Text

NRC Response to 4/16/2007 Submittal of TSTF-493, Revision 2, Clarify Application of Setpoint Methodology for LSSS Functions, Enclosure 6a - WOG_3.3.01_B for TSTF-493R2eITSB
	ML072120165
Person / Time
Site:	Technical Specifications Task Force
Issue date:	07/25/2007
From:	Kobetz T; NRC/NRR/ADRO/DIRS/ITSB
To:	; Technical Specifications Task Force
	Schulten C. S., NRR/DIRS, 415-1192
Shared Package
ML072070202	List: ML072050146; ML072070251; ML072070260; ML072070269; ML072070355; ML072070358; ML072120059; ML072120076; ML072120083; ML072120091; ML072120096; ML072120100; ML072120105; ML072120111; ML072120119; ML072120145; ML072120153; ML072120162; ML072120164; ML072120165; ML072120168;
References
	TAC MD5249, TSTF-493, Rev 2
	Download: ML072120165 (75)
	v • d • e

RTS Instrumentation B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Trip System (RTS) Instrumentation BASES BACKGROUND The RTS initiates a unit shutdown, based on the values of selected unit parameters, to protect against violating the core fuel design limits and Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs) and to assist the Engineered Safety Features (ESF) Systems in mitigating accidents.

The protection and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RTS, as well as specifying LCOs on other reactor system parameters and equipment performance. The subset of LSSS that directly protect against violating the Rreactor cCore Safety Limits and or the Reactor Coolant System (RCS) pPressure boundary sSafety Llimit s during anticipated operational occurrences (AOOs) are referred to as Safety Limit LSSS (SL-LSSS) 10 CFR 50.36(c)(1)(ii)(A) requires that TSs include LSSSs for variables that have significant safety functions. For variables on which a SL has been placed, the LSSS must be chosen to initiate automatic protective action to correct abnormal situations before the SL is exceeded.

Technical Specifications are required by 10 CFR 50.36 to contain LSSSSL-LSSS defined by the regulation as "...settings for automatic protective devices...so chosen that automatic protective action will correct the abnormal situation before a Safety Limit (SL) is exceeded." The AnalyticAnalytical Limit is the limit of the process variable at which a safety protective action is initiated, as established by the safety analysis, to ensure that a Safety Limit (SL) is not exceeded. Any automatic protection action that occurs on reaching the AnalyticAnalytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the AnalyticAnalytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

REVIEW ER'S NOTE ------------------------------------

The trip setpoint is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytic Limit and thus ensuring that the SL would not be exceeded. As such, the trip setpoint accounts for uncertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g., repeatability), changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In W OG STS B 3.3.1-1 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 this manner, the trip setpoint plays an important role in ensuring that SLs are not exceeded. As such, the trip setpoint meets the definition of an LSSS (Ref. 1) and could be used to meet the requirement that they be contained in the Technical Specifications.

W OG STS B 3.3.1-2 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the setpoint value calculated by means of the plant-specific setpoint methodology documented in a document controlled under 10 CFR 50.59.

The term Limiting Trip Setpoint indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting.

W here margin is added between the Analytical Limit and trip setpoint, the standard terminology of Nominal Trip Setpoint (NTSP) should be used.

The trip setpoint (field setting) may be more conservative than the Limiting or Nominal Trip Setpoint. W here the [NTSP] is not included in Table 3.3.1-1 for the purpose of compliance with 10 CFR 50.36, the plant-specific term for the Limiting or Nominal Trip Setpoint must be cited in Note c of Table 3.3.1-1. The brackets indicate plant-specific terms may apply, as reviewed and approved by the NRC. The as-found and as-left tolerances will apply to the actual setpoint implemented in the Surveillance procedures to confirm channel performance. [NTSP] is the standard terminology for most W estinghouse plants and is used as the preferred term in the Bases descriptions.

Licensees are to insert the name of the document(s) controlled under 10 CFR 50.59 that contain the methodology for calculating the as-left and as-found tolerances, for the phrase "[a document controlled under 10 CFR 50.59]" throughout these Bases. Those plants that do not include the

[NTSP] in Table 3.3.1-1 must insert the name of the document(s) controlled under 10 CFR 50.59 that contain the [NTSP] and the methodology for calculating the as-left and as-found tolerances, for the phrase "[a document controlled under 10 CFR 50.59]" in the specifications.

The [Nominal Trip Setpoint (NTSP)] is a predetermined setting, plus margin, for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the [NTSP]

accounts for uncertainties in setting the device (e.g., calibration),

uncertainties in how the device might actually perform (e.g., repeatability),

changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the [NTSP] ensures that SLs are not exceeded. As such, the [NTSP]

meets the definition of an SLa SL-LSSS (Ref. 1).

BASES BACKGROUND (continued)

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety functions(s)." For automatic protective devices, the required safety function is to ensure that a SL is not exceeded and therefore the LSSS as W OG STS B 3.3.1-3 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 defined by 10 CFR 50.36 is the same as the OPERABILITY limit for these devices. However, useUse of the trip setpoint[NTSP] to define OPERABILITY in Technical Specifications and its corresponding designation as the LSSS required by 10 CFR 50.36 would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as -found" value of a protective device setting during a surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the trip setpoint[NTSP] due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the trip setpoint[NTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as -found" setting of the protective device. Therefore, the device would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the device to the trip setpoint[NTSP] to account for further drift during the next surveillance interval.

Use of the trip setpoint to define "as found" OPERABILITY and its designation as the LSSS under the expected circumstances described above would result in actions required by both the rule and Technical Specifications that are clearly not warranted. However, there is also some point beyond which the device would have not been able to perform its function due, for example, to greater than expected drift. This value needs to be specified in the Technical Specifications in order to define OPERABILITY of the devices and is designated as the Allowable Value which, as stated above, is the same as the LSSS.

The Allowable Value specified in Table 3.3.1-1 serves as the LSSS such that a channel is OPERABLE if the trip setpoint is found not to exceed the Allowable Value during the CHANNEL OPERATIONAL TEST (COT). As such, the Allowable Value differs from the trip setpoint However, there is also some point beyond which the device would have not been able to perform its function due to, for example, greater than expected drift. The Allowable Value specified in Table 3.3.1-1 is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the as-found setpoint is conservative with respect to the Allowable Value during the CHANNEL OPERATIONAL TEST (COT). As such, the Allowable Value differs from the [NTSP] by an amount primarily[greater than or] equal to the expected instrument loopchannel uncertainties, such as drift, during the surveillance interval.

In this manner, the actual setting of the device will still meet the LSSS definition and ensure that an SL W OG STS B 3.3.1-4 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued) is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval. Note that, although the channel is "OPERABLE" under these circumstances, the trip setpoint should must be left adjusted to a value within the established trip setpoint calibration as-left tolerance band,, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned. (as-found criteria).

If the actual setting of the device is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, then this condition indicates that the instrument is degraded and is not performing in accordance with the setpoint methodology assumptions.

This condition must be entered into the plant corrective action program, the trip setpoint must be left adjusted to a value within the as-left tolerance band, and an immediate determination of operability decision must be made.

If the actual setting of the device is found to have exceeded the be non-conservative with respect to the Allowable Value, the device channel would be considered inoperable from a technical specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.

[ Note: Alternatively, a Technical Specification format incorporating an Allowable Value only column may be proposed by a licensee. In this case the trip setpoint value of Table 3.3.1-1 is located in the Technical Specification Bases or in a licensee-controlled document outside the Technical Specification. In this case, for SL-LSSS setpoints, the [NTSP]

value and the methodologies used to calculate the as-found and as-left tolerances must be specified in [a document controlled under 10 CFR 50.59]. Changes to the actual plant trip setpointsetpoint or [NTSP] value would be controlled by 10 CFR 50.59 or administratively as appropriate, and adjusted per the setpoint methodology and applicable surveillance requirements. At their option, the licensee may include the trip setpoint in Table 3.3.1-1 as shown, or as suggested by the licensees' setpoint methodology or license. ]

During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:

1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB),

W OG STS B 3.3.1-5 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1

2. Fuel centerline melt shall not occur, and

3. The RCS pressure SL of 2750 psia shall not be exceeded.

Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 50 and 10 CFR 100 criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 limits. Different accident categories are allowed a different fraction of these limits, based on probability of occurrence.

Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event. However, these values the acceptable dose limit for an accident category and their associated

[NTSPs] are not considered to be LSSS as defined in 10 CFR 50.36.

W OG STS B 3.3.1-6 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

The RTS instrumentation is segmented into four distinct but interconnected modules as illustrated in Figure [ ], FSAR, Chapter [7]

(Ref. 2), and as identified below:

1. Field transmitters or process sensors: provide a measurable electronic signal based upon the physical characteristics of the parameter being measured,

2. Signal Process Control and Protection System, including Analog Protection System, Nuclear Instrumentation System (NIS), field contacts, and protection channel sets: provides signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/miscellaneous indications,

3. Solid State Protection System (SSPS), including input, logic, and output bays: initiates proper unit shutdown and/or ESF actuation in accordance with the defined logic, which is based on the bistable outputs from the signal process control and protection system, and

4. Reactor trip switchgear, including reactor trip breakers (RTBs) and bypass breakers: provides the means to interrupt power to the control rod drive mechanisms (CRDMs) and allows the rod cluster control assemblies (RCCAs), or "rods," to fall into the core and shut down the reactor. The bypass breakers allow testing of the RTBs at power.

Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. To account for the calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are provided in the trip setpoint[NTSP] and Allowable Values. The OPERABILITY of each transmitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor as related to the channel behavior observed during performance of the CHANNEL CHECK.

W OG STS B 3.3.1-7 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

Signal Process Control and Protection System Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints[NTSPs]

established by safety analyses. These setpoints[NTSPs] are defined in FSAR, Chapter [7] (Ref. 2), Chapter [6] (Ref. 3), and Chapter [15]

(Ref. 4). If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.

Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails, such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.

Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.

These requirements are described in IEEE-279-1971 (Ref. 5). The actual number of channels required for each unit parameter is specified in Reference 2.

Two logic channels are required to ensure no single random failure of a logic channel will disable the RTS. The logic channels are designed such that testing required while the reactor is at power may be accomplished without causing trip. Provisions to allow removing logic channels from service during maintenance are unnecessary because of the logic system's designed reliability.

W OG STS B 3.3.1-8 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

Allowable Values[NTSPs] and RTS Setpoints The trip setpoints [NTSPs] used in the bistables are based on the analytical limits stated in Reference 2. The selection of these trip setpoints[NTSPs] is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RTS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 6), the Allowable Values specified in Table 3.3.1-1 in the accompanying LCO are conservative with respect to the analytical limits. A detailed description of the methodology used to calculate the Allowable Values, as-left tolerance, as-found tolerance and trip setpoints[NTSPs], including their explicit uncertainties, is provided in the "RTS/ESFAS Setpoint Methodology Study" (Ref. 7) which incorporates all of the known uncertainties applicable to each channel. The magnitudes of these uncertainties are factored into the determination of each trip setpoint [NTSP] and corresponding Allowable Value. The trip setpoint entered into the bistable is more conservative than that specified by the Allowable Value (LSSS) to account for measurement errors detectable by the COT. The Allowable Value serves as the as-found [NTSP] Technical Specification OPERABILITY limit for the purpose of the COT. One example of such a change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceedis conservative with respect to the Allowable Value, the bistable is considered OPERABLE. Note that, although a channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to within the established as-left criteria and confirmed to be operating within the statistical allowances of the uncertainty terms assigned.

The trip setpoint [NTSP] is the value at which the bistable is set and is the expected value to be achieved during calibration. The [NTSP] value ensures is the LSSS and ensures the safety analysis limits are met for the surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted when the "as-left" [NTSP] value is within the as-left tolerance band for CHANNEL CALIBRATION uncertainty allowance (i.e., +/- rack calibration and comparator setting uncertainties). The [NTSP] value is therefore considered a "nominal" value (i.e., expressed as a value without inequalities) for the purposes of COT and CHANNEL CALIBRATION.

[Nominal Trip Setpoints], in conjunction with the use of as-found and as-left tolerances, consistent with the requirements of the Allowable Value ensure that SLs are not violated during AOOs (and that the consequences of DBAs will be acceptable, providing the unit is operated from within the LCOs at the onset of the AOO or DBA and the equipment W OG STS B 3.3.1-9 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 functions as designed). Note that the Allowable Values listed in Table 3.3.1-1 are the least conservative value of the as-found setpoint that a channel can have during a periodic CHANNEL CALIBRATION, COT, or a TADOT that requires trip setpoint verification.

The trip setpoint is the value at which the bistable is set and is the expected value to be achieved during calibration. The trip setpoint value ensures the LSSS and the safety analysis limits are met for surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted when the "as left" setpoint value is within the band for CHANNEL CALIBRATION uncertainty allowance (i.e., +/- rack calibration +

comparator setting uncertainties). The trip setpoint value is therefore considered a "nominal" value (i.e., expressed as a value without inequalities) for the purposes of COT and CHANNEL CALIBRATION.

