NRC Response to 4/16/2007 Submittal of TSTF-493, Revision 2, Clarify Application of Setpoint Methodology for LSSS Functions, Enclosure 6b - WOG_3.3.02_B for TSTF-493R2eITSB

ML072120168
Person / Time
Site:	Technical Specifications Task Force
Issue date:	07/25/2007
From:	Kobetz T NRC/NRR/ADRO/DIRS/ITSB
To:	Technical Specifications Task Force
Schulten C. S., NRR/DIRS, 415-1192
Shared Package
ML072070202	List: ML072050146 ML072070251 ML072070260 ML072070269 ML072070355 ML072070358 ML072120059 ML072120076 ML072120083 ML072120091 ML072120096 ML072120100 ML072120105 ML072120111 ML072120119 ML072120145 ML072120153 ML072120162 ML072120164 ML072120165 ML072120168
References
TAC MD5249, TSTF-493, Rev 2
Download: ML072120168 (67)
v • d • e

Text

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 B 3.3 INSTRUMENTATION B 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation BASES BACKGROUND The ESFAS initiates necessary safety systems, based on the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate accidents. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the ESFAS, as well as specifying LCOs on other system parameters and equipment performance. The subset of LSSS that directly protect against violating the rReactor cCore Safety Limits and Reactor Coolant System (RCS)

Ppressure boundary Ssafety lLimits during anticipated operational occurrences (AOOs) are referred to as Safety Limit LSSS (SL-LSSS) 10 CFR 50.36(c)(1)(ii)(A) requires that TSs include LSSSs for variables that have significant safety functions. For variables on which a SL has been placed, the LSSS must be chosen to initiate automatic protective action to correct abnormal situations before the SL is exceeded.

Technical Specifications are required by 10 CFR 50.36 to contain SL-LSSS defined by the regulation as "...settings for automatic protective devices...so chosen that automatic protective action will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a protective action is initiated, as established by the safety analysis, to ensure that an SLa SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

---

REVIEW ER'S NOTE ------------------------------------

The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the setpoint value calculated by means of the plant-specific setpoint methodology documented in a document controlled under 10 CFR 50.59.

The term Limiting Trip Setpoint indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting.

W here margin is added between the Analytical Limit and trip setpoint, the standard terminology of Nominal Trip Setpoint (NTSP) should be used.

The trip setpoint (field setting) may be more conservative than the Limiting or Nominal Trip Setpoint. W here the [NTSP] is not included in Table 3.3.2-1 for the purpose of compliance with 10 CFR 50.36, the plant-specific term for the Limiting or Nominal Trip Setpoint must be cited in Note c of Table 3.3.2-1. The brackets indicate plant-specific terms may apply, as reviewed and approved by the NRC. The as-found and as-left tolerances will apply to the actual setpoint implemented in the W OG STS B 3.3.2-1 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 Surveillance procedures to confirm channel performance. [NTSP] is the standard terminology for most W estinghouse plants and is used as the preferred term in the Bases descriptions.

Licensees are to insert the name of the document(s) controlled under 10 CFR 50.59 that contain the methodology for calculating the as-left and as-found tolerances, for the phrase "[a document controlled under 10 CFR 50.59]" throughout these Bases. Those plants that do not include the

[NTSP] in Table 3.3.2-1 must insert the name of the document(s) controlled under 10 CFR 50.59 that contain the [NTSP] and the methodology for calculating the as-left and as-found tolerances, for the phrase "[a document controlled under 10 CFR 50.59]" in the specifications.

The [Nominal Trip Setpoint (NTSP)] is a predetermined setting, plus margin, for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the [NTSP] accounts for uncertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g., repeatability), changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the

[NTSP] ensures that SLs are not exceeded. As such, the [NTSP] meets the definition of an SLa SL-LSSS (Ref. 1).

BASES BACKGROUND (continued)

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety functions(s)." Use of the [NTSP] to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protective device setting during a surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the [NTSP] due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the [NTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protective device. Therefore, the device would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the device to the [NTSP] to account for further drift during the next surveillance interval.

W OG STS B 3.3.2-2 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 However, there is also some point beyond which the device would have not been able to perform its function due to, for example, greater than expected drift. The Allowable Value specified in Table 3.3.2-1 is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the as-found setpoint is conservative with respect to the Allowable Value during the CHANNEL OPERATIONAL TEST (COT). As such, the Allowable Value differs from the [NTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device will ensure that an SLa SL BASES BACKGROUND (continued) is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).

If the actual setting of the device is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, then this condition indicates that the instrument is degraded and is not performing in accordance with the setpoint methodology assumptions.

This condition must be entered into the plant corrective action program, the trip setpoint must be left adjusted to a value within the as-left tolerance band, and an immediate determination of operability decision must be made.

If the actual setting of the device is found to be non-conservative with respect to the Allowable Value, the device channel would be considered inoperable. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.

[Note: Alternatively, a Technical Specification format incorporating an Allowable Value only column may be proposed by a licensee. In this case, for SL-LSSS setpoints, the [NTSP] value and the methodologies used to calculate the as-found and as-left tolerances must be specified in

[a document controlled under 10 CFR 50.59]. Changes to the actual plant trip setpoint or [NTSP] value would be controlled by 10 CFR 50.59 or administratively as appropriate, and adjusted per the setpoint methodology and applicable surveillance requirements.

W OG STS B 3.3.2-3 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:

1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB),

2. Fuel centerline melt shall not occur, and

3. The RCS pressure SL of 2750 psia shall not be exceeded.

Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 50 and 10 CFR 100 criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 limits. Different accident categories are allowed a different fraction of these limits, based on probability of occurrence.

Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event. However, these values the acceptable dose limit for an accident category and their associated

[NTSPs] are not considered to be LSSS as defined in 10 CFR 50.36.

The ESFAS instrumentation is segmented into three distinct but interconnected modules as identified below:

• Field transmitters or process sensors and instrumentation: provide a measurable electronic signal based on the physical characteristics of the parameter being measured,

• Signal processing equipment including analog protection system, field contacts, and protection channel sets: provide signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/miscellaneous indications, and

• Solid State Protection System (SSPS) including input, logic, and output bays: initiates the proper unit shutdown or engineered safety feature (ESF) actuation in accordance with the defined logic and based on the bistable outputs from the signal process control and protection system.

The Allowable Value in conjunction with the trip setpoint and LCO establishes the threshold for ESFAS action to prevent exceeding acceptable limits such that the consequences of Design Basis Accidents (DBAs) will be acceptable. The Allowable Value is considered a limiting value such that a channel is OPERABLE if the setpoint is found not to exceed the Allowable Value during the CHANNEL OPERATIONAL TEST (COT). Note that, although a channel is "OPERABLE" under these W OG STS B 3.3.2-4 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 circumstances, the ESFAS setpoint must be left adjusted to within the established calibration tolerance band of the ESFAS setpoint in accordance with the uncertainty assumptions stated in the referenced setpoint methodology, (as-left criteria) and confirmed to be operating within the statistical allowances of the uncertainty terms assigned.

W OG STS B 3.3.2-5 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued)

Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. In many cases, field transmitters or sensors that input to the ESFAS are shared with the Reactor Trip System (RTS).

In some cases, the same channels also provide control system inputs.

To account for calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are provided in the Trip Setpoint[NTSP] and Allowable Values. The OPERABILITY of each transmitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor, as related to the channel behavior observed during performance of the CHANNEL CHECK.

Signal Processing Equipment Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints[NTSPs]

established by safety analyses. These setpoints[NTSPs] are defined in FSAR, Chapter [6] (Ref. 1), Chapter [7] (Ref. 2), and Chapter [15]

(Ref. 3). If the measured value of a unit parameter exceeds the predetermined setpoint[NTSP], an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.

Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of- two logic.

W OG STS B 3.3.2-6 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued)

Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.

These requirements are described in IEEE-279-1971 (Ref. 4). The actual number of channels required for each unit parameter is specified in Reference 2.

Allowable Values [NTSPs] and ESFAS Setpoints The trip setpoints [NTSPs] used in the bistables are based on the analytical limits stated in Reference 2. The selection of these trip setpoints[NTSPs] is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5), the Allowable Values specified in Table 3.3.2-1 in the accompanying LCO are conservative with respect to the analytical limits. A detailed description of the methodology used to calculate the Allowable Values and ESFAS setpoints[NTSPs] including their explicit uncertainties, is provided in the plant specific setpoint methodology study (Ref. 6) which incorporates all of the known uncertainties applicable to each channel.

The magnitudes of these uncertainties are factored into the determination of each ESFAS setpoint[NTSP] and corresponding Allowable Value. The nominal ESFAS setpoint entered into the bistable is more conservative than that specified by the Allowable Value [NTSP]

to account for measurement errors detectable by the COT. The Allowable Value serves as the Technical Specification as-found trip setpoint OPERABILITY limit for the purpose of the COT. One example of such a change in measurement error is drift during the surveillance interval. If the measuredas-found setpoint does not exceed theis conservative with respect to Allowable Value, the bistable is considered OPERABLE. Note that, although a channel is OPERABLE under these circumstances, the ESFAS setpoint must be left adjusted to within the established as-left criteria and confirmed to be operating within the statistical allowances of the uncertainty terms assigned.

The ESFAS setpoints are the values at which the bistables are set and is the expected value to be achieved during calibration. The ESFAS setpoint [NTSP] value, in conjunction with the use of as-found and as-left W OG STS B 3.3.2-7 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 tolerances, ensures the safety analysis limits are met for the surveillance interval selected when a channel is adjusted based on stated BASES BACKGROUND (continued) channel uncertainties. Any bistable is considered to be properly adjusted when the "as-left" setpoint [NTSP] value is within the band as-left tolerance for CHANNEL W OG STS B 3.3.2-8 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued)

CALIBRATION uncertainty allowance (i.e., +/- rack calibration tolerance and comparator setting uncertainties). The ESFAS setpoint[NTSP] value is therefore considered a "nominal value" (i.e., expressed as a value without inequalities) for the purposes of the COT and CHANNEL CALIBRATION.

Setpoints adjusted consistent with the requirements of the Allowable Value ensure that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at the onset of the DBA and the equipment functions as designed. Note that the Allowable Values listed in Table 3.3.2-1 are the least conservative value of the as-found setpoint that a channel can have during a periodic CHANNEL CALIBRATION, COT, or a TADOT that requires trip setpoint verification.

Each channel can be tested on line to verify that the signal processing equipment and setpoint accuracy is within the specified allowance requirements of Reference 2. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SR section.

Solid State Protection System The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result.

Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.

The SSPS performs the decision logic for most ESF equipment actuation; generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe W OG STS B 3.3.2-9 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.

W OG STS B 3.3.2-10 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued)

Each SSPS train has a built in testing device that can automatically test the decision logic matrix functions and the actuation devices while the unit is at power. W hen any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.

