topical reports as the basis for justifying Frequencies, topical reports must be supported by an NRC staff SER that establishes the acceptability of each topical report for that unit.


REVIEWER'S NOTE ------------------------------------

The Notes in Table 3.3.1-1 requiring reset of the channel to a predefined as-left tolerance and the verification of the as-found tolerance are only associated with SL-LSSS values. Therefore, the Notes are applied to specific SRs for the associated functions in the SR column only. The Notes may be placed at the top of the Allowable Value column in the Table and applied to all Functions with allowable values in the table.


REVIEWER'S NOTE ------------------------------------

Notes 1 and 2 are applied to the setpoint verification Surveillances for all SL-LSSS Functions unless one or more of the following exclusions apply:

1. Notes 1 and 2 are not applied to SL-LSSS Functions which utilize mechanical components to sense the trip setpoint or to manual initiation circuits (the latter are not explicitly modeled in the accident analysis). Examples of mechanical components are limit switches, float switches, proximity detectors, manual actuation switches, and other such devices that are normally only checked on a "go/no go" basis. Note 1 requires a comparison of the periodic surveillance requirement results to provide an indication of channel (or individual device) performance. This comparison is not valid for most mechanical components. While it is possible to verify that a limit switch functions at a point of travel, a change in the surveillance result probably indicates that the switch has moved, not that the input/output relationship has changed. Therefore, a comparison of surveillance requirement results would not provide an indication of the channel or component performance.
2. Notes 1 and 2 are not applied to Technical Specifications associated with mechanically operated safety relief valves. The performance of these components is already controlled (i.e., trended with as-left and as-found limits) under the ASME Section XI testing program.
3. Notes 1 and 2 may not apply to SL-LSSS Functions and Surveillances which test only digital components. For purely digital components, such as actuation logic circuits and associated relays, there is no expected change in result between surveillance performances other than measurement and test errors (M&TE) and, therefore, justification is needed to confirm that comparison of Surveillance results does not provide an indication of channel or component performance.

An evaluation of the potential SL-LSSS Functions resulted in Notes 1 and 2 being applied to the Functions shown in the TS markups. Each licensee proposing to fully adopt this TSTF must review the potential SL-LSSS Functions to identify which of the identified functions are SL-LSSS according to the definition of SL-LSSS and their plant specific safety analysis. The two TSTF Notes are not required to be applied to any of the listed Functions which meet any of the exclusion criteria or are not SL-LSSS based on the plant specific design and analysis.

SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limits.

The Frequency, about once every shift, is based on operating experience that demonstrates the rarity of channel failure. Since the probability of two random failures in redundant channels in any 12 hour period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel OPERABILITY during normal operational use of the displays associated with the LCO required channels.

In the case of RPS trips with multiple inputs, such as the DNBR and LPD inputs to the CPCs, a CHANNEL CHECK must be performed on all inputs.

SR 3.3.1.2 The RCS flow rate indicated by each CPC is verified, as required by a Note, to be less than or equal to the actual RCS total flow rate every 12 hours when THERMAL POWER is ≥ 70% RTP. The 12 hours after reaching 70% RTP is for plant stabilization, data taking, and flow verification. This check (and if necessary, the adjustment of the CPC addressable constant flow coefficients) ensures that the DNBR setpoint is conservatively adjusted with respect to actual flow indications, as determined by the Core Operating Limits Supervisory System (COLSS).

SR 3.3.1.3 The CPC autorestart count is checked every 12 hours to monitor the CPC and CEAC for normal operation. If three or more autorestarts of a nonbypassed CPC occur within a 12 hour period, the CPC may not be completely reliable. Therefore, the Required Action of Condition F must be performed. The Frequency is based on operating experience that demonstrates the rarity of more than one channel failing within the same 12 hour interval.