BASES BACKGROUND (continued)

Each channel of the process control equipment can be tested on line to verify that the signal or setpoint accuracy is within the specified allowance requirements of Reference 3. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SRs section.

Solid State Protection System The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide reactor trip and/or ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result. Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements. The system has been designed to trip in the event of a loss of power, directing the unit to a safe shutdown condition.

The SSPS performs the decision logic for actuating a reactor trip or ESF actuation, generates the electrical output signal that will initiate the required trip or actuation, and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various unit upset and accident transients. If a W OG STS B 3.3.1-10 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 required logic matrix combination is completed, the system will initiate a reactor trip or send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.

Reactor Trip Switchgear The RTBs are in the electrical power supply line from the control rod drive motor generator set power supply to the CRDMs. Opening of the RTBs interrupts power to the CRDMs, which allows the shutdown rods and control rods to fall into the core by gravity. Each RTB is equipped with a bypass breaker to allow testing of the RTB while the unit is at power.

W OG STS B 3.3.1-11 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

During normal operation the output from the SSPS is a voltage signal that energizes the undervoltage coils in the RTBs and bypass breakers, if in use. W hen the required logic matrix combination is completed, the SSPS output voltage signal is removed, the undervoltage coils are de-energized, the breaker trip lever is actuated by the de-energized undervoltage coil, and the RTBs and bypass breakers are tripped open.

This allows the shutdown rods and control rods to fall into the core. In addition to the de-energization of the undervoltage coils, each breaker is also equipped with a shunt trip device that is energized to trip the breaker open upon receipt of a reactor trip signal from the SSPS. Either the undervoltage coil or the shunt trip mechanism is sufficient by itself, thus providing a diverse trip mechanism.

The decision logic matrix Functions are described in the functional diagrams included in Reference 3. In addition to the reactor trip or ESF, these diagrams also describe the various "permissive interlocks" that are associated with unit conditions. Each train has a built in testing device that can automatically test the decision logic matrix Functions and the actuation devices while the unit is at power. W hen any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.

APPLICABLE The RTS functions to maintain the SLs during all AOOs and mitigates SAFETY the consequences of DBAs in all MODES in which the Rod Control ANALYSES, LCO, System is capable of rod withdrawal or one or more rods are not fully and APPLICABILITY inserted.

Trip Setpoints that directly protect against violating the Rreactor Ccore Safety Limits or the Reactor Coolant System (RCS) pPressure boundary Ssafety Llimits during anticipated operational occurrences (AOOs) are Safety Limit-Limiting Safety System Settings (SL-LSSS). The RTS interlocks do not function as part of the automatic protection system for accident mitigation. The interlock functions ensure that required manual actions, such as blocking the source range trip prior to entering the intermediate range, are performed in their proper sequence. The interlock functions also ensure that automatic actions occur, such as reinstating the high flux-low trip, if power decreases below the interlock setpoint. Therefore permissives and interlocks are not considered to be SL-LSSS.

Each of the analyzed accidents and transients can be detected by one or more RTS Functions. The accident analysis described in Reference 4 takes credit for most RTS trip Functions. RTS trip Functions not W OG STS B 3.3.1-12 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 specifically credited in the accident analysis are may be qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. However, qualitatively credited or backup functions are not SL-LSSS. These RTS trip Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. They may also serve as backups to RTS trip Functions that were credited in the accident analysis.

The LCO requires all instrumentation performing an RTS Function, listed in Table 3.3.1-1 in the accompanying LCO, to be OPERABLE. A channel is OPERABLE with a trip setpoint value outside its calibration tolerance band provided the trip setpoint "as-found" value does not exceed its The LCO requires all instrumentation performing an RTS Function, listed in Table 3.3.1-1 in the accompanying LCO, to be OPERABLE. The Allowable Value specified in Table 3.3.1-1 is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the as-found setpoint is conservative with respect to the Allowable Value during the CHANNEL OPERATIONAL TEST (COT). As such, the Allowable Value differs from the [NTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device ([NTSP]) will ensure that a SL is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval.

Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).

If the actual setting of the device is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, then this condition indicates that the instrument is degraded and is not performing in accordance with the setpoint methodology assumptions.

This condition must be entered into the plant corrective action program, the trip setpoint must be left adjusted to a value within the as-left tolerance band, and an immediate determination of operability decision must be made.

If the actual setting of the device is found to be non-conservative with respect to the Allowable Value, the device channel would be considered inoperable. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.

W OG STS B 3.3.1-13 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 A channel is OPERABLE with a trip setpoint value outside its calibration tolerance band provided the trip setpoint "as-found" value is conservative with respect to its BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) associated Allowable Value and provided the trip setpoint "as-left" value is adjusted to a value within the "as-left" calibration tolerance band of the Nominal Trip Setpoint.[NTSP]. A trip setpoint may be set more conservative than the Nominal Trip Setpoint[NTSP] as necessary in response to plant conditions. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

The LCO generally requires OPERABILITY of four or three channels in each instrumentation Function, two channels of Manual Reactor Trip in each logic Function, and two trains in each Automatic Trip Logic Function.

Four OPERABLE instrumentation channels in a two-out-of-four configuration are required when one RTS channel is also used as a control system input. This configuration accounts for the possibility of the shared channel failing in such a manner that it creates a transient that requires RTS action. In this case, the RTS will still provide protection, even with random failure of one of the other three protection channels.

Three OPERABLE instrumentation channels in a two-out-of-three configuration are generally required when there is no potential for control system and protection system interaction that could simultaneously create a need for RTS trip and disable one RTS channel. The two-out-of-three and two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing a reactor trip. Specific exceptions to the above general philosophy exist and are discussed below.

Reactor Trip System Functions The safety analyses and OPERABILITY requirements applicable to each RTS Function are discussed below:

1. Manual Reactor Trip The Manual Reactor Trip ensures that the control room operator can initiate a reactor trip at any time by using either of two reactor trip switches in the control room. A Manual Reactor Trip accomplishes the same results as any one of the automatic trip Functions. It is used by the reactor operator to shut down the reactor whenever any parameter is rapidly trending toward its Trip Setpoint.

W OG STS B 3.3.1-14 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 The LCO requires two Manual Reactor Trip channels to be OPERABLE. Each channel is controlled by a manual reactor trip switch. Each channel activates the reactor trip breaker in both trains.

Two independent channels are required to be OPERABLE so that no single random failure will disable the Manual Reactor Trip Function.

W OG STS B 3.3.1-15 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

In MODE 1 or 2, manual initiation of a reactor trip must be OPERABLE. These are the MODES in which the shutdown rods and/or control rods are partially or fully withdrawn from the core. In MODE 3, 4, or 5, the manual initiation Function must also be OPERABLE if one or more shutdown rods or control rods are withdrawn or the Rod Control System is capable of withdrawing the shutdown rods or the control rods. In this condition, inadvertent control rod withdrawal is possible. In MODE 3, 4, or 5, manual initiation of a reactor trip does not have to be OPERABLE if the Rod Control System is not capable of withdrawing the shutdown rods or control rods and if all rods are fully inserted. If the rods cannot be withdrawn from the core, or all of the rods are inserted, there is no need to be able to trip the reactor. In MODE 6, neither the shutdown rods nor the control rods are permitted to be withdrawn and the CRDMs are disconnected from the control rods and shutdown rods.

Therefore, the manual initiation Function is not required.

2. Power Range Neutron Flux The NIS power range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS power range detectors provide input to the Rod Control System and the Steam Generator (SG) W ater Level Control System. Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Note that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.

a. Power Range Neutron Flux - High The Power Range Neutron Flux - High trip Function ensures that protection is provided, from all power levels, against a positive reactivity excursion leading to DNB during power operations.

These can be caused by rod withdrawal or reductions in RCS temperature.

The LCO requires all four of the Power Range Neutron Flux -

High channels to be OPERABLE.

W OG STS B 3.3.1-16 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

In MODE 1 or 2, when a positive reactivity excursion could occur, the Power Range Neutron Flux - High trip must be OPERABLE.

This Function will terminate the reactivity excursion and shut down the reactor prior to reaching a power level that could damage the fuel. In MODE 3, 4, 5, or 6, the NIS power range detectors cannot detect neutron levels in this range. In these MODES, the Power Range Neutron Flux - High does not have to be OPERABLE because the reactor is shut down and reactivity excursions into the power range are extremely unlikely. Other RTS Functions and administrative controls provide protection against reactivity additions when in MODE 3, 4, 5, or 6.

b. Power Range Neutron Flux - Low The LCO requirement for the Power Range Neutron Flux - Low trip Function ensures that protection is provided against a positive reactivity excursion from low power or subcritical conditions.

The LCO requires all four of the Power Range Neutron Flux -

Low channels to be OPERABLE.

In MODE 1, below the Power Range Neutron Flux (P-10 setpoint), and in MODE 2, the Power Range Neutron Flux - Low trip must be OPERABLE. This Function may be manually blocked by the operator when two out of four power range channels are greater than approximately 10% RTP (P-10 setpoint). This Function is automatically unblocked when three out of four power range channels are below the P-10 setpoint.

Above the P-10 setpoint, positive reactivity additions are mitigated by the Power Range Neutron Flux - High trip Function.

In MODE 3, 4, 5, or 6, the Power Range Neutron Flux - Low trip Function does not have to be OPERABLE because the reactor is shut down and the NIS power range detectors cannot detect neutron levels in this range. Other RTS trip Functions and administrative controls provide protection against positive reactivity additions or power excursions in MODE 3, 4, 5, or 6.

W OG STS B 3.3.1-17 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

3. Power Range Neutron Flux Rate The Power Range Neutron Flux Rate trips use the same channels as discussed for Function 2 above.

a. Power Range Neutron Flux - High Positive Rate The Power Range Neutron Flux - High Positive Rate trip Function ensures that protection is provided against rapid increases in neutron flux that are characteristic of an RCCA drive rod housing rupture and the accompanying ejection of the RCCA. This Function compliments the Power Range Neutron Flux - High and Low Setpoint trip Functions to ensure that the criteria are met for a rod ejection from the power range.

The LCO requires all four of the Power Range Neutron Flux -

High Positive Rate channels to be OPERABLE.

In MODE 1 or 2, when there is a potential to add a large amount of positive reactivity from a rod ejection accident (REA), the Power Range Neutron Flux - High Positive Rate trip must be OPERABLE. In MODE 3, 4, 5, or 6, the Power Range Neutron Flux - High Positive Rate trip Function does not have to be OPERABLE because other RTS trip Functions and administrative controls will provide protection against positive reactivity additions. Also, since only the shutdown banks may be withdrawn in MODE 3, 4, or 5, the remaining complement of control bank worth ensures a sufficient degree of SDM in the event of an REA. In MODE 6, no rods are withdrawn and the SDM is increased during refueling operations. The reactor vessel head is also removed or the closure bolts are detensioned preventing any pressure buildup. In addition, the NIS power range detectors cannot detect neutron levels present in this mode.

b. Power Range Neutron Flux - High Negative Rate The Power Range Neutron Flux - High Negative Rate trip Function ensures that protection is provided for multiple rod drop accidents. At high power levels, a multiple rod drop accident could cause local flux peaking that would result in an unconservative local DNBR. DNBR is defined as the ratio of the W OG STS B 3.3.1-18 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) heat flux required to cause a DNB at a particular location in the core to the local heat flux. The DNBR is indicative of the margin to DNB. No credit is taken for the operation of this Function for those rod drop accidents in which the local DNBRs will be greater than the limit.

The LCO requires all four Power Range Neutron Flux - High Negative Rate channels to be OPERABLE.

In MODE 1 or 2, when there is potential for a multiple rod drop accident to occur, the Power Range Neutron Flux - High Negative Rate trip must be OPERABLE. In MODE 3, 4, 5, or 6, the Power Range Neutron Flux - High Negative Rate trip Function does not have to be OPERABLE because the core is not critical and DNB is not a concern. Also, since only the shutdown banks may be withdrawn in MODE 3, 4, or 5, the remaining complement of control bank worth ensures a sufficient degree of SDM in the event of an REA. In MODE 6, no rods are withdrawn and the required SDM is increased during refueling operations. In addition, the NIS power range detectors cannot detect neutron levels present in this MODE.

4. Intermediate Range Neutron Flux The Intermediate Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux - Low Setpoint trip Function. The NIS intermediate range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS intermediate range detectors do not provide any input to control systems. Note that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.

The LCO requires two channels of Intermediate Range Neutron Flux to be OPERABLE. Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip Function.

W OG STS B 3.3.1-19 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Because this trip Function is important only during startup, there is generally no need to disable channels for testing while the Function is required to be OPERABLE. Therefore, a third channel is unnecessary.