The actuation of ESF components is accomplished through master and slave relays. The SSPS energizes the master relays appropriate for the condition of the unit. Each master relay then energizes one or more slave relays, which then cause actuation of the end devices. The master and slave relays are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts and applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal path continuity. The SLAVE RELAY TEST actuates the devices if their operation will not interfere with continued unit operation. For the latter case, actual component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is verified by a continuity check of the circuit containing the slave relay.

---

REVIEW ERS NOTE------------------------------------------

No one unit ESFAS incorporates all of the Functions listed in Table 3.3.2-1. In some cases (e.g., Containment Pressure - High 3, Function 2.c), the Table reflects several different implementations of the same Function. Typically, only one of these implementations are used at any specific unit.

APPLICABLE Each of the analyzed accidents can be detected by one or more ESFAS SAFETY Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO, for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents. For example, Pressurizer Pressure - Low is a primary actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment.

Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. However, qualitatively credited or backup functions are not SL-LSSS for protection system instrument channels that protect reactor core or RCS pressure boundary Safety Limits. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3)

W OG STS B 3.3.2-11 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 ESFAS Trip Actuation Setpoints that directly protect against violating the Rreactor Ccore Safety Limits or the Reactor Coolant System (RCS)

Ppressure boundary Ssafety Llimits during anticipated operational occurrences (AOOs) are Safety Limit-Limiting Safety System Settings (SL-LSSS). The ESFAS interlocks allow ESFAS functions to be blocked for shutdown operations and automatically unblocked for the ESFAS function when the plant is started up. The ESFAS interlocks do not function as part of the automatic actuation system and are not modeled in the safety analysis Therefore permissives and interlocks are not considered to be SL-LSSS.

W OG STS B 3.3.2-12 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The LCO requires all instrumentation performing an ESFAS Function, listed in Table 3.3.2-1 in the accompanying LCO, to be OPERABLE. The Allowable Value specified in Table 3.3.2-1 is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the as-found setpoint is conservative with respect to the Allowable Value during the CHANNEL OPERATIONAL TEST (COT). As such, the Allowable Value differs from the [NTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device will ensure that a SL is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria). If the actual setting of the device is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, then this condition indicates that the instrument is degraded and is not performing in accordance with the setpoint methodology assumptions. This condition must be entered into the plant corrective action program, the trip setpoint must be left adjusted to a value within the as-left tolerance band, and an immediate determination of operability decision must be made. If the actual setting of the device is found to be non-conservative with respect to the Allowable Value, the device channel would be considered inoperable. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required. The LCO requires all instrumentation performing an ESFAS Function to be OPERABLE. A channel is OPERABLE with an trip setpoint[NTSP] value outside its calibration tolerance band provided the trip setpoint "as-found" value does not exceed is conservative with respect to its associated Allowable Value and provided the trip setpoint[NTSP] "as-left" value is adjusted to a value within the calibration tolerance band of the Nominal Trip Setpoint.[NTSP]A trip setpoint may be set more conservative than the Nominal Trip Setpoint[NTSP] as necessary in response to plant conditions. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

The LCO generally requires OPERABILITY of four or three channels in each instrumentation function and two channels in each logic and manual initiation function. The two-out-of-three and the two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing an ESFAS initiation. Two logic or manual W OG STS B 3.3.2-13 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 initiation channels are required to ensure no single random failure disables the ESFAS.

The required channels of ESFAS instrumentation provide unit protection in the event of any of the analyzed accidents. ESFAS protection functions are as follows:

1. Safety Injection Safety Injection (SI) provides two primary functions:

1. Primary side water addition to ensure maintenance or recovery of reactor vessel water level (coverage of the active fuel for heat removal, clad integrity, and for limiting peak clad temperature to < 2200°F), and

2. Boration to ensure recovery and maintenance of SDM (k eff< 1.0).

W OG STS B 3.3.2-14 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

These functions are necessary to mitigate the effects of high energy line breaks (HELBs) both inside and outside of containment. The SI signal is also used to initiate other Functions such as:

• Phase A Isolation,

• Containment Purge Isolation,

• Reactor Trip,

• Turbine Trip,

• Feedwater Isolation,

• Start of motor driven auxiliary feedwater (AFW) pumps,

• Control room ventilation isolation, and

• Enabling automatic switchover of Emergency Core Cooling Systems (ECCS) suction to containment sump.

These other functions ensure:

• Isolation of nonessential systems through containment penetrations,

• Trip of the turbine and reactor to limit power generation,

• Isolation of main feedwater (MFW) to limit secondary side mass losses,

• Start of AFW to ensure secondary side cooling capability,

• Isolation of the control room to ensure habitability, and

• Enabling ECCS suction from the refueling water storage tank (RWST) switchover on low low RWST level to ensure continued cooling via use of the containment sump.

W OG STS B 3.3.2-15 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

a. Safety Injection - Manual Initiation The LCO requires one channel per train to be OPERABLE. The operator can initiate SI at any time by using either of two switches in the control room. This action will cause actuation of all components in the same manner as any of the automatic actuation signals.The LCO for the Manual Initiation Function ensures the proper amount of redundancy is maintained in the manual ESFAS actuation circuitry to ensure the operator has manual ESFAS initiation capability.

Each channel consists of one push button and the interconnecting wiring to the actuation logic cabinet. Each push button actuates both trains. This configuration does not allow testing at power.

b. Safety Injection - Automatic Actuation Logic and Actuation Relays This LCO requires two trains to be OPERABLE. Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.