SR 3.3.1.4 A daily calibration (heat balance) is performed when THERMAL POWER is ≥ 20%. The Linear Power Level signal and the CPC addressable constant multipliers are adjusted to make the CPC T power and nuclear power calculations agree with the calorimetric calculation if the absolute difference is ≥ 2%. The value of 2% is adequate because this value is assumed in the safety analysis. These checks (and, if necessary, the adjustment of the Linear Power Level signal and the CPC addressable constant coefficients) are adequate to ensure that the accuracy of these CPC calculations is maintained within the analyzed error margins. The power level must be > 20% RTP to obtain accurate data. At lower power levels, the accuracy of calorimetric data is questionable.

The Frequency of 24 hours is based on plant operating experience and takes into account indications and alarms located in the control room to detect deviations in channel outputs. The Frequency is modified by a Note indicating this Surveillance need only be performed within 12 hours after reaching 20% RTP. The 12 hours after reaching 20% RTP is required for plant stabilization, data taking, and flow verification. The secondary calorimetric is inaccurate at lower power levels. A second Note in the SR indicates the SR may be suspended during PHYSICS TESTS. The conditional suspension of the daily calibrations under strict administrative control is necessary to allow special testing to occur.

SR 3.3.1.5 The RCS flow rate indicated by each CPC is verified to be less than or equal to the RCS total flow rate every 31 days. The Note indicates the Surveillance is performed within 12 hours after THERMAL POWER is ≥ 70% RTP. This check (and, if necessary, the adjustment of the CPC addressable flow constant coefficients) ensures that the DNBR setpoint is conservatively adjusted with respect to actual flow indications as determined by a calorimetric calculation. Operating experience has shown the specified Frequency is adequate, as instrument drift is minimal and changes in actual flow rate are minimal over core life.

SR 3.3.1.6 The three vertically mounted excore nuclear instrumentation detectors in each channel are used to determine APD for use in the DNBR and LPD calculations. Because the detectors are mounted outside the reactor vessel, a portion of the signal from each detector is from core sections not adjacent to the detector. This is termed shape annealing and is compensated for after every refueling by performing SR 3.3.1.12, which adjusts the gains of the three detector amplifiers for shape annealing.

SR 3.3.1.6 ensures that the preassigned gains are still proper. Power must be > 15% because the CPCs do not use the excore generated signals for axial flux shape information at low power levels. The Note allowing 12 hours after reaching 15% RTP is required for plant stabilization and testing.

The 31 day Frequency is adequate because the demonstrated long term drift of the instrument channels is minimal.

SR 3.3.1.7 A CHANNEL FUNCTIONAL TEST on each channel except Loss of Load, power range neutron flux, and logarithmic power level channels is performed every 92 days to ensure the entire channel will perform its intended function when needed. The SR is modified by two Notes.

Note 1 is a requirement to verify the correct CPC addressable constant values are installed in the CPCs when the CPC CHANNEL FUNCTIONAL TEST is performed. Note 2 allows the CHANNEL FUNCTIONAL TEST for the Logarithmic Power Level - High channels to be performed 2 hours after logarithmic power drops below 1E-4% and is required to be performed only if the RTCBs are closed.

In addition to power supply tests, the RPS CHANNEL FUNCTIONAL TEST consists of three overlapping tests as described in Reference 9.

These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. They include:

Bistable Tests A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected RPS channel trip channel bypassed. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint analysis.

The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the interval between surveillance interval extension analysis. The requirements for this review are outlined in Reference [10].

Matrix Logic Tests Matrix Logic tests are addressed in LCO 3.3.4. This test is performed one matrix at a time. It verifies that a coincidence in the two input channels for each Function removes power from the matrix relays.

During testing, power is applied to the matrix relay test coils and prevents the matrix relay contacts from assuming their de-energized state. This test will detect any short circuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts.

SR 3.3.1.7 for SL-LSSS functions is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety analysis setpoint methodology assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP].

Where a setpoint more conservative than the [LTSP] is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance of the [LTSP], then the instrument channel shall be declared inoperable.