In MODE 1 below the P-10 setpoint, and in MODE 2 above the P-6 setpoint, when there is a potential for an uncontrolled RCCA bank rod withdrawal accident during reactor startup, the Intermediate Range Neutron Flux trip must be OPERABLE. Above the P-10 setpoint, the Power Range Neutron Flux - High Setpoint trip and the Power Range Neutron Flux - High Positive Rate trip provide core protection for a rod withdrawal accident. In MODE 2 below the P-6 setpoint, the Source Range Neutron Flux Trip provides the core protection for reactivity accidents. In MODE 3, 4, or 5, the Intermediate Range Neutron Flux trip does not have to be OPERABLE because the control rods must be fully inserted and only the shutdown rods may be withdrawn. The reactor cannot be started up in this condition.

The core also has the required SDM to mitigate the consequences of a positive reactivity addition accident. In MODE 6, all rods are fully inserted and the core has a required increased SDM. Also, the NIS intermediate range detectors cannot detect neutron levels present in this MODE.

5. Source Range Neutron Flux The LCO requirement for the Source Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux - Low trip Function. In MODES 3, 4, and 5, administrative controls also prevent the uncontrolled withdrawal of rods. The NIS source range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS source range detectors do not provide any inputs to control systems. The source range trip is the only RTS automatic protection function required in MODES 3, 4, and 5 when rods are capable of withdrawal or one or more rods are not fully inserted.

Therefore, the functional capability at the specified Trip Setpoint is assumed to be available.

The Source Range Neutron Flux Function provides protection for control rod withdrawal from subcritical, boron dilution and control rod ejection events.

W OG STS B 3.3.1-20 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

In MODE 2 when below the P-6 setpoint and in MODES 3, 4, and 5 when there is a potential for an uncontrolled RCCA bank rod withdrawal accident, the Source Range Neutron Flux trip must be OPERABLE. Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip Function. Above the P-6 setpoint, the Intermediate Range Neutron Flux trip and the Power Range Neutron Flux - Low trip will provide core protection for reactivity accidents. Above the P-6 setpoint, the NIS source range detectors are de-energized.

In MODES 3, 4, and 5 with all rods fully inserted and the Rod Control System not capable of rod withdrawal, and in MODE 6, the outputs of the Function to RTS logic are not required OPERABLE. The requirements for the NIS source range detectors to monitor core neutron levels and provide indication of reactivity changes that may occur as a result of events like a boron dilution are addressed in LCO 3.3.9 "Boron Dilution Protection System (BDPS)," for MODE 3, 4, or 5 and LCO 3.9.3, "Nuclear Instrumentation," for MODE 6.

6. Overtemperature T The Overtemperature T trip Function is provided to ensure that the design limit DNBR is met. This trip Function also limits the range over which the Overpower T trip Function must provide protection.

The inputs to the Overtemperature T trip include all pressure, coolant temperature, axial power distribution, and reactor power as indicated by loop T assuming full reactor coolant flow. Protection from violating the DNBR limit is assured for those transients that are slow with respect to delays from the core to the measurement system. The Function monitors both variation in power and flow since a decrease in flow has the same effect on T as a power increase. The Overtemperature T trip Function uses each loop's T as a measure of reactor power and is compared with a setpoint that is automatically varied with the following parameters:

reactor coolant average temperature - the Trip Setpoint is varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature, W OG STS B 3.3.1-21 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

pressurizer pressure - the Trip Setpoint is varied to correct for changes in system pressure, and

axial power distribution - f( I), the Trip Setpoint is varied to account for imbalances in the axial power distribution as detected by the NIS upper and lower power range detectors. If axial peaks are greater than the design limit, as indicated by the difference between the upper and lower NIS power range detectors, the Trip Setpoint is reduced in accordance with Note 1 of Table 3.3.1-1.

Dynamic compensation is included for system piping delays from the core to the temperature measurement system.

The Overtemperature T trip Function is calculated for each loop as described in Note 1 of Table 3.3.1-1. Trip occurs if Overtemperature T is indicated in two loops. At some units, the pressure and temperature signals are used for other control functions. For those units, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Note that this Function also provides a signal to generate a turbine runback prior to reaching the Trip Setpoint. A turbine runback will reduce turbine power and reactor power. A reduction in power will normally alleviate the Overtemperature T condition and may prevent a reactor trip.

The LCO requires all four channels of the Overtemperature T trip Function to be OPERABLE for two and four loop units (the LCO requires all three channels on the Overtemperature T trip Function to be OPERABLE for three loop units). Note that the Overtemperature T Function receives input from channels shared with other RTS Functions. Failures that affect multiple Functions require entry into the Conditions applicable to all affected Functions.

In MODE 1 or 2, the Overtemperature T trip must be OPERABLE to prevent DNB. In MODE 3, 4, 5, or 6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about DNB.

W OG STS B 3.3.1-22 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

7. Overpower T The Overpower T trip Function ensures that protection is provided to ensure the integrity of the fuel (i.e., no fuel pellet melting and less than 1% cladding strain) under all possible overpower conditions.

This trip Function also limits the required range of the Overtemperature T trip Function and provides a backup to the Power Range Neutron Flux - High Setpoint trip. The Overpower T trip Function ensures that the allowable heat generation rate (kW /ft) of the fuel is not exceeded. It uses the T of each loop as a measure of reactor power with a setpoint that is automatically varied with the following parameters:

reactor coolant average temperature - the Trip Setpoint is varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature, and

rate of change of reactor coolant average temperature - including dynamic compensation for the delays between the core and the temperature measurement system.

The Overpower T trip Function is calculated for each loop as per Note 2 of Table 3.3.1-1. Trip occurs if Overpower T is indicated in two loops. At some units, the temperature signals are used for other control functions. At those units, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation and a single failure in the remaining channels providing the protection function actuation. Note that this Function also provides a signal to generate a turbine runback prior to reaching the Allowable Value. A turbine runback will reduce turbine power and reactor power. A reduction in power will normally alleviate the Overpower T condition and may prevent a reactor trip.

The LCO requires four channels for two and four loop units (three channels for three loop units) of the Overpower T trip Function to be OPERABLE. Note that the Overpower T trip Function receives input from channels shared with other RTS Functions. Failures that affect multiple Functions require entry into the Conditions applicable to all affected Functions.

W OG STS B 3.3.1-23 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

In MODE 1 or 2, the Overpower T trip Function must be OPERABLE. These are the only times that enough heat is generated in the fuel to be concerned about the heat generation rates and overheating of the fuel. In MODE 3, 4, 5, or 6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about fuel overheating and fuel damage.

8. Pressurizer Pressure The same sensors provide input to the Pressurizer Pressure - High and - Low trips and the Overtemperature T trip. At some units, the Pressurizer Pressure channels are also used to provide input to the Pressurizer Pressure Control System. For those units, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation.

a. Pressurizer Pressure - Low The Pressurizer Pressure - Low trip Function ensures that protection is provided against violating the DNBR limit due to low pressure.

The LCO requires four channels for two and four loop units (three channels for three loop units) of Pressurizer Pressure -

Low to be OPERABLE.

In MODE 1, when DNB is a major concern, the Pressurizer Pressure - Low trip must be OPERABLE. This trip Function is automatically enabled on increasing power by the P-7 interlock (NIS power range P-10 or turbine impulse pressure greater than approximately 10% of full power equivalent (P-13)). On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 setpoint, no conceivable power distributions can occur that would cause DNB concerns.

b. Pressurizer Pressure - High The Pressurizer Pressure - High trip Function ensures that protection is provided against overpressurizing the RCS. This trip Function operates in conjunction with the pressurizer relief and safety valves to prevent RCS overpressure conditions.

W OG STS B 3.3.1-24 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 W OG STS B 3.3.1-25 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The LCO requires four channels for two and four loop units (three channels for three loop units) of the Pressurizer Pressure

- High to be OPERABLE.

The Pressurizer Pressure - High LSSS[SL-]LSSS is selected to be below the pressurizer safety valve actuation pressure and above the power operated relief valve (PORV) setting. This setting minimizes challenges to safety valves while avoiding unnecessary reactor trip for those pressure increases that can be controlled by the PORVs.

In MODE 1 or 2, the Pressurizer Pressure - High trip must be OPERABLE to help prevent RCS overpressurization and minimize challenges to the relief and safety valves. In MODE 3, 4, 5, or 6, the Pressurizer Pressure - High trip Function does not have to be OPERABLE because transients that could cause an overpressure condition will be slow to occur. Therefore, the operator will have sufficient time to evaluate unit conditions and take corrective actions. Additionally, low temperature overpressure protection systems provide overpressure protection when below MODE 4.

9. Pressurizer W ater Level - High The Pressurizer W ater Level - High trip Function provides a backup signal for the Pressurizer Pressure - High trip and also provides protection against water relief through the pressurizer safety valves.

These valves are designed to pass steam in order to achieve their design energy removal rate. A reactor trip is actuated prior to the pressurizer becoming water solid. The LCO requires three channels of Pressurizer W ater Level - High to be OPERABLE. The pressurizer level channels are used as input to the Pressurizer Level Control System. A fourth channel is not required to address control/protection interaction concerns. The level channels do not actuate the safety valves, and the high pressure reactor trip is set below the safety valve setting. Therefore, with the slow rate of charging available, pressure overshoot due to level channel failure cannot cause the safety valve to lift before reactor high pressure trip.

In MODE 1, when there is a potential for overfilling the pressurizer, the Pressurizer W ater Level - High trip must be OPERABLE. This trip Function is automatically enabled on increasing power by the P-7 W OG STS B 3.3.1-26 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) interlock. On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 setpoint, transients that could raise the pressurizer water level will be slow and the operator will have sufficient time to evaluate unit conditions and take corrective actions.

10. Reactor Coolant Flow - Low The Reactor Coolant Flow - Low trip Function ensures that protection is provided against violating the DNBR limit due to low flow in one or more RCS loops, while avoiding reactor trips due to normal variations in loop flow. Above the P-7 setpoint, the reactor trip on low flow in two or more RCS loops is automatically enabled. Above the P-8 setpoint, which is approximately 48% RTP, a loss of flow in any RCS loop will actuate a reactor trip. Each RCS loop has three flow detectors to monitor flow. The flow signals are not used for any control system input.

The LCO requires three Reactor Coolant Flow - Low channels per loop to be OPERABLE in MODE 1 above P-7.

In MODE 1 above the P-8 setpoint, a loss of flow in one RCS loop could result in DNB conditions in the core because of the higher power level. In MODE 1 below the P-8 setpoint and above the P-7 setpoint, a loss of flow in two or more loops is required to actuate a reactor trip because of the lower power level and the greater margin to the design limit DNBR. Below the P-7 setpoint, all reactor trips on low flow are automatically blocked since there is insufficient heat production to generate DNB conditions.

11. Reactor Coolant Pump (RCP) Breaker Position Both RCP Breaker Position trip Functions operate together on two sets of auxiliary contacts, with one set on each RCP breaker. These Functions anticipate the Reactor Coolant Flow - Low trips to avoid RCS heatup that would occur before the low flow trip actuates.

W OG STS B 3.3.1-27 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

a. Reactor Coolant Pump Breaker Position (Single Loop)

The RCP Breaker Position (Single Loop) trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in one RCS loop. The position of each RCP breaker is monitored. If one RCP breaker is open above the P-8 setpoint, a reactor trip is initiated. This trip Function will generate a reactor trip before the Reactor Coolant Flow - Low (Single Loop) Trip Setpoint is reached.

The LCO requires one RCP Breaker Position channel per RCP to be OPERABLE. One OPERABLE channel is sufficient for this trip Function because the RCS Flow - Low trip alone provides sufficient protection of unit SLs for loss of flow events. The RCP Breaker Position trip serves only to anticipate the low flow trip, minimizing the thermal transient associated with loss of a pump.

This Function measures only the discrete position (open or closed) of the RCP breaker, using a position switch. Therefore, the Function has no adjustable trip setpoint with which to associate an LSSS.

In MODE 1 above the P-8 setpoint, when a loss of flow in any RCS loop could result in DNB conditions in the core, the RCP Breaker Position (Single Loop) trip must be OPERABLE. In MODE 1 below the P-8 setpoint, a loss of flow in two or more loops is required to actuate a reactor trip because of the lower power level and the greater margin to the design limit DNBR.

b. Reactor Coolant Pump Breaker Position (Two Loops)

The RCP Breaker Position (Two Loops) trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops. The position of each RCP breaker is monitored. Above the P-7 setpoint and below the P-8 setpoint, a loss of flow in two or more loops will initiate a reactor trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow - Low (Two Loops) Trip Setpoint is reached.

W OG STS B 3.3.1-28 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The LCO requires one RCP Breaker Position channel per RCP to be OPERABLE. One OPERABLE channel is sufficient for this Function because the RCS Flow - Low trip alone provides sufficient protection of unit SLs for loss of flow events. The RCP Breaker Position trip serves only to anticipate the low flow trip, minimizing the thermal transient associated with loss of an RCP.