Manual and automatic initiation of SI must be OPERABLE in MODES 1, 2, and 3. In these MODES, there is sufficient energy in the primary and secondary systems to warrant automatic initiation of ESF systems. Manual Initiation is also required in MODE 4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a SI, actuation is simplified by the use of the manual actuation push buttons. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation.These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. Unit W OG STS B 3.3.2-16 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

c. Safety Injection - Containment Pressure - High 1 This signal provides protection against the following accidents:

• SLB inside containment,

• LOCA, and

• Feed line break inside containment.

Containment Pressure - High 1 provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with a two-out-of-three logic. The transmitters (d/p cells) and electronics are located outside of containment with the sensing line (high pressure side of the transmitter) located inside containment.

Thus, the high pressure Function will not experience any adverse environmental conditions and the Trip Setpoint[NTSP]

reflects only steady state instrument uncertainties.

Containment Pressure - High 1 must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary systems to pressurize the containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment.

g. Safety Injection - Pressurizer Pressure - Low This signal provides protection against the following accidents:

• Inadvertent opening of a steam generator (SG) relief or safety valve,

• SLB, W OG STS B 3.3.2-17 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

• A spectrum of rod cluster control assembly ejection accidents (rod ejection),

• Inadvertent opening of a pressurizer relief or safety valve,

• LOCAs, and

• SG Tube Rupture.

At some units pressurizer pressure provides both control and protection functions: input to the Pressurizer Pressure Control System, reactor trip, and SI. Therefore, the actuation logic must be able to withstand both an input failure to control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Thus, four OPERABLE channels are required to satisfy the requirements with a two-out-of-four logic.

For units that have dedicated protection and control channels, only three protection channels are necessary to satisfy the protective requirements.

The transmitters are located inside containment, with the taps in the vapor space region of the pressurizer, and thus possibly experiencing adverse environmental conditions (LOCA, SLB inside containment, rod ejection). Therefore, the Trip Setpoi[NTSP]nt reflects the inclusion of both steady state and adverse environmental instrument uncertainties.

This Function must be OPERABLE in MODES 1, 2, and 3 (above P-11) to mitigate the consequences of an HELB inside containment. This signal may be manually blocked by the operator below the P-11 setpoint. Automatic SI actuation below this pressure setpoint is then performed by the Containment Pressure - High 1 signal.

This Function is not required to be OPERABLE in MODE 3 below the P-11 setpoint. Other ESF functions are used to detect accident conditions and actuate the ESF systems in this MODE.

In MODES 4, 5, and 6, this Function is not needed for accident detection and mitigation.

W OG STS B 3.3.2-18 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

e. Safety Injection - Steam Line Pressure (1) Steam Line Pressure - Low Steam Line Pressure - Low provides protection against the following accidents:

• SLB,

• Feed line break, and

• Inadvertent opening of an SG relief or an SG safety valve.

Steam Line Pressure - Low provides no input to any control functions. Thus, three OPERABLE channels on each steam line are sufficient to satisfy the protective requirements with a two-out-of-three logic on each steam line.

W ith the transmitters typically located inside the steam tunnels, it is possible for them to experience adverse environmental conditions during a secondary side break.

Therefore, the Trip Setpoint reflects both steady state and adverse environmental instrument uncertainties.

This Function is anticipatory in nature and has a typical lead/lag ratio of 50/5.

Steam Line Pressure - Low must be OPERABLE in MODES 1, 2, and 3 (above P-11) when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the P-11 setpoint.

Below P-11, feed line break is not a concern. Inside containment SLB will be terminated by automatic SI actuation via Containment Pressure - High 1, and outside containment SLB will be terminated by the Steam Line Pressure - Negative Rate - High signal for steam line isolation. This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to cause an accident.

W OG STS B 3.3.2-19 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

(2) Steam Line Pressure - High Differential Pressure Between Steam Lines Steam Line Pressure - High Differential Pressure Between Steam Lines provides protection against the following accidents:

• SLB,

• Feed line break, and

• Inadvertent opening of an SG relief or an SG safety valve.

Steam Line Pressure - High Differential Pressure Between Steam Lines provides no input to any control functions.

Thus, three OPERABLE channels on each steam line are sufficient to satisfy the requirements, with a two-out-of-three logic on each steam line.

W ith the transmitters typically located inside the steam tunnels, it is possible for them to experience adverse environmental conditions during an SLa SLB event.

Therefore, the Trip Setpoint reflects both steady state and adverse environmental instrument uncertainties. Steam line high differential pressure must be OPERABLE in MODES 1, 2, and 3 when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is not sufficient energy in the secondary side of the unit to cause an accident.

f, g. Safety Injection - High Steam Flow in Two Steam Lines Coincident W ith T avg - Low Low or Coincident W ith Steam Line Pressure - Low These Functions (1.f and 1.g) provide protection against the following accidents:

• SLB, and

• the inadvertent opening of an SG relief or an SG safety valve.

W OG STS B 3.3.2-20 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Two steam line flow channels per steam line are required OPERABLE for these Functions. The steam line flow channels are combined in a one-out-of-two logic to indicate high steam flow in one steam line. The steam flow transmitters provide control inputs, but the control function cannot cause the events that the Function must protect against. Therefore, two channels are sufficient to satisfy redundancy requirements. The one-out-of-two configuration allows online testing because trip of one high steam flow channel is not sufficient to cause initiation. High steam flow in two steam lines is acceptable in the case of a single steam line fault due to the fact that the remaining intact steam lines will pick up the full turbine load. The increased steam flow in the remaining intact lines will actuate the required second high steam flow trip. Additional protection is provided by Function 1.e.(2), High Differential Pressure Between Steam Lines.