The second Note also requires that [LTSP] and the methodologies for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

Trip Path Tests Trip path (Initiation Logic) tests are addressed in LCO 3.3.4. These tests are similar to the Matrix Logic tests, except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize, thereby opening the affected set of RTCBs. The RTCBs must then be closed prior to testing the other three initiation circuits, or a reactor trip may result.

The Frequency of 92 days is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 10).

The CPC and CEAC channels and excore nuclear instrumentation channels are tested separately.

The excore channels use preassigned test signals to verify proper channel alignment. The excore logarithmic channel test signal is inserted into the preamplifier input, so as to test the first active element downstream of the detector.

The power range excore test signal is inserted at the drawer input, since there is no preamplifier.

The quarterly CPC CHANNEL FUNCTIONAL TEST is performed using software. This software includes preassigned addressable constant values that may differ from the current values. Provisions are made to store the addressable constant values on a computer disk prior to testing and to reload them after testing. A Note is added to the Surveillance Requirements to verify that the CPC CHANNEL FUNCTIONAL TEST includes the correct values of addressable constants. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay.

This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

SR 3.3.1.8 A Note indicates that neutron detectors are excluded from CHANNEL CALIBRATION. A CHANNEL CALIBRATION of the power range neutron flux channels every 92 days ensures that the channels are reading accurately and within tolerance (Ref. 10). The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests.

CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the interval between surveillance interval extension analysis. The requirements for this review are outlined in Reference 10. Operating experience has shown this Frequency to be satisfactory. The detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4) and the monthly linear subchannel gain check (SR 3.3.1.6). In addition, the associated control room indications are monitored by the operators.

SR 3.3.1.8 for SL-LSSS functions is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety analysis setpoint methodology assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP].

Where a setpoint more conservative than the [LTSP] is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance of the [LTSP], then the instrument channel shall be declared inoperable.

The second Note also requires that [LTSP] and the methodologies for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

[ SR 3.3.1.9 The characteristics and Bases for this Surveillance are as described for SR 3.3.1.7. This Surveillance differs from SR 3.3.1.7 only in that the CHANNEL FUNCTIONAL TEST on the Loss of Load functional unit is only required above 55% RTP. When above 55% and the trip is in effect, the CHANNEL FUNCTIONAL TEST will ensure the channel will perform its equipment protective function if needed. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay.

This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. The Note allowing 2 hours after reaching 55% RTP is necessary for Surveillance performance. This Surveillance cannot be performed below 55% RTP, since the trip is bypassed. ]

SR 3.3.1.10 SR 3.3.1.10 is the performance of a CHANNEL CALIBRATION every [18] months.

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. CHANNEL CALIBRATIONS must be performed consistent with the plant specific setpoint analysis.

The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the surveillance interval extension analysis. The requirements for this review are outlined in Reference [10].

The Frequency is based upon the assumption of an [18] month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysis as well as operating experience and consistency with the typical [18] month fuel cycle.

The Surveillance is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4) and the monthly linear subchannel gain check (SR 3.3.1.6).

SR 3.3.1.10 for SL-LSSS functions is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety analysis setpoint methodology assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP].

Where a setpoint more conservative than the [LTSP] is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance of the [LTSP], then the instrument channel shall be declared inoperable.

The second Note also requires that [LTSP] and the methodologies for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

SR 3.3.1.11 Every [18] months, a CHANNEL FUNCTIONAL TEST is performed on the CPCs. The CHANNEL FUNCTIONAL TEST shall include the injection of a signal as close to the sensors as practicable to verify OPERABILITY including alarm and trip Functions. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

The basis for the [18] month Frequency is that the CPCs perform a continuous self monitoring function that eliminates the need for frequent CHANNEL FUNCTIONAL TESTS. This CHANNEL FUNCTIONAL TEST essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function.

Operating experience has shown that undetected CPC or CEAC failures do not occur in any given [18] month interval.