This Function measures only the discrete position (open or closed) of the RCP breaker, using a position switch. Therefore, the Function has no adjustable trip setpoint with which to associate an LSSS.

In MODE 1 above the P-7 setpoint and below the P-8 setpoint, the RCP Breaker Position (Two Loops) trip must be OPERABLE.

Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since no conceivable power distributions could occur that would cause a DNB concern at this low power level. Above the P-7 setpoint, the reactor trip on loss of flow in two RCS loops is automatically enabled. Above the P-8 setpoint, a loss of flow in any one loop will actuate a reactor trip because of the higher power level and the reduced margin to the design limit DNBR.

12. Undervoltage Reactor Coolant Pumps The Undervoltage RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops. The voltage to each RCP is monitored.

Above the P-7 setpoint, a loss of voltage detected on two or more RCP buses will initiate a reactor trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow - Low (Two Loops)

Trip Setpoint is reached. Time delays are incorporated into the Undervoltage RCPs channels to prevent reactor trips due to momentary electrical power transients.

The LCO requires three Undervoltage RCPs channels (one per phase) per bus to be OPERABLE.

In MODE 1 above the P-7 setpoint, the Undervoltage RCP trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since no conceivable power distributions could occur that would cause a DNB concern at this low W OG STS B 3.3.1-29 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) power level. Above the P-7 setpoint, the reactor trip on loss of flow in two or more RCS loops is automatically enabled. This Function uses the same relays as the ESFAS Function 6.f, "Undervoltage Reactor Coolant Pump (RCP)" start of the auxiliary feedwater (AFW ) pumps.

13. Underfrequency Reactor Coolant Pumps The Underfrequency RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops from a major network frequency disturbance. An underfrequency condition will slow down the pumps, thereby reducing their coastdown time following a pump trip. The proper coastdown time is required so that reactor heat can be removed immediately after reactor trip. The frequency of each RCP bus is monitored. Above the P-7 setpoint, a loss of frequency detected on two or more RCP buses will initiate a reactor trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow - Low (Two Loops) Trip Setpoint is reached. Time delays are incorporated into the Underfrequency RCPs channels to prevent reactor trips due to momentary electrical power transients.

The LCO requires three Underfrequency RCPs channels per bus to be OPERABLE.

In MODE 1 above the P-7 setpoint, the Underfrequency RCPs trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss

[LTSPs] of flow are automatically blocked since no conceivable power distributions could occur that would cause a DNB concern at this low power level. Above the P-7 setpoint, the reactor trip on loss of flow in two or more RCS loops is automatically enabled.

14. Steam Generator W ater Level - Low Low The SG W ater Level - Low Low trip Function ensures that protection is provided against a loss of heat sink and actuates the AFW System prior to uncovering the SG tubes. The SGs are the heat sink for the reactor. In order to act as a heat sink, the SGs must contain a minimum amount of water. A narrow range low low level in any SG is indicative of a loss of heat sink for the reactor. The level transmitters provide input to the SG Level Control System. Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. This Function also performs the ESFAS function of starting the AFW pumps on low low SG level.

W OG STS B 3.3.1-30 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The LCO requires four channels of SG W ater Level - Low Low per SG to be OPERABLE for four loop units in which these channels are shared between protection and control. In two, three, and four loop units where three SG W ater Levels are dedicated to the RTS, only three channels per SG are required to be OPERABLE.

In MODE 1 or 2, when the reactor requires a heat sink, the SG W ater Level - Low Low trip must be OPERABLE. The normal source of water for the SGs is the Main Feedwater (MFW ) System (not safety related). The MFW System is only in operation in MODE 1 or 2. The AFW System is the safety related backup source of water to ensure that the SGs remain the heat sink for the reactor. During normal startups and shutdowns, the AFW System provides feedwater to maintain SG level. In MODE 3, 4, 5, or 6, the SG W ater Level - Low Low Function does not have to be OPERABLE because the MFW System is not in operation and the reactor is not operating or even critical. Decay heat removal is accomplished by the AFW System in MODE 3 and by the Residual Heat Removal (RHR) System in MODE 4, 5, or 6.

15. Steam Generator W ater Level - Low, Coincident W ith Steam Flow/Feedwater Flow Mismatch SG W ater Level - Low, in conjunction with the Steam Flow/Feedwater Flow Mismatch, ensures that protection is provided against a loss of heat sink and actuates the AFW System prior to uncovering the SG tubes. In addition to a decreasing water level in the SG, the difference between feedwater flow and steam flow is evaluated to determine if feedwater flow is significantly less than steam flow. W ith less feedwater flow than steam flow, SG level will decrease at a rate dependent upon the magnitude of the difference in flow rates. There are two SG level channels and two Steam Flow/Feedwater Flow Mismatch channels per SG. One narrow range level channel sensing a low level coincident with one Steam Flow/Feedwater Flow Mismatch channel sensing flow mismatch (steam flow greater than feed flow) will actuate a reactor trip.

The LCO requires two channels of SG W ater Level - Low coincident with Steam Flow/Feedwater Flow Mismatch.

W OG STS B 3.3.1-31 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

In MODE 1 or 2, when the reactor requires a heat sink, the SG W ater Level - Low coincident with Steam Flow/Feedwater Flow Mismatch trip must be OPERABLE. The normal source of water for the SGs is the MFW System (not safety related). The MFW System is only in operation in MODE 1 or 2. The AFW System is the safety related backup source of water to ensure that the SGs remain the heat sink for the reactor. During normal startups and shutdowns, the AFW System provides feedwater to maintain SG level. In MODE 3, 4, 5, or 6, the SG W ater Level - Low coincident with Steam Flow/Feedwater Flow Mismatch Function does not have to be OPERABLE because the MFW System is not in operation and the reactor is not operating or even critical. Decay heat removal is accomplished by the AFW System in MODE 3 and by the RHR System in MODE 4, 5, or 6. The MFW System is in operation only in MODE 1 or 2 and, therefore, this trip Function need only be OPERABLE in these MODES.

16. Turbine Trip

a. Turbine Trip - Low Fluid Oil Pressure The Turbine Trip - Low Fluid Oil Pressure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip. This trip Function acts to minimize the pressure/temperature transient on the reactor. Any turbine trip from a power level below the P-9 setpoint, approximately 50% power, will not actuate a reactor trip. Three pressure switches monitor the control oil pressure in the Turbine Electrohydraulic Control System. A low pressure condition sensed by two-out-of-three pressure switches will actuate a reactor trip. These pressure switches do not provide any input to the control system. The unit is designed to withstand a complete loss of load and not sustain core damage or challenge the RCS pressure limitations. Core protection is provided by the Pressurizer Pressure - High trip Function and RCS integrity is ensured by the pressurizer safety valves.

The LCO requires three channels of Turbine Trip - Low Fluid Oil Pressure to be OPERABLE in MODE 1 above P-9.

Below the P-9 setpoint, a turbine trip does not actuate a reactor trip. In MODE 2, 3, 4, 5, or 6, there is no potential for a turbine trip, and the Turbine Trip - Low Fluid Oil Pressure trip Function does not need to be OPERABLE.

W OG STS B 3.3.1-32 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

b. Turbine Trip - Turbine Stop Valve Closure The Turbine Trip - Turbine Stop Valve Closure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip from a power level below the P-9 setpoint, approximately 50% power. This action will not actuate a reactor trip. The trip Function anticipates the loss of secondary heat removal capability that occurs when the stop valves close.

Tripping the reactor in anticipation of loss of secondary heat removal acts to minimize the pressure and temperature transient on the reactor. This trip Function will not and is not required to operate in the presence of a single channel failure. The unit is designed to withstand a complete loss of load and not sustain core damage or challenge the RCS pressure limitations. Core protection is provided by the Pressurizer Pressure - High trip Function, and RCS integrity is ensured by the pressurizer safety valves. This trip Function is diverse to the Turbine Trip - Low Fluid Oil Pressure trip Function. Each turbine stop valve is equipped with one limit switch that inputs to the RTS. If all four limit switches indicate that the stop valves are all closed, a reactor trip is initiated.

The LSSS for this Function is set to assure channel trip occurs when the associated stop valve is completely closed.

The LCO requires four Turbine Trip - Turbine Stop Valve Closure channels, one per valve, to be OPERABLE in MODE 1 above P-9. All four channels must trip to cause reactor trip.

Below the P-9 setpoint, a load rejection can be accommodated by the Steam Dump System. In MODE 2, 3, 4, 5, or 6, there is no potential for a load rejection, and the Turbine Trip - Stop Valve Closure trip Function does not need to be OPERABLE.

17. Safety Injection Input from Engineered Safety Feature Actuation System The SI Input from ESFAS ensures that if a reactor trip has not already been generated by the RTS, the ESFAS automatic actuation logic will initiate a reactor trip upon any signal that initiates SI. This is a condition of acceptability for the LOCA. However, other transients W OG STS B 3.3.1-33 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) and accidents take credit for varying levels of ESF performance and rely upon rod insertion, except for the most reactive rod that is assumed to be fully withdrawn, to ensure reactor shutdown.

Therefore, a reactor trip is initiated every time an SI signal is present.

Trip Setpoint and Allowable Values are not applicable to this Function. The SI Input is provided by relay in the ESFAS. Therefore, there is no measurement signal with which to associate an LSSS.

The LCO requires two trains of SI Input from ESFAS to be OPERABLE in MODE 1 or 2.

A reactor trip is initiated every time an SI signal is present.

Therefore, this trip Function must be OPERABLE in MODE 1 or 2, when the reactor is critical, and must be shut down in the event of an accident. In MODE 3, 4, 5, or 6, the reactor is not critical, and this trip Function does not need to be OPERABLE.

18. Reactor Trip System Interlocks Reactor protection interlocks are provided to ensure reactor trips are in the correct configuration for the current unit status. They back up operator actions to ensure protection system Functions are not bypassed during unit conditions under which the safety analysis assumes the Functions are not bypassed. Therefore, the interlock Functions do not need to be OPERABLE when the associated reactor trip functions are outside the applicable MODES. These are:

a. Intermediate Range Neutron Flux, P-6 The Intermediate Range Neutron Flux, P-6 interlock is actuated when any NIS intermediate range channel goes approximately one decade above the minimum channel reading. If both channels drop below the setpoint, the permissive will automatically be defeated. The LCO requirement for the P-6 interlock ensures that the following Functions are performed:

W OG STS B 3.3.1-34 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

on increasing power, the P-6 interlock allows the manual block of the NIS Source Range, Neutron Flux reactor trip.

This prevents a premature block of the source range trip and allows the operator to ensure that the intermediate range is OPERABLE prior to leaving the source range. When the source range trip is blocked, the high voltage to the detectors is also removed,

on decreasing power, the P-6 interlock automatically energizes the NIS source range detectors and enables the NIS Source Range Neutron Flux reactor trip, and

on increasing power, the P-6 interlock provides a backup block signal to the source range flux doubling circuit.

Normally, this Function is manually blocked by the control room operator during the reactor startup.

The LCO requires two channels of Intermediate Range Neutron Flux, P-6 interlock to be OPERABLE in MODE 2 when below the P-6 interlock setpoint.

Above the P-6 interlock setpoint, the NIS Source Range Neutron Flux reactor trip will be blocked, and this Function will no longer be necessary.

In MODE 3, 4, 5, or 6, the P-6 interlock does not have to be OPERABLE because the NIS Source Range is providing core protection.

b. Low Power Reactor Trips Block, P-7 The Low Power Reactor Trips Block, P-7 interlock is actuated by input from either the Power Range Neutron Flux, P-10, or the Turbine Impulse Pressure, P-13 interlock. The LCO requirement for the P-7 interlock ensures that the following Functions are performed:

(1) on increasing power, the P-7 interlock automatically enables reactor trips on the following Functions:

W OG STS B 3.3.1-35 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Pressurizer Pressure - Low,

Pressurizer Water Level - High,

Reactor Coolant Flow - Low (low flow in two or more RCS loops),

RCPs Breaker Open (Two Loops),

Undervoltage RCPs, and

Underfrequency RCPs.

These reactor trips are only required when operating above the P-7 setpoint (approximately 10% power). The reactor trips provide protection against violating the DNBR limit.

Below the P-7 setpoint, the RCS is capable of providing sufficient natural circulation without any RCP running.

(2) on decreasing power, the P-7 interlock automatically blocks reactor trips on the following Functions:

Pressurizer Pressure - Low,

Pressurizer Water Level - High,

Reactor Coolant Flow - Low (low flow in two or more RCS loops),

RCP Breaker Position (Two Loops),

Undervoltage RCPs, and

Underfrequency RCPs.

Trip Setpoint and Allowable Value are not applicable to the P-7 interlock because it is a logic Function and thus has no parameter with which to associate an LSSS.