One channel of T avg per loop and one channel of low steam line pressure per steam line are required OPERABLE. For each parameter, the channels for all loops or steam lines are combined in a logic such that two channels tripped will cause a trip for the parameter. For example, for three loop units, the low steam line pressure channels are combined in two-out-of- three logic. Thus, the Function trips on one-out-of-two high flow in any two-out-of-three steam lines if there is one-out-of-one low low T avg trip in any two-out-of-three RCS loops, or if there is a one-out-of-one low pressure trip in any two-out-of-three steam lines.

Since the accidents that this event protects against cause both low steam line pressure and low low T avg , provision of one channel per loop or steam line ensures no single random failure can disable both of these Functions. The steam line pressure channels provide no control inputs. The T avg channels provide control inputs, but the control function cannot initiate events that the Function acts to mitigate.

The Allowable Value for high steam flow is a linear function that varies with power level. The function is a P corresponding to 44% of full steam flow between 0% and 20% load to 114% of full steam flow at 100% load. The nominal trip setpoint is similarly calculated.

W OG STS B 3.3.2-21 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

W ith the transmitters typically located inside the containment (T avg ) or inside the steam tunnels (High Steam Flow), it is possible for them to experience adverse steady state environmental conditions during an SLa SLB event. Therefore, the Trip Setpoint reflects both steady state and adverse environmental instrument uncertainties. The Steam Line Pressure - Low signal was discussed previously under Function 1.e.(1).

This Function must be OPERABLE in MODES 1, 2, and 3 (above P-12) when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s).

This signal may be manually blocked by the operator when below the P-12 setpoint. Above P-12, this Function is automatically unblocked. This Function is not required OPERABLE below P-12 because the reactor is not critical, so feed line break is not a concern. SLB may be addressed by Containment Pressure High 1 (inside containment) or by High Steam Flow in Two Steam Lines coincident with Steam Line Pressure - Low, for Steam Line Isolation, followed by High Differential Pressure Between Two Steam Lines, for SI. This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to cause an accident.

2. Containment Spray Containment Spray provides three primary functions:

1. Lowers containment pressure and temperature after an HELB in containment,

2. Reduces the amount of radioactive iodine in the containment atmosphere, and

3. Adjusts the pH of the water in the containment recirculation sump after a large break LOCA.

These functions are necessary to:

• Ensure the pressure boundary integrity of the containment structure, W OG STS B 3.3.2-22 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

• Limit the release of radioactive iodine to the environment in the event of a failure of the containment structure, and

• Minimize corrosion of the components and systems inside containment following a LOCA.

The containment spray actuation signal starts the containment spray pumps and aligns the discharge of the pumps to the containment spray nozzle headers in the upper levels of containment. W ater is initially drawn from the RW ST by the containment spray pumps and mixed with a sodium hydroxide solution from the spray additive tank.

W hen the RW ST reaches the low low level setpoint, the spray pump suctions are shifted to the containment sump if continued containment spray is required. Containment spray is actuated manually by Containment Pressure - High 3 or Containment Pressure

- High High.

a. Containment Spray - Manual Initiation The operator can initiate containment spray at any time from the control room by simultaneously turning two containment spray actuation switches in the same train. Because an inadvertent actuation of containment spray could have such serious consequences, two switches must be turned simultaneously to initiate containment spray. There are two sets of two switches each in the control room. Simultaneously turning the two switches in either set will actuate containment spray in both trains in the same manner as the automatic actuation signal.

Two Manual Initiation switches in each train are required to be OPERABLE to ensure no single failure disables the Manual Initiation Function. Note that Manual Initiation of containment spray also actuates Phase B containment isolation.b.

Containment Spray - Automatic Actuation Logic and Actuation Relays Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

W OG STS B 3.3.2-23 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Manual and automatic initiation of containment spray must be OPERABLE in MODES 1, 2, and 3 when there is a potential for an accident to occur, and sufficient energy in the primary or secondary systems to pose a threat to containment integrity due to overpressure conditions. Manual initiation is also required in MODE 4, even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA. However, because of the large number of components actuated on a containment spray, actuation is simplified by the use of the manual actuation push buttons. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary and secondary systems to result in containment overpressure. In MODES 5 and 6, there is also adequate time for the operators to evaluate unit conditions and respond, to mitigate the consequences of abnormal conditions by manually starting individual components.

c. Containment Spray - Containment Pressure This signal provides protection against a LOCA or an SLa SLB inside containment. The transmitters (d/p cells) are located outside of containment with the sensing line (high pressure side of the transmitter) located inside containment. The transmitters and electronics are located outside of containment. Thus, they will not experience any adverse environmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties.This is one of the only Functions that requires the bistable output to energize to perform its required action. It is not desirable to have a loss of power actuate containment spray, since the consequences of an inadvertent actuation of containment spray could be serious. Note that this Function also has the inoperable channel placed in bypass rather than trip to decrease the probability of an inadvertent actuation.

Two different logic configurations are typically used. Three and four loop units use four channels in a two-out-of-four logic configuration. This configuration may be called the Containment Pressure - High 3 Setpoint for three and four loop units, and W OG STS B 3.3.2-24 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Containment Pressure - High High Setpoint for other units.

Some two loop units use three sets of two channels, each set combined in a one-out-of-two configuration, with these outputs combined so that two-out-of-three sets tripped initiates containment spray. This configuration is called Containment Pressure - High 3 Setpoint. Since containment pressure is not used for control, both of these arrangements exceed the minimum redundancy requirements. Additional redundancy is warranted because this Function is energize to trip.