SR 3.3.1.11 for SL-LSSS functions is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety analysis setpoint methodology assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. These channels will also be identified in the Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [LTSP].

Where a setpoint more conservative than the [LTSP] is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance of the [LTSP], then the instrument channel shall be declared inoperable.

The second Note also requires that [LTSP] and the methodologies for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

SR 3.3.1.12 The three excore detectors used by each CPC channel for axial flux distribution information are far enough from the core to be exposed to flux from all heights in the core, although it is desired that they only read their particular level. The CPCs adjust for this flux overlap by using the predetermined shape annealing matrix elements in the CPC software.

After refueling, it is necessary to re-establish or verify the shape annealing matrix elements for the excore detectors based on more accurate incore detector readings. This is necessary because refueling could possibly produce a significant change in the shape annealing matrix coefficients.

Incore detectors are inaccurate at low power levels. THERMAL POWER should be significant but < 70% to perform an accurate axial shape calculation used to derive the shape annealing matrix elements.

By restricting power to ≤ 70% until shape annealing matrix elements are verified, excessive local power peaks within the fuel are avoided.

Operating experience has shown this Frequency to be acceptable.

SR 3.3.1.13 SR 3.3.1.13 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.1.7, except SR 3.3.1.13 is applicable only to bypass functions and is performed once within 92 days prior to each startup. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay.

This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. Proper operation of bypass permissives is critical during plant startup because the bypasses must be in place to allow startup operation and must be removed at the appropriate points during power ascent to enable certain reactor trips. Consequently, the appropriate time to verify bypass removal function OPERABILITY is just prior to startup.

The allowance to conduct this Surveillance within 92 days of startup is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 10). Once the operating bypasses are removed, the bypasses must not fail in such a way that the associated trip Function gets inadvertently bypassed. This feature is verified by the trip Function CHANNEL FUNCTIONAL TEST, SR 3.3.1.7 or SR 3.3.1.9. Therefore, further testing of the bypass function after startup is unnecessary.

SR 3.3.1.14 This SR ensures that the RPS RESPONSE TIMES are verified to be less than or equal to the maximum values assumed in the safety analysis. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the RTCBs open. Response time tests are conducted on an [18] month STAGGERED TEST BASIS. This results in the interval between successive surveillances of a given channel of n x 18 months, where n is the number of channels in the function. The Frequency of [18] months is based upon operating experience, which has shown that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences. Also, response times cannot be determined at power, since equipment operation is required. Testing may be performed in one measurement or in overlapping segments, with verification that all components are tested.


REVIEWER'S NOTE

Applicable portions of the following TS Bases are applicable to plants adopting CEOG Topical Report CE NPSD-1167-1, "Elimination of Pressure Sensor Response Time Testing Requirements."

Response time may be verified by any series of sequential, overlapping or total channel measurements, including allocated sensor response time, such that the response time is verified. Allocations for sensor response times may be obtained from records of test results, vendor test data, or vendor engineering specifications. Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements," (Ref. 11) provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the Topical Report. Response time verification for other sensor types must be demonstrated by test. The allocation of sensor response times must be verified prior to placing a new component in operation and reverified after maintenance that may adversely affect the sensor response time.

A Note is added to indicate that the neutron detectors are excluded from RPS RESPONSE TIME testing because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4).

REFERENCES

1. Regulatory Guide 1.105, Revision 3, "Setpoints for Safety-Related Instrumentation."
2. 10 CFR 50, Appendix A, GDC 21.
3. 10 CFR 100.
4. NRC Safety Evaluation Report.
5. IEEE Standard 279-1971, April 5, 1972.
6. FSAR, Chapter [14].
7. 10 CFR 50.49.
8. "Plant Protection System Selection of Trip Setpoint Values."
9. FSAR, Section [7.2].
10. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989.
11. CEOG Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements."

CEOG STS B 3.3.1-45 Rev. 3.0, 03/31/04