The P-7 interlock is a logic Function with train and not channel identity. Therefore, the LCO requires one channel per train of Low Power Reactor Trips Block, P-7 interlock to be OPERABLE in MODE 1.

W OG STS B 3.3.1-36 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The low power trips are blocked below the P-7 setpoint and unblocked above the P-7 setpoint. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the interlock performs its Function when power level drops below 10% power, which is in MODE 1.

c. Power Range Neutron Flux, P-8 The Power Range Neutron Flux, P-8 interlock is actuated at approximately 48% power as determined by two-out-of-four NIS power range detectors. The P-8 interlock automatically enables the Reactor Coolant Flow - Low and RCP Breaker Position (Single Loop) reactor trips on low flow in one or more RCS loops on increasing power. The LCO requirement for this trip Function ensures that protection is provided against a loss of flow in any RCS loop that could result in DNB conditions in the core when greater than approximately 48% power. On decreasing power, the reactor trip on low flow in any loop is automatically blocked.

The LCO requires four channels of Power Range Neutron Flux, P-8 interlock to be OPERABLE in MODE 1.

In MODE 1, a loss of flow in one RCS loop could result in DNB conditions, so the Power Range Neutron Flux, P-8 interlock must be OPERABLE. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the core is not producing sufficient power to be concerned about DNB conditions.

d. Power Range Neutron Flux, P-9 The Power Range Neutron Flux, P-9 interlock is actuated at approximately 50% power as determined by two-out-of-four NIS power range detectors. The LCO requirement for this Function ensures that the Turbine Trip - Low Fluid Oil Pressure and Turbine Trip - Turbine Stop Valve Closure reactor trips are enabled above the P-9 setpoint. Above the P-9 setpoint, a turbine trip will cause a load rejection beyond the capacity of the Steam Dump System. A reactor trip is automatically initiated on a turbine trip when it is above the P-9 setpoint, to minimize the transient on the reactor.

The LCO requires four channels of Power Range Neutron Flux, P-9 interlock to be OPERABLE in MODE 1.

W OG STS B 3.3.1-37 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

In MODE 1, a turbine trip could cause a load rejection beyond the capacity of the Steam Dump System, so the Power Range Neutron Flux interlock must be OPERABLE. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the reactor is not at a power level sufficient to have a load rejection beyond the capacity of the Steam Dump System.

e. Power Range Neutron Flux, P-10 The Power Range Neutron Flux, P-10 interlock is actuated at approximately 10% power, as determined by two-out-of-four NIS power range detectors. If power level falls below 10% RTP on 3 of 4 channels, the nuclear instrument trips will be automatically unblocked. The LCO requirement for the P-10 interlock ensures that the following Functions are performed:

on increasing power, the P-10 interlock allows the operator to manually block the Intermediate Range Neutron Flux reactor trip. Note that blocking the reactor trip also blocks the signal to prevent automatic and manual rod withdrawal,

on increasing power, the P-10 interlock allows the operator to manually block the Power Range Neutron Flux - Low reactor trip,

on increasing power, the P-10 interlock automatically provides a backup signal to block the Source Range Neutron Flux reactor trip, and also to de-energize the NIS source range detectors,

the P-10 interlock provides one of the two inputs to the P-7 interlock, and

on decreasing power, the P-10 interlock automatically enables the Power Range Neutron Flux

- Low reactor trip and the Intermediate Range Neutron Flux reactor trip (and rod stop).

The LCO requires four channels of Power Range Neutron Flux, P-10 interlock to be OPERABLE in MODE 1 or 2.

W OG STS B 3.3.1-38 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

OPERABILITY in MODE 1 ensures the Function is available to perform its decreasing power Functions in the event of a reactor shutdown. This Function must be OPERABLE in MODE 2 to ensure that core protection is provided during a startup or shutdown by the Power Range Neutron Flux - Low and Intermediate Range Neutron Flux reactor trips. In MODE 3, 4, 5, or 6, this Function does not have to be OPERABLE because the reactor is not at power and the Source Range Neutron Flux reactor trip provides core protection.

f. Turbine Impulse Pressure, P-13 The Turbine Impulse Pressure, P-13 interlock is actuated when the pressure in the first stage of the high pressure turbine is greater than approximately 10% of the rated full power pressure. This is determined by one-out-of-two pressure detectors. The LCO requirement for this Function ensures that one of the inputs to the P-7 interlock is available.

The LCO requires two channels of Turbine Impulse Pressure, P-13 interlock to be OPERABLE in MODE 1.

The Turbine Impulse Chamber Pressure, P-13 interlock must be OPERABLE when the turbine generator is operating. The interlock Function is not required OPERABLE in MODE 2, 3, 4, 5, or 6 because the turbine generator is not operating.

19. Reactor Trip Breakers This trip Function applies to the RTBs exclusive of individual trip mechanisms. The LCO requires two OPERABLE trains of trip breakers. A trip breaker train consists of all trip breakers associated with a single RTS logic train that are racked in, closed, and capable of supplying power to the Rod Control System. Thus, the train may consist of the main breaker, bypass breaker, or main breaker and bypass breaker, depending upon the system configuration. Two OPERABLE trains ensure no single random failure can disable the RTS trip capability.

These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.

W OG STS B 3.3.1-39 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

20. Reactor Trip Breaker Undervoltage and Shunt Trip Mechanisms The LCO requires both the Undervoltage and Shunt Trip Mechanisms to be OPERABLE for each RTB that is in service. The trip mechanisms are not required to be OPERABLE for trip breakers that are open, racked out, incapable of supplying power to the Rod Control System, or declared inoperable under Function 19 above.

OPERABILITY of both trip mechanisms on each breaker ensures that no single trip mechanism failure will prevent opening any breaker on a valid signal.

These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.

21. Automatic Trip Logic The LCO requirement for the RTBs (Functions 19 and 20) and Automatic Trip Logic (Function 21) ensures that means are provided to interrupt the power to allow the rods to fall into the reactor core.

Each RTB is equipped with an undervoltage coil and a shunt trip coil to trip the breaker open when needed. Each RTB is equipped with a bypass breaker to allow testing of the trip breaker while the unit is at power. The reactor trip signals generated by the RTS Automatic Trip Logic cause the RTBs and associated bypass breakers to open and shut down the reactor.

The LCO requires two trains of RTS Automatic Trip Logic to be OPERABLE. Having two OPERABLE channels ensures that random failure of a single logic channel will not prevent reactor trip.

These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.

The RTS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

W OG STS B 3.3.1-40 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES ACTIONS -----------------------------------REVIEW ERS NOTE-----------------------------------

In Table 3.3.1-1, Functions 11.a and 11.b were not included in the generic evaluations approved in either W CAP-10271, as supplemented, W CAP-15376, or W CAP-14333. In order to apply the W CAP-10271, as supplemented, and W CAP-15376 or W CAP-14333 TS relaxations to plant specific Functions not evaluated generically, licensees must submit plant specific evaluations for NRC review and approval.

A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.1-1.

In the event a channel's Trip Setpointtrip setpoint is found non-conservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected.

W hen the number of inoperable channels in a trip Function exceed those specified in one or other related Conditions associated with a trip Function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 must be immediately entered if applicable in the current MODE of operation.

REVIEW ERS NOTE-----------------------------------

Certain LCO Completion Times are based on approved topical reports. In order for a licensee to use these times, the licensee must justify the Completion Times as required by the staff Safety Evaluation Report (SER) for the topical report.

A.1 Condition A applies to all RTS protection Functions. Condition A addresses the situation where one or more required channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.1-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

W OG STS B 3.3.1-41 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

B.1 and B.2 Condition B applies to the Manual Reactor Trip in MODE 1 or 2. This action addresses the train orientation of the SSPS for this Function. W ith one channel inoperable, the inoperable channel must be restored to OPERABLE status within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . In this Condition, the remaining OPERABLE channel is adequate to perform the safety function.

The Completion Time of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is reasonable considering that there are two automatic actuation trains and another manual initiation channel OPERABLE, and the low probability of an event occurring during this interval.

If the Manual Reactor Trip Function cannot be restored to OPERABLE status within the allowed 48 hour5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months Completion Time, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 additional hours (54 hours6.25e-4 days 0.015 hours 8.928571e-5 weeks 2.0547e-5 months total time). The 6 additional hours to reach MODE 3 is reasonable, based on operating experience, to reach MODE 3 from full power operation in an orderly manner and without challenging unit systems. W ith the unit in MODE 3, ACTION C would apply to any inoperable Manual Reactor Trip Function if the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.

C.1, C.2.1, and C.2.2 Condition C applies to the following reactor trip Functions in MODE 3, 4, or 5 with the Rod Control System capable of rod withdrawal or one or more rods not fully inserted:

Manual Reactor Trip,

RTBs,

RTB Undervoltage and Shunt Trip Mechanisms, and

Automatic Trip Logic.

This action addresses the train orientation of the SSPS for these Functions. W ith one channel or train inoperable, the inoperable channel or train must be restored to OPERABLE status within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . If the affected Function(s) cannot be restored to OPERABLE status within the allowed 48 hour5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months Completion Time, the unit must be placed in a MODE in W OG STS B 3.3.1-42 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued) which the requirement does not apply. To achieve this status, action must be initiated within the same 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months to ensure that all rods are fully inserted, and the Rod Control System must be placed in a condition incapable of rod withdrawal within the next hour. The additional hour provides sufficient time to accomplish the action in an orderly manner.

W ith rods fully inserted and the Rod Control System incapable of rod withdrawal, these Functions are no longer required.

The Completion Time is reasonable considering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function, and given the low probability of an event occurring during this interval.

D.1.1, D.1.2, D.2.1, D.2.2, and D.3 Condition D applies to the Power Range Neutron Flux - High Function.

The NIS power range detectors provide input to the Rod Control System and the SG W ater Level Control System and, therefore, have a two-out-of-four trip logic. A known inoperable channel must be placed in the tripped condition. This results in a partial trip condition requiring only one-out-of-three logic for actuation. The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed to place the inoperable channel in the tripped condition is justified in W CAP-14333-P-A (Ref. 8).

In addition to placing the inoperable channel in the tripped condition, THERMAL POW ER must be reduced to £ 75% RTP within 78 hours9.027778e-4 days 0.0217 hours 1.289683e-4 weeks 2.9679e-5 months .

Reducing the power level prevents operation of the core with radial power distributions beyond the design limits. W ith one of the NIS power range detectors inoperable, 1/4 of the radial power distribution monitoring capability is lost.

As an alternative to the above actions, the inoperable channel can be placed in the tripped condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and the QPTR monitored once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months as per SR 3.2.4.2, QPTR verification. Calculating QPTR every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months compensates for the lost monitoring capability due to the inoperable NIS power range channel and allows continued unit operation at power levels < 75% RTP. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency is consistent with LCO 3.2.4, "QUADRANT POW ER TILT RATIO (QPTR)."

W OG STS B 3.3.1-43 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

As an alternative to the above Actions, the plant must be placed in a MODE where this Function is no longer required OPERABLE. Seventy-eight hours are allowed to place the plant in MODE 3. The 78 hour9.027778e-4 days 0.0217 hours 1.289683e-4 weeks 2.9679e-5 months Completion Time includes 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months for channel corrective maintenance, and an additional 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months for the MODE reduction as required by Required Action D.3. This is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems. If Required Actions cannot be completed within their allowed Completion Times, LCO 3.0.3 must be entered.

[ The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypass condition for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months while performing routine surveillance testing of other channels. The Note also allows placing the inoperable channel in the bypass condition to allow setpoint adjustments of other channels when required to reduce the setpoint in accordance with other Technical Specifications. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months time limit is justified in Reference 8. ]

REVIEW ERS NOTE-----------------------------------

The below text should be used for plants with installed bypass test capability:

The Required Actions are modified by a Note that allows placing one channel in bypass for 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months while performing routine surveillance testing, and setpoint adjustments when a setpoint reduction is required by other Technical Specifications. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months time limit is justified in Reference 8.

Required Action D.2.2 has been modified by a Note which only requires SR 3.2.4.2 to be performed if the Power Range Neutron Flux input to QPTR becomes inoperable. Failure of a component in the Power Range Neutron Flux Channel which renders the High Flux Trip Function inoperable may not affect the capability to monitor QPTR. As such, determining QPTR using this movable incore detectors once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months may not be necessary.

W OG STS B 3.3.1-44 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

E.1 and E.2 Condition E applies to the following reactor trip Functions:

Power Range Neutron Flux - Low,

Overtemperature T,

Overpower T,

Power Range Neutron Flux - High Positive Rate,

Power Range Neutron Flux - High Negative Rate,

Pressurizer Pressure - High,

SG Water Level - Low Low, and

SG Water Level - Low coincident with Steam Flow/Feedwater Flow Mismatch.