Containment Pressure - [High 3] [High High] must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary sides to pressurize the containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary and secondary sides to pressurize the containment and reach the Containment Pressure

- High 3 (High High) setpoints.

3. Containment Isolation Containment Isolation provides isolation of the containment atmosphere, and all process systems that penetrate containment, from the environment. This Function is necessary to prevent or limit the release of radioactivity to the environment in the event of a large break LOCA.

There are two separate Containment Isolation signals, Phase A and Phase B. Phase A isolation isolates all automatically isolable process lines, except component cooling water (CCW ), at a relatively low containment pressure indicative of primary or secondary system leaks. For these types of events, forced circulation cooling using the reactor coolant pumps (RCPs) and SGs is the preferred (but not required) method of decay heat removal. Since CCW is required to support RCP operation, not isolating CCW on the low pressure Phase A signal enhances unit safety by allowing operators to use forced RCS circulation to cool the unit. Isolating CCW on the low pressure signal may force the use of feed and bleed cooling, which could prove more difficult to control.

Phase A containment isolation is actuated automatically by SI, or manually via the automatic actuation logic. All process lines penetrating containment, with the exception of CCW , are isolated.

W OG STS B 3.3.2-25 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)CCW is not isolated at this time to permit continued operation of the RCPs with cooling water flow to the thermal barrier heat exchangers and air or oil coolers. All process lines not equipped with remote operated isolation valves are manually closed, or otherwise isolated, prior to reaching MODE 4.Manual Phase A Containment Isolation is accomplished by either of two switches in the control room. Either switch actuates both trains. Note that manual actuation of Phase A Containment Isolation also actuates Containment Purge and Exhaust Isolation.

The Phase B signal isolates CCW . This occurs at a relatively high containment pressure that is indicative of a large break LOCA or an SLa SLB. For these events, forced circulation using the RCPs is no longer desirable. Isolating the CCW at the higher pressure does not pose a challenge to the containment boundary because the CCW System is a closed loop inside containment. Although some system components do not meet all of the ASME Code requirements applied to the containment itself, the system is continuously pressurized to a pressure greater than the Phase B setpoint. Thus, routine operation demonstrates the integrity of the system pressure boundary for pressures exceeding the Phase B setpoint. Furthermore, because system pressure exceeds the Phase B setpoint, any system leakage prior to initiation of Phase B isolation would be into containment.

Therefore, the combination of CCW System design and Phase B isolation ensures the CCW System is not a potential path for radioactive release from containment.

Phase B containment isolation is actuated by Containment Pressure -

High 3 or Containment Pressure - High High, or manually, via the automatic actuation logic, as previously discussed. For containment pressure to reach a value high enough to actuate Containment Pressure - High 3 or Containment Pressure - High High, a large break LOCA or SLB must have occurred and containment spray must have been actuated. RCP operation will no longer be required and CCW to the RCPs is, therefore, no longer necessary. The RCPs can be operated with seal injection flow alone and without CCW flow to the thermal barrier heat exchanger.

Manual Phase B Containment Isolation is accomplished by the same switches that actuate Containment Spray. W hen the two switches in either set are turned simultaneously, Phase B Containment Isolation and Containment Spray will be actuated in both trains.

W OG STS B 3.3.2-26 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

a. Containment Isolation - Phase A Isolation (1) Phase A Isolation - Manual Initiation Manual Phase A Containment Isolation is actuated by either of two switches in the control room. Either switch actuates both trains. Note that manual initiation of Phase A Containment Isolation also actuates Containment Purge Isolation.

(2) Phase A Isolation - Automatic Actuation Logic and Actuation Relays Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

Manual and automatic initiation of Phase A Containment Isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur. Manual initiation is also required in MODE 4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a Phase A Containment Isolation, actuation is simplified by the use of the manual actuation push buttons. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase A Containment Isolation. There also is adequate time for the operator to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.

(3) Phase A Isolation - Safety Injection Phase A Containment Isolation is also initiated by all Functions that initiate SI. The Phase A Containment Isolation requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements.

W OG STS B 3.3.2-27 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

b. Containment Isolation - Phase B Isolation Phase B Containment Isolation is accomplished by Manual Initiation, Automatic Actuation Logic and Actuation Relays, and by Containment Pressure channels (the same channels that actuate Containment Spray, Function 2). The Containment Pressure trip of Phase B Containment Isolation is energized to trip in order to minimize the potential of spurious trips that may damage the RCPs.

(1) Phase B Isolation - Manual Initiation (2) Phase B Isolation - Automatic Actuation Logic and Actuation Relays Manual and automatic initiation of Phase B containment isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur. Manual initiation is also required in MODE 4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA. However, because of the large number of components actuated on a Phase B containment isolation, actuation is simplified by the use of the manual actuation push buttons. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase B containment isolation. There also is adequate time for the operator to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.

(3) Phase B Isolation - Containment Pressure The basis for containment pressure MODE applicability is as discussed for ESFAS Function 2.c above.