A known inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . Placing the channel in the tripped condition results in a partial trip condition requiring only one-out-of-two logic for actuation of the two-out-of-three trips and one-out-of-three logic for actuation of the two-out-of-four trips. The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed to place the inoperable channel in the tripped condition is justified in Reference 8.

If the inoperable channel cannot be placed in the trip condition within the specified Completion Time, the unit must be placed in a MODE where these Functions are not required OPERABLE. An additional 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is allowed to place the unit in MODE 3. Six hours is a reasonable time, based on operating experience, to place the unit in MODE 3 from full power in an orderly manner and without challenging unit systems.

[ The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months time limit is justified in Reference 8. ]

W OG STS B 3.3.1-45 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

REVIEW ERS NOTE-----------------------------------

The below text should be used for plants with installed bypass test capability:

The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months while performing routine surveillance testing. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months time limit is justified in Reference 9.

F.1 and F.2 Condition F applies to the Intermediate Range Neutron Flux trip when THERMAL POW ER is above the P-6 setpoint and below the P-10 setpoint and one channel is inoperable. Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs the monitoring Functions. If THERMAL POW ER is greater than the P-6 setpoint but less than the P-10 setpoint, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed to reduce THERMAL POW ER below the P-6 setpoint or increase to THERMAL POW ER above the P-10 setpoint. The NIS Intermediate Range Neutron Flux channels must be OPERABLE when the power level is above the capability of the source range, P-6, and below the capability of the power range, P-10. If THERMAL POW ER is greater than the P-10 setpoint, the NIS power range detectors perform the monitoring and protection functions and the intermediate range is not required. The Completion Times allow for a slow and controlled power adjustment above P-10 or below P-6 and take into account the redundant capability afforded by the redundant OPERABLE channel, and the low probability of its failure during this period. This action does not require the inoperable channel to be tripped because the Function uses one-out-of-two logic. Tripping one channel would trip the reactor. Thus, the Required Actions specified in this Condition are only applicable when channel failure does not result in reactor trip.

G.1 and G.2 Condition G applies to two inoperable Intermediate Range Neutron Flux trip channels in MODE 2 when THERMAL POW ER is above the P-6 setpoint and below the P-10 setpoint. Required Actions specified in this Condition are only applicable when channel failures do not result in reactor trip. Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs the monitoring Functions. W ith no intermediate range channels OPERABLE, the Required Actions are to W OG STS B 3.3.1-46 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 suspend operations involving positive reactivity additions immediately.

This will preclude any power level increase since there are no W OG STS B 3.3.1-47 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

OPERABLE Intermediate Range Neutron Flux channels. The operator must also reduce THERMAL POW ER below the P-6 setpoint within two hours. Below P-6, the Source Range Neutron Flux channels will be able to monitor the core power level. The Completion Time of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months will allow a slow and controlled power reduction to less than the P-6 setpoint and takes into account the low probability of occurrence of an event during this period that may require the protection afforded by the NIS Intermediate Range Neutron Flux trip.

Required Action G.1 is modified by a Note to indicate that normal plant control operations that individually add limited positive reactivity (e.g.,

temperature or boron fluctuations associated with RCS inventory management or temperature control) are not precluded by this Action, provided they are accounted for in the calculated SDM.

H.1 Condition H applies to one inoperable Source Range Neutron Flux trip channel when in MODE 2, below the P-6 setpoint, and performing a reactor startup. W ith the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. W ith one of the two channels inoperable, operations involving positive reactivity additions shall be suspended immediately.

This will preclude any power escalation. W ith only one source range channel OPERABLE, core protection is severely reduced and any actions that add positive reactivity to the core must be suspended immediately.

Required Action H.1 is modified by a Note to indicate that normal plant control operations that individually add limited positive reactivity (e.g.,

temperature or boron fluctuations associated with RCS inventory management or temperature control) are not precluded by this Action, provided they are accounted for in the calculated SDM.

I.1 Condition I applies to two inoperable Source Range Neutron Flux trip channels when in MODE 2, below the P-6 setpoint, and in MODE 3, 4, or 5 with the Rod Control System capable of rod withdrawal or one or more rods not fully inserted. W ith the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions.

W ith both source range channels inoperable, the RTBs must be opened immediately. W ith the RTBs open, the core is in a more stable condition.

W OG STS B 3.3.1-48 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

J.1, J.2.1, and J.2.2 Condition J applies to one inoperable source range channel in MODE 3, 4, or 5 with the Rod Control System capable of rod withdrawal or one or more rods not fully inserted. W ith the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions.

W ith one of the source range channels inoperable, 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is allowed to restore it to an OPERABLE status. If the channel cannot be returned to an OPERABLE status, action must be initiated within the same 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months to ensure that all rods are fully inserted, and the Rod Control System must be placed in a condition incapable of rod withdrawal within the next hour.

K.1 and K.2 Condition K applies to the following reactor trip Functions:

Pressurizer Pressure - Low,

Pressurizer Water Level - High,

Reactor Coolant Flow - Low,

Undervoltage RCPs, and

Underfrequency RCPs.

W ith one channel inoperable, the inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (Ref. 8). For the Pressurizer Pressure - Low, Pressurizer W ater Level - High, Undervoltage RCPs, and Underfrequency RCPs trip Functions, placing the channel in the tripped condition when above the P-7 setpoint results in a partial trip condition requiring only one additional channel to initiate a reactor trip. For the Reactor Coolant Flow - Low trip Function, placing the channel in the tripped condition when above the P-8 setpoint results in a partial trip condition requiring only one additional channel in the same loop to initiate a reactor trip. For the latter trip Function, two tripped channels in two RCS loops are required to W OG STS B 3.3.1-49 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued) initiate a reactor trip when below the P-8 setpoint and above the P-7 setpoint. These Functions do not have to be OPERABLE below the P-7 setpoint because there are no loss of flow trips below the P-7 setpoint.

There is insufficient heat production to generate DNB conditions below the P-7 setpoint. The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed to place the channel in the tripped condition is justified in Reference 8. An additional 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is allowed to reduce THERMAL POW ER to below P-7 if the inoperable channel cannot be restored to OPERABLE status or placed in trip within the specified Completion Time.

Allowance of this time interval takes into consideration the redundant capability provided by the remaining redundant OPERABLE channel, and the low probability of occurrence of an event during this period that may require the protection afforded by the Functions associated with Condition K.

[ The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months time limit is justified in Reference 8. ]

REVIEW ERS NOTE-----------------------------------

The below text should be used for plants with installed bypass test capability:

The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months while performing routine surveillance testing. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months time limit is justified in Reference 8.

L.1 and L.2 Condition L applies to the RCP Breaker Position (Single Loop) reactor trip Function. There is one breaker position device per RCP breaker. W ith one channel inoperable, the inoperable channel must be restored to OPERABLE status within [6] hours. If the channel cannot be restored to OPERABLE status within the [6] hours, then THERMAL POW ER must be reduced below the P-8 setpoint within the next 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months .

This places the unit in a MODE where the LCO is no longer applicable.

This Function does not have to be OPERABLE below the P-8 setpoint because other RTS Functions provide core protection below the P-8 setpoint. The [6] hours allowed to restore the channel to OPERABLE status and the 4 additional hours allowed to reduce THERMAL POW ER to below the P-8 setpoint are justified in Reference 11.

W OG STS B 3.3.1-50 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to [4] hours while performing routine surveillance testing of the other channels. The

[4] hour time limit is justified in Reference 11.

M.1 and M.2 Condition M applies to the RCP Breaker Position (Two Loops) reactor trip Function. There is one breaker position device per RCP breaker. W ith one channel inoperable, the inoperable channel must be placed in trip within [6] hours. If the channel cannot be placed in trip within the [6]

hours, then THERMAL POW ER must be reduced below the P-7 setpoint within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

This places the unit in a MODE where the LCO is no longer applicable.

This Function does not have to be OPERABLE below the P-7 setpoint because other RTS Functions provide core protection below the P-7 setpoint. The [6] hours allowed to place the channel in trip and the 6 additional hours allowed to reduce THERMAL POW ER to below the P-7 setpoint are justified in Reference 11.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to [4] hours while performing routine surveillance testing of the other channels. The

[4] hour time limit is justified in Reference 11.

N.1 and N.2 Condition N applies to Turbine Trip on Low Fluid Oil Pressure or on Turbine Stop Valve Closure. W ith one channel inoperable, the inoperable channel must be placed in the trip condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . If placed in the tripped condition, this results in a partial trip condition requiring only one additional channel to initiate a reactor trip. If the channel cannot be restored to OPERABLE status or placed in the trip condition, then power must be reduced below the P-9 setpoint within the next 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed to place the inoperable channel in the tripped condition is justified in Reference 8. Four hours is allowed for reducing power.

W OG STS B 3.3.1-51 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

[ The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months time limit is justified in Reference 8. ]

REVIEW ERS NOTE-----------------------------------

The below text should be used for plants with installed bypass test capability:

The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months while performing routine surveillance testing. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months time limit is justified in Reference 8.

O.1 and O.2 Condition O applies to the SI Input from ESFAS reactor trip and the RTS Automatic Trip Logic in MODES 1 and 2. These actions address the train orientation of the RTS for these Functions. W ith one train inoperable, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months are allowed to restore the train to OPERABLE status (Required Action O.1) or the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

The Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (Required Action O.1) is reasonable considering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function and given the low probability of an event during this interval. The 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed to restore the inoperable RTS Automatic Trip Logic train to OPERABLE status is justified in Reference 8. The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months (Required Action O.2) is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems.

The Required Actions have been modified by a Note that allows bypassing one train up to [4] hours for surveillance testing, provided the other train is OPERABLE. [The [4] hour time limit for testing the RTS Automatic Trip logic train may include testing the RTB also, if both the Logic test and RTB test are conducted within the [4] hour time limit. The

[4] hour time limit is justified in Reference 8.]

REVIEW ERS NOTE-----------------------------------

The below text should replace the bracketed information in the previous paragraph if W CAP-14333 and W CAP-15376 are being incorporated:

The [4] hour time limit for the RTS Automatic Trip Logic train testing is greater than the 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months time limit for the RTBs, which the logic train W OG STS B 3.3.1-52 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued) supports. The longer time limit for the logic train ([4] hours) is acceptable based on Reference 12 P.1 and P.2

REVIEW ERS NOTE-----------------------------------

W CAP-14333-P-A, Rev. 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," and the associated TSTF (TSTF-418) and W CAP-15376-P, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," and the associated TSTF (TSTF-411) both modify Condition P.

W CAP-14333-P-A, Rev. 1 and the associated TSTF-418 provide a Completion Time for Required Action P.1 of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and Required Action P.2 of 7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months . W CAP-14333-P-A, Rev. 1 contains three Notes to TS 3.3.1 Condition P. Note 1 states, "One train may be bypassed for up to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months for surveillance testing, provided the other train is OPERABLE."

Note 2 states, "One RTB may be bypassed for up to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months for maintenance on undervoltage or shunt trip mechanisms, provided the other train is OPERABLE." W CAP-14333-P-A, Rev. 1 also adds a third Note, which states: "One RTB train may be bypassed for up to [4] hours for concurrent surveillance testing of the RTB and automatic trip logic, provided the other train is OPERABLE."

W CAP-15376-P and the associated TSTF-411 provide a Completion Time for Required Action P.1 of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months and Required Action P.2 of 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months . W CAP-15376-P relaxes the time that an RTB train may be bypassed for surveillance testing from 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , and deletes Notes 2 and 3 that are added by W CAP-14333-P-A, Rev. 1.

Implementation of TS 3.3.1, Condition P:

1. If W CAP-14333-P-A, Rev. 1 is implemented without implementing W CAP-15376-P, the Completion Time for Required Action P.1 will be 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and for Required Action P.2 will be 7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months . Condition P will contain the three Notes as discussed above, with 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months to bypass an RTB train for surveillance testing in Note 1.

2. If W CAP-15376-P is implemented without implementing W CAP-14333-P-A, Rev. 1, the Completion Time for Required Action P.1 will be 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months and for Required Action P.2 will be 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months . Condition P will only contain one Note (Note 1 as discussed in the first W OG STS B 3.3.1-53 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued) paragraph above), with 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months to bypass an RTB train for surveillance testing in the Note.

3. If W CAP-14333-P-A, Rev. 1, and W CAP-15376-P are both implemented, follow the direction for Item 2, above.

Use the following Bases if W CAP-14333-P-A, Rev. 1 is adopted without adopting W CAP-15376-P:

Condition P applies to the RTBs in MODES 1 and 2. These actions address the train orientation of the RTS for the RTBs. W ith one train inoperable, 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is allowed to restore the train to OPERABLE status or the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Completion Times are equal to the time allowed by LCO 3.0.3 for shutdown actions in the event of a complete loss of RTS Function.

Placing the unit in MODE 3 results in Condition C entry while an RTB is inoperable.

The Required Actions have been modified by three Notes. Note 1 allows one channel to be bypassed for up to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months for surveillance testing, provided the other train is OPERABLE. Note 1 applies to RTB testing that is performed independently from the corresponding automatic trip logic testing. Note 2 allows one RTB to be bypassed for up to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months for maintenance if the other RTP train is OPERABLE. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months time limit is justified in Reference 9. Note 3 applies to RTB testing that is performed concurrently with the corresponding automatic trip logic test. For concurrent testing of the automatic trip logic and RTB, one RTB train may be bypassed for up to [4] hours provided the other train is OPERABLE. The [4] hour time limit is approved by Reference 8.

Use the following Bases if W CAP-15376-P is adopted without adopting W CAP-14333-P-A, Rev. 1 or if both are adopted:

Condition P applies to the RTBs in MODES 1 and 2. These actions address the train orientation of the RTS for the RTBs. W ith one train inoperable, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed for train corrective maintenance to restore the train to OPERABLE status or the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is justified in Reference 13. The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems.

W OG STS B 3.3.1-54 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

Placing the unit in MODE 3 results in Condition C entry while an RTB is inoperable.

The Required Actions have been modified by a Note. The Note allows one train to be bypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance testing, provided the other train is OPERABLE. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months time limit is justified in Reference 13.

Q.1 and Q.2 Condition Q applies to the P-6 and P-10 interlocks. W ith one or more channels inoperable for one-out-of-two or two-out-of-four coincidence logic, the associated interlock must be verified to be in its required state for the existing unit condition within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months or the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . Verifying the interlock status manually accomplishes the interlock's Function. The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Completion Times are equal to the time allowed by LCO 3.0.3 for shutdown actions in the event of a complete loss of RTS Function.

R.1 and R.2 Condition R applies to the P-7, P-8, P-9, and P-13 interlocks. W ith one or more channels inoperable for one-out-of-two or two-out-of-four coincidence logic, the associated interlock must be verified to be in its required state for the existing unit condition within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months or the unit must be placed in MODE 2 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . These actions are conservative for the case where power level is being raised. Verifying the interlock status manually accomplishes the interlock's Function. The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 2 from full power in an orderly manner and without challenging unit systems.

W OG STS B 3.3.1-55 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

S.1 and S.2 Condition S applies to the RTB Undervoltage and Shunt Trip Mechanisms, or diverse trip features, in MODES 1 and 2. W ith one of the diverse trip features inoperable, it must be restored to an OPERABLE status within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months or the unit must be placed in a MODE where the requirement does not apply. This is accomplished by placing the unit in MODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months (54 hours6.25e-4 days 0.015 hours 8.928571e-5 weeks 2.0547e-5 months total time). The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. W ith the unit in MODE 3, ACTION C would apply to any inoperable RTB trip mechanism. The affected RTB shall not be bypassed while one of the diverse features is inoperable except for the time required to perform maintenance to one of the diverse features. The allowable time for performing maintenance of the diverse features is 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months for the reasons stated under Condition P.

The Completion Time of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months for Required Action S.1 is reasonable considering that in this Condition there is one remaining diverse feature for the affected RTB, and one OPERABLE RTB capable of performing the safety function and given the low probability of an event occurring during this interval.

SURVEILLANCE -----------------------------------REVIEW ERS NOTE-----------------------------------

REQUIREMENTS In Table 3.3.1-1, Functions 11.a and 11.b were not included in the generic evaluations approved in either W CAP-10271, as supplemented, or W CAP-14333. In order to apply the W CAP-10271, as supplemented, and W CAP-14333 TS relaxations to plant specific Functions not evaluated generically, licensees must submit plant specific evaluations for NRC review and approval.

REVIEW ERS NOTE ------------------------------------

The Notes in Table 3.3.1-1 requiring reset of the channel to a predefined as-left tolerance and the verification of the as-found tolerance are only associated with SL-LSSS values. Therefore, the Notes are applied to specific SRs for the associated functions in the SR column only. The Notes may be placed at the top of the Allowable Value column in the Table and applied to all Functions with allowable values in the table, but doing so is not required. to comply with 10 CFR 50.36.

REVIEW ERS NOTE ------------------------------------

Notes b and c are applied to the setpoint verification Surveillances for all SL-LSSS Functions unless one or more of the following exclusions apply:

W OG STS B 3.3.1-56 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1

1. Notes b and c are not applied to SL-LSSS Functions which utilize mechanical components to sense the trip setpoint or to manual initiation circuits. Examples of mechanical components are limit switches, float switches, proximity detectors, manual actuation switches, and other such devices that are normally only checked on a "go/no go" basis. Notes b and c require a comparison of the periodic surveillance requirement results to provide an indication of channel (or individual device) performance. This comparison is not valid for most mechanical components. W hile it is possible to verify that a limit switch functions at a point of travel, a change in the surveillance test result probably indicates that the switch has moved, not that the input/output relationship has changed. Therefore, a comparison of surveillance requirement test results would not provide an indication of the channel or component performance.

2. Notes b and c are not applied to the Technical Specifications associated with safety relief valves. The performance of these components is already controlled (i.e., trended with as-left and as-found limits) under the ASME Section XI testing program.

3. Notes b and c are may not appliedy to SL-LSSS Functions and Surveillances which test only digital components, although some adjustment to Notes 1 and 2 may be warranted. For purely digital components, (such as actuation logic and associated relays) there is no expected change in result between surveillance performances other than measurement and test errors (M&TE) and, therefore, justification is needed to confirm that comparison of Surveillance results does not provide an indication of channel or component performance.

A generic evaluation of SL-LSSS Functions resulted in Notes b and c being applied to the Functions shown in TS 3.3.1. Each licensee adopting this change must review the list of potential SL-LSSS Functions to identify whether any of the identified functions are not SL-LSSS or meet any of the exclusion criteria based on the plant-specific design and safety analysis (AOOs). It is assumed that each generically identified Function is a plant-specific SL-LSSS unless it can be demonstrated by the licensee that the Function does not meet the definition of an SLa SL-LSSS or it meets one of the exclusion criteria. In addition, each plant adopting this change must evaluate any plant-specific Functions that do not appear in the ISTS NUREG to determine if the plant-specific Function is an SLa SL-LSSS.

W OG STS B 3.3.1-57 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

The SRs for each RTS Function are identified by the SRs column of Table 3.3.1-1 for that Function.

A Note has been added to the SR Table stating that Table 3.3.1-1 determines which SRs apply to which RTS Functions.

Note that each channel of process protection supplies both trains of the RTS. W hen testing Channel I, Train A and Train B must be examined.

Similarly, Train A and Train B must be examined when testing Channel II, Channel III, and Channel IV (if applicable). The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.

REVIEW ERS NOTE-----------------------------------

Certain Frequencies are based on approval topical reports. In order for a licensee to use these times, the licensee must justify the Frequencies as required by the staff SER for the topical report.

SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

W OG STS B 3.3.1-58 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.

SR 3.3.1.2 SR 3.3.1.2 compares the calorimetric heat balance calculation to the power range channel output every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . If the calorimetric heat balance calculation results exceed the power range channel output by more than 2% RTP, the power range channel is not declared inoperable, but must be adjusted. The power range channel output shall be adjusted consistent with the calorimetric heat balance calculation results if the calorimetric calculation exceed the power range channel output by more than + 2% RTP. If the power range channel output cannot be properly adjusted, the channel is declared inoperable.

If the calorimetric is performed at part power (< [70]% RTP), adjusting the power range channel indication in the increasing power direction will assure a reactor trip below the safety analysis limit (< [118]% RTP).

Making no adjustment to the power range channel in the decreasing power direction due to a part power calorimetric assures a reactor trip consistent with the safety analyses.

This allowance does not preclude making indicated power adjustments, if desired, when the calorimetric heat balance calculation is less than the power range channel output. To provide close agreement between indicated power and to preserve operating margin, the power range channels are normally adjusted when operating at or near full power during steady-state conditions. However, discretion must be exercised if the power range channel output is adjusted in the decreasing power direction due to a part power calorimetric (< [70]% RTP). This action may introduce a non-conservative bias at higher power levels which may result in an NIS reactor trip above the safety analysis limit ( > [118]% RTP).

The cause of the potential non-conservative bias is the decreased accuracy of the calorimetric at reduced power conditions. The primary error contributor to the instrument uncertainty for a secondary side power calorimetric measurement is the feedwater flow measurement, which is typically a DP measurement across a feedwater venturi. W hile the measurement uncertainty remains constant in DP as power decreases, when translated into flow, the uncertainty increases as a square term.

Thus a 1% flow error at 100% power can approach a 10% flow error at W OG STS B 3.3.1-59 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued) 30% RTP even though the DP error has not changed. An evaluation of extended operation at part power conditions would conclude that it is prudent to administratively adjust the setpoint of the Power Range Neutron Flux - High bistables to # [85]% RTP when: 1) the power range channel output is adjusted in the decreasing power direction due to a part power calorimetric below [70]% RTP; or 2) for a post refueling startup.

The evaluation of extended operation at part power conditions would also conclude that the potential need to adjust the indication of the Power Range Neutron Flux in the decreasing power direction is quite small, primarily to address operation in the intermediate range about P-10 (nominally 10% RTP) to allow enabling of the Power Range Neutron Flux

- Low setpoint and the Intermediate Range Neutron Flux reactor trips.

Before the Power Range Neutron Flux - High bistables are reset to

[109]% RTP, the power range channel adjustment must be confirmed based on a calorimetric performed at $ [70]% RTP.

REVIEW ERS NOTE-----------------------------------

A plant specific evaluation based on the guidance in W estinghouse Technical Bulletin ESBU-TB-92-14 is required to determine the power level below which power range channel adjustments in a decreasing power direction become a concern. This evaluation must reflect the plant specific RTS setpoint study. In addition, this evaluation should determine if additional administrative controls are required for Power Range Neutron Flux-High trip setpoint setting changes The Note clarifies that this Surveillance is required only if reactor power is

$ 15% RTP and that 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months are allowed for performing the first Surveillance after reaching 15% RTP. A power level of 15% RTP is chosen based on plant stability, i.e., automatic rod control capability and turbine generator synchronized to the grid.

The Frequency of every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is adequate. It is based on unit operating experience, considering instrument reliability and operating history data for instrument drift. Together these factors demonstrate that a difference between the calorimetric heat balance calculation and the power range channel output of more than +2% RTP is not expected in any 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period.

In addition, control room operators periodically monitor redundant indications and alarms to detect deviations in channel outputs.

W OG STS B 3.3.1-60 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.3 SR 3.3.1.3 compares the incore system to the NIS channel output every 31 EFPD. If the absolute difference is $ 3%, the NIS channel is still OPERABLE, but must be readjusted. The excore NIS channel shall be adjusted if the absolute difference between the incore and excore AFD is

$ 3%.

If the NIS channel cannot be properly readjusted, the channel is declared inoperable. This Surveillance is performed to verify the f( I) input to the overtemperature T Function.

A Note clarifies that the Surveillance is required only if reactor power is

$ [15%] RTP and that 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed for performing the first Surveillance after reaching [15%] RTP.

The Frequency of every 31 EFPD is adequate. It is based on unit operating experience, considering instrument reliability and operating history data for instrument drift. Also, the slow changes in neutron flux during the fuel cycle can be detected during this interval.

SR 3.3.1.4 SR 3.3.1.4 is the performance of a TADOT every 62 days on a STAGGERED TEST BASIS. This test shall verify OPERABILITY by actuation of the end devices. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

The RTB test shall include separate verification of the undervoltage and shunt trip mechanisms. Independent verification of RTB undervoltage and shunt trip Function is not required for the bypass breakers. No capability is provided for performing such a test at power. The independent test for bypass breakers is included in SR 3.3.1.14. The bypass breaker test shall include a local shunt trip. A Note has been added to indicate that this test must be performed on the bypass breaker prior to placing it in service.

W OG STS B 3.3.1-61 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

The Frequency of every 62 days on a STAGGERED TEST BASIS is justified in Reference 13.

SR 3.3.1.5 SR 3.3.1.5 is the performance of an ACTUATION LOGIC TEST. The SSPS is tested every 92 days on a STAGGERED TEST BASIS, using the semiautomatic tester. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function, including operation of the P-7 permissive which is a logic function only. The Frequency of every 92 days on a STAGGERED TEST BASIS is justified in Reference 13.

SR 3.3.1.6 SR 3.3.1.6 is a calibration of the excore channels to the incore channels.

If the measurements do not agree, the excore channels are not declared inoperable but must be calibrated to agree with the incore detector measurements. If the excore channels cannot be adjusted, the channels are declared inoperable. This Surveillance is performed to verify the f( I) input to the overtemperature T Function.

A Note modifies SR 3.3.1.6. The Note states that this Surveillance is required only if reactor power is > 50% RTP and that [24] hours is allowed for performing the first surveillance after reaching 50% RTP.

The Frequency of 92 EFPD is adequate. It is based on industry operating experience, considering instrument reliability and operating history data for instrument drift.