W OG STS B 3.3.2-28 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

4. Steam Line Isolation Isolation of the main steam lines provides protection in the event of an SLa SLB inside or outside containment. Rapid isolation of the steam lines will limit the steam break accident to the blowdown from one SG, at most. For an SLa SLB upstream of the main steam isolation valves (MSIVs), inside or outside of containment, closure of the MSIVs limits the accident to the blowdown from only the affected SG. For an SLa SLB downstream of the MSIVs, closure of the MSIVs terminates the accident as soon as the steam lines depressurize. For units that do not have steam line check valves, Steam Line Isolation also mitigates the effects of a feed line break and ensures a source of steam for the turbine driven AFW pump during a feed line break.

a. Steam Line Isolation - Manual Initiation Manual initiation of Steam Line Isolation can be accomplished from the control room. There are two switches in the control room and either switch can initiate action to immediately close all MSIVs. The LCO requires two channels to be OPERABLE.

b. Steam Line Isolation - Automatic Actuation Logic and Actuation Relays Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

Manual and automatic initiation of steam line isolation must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the RCS and SGs to have an SLa SLB or other accident. This could result in the release of significant quantities of energy and cause a cooldown of the primary system. The Steam Line Isolation Function is required in MODES 2 and 3 unless all MSIVs are closed and [de-activated]. In MODES 4, 5, and 6, there is insufficient energy in the RCS and SGs to experience an SLa SLB or other accident releasing significant quantities of energy.

W OG STS B 3.3.2-29 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

c. Steam Line Isolation - Containment Pressure - High 2 This Function actuates closure of the MSIVs in the event of a LOCA or an SLa SLB inside containment to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. The transmitters (d/p cells) are located outside containment with the sensing line (high pressure side of the transmitter) located inside containment.

Containment Pressure - High 2 provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with two-out-of-three logic.

However, for enhanced reliability, this Function was designed with four channels and a two-out-of-four logic. The transmitters and electronics are located outside of containment. Thus, they will not experience any adverse environmental conditions, and the Trip Setpoint reflects only steady state instrument uncertainties.Containment Pressure - High 2 must be OPERABLE in MODES 1, 2, and 3, when there is sufficient energy in the primary and secondary side to pressurize the containment following a pipe break. This would cause a significant increase in the containment pressure, thus allowing detection and closure of the MSIVs. The Steam Line Isolation Function remains OPERABLE in MODES 2 and 3 unless all MSIVs are closed and [de-activated]. In MODES 4, 5, and 6, there is not enough energy in the primary and secondary sides to pressurize the containment to the Containment Pressure -

High 2 setpoint.

d. Steam Line Isolation - Steam Line Pressure (1) Steam Line Pressure - Low Steam Line Pressure - Low provides closure of the MSIVs in the event of an SLa SLB to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. This Function provides closure of the MSIVs in the event of a feed line break to ensure a supply of steam for the turbine driven AFW pump.

Steam Line Pressure - Low was discussed previously under SI Function 1.e.1.

W OG STS B 3.3.2-30 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Steam Line Pressure - Low Function must be OPERABLE in MODES 1, 2, and 3 (above P-11), with any main steam valve open, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the P-11 setpoint. Below P-11, an inside containment SLB will be terminated by automatic actuation via Containment Pressure - High 2. Stuck valve transients and outside containment SLBs will be terminated by the Steam Line Pressure - Negative Rate - High signal for Steam Line Isolation below P-11 when SI has been manually blocked.

The Steam Line Isolation Function is required in MODES 2 and 3 unless all MSIVs are closed and [de-activated]. This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.

(2) Steam Line Pressure - Negative Rate - High Steam Line Pressure - Negative Rate - High provides closure of the MSIVs for an SLa SLB when less than the P-11 setpoint, to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. W hen the operator manually blocks the Steam Line Pressure - Low main steam isolation signal when less than the P-11 setpoint, the Steam Line Pressure -

Negative Rate - High signal is automatically enabled.

Steam Line Pressure - Negative Rate - High provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy requirements with a two-out-of-three logic on each steam line.

Steam Line Pressure - Negative Rate - High must be OPERABLE in MODE 3 when less than the P-11 setpoint, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). In MODES 1 and 2, and in MODE 3, when above the P-11 setpoint, this signal is automatically disabled and the Steam Line Pressure - Low signal is automatically enabled. The W OG STS B 3.3.2-31 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless all MSIVs are closed and [de-activated]. In MODES 4, 5, and 6, there is insufficient energy in the primary and secondary sides to have an SLa SLB or other accident that would result in a release of significant enough quantities of energy to cause a cooldown of the RCS.

W hile the transmitters may experience elevated ambient temperatures due to an SLa SLB, the trip function is based on rate of change, not the absolute accuracy of the indicated steam pressure. Therefore, the Trip Setpoint reflects only steady state instrument uncertainties.

e, f. Steam Line Isolation - High Steam Flow in Two Steam Lines Coincident with T avg - Low Low or Coincident W ith Steam Line Pressure - Low (Three and Four Loop Units)

These Functions (4.e and 4.f) provide closure of the MSIVs during an SLa SLB or inadvertent opening of an SG relief or a safety valve, to maintain at least one unfaulted SG as a heat sink for the reactor and to limit the mass and energy release to containment.

These Functions were discussed previously as Functions 1.f.

and 1.g.

These Functions must be OPERABLE in MODES 1 and 2, and in MODE 3, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines unless all MSIVs are closed and [de-activated]. These Functions are not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.

g. Steam Line Isolation - High Steam Flow Coincident With Safety Injection and Coincident With Tavg - Low Low (Two Loop Units)

This Function provides closure of the MSIVs during an SLa SLB or inadvertent opening of an SG relief or safety valve to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment.

W OG STS B 3.3.2-32 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Two steam line flow channels per steam line are required OPERABLE for this Function. These are combined in a one-out-of-two logic to indicate high steam flow in one steam line. The steam flow transmitters provide control inputs, but the control function cannot cause the events that the function must protect against. Therefore, two channels are sufficient to satisfy redundancy requirements. The one-out-of-two configuration allows online testing because trip of one high steam flow channel is not sufficient to cause initiation.