W OG STS B 3.3.1-62 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.7 SR 3.3.1.7 is the performance of a COT every 184 days.

A COT is performed on each required channel to ensure the entire channel will perform the intended Function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

Setpoints must be within conservative with respect to the Allowable Values specified in Table 3.3.1-1.

The difference between the current "as -found" values and the previous test "as -left" values must be consistent with the drift allowance used in the setpoint methodology. The setpoint shall be left set consistent with the assumptions of the current unit specific setpoint methodology.

The "as -found" [and "as -left""] values must also be recorded and reviewed for consistency with the assumptions of Reference 9.

SR 3.3.1.7 is modified by a Note that provides a 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months delay in the requirement to perform this Surveillance for source range instrumentation when entering MODE 3 from MODE 2. This Note allows a normal shutdown to proceed without a delay for testing in MODE 2 and for a short time in MODE 3 until the RTBs are open and SR 3.3.1.7 is no longer required to be performed. If the unit is to be in MODE 3 with the RTBs closed for > 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months this Surveillance must be performed prior to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months after entry into MODE 3.

The Frequency of 184 days is justified in Reference 9.

W OG STS B 3.3.1-63 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 SR 3.3.1.7 for SL-LSSS functions is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety analysis setpoint methodology assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. The performance of these channels will be evaluated under the station's Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [NTSP]. W here a setpoint more conservative than the

[NTSP] is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance of the [NTSP],

then the instrument channel shall be declared inoperable.

REVIEW ERS NOTE-----------------------------------

The bracketed section '[NTSP and the]' of the sentence in Note (c) in Table 3.3.1-1 is not required in plant-specific Technical Specifications which include a [Nominal Trip Setpoint] column in Table 3.3.1-1.

The second Note also requires that the [NTSP and the] methodologies for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.8 SR 3.3.1.8 is the performance of a COT as described in SR 3.3.1.7, except it is modified by a Note that this test shall include verification that the P-6 and P-10 interlocks are in their required state for the existing unit condition. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay.

This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. The Frequency is modified by a Note that allows this surveillance to be satisfied if it has been performed within 184 days of the Frequencies prior to reactor startup and four hours after reducing power below P-10 and P-6. The Frequency of "prior to startup" ensures this surveillance is performed prior to critical operations and applies to the W OG STS B 3.3.1-64 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 source, intermediate and power range low instrument channels. The Frequency of [12] hours after reducing power below P-10 (applicable to intermediate and power range low channels) and 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months after reducing power below P-6 (applicable to source range channels) allows a normal shutdown to be completed and the unit removed from the MODE of Applicability for this surveillance without a delay to perform the testing required by this surveillance. The Frequency of every 92 days thereafter applies if the plant remains in the MODE of Applicability after the initial performances of prior to reactor startup and [12] and four hours after reducing power below P-10 or P-6, respectively. The MODE of Applicability for this surveillance is < P-10 for the power range low and intermediate range channels and < P-6 for the source range channels.

Once the unit is in MODE 3, this surveillance is no longer required. If power is to be maintained < P-10 for more than [12] hours or < P-6 for more than 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , then the testing required by this surveillance must be performed prior to the expiration of the time limit. [Twelve] hours and four hours are reasonable times to complete the required testing or place the unit in a MODE where this surveillance is no longer required. This test ensures that the NIS source, intermediate, and power range low channels are OPERABLE prior to taking the reactor critical and after reducing power into the applicable MODE (< P-10 or < P-6) for periods > [12] and 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , respectively. The Frequency of 184 days is justified in Reference 13.

SR 3.3.1.8 for SL-LSSS functions is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety analysis setpoint methodology assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. The performance of these channels will be evaluated under the station's Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [NTSP]. W here a setpoint more conservative than the

[NTSP] is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance of the [NTSP],

then the instrument channel shall be declared inoperable.

REVIEW ERS NOTE-----------------------------------

The bracketed section '[NTSP and the]' of the sentence in Note (c) in Table 3.3.1-1 is not required in plant-specific Technical Specifications which include a [Nominal Trip Setpoint] column in Table 3.3.1-1.

W OG STS B 3.3.1-65 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 The second Note also requires that the [NTSP and the] methodologies for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

W OG STS B 3.3.1-66 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.9 SR 3.3.1.9 is the performance of a TADOT and is performed every

[92] days, as justified in Reference 9. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

The SR is modified by a Note that excludes verification of setpoints from the TADOT. Since this SR applies to RCP undervoltage and underfrequency relays, setpoint verification requires elaborate bench calibration and is accomplished during the CHANNEL CALIBRATION.

SR 3.3.1.10 A CHANNEL CALIBRATION is performed every [18] months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the unit specific setpoint methodology. The difference between the current "as -found" values and the [NTSP or previous test "as -left" values] must be consistent with the drift allowance used in the setpoint methodology.

The Frequency of 18 months is based on the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint methodology.

SR 3.3.1.10 is modified by a Note stating that this test shall include verification that the time constants are adjusted to the prescribed values where applicable.

SR 3.3.1.10 for SL-LSSS functions is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety analysis W OG STS B 3.3.1-67 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 setpoint methodology assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. The performance of these channels will be evaluated under the station's Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [NTSP]. W here a setpoint more conservative than the

[NTSP] is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance of the [NTSP],

then the instrument channel shall be declared inoperable.

REVIEW ERS NOTE-----------------------------------

The bracketed section '[NTSP and the]' of the sentence in Note (c) in Table 3.3.1-1 is not required in plant-specific Technical Specifications which include a [Nominal Trip Setpoint] column in Table 3.3.1-1.

The second Note also requires that the [NTSP and the] methodologies for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

W OG STS B 3.3.1-68 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.11 SR 3.3.1.11 is the performance of a CHANNEL CALIBRATION, as described in SR 3.3.1.10, every [18] months. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The CHANNEL CALIBRATION for the power range neutron detectors consists of a normalization of the detectors based on a power calorimetric and flux map performed above 15% RTP. The CHANNEL CALIBRATION for the source range and intermediate range neutron detectors consists of obtaining the detector plateau or preamp discriminator curves, evaluating those curves, and comparing the curves to the manufacturer's data. This Surveillance is not required for the NIS power range detectors for entry into MODE 2 or 1, and is not required for the NIS intermediate range detectors for entry into MODE 2, because the unit must be in at least MODE 2 to perform the test for the intermediate range detectors and MODE 1 for the power range detectors. The

[18] month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed on the [18] month Frequency.

SR 3.3.1.11 for SL-LSSS functions is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety analysis setpoint methodology assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. The performance of these channels will be evaluated under the station's Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [NTSP]. W here a setpoint more conservative than the

[NTSP] is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance of the [NTSP],

then the instrument channel shall be declared inoperable.

W OG STS B 3.3.1-69 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1

REVIEW ERS NOTE-----------------------------------

The bracketed section '[NTSP and the]' of the sentence in Note (c) in Table 3.3.1-1 is not required in plant-specific Technical Specifications which include a [Nominal Trip Setpoint] column in Table 3.3.1-1.

The second Note also requires that the [NTSP and the] methodologies for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

SR 3.3.1.12 SR 3.3.1.12 is the performance of a CHANNEL CALIBRATION, as described in SR 3.3.1.10, every [18] months. This SR is modified by a Note stating that this test shall include verification of the RCS resistance temperature detector (RTD) bypass loop flow rate. W henever a sensing element is replaced, the next required CHANNEL CALIBRATION of the resistance temperature detectors (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.

This test will verify the rate lag compensation for flow from the core to the RTDs.

The Frequency is justified by the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

W OG STS B 3.3.1-70 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 SR 3.3.1.12 for SL-LSSS functions is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety analysis setpoint methodology assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. The performance of these channels will be evaluated under the station's Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [NTSP]. W here a setpoint more conservative than the

[NTSP] is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance of the [NTSP],

then the instrument channel shall be declared inoperable.

REVIEW ERS NOTE-----------------------------------

The bracketed section '[NTSP and the]' of the sentence in Note (c) in Table 3.3.1-1 is not required in plant-specific Technical Specifications which include a [Nominal Trip Setpoint] column in Table 3.3.1-1.

The second Note also requires that the [NTSP and the] methodologies for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.13 SR 3.3.1.13 is the performance of a COT of RTS interlocks every

[18] months. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

The Frequency is based on the known reliability of the interlocks and the multichannel redundancy available, and has been shown to be acceptable through operating experience.

W OG STS B 3.3.1-71 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 SR 3.3.1.14 SR 3.3.1.14 is the performance of a TADOT of the Manual Reactor Trip, RCP Breaker Position, and the SI Input from ESFAS. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. This TADOT is performed every [18] months. The test shall independently verify the OPERABILITY of the undervoltage and shunt trip mechanisms for the Manual Reactor Trip Function for the Reactor Trip Breakers and Reactor Trip Bypass Breakers. The Reactor Trip Bypass Breaker test shall include testing of the automatic undervoltage trip.

The Frequency is based on the known reliability of the Functions and the multichannel redundancy available, and has been shown to be acceptable through operating experience.

The SR is modified by a Note that excludes verification of setpoints from the TADOT. The Functions affected have no setpoints associated with them.

W OG STS B 3.3.1-72 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.15 SR 3.3.1.15 is the performance of a TADOT of Turbine Trip Functions. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. This TADOT is as described in SR 3.3.1.4, except that this test is performed prior to exceeding the [P-9] interlock whenever the unit has been in MODE 3. This Surveillance is not required if it has been performed within the previous 31 days. Verification of the Trip Setpoint does not have to be performed for this Surveillance. Performance of this test will ensure that the turbine trip Function is OPERABLE prior to exceeding the [P-9] interlock.

SR 3.3.1.16 SR 3.3.1.16 verifies that the individual channel/train actuation response times are less than or equal to the maximum values assumed in the accident analysis. Response time testing acceptance criteria are included in Technical Requirements Manual, Section 15 (Ref. 14).

Individual component response times are not modeled in the analyses.

The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the equipment reaches the required functional state (i.e.,

control and shutdown rods fully inserted in the reactor core).

For channels that include dynamic transfer Functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer Function set to one, with the resulting measured response time compared to the appropriate FSAR response time. Alternately, the response time test can be performed with the time constants set to their nominal value, provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.

REVIEW ERS NOTE-----------------------------------

Applicable portions of the following Bases are applicable for plants adopting W CAP-13632-P-A and/or W CAP-14036-P.

W OG STS B 3.3.1-73 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from:

(1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g.,

vendor) test measurements, or (3) utilizing vendor engineering specifications. W CAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements," (Ref. 10) provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the W CAP. Response time verification for other sensor types must be demonstrated by test.

[W CAP-14036-P, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests," (Ref. 15) provides the basis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time.]

The allocations for sensor, signal conditioning, and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for repair are of the same type and value. Specific components identified in the W CAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing assembly of a transmitter.

As appropriate, each channel's response must be verified every

[18] months on a STAGGERED TEST BASIS. Testing of the final actuation devices is included in the testing. Response times cannot be determined during unit operation because equipment operation is required to measure response times. Experience has shown that these components usually pass this surveillance when performed at the 18 months Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

SR 3.3.1.16 is modified by a Note stating that neutron detectors are excluded from RTS RESPONSE TIME testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.

W OG STS B 3.3.1-74 Rev. 3.0, 03/31/04

RTS Instrumentation B 3.3.1 BASES REFERENCES 1. Regulatory Guide 1.105, Revision 3, "Setpoints for Safety Related Instrumentation."

2. FSAR, Chapter [7].

3. FSAR, Chapter [6].

4. FSAR, Chapter [15].

5. IEEE-279-1971.

6. 10 CFR 50.49.

7. Plant specific setpoint methodology study.

8. W CAP-14333-P-A, Rev. 1, October 1998.

9. W CAP-10271-P-A, Supplement 1, May 1986.

10. W CAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements," January 1996.

11. [ Plant specific evaluation reference].

12. W CAP-10271-P-A, Supplement 2, June 1990.

13. W CAP-15376, Rev. 0, October 2000.

14. Technical Requirements Manual, Section 15, "Response Times."

15. W CAP-14036-P, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests," December 1995.

W OG STS B 3.3.1-75 Rev. 3.0, 03/31/04

v t e Letter Sequence Other
TAC:MD5249, Clarify Application of Setpoint Methodology for LSSS Functions (Open)
Initiation Acceptance Administration Questions 4 November 2008 Answers Results Approval... Other: ML072050146, ML072070251, ML072070260, ML072070269, ML072070355, ML072070358, ML072120059, ML072120076, ML072120083, ML072120091, ML072120096, ML072120100, ML072120105, ML072120111, ML072120119, ML072120145, ML072120153, ML072120162, ML072120164, ML072120165, ML072120168
MONTHYEAR2007-07-25 [Table View]

ML072120165

Text

Navigation menu

Search