The High Steam Flow Allowable Value is a P corresponding to 25% of full steam flow at no load steam pressure. The Trip Setpoint is similarly calculated.

W ith the transmitters (d/p cells) typically located inside the steam tunnels, it is possible for them to experience adverse environmental conditions during an SLa SLB event. Therefore, the Trip Setpoints reflect both steady state and adverse environmental instrument uncertainties.

The main steam line isolates only if the high steam flow signal occurs coincident with an SI and low low RCS average temperature. The Main Steam Line Isolation Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.

Two channels of T avg per loop are required to be OPERABLE.

The T avg channels are combined in a logic such that two channels tripped cause a trip for the parameter. The accidents that this Function protects against cause reduction of T avg in the entire primary system. Therefore, the provision of two OPERABLE channels per loop in a two-out-of-four configuration ensures no single random failure disables the T avg - Low Low Function. The T avg channels provide control inputs, but the control function cannot initiate events that the Function acts to mitigate. Therefore, additional channels are not required to address control protection interaction issues.

W ith the T avg resistance temperature detectors (RTDs) located inside the containment, it is possible for them to experience adverse environmental conditions during an SLa SLB event.

Therefore, the Trip Setpoint reflects both steady state and adverse environmental instrumental uncertainties.

W OG STS B 3.3.2-33 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

This Function must be OPERABLE in MODES 1 and 2, and in MODE 3, when above the P-12 setpoint, when a secondary side break or stuck open valve could result in rapid depressurization of the steam lines. Below P-12 this Function is not required to be OPERABLE because the High High Steam Flow coincident with SI Function provides the required protection. The Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless all MSIVs are closed and [de-activated].

This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.

h. Steam Line Isolation - High High Steam Flow Coincident With Safety Injection (Two Loop Units)

This Function provides closure of the MSIVs during a steam line break (or inadvertent opening of a relief or safety valve) to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment.Two steam line flow channels per steam line are required to be OPERABLE for this Function. These are combined in a one-out-of-two logic to indicate high steam flow in one steam line. The steam flow transmitters provide control inputs, but the control function cannot cause the events that the Function must protect against. Therefore, two channels are sufficient to satisfy redundancy requirements.

The Allowable Value for high steam flow is a P, corresponding to 130% of full steam flow at full steam pressure. The Trip Setpoint is similarly calculated.

W ith the transmitters typically located inside the steam tunnels, it is possible for them to experience adverse environmental conditions during an SLa SLB event. Therefore, the Trip Setpoint reflects both steady state and adverse environmental instrument uncertainties.

The main steam lines isolate only if the high steam flow signal occurs coincident with an SI signal. The Main Steam Line Isolation Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.

W OG STS B 3.3.2-34 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

This Function must be OPERABLE in MODES 1, 2, and 3 when a secondary side break or stuck open valve could result in rapid depressurization of the steam lines unless all MSIVs are closed and [de-activated]. This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.

5. Turbine Trip and Feedwater Isolation The primary functions of the Turbine Trip and Feedwater Isolation signals are to prevent damage to the turbine due to water in the steam lines, and to stop the excessive flow of feedwater into the SGs. These Functions are necessary to mitigate the effects of a high water level in the SGs, which could result in carryover of water into the steam lines and excessive cooldown of the primary system. The SG high water level is due to excessive feedwater flows.

The Function is actuated when the level in any SG exceeds the high high setpoint, and performs the following functions:

• Trips the main turbine,

• Trips the MFW pumps,

• Initiates feedwater isolation, and

• Shuts the MFW regulating valves and the bypass feedwater regulating valves.

This Function is actuated by SG W ater Level - High High, or by an SI signal. The RTS also initiates a turbine trip signal whenever a reactor trip (P-4) is generated. In the event of SI, the unit is taken off line and the turbine generator must be tripped. The MFW System is also taken out of operation and the AFW System is automatically started. The SI signal was discussed previously.

a. Turbine Trip and Feedwater Isolation - Automatic Actuation Logic and Actuation Relays Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

W OG STS B 3.3.2-35 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

b. Turbine Trip and Feedwater Isolation - Steam Generator Water Level - High High (P-14)

This signal provides protection against excessive feedwater flow.

The ESFAS SG water level instruments provide input to the SG W ater Level Control System. Therefore, the actuation logic must be able to withstand both an input failure to the control system (which may then require the protection function actuation) and a single failure in the other channels providing the protection function actuation. Thus, four OPERABLE channels are required to satisfy the requirements with a two-out-of-four logic.

For units that have dedicated protection and control channels, only three protection channels are necessary to satisfy the protective requirements. For other units that have only three channels, a median signal selector is provided or justification is provided in NUREG-1218 (Ref. 7).

The transmitters (d/p cells) are located inside containment.

However, the events that this Function protects against cannot cause a severe environment in containment. Therefore, the Trip Setpoint reflects only steady state instrument uncertainties.

c. Turbine Trip and Feedwater Isolation - Safety Injection Turbine Trip and Feedwater Isolation is also initiated by all Functions that initiate SI. The Feedwater Isolation Function requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead Function 1, SI, is referenced for all initiating functions and requirements.

Turbine Trip and Feedwater Isolation Functions must be OPERABLE in MODES 1 and 2 [and 3] except when all MFIVs, MFRVs, [and associated bypass valves] are closed and [de-activated] [or isolated by a closed manual valve] when the MFW System is in operation and the turbine generator may be in operation. In MODES [3,] 4, 5, and 6, the MFW System and the turbine generator are not in service and this Function is not required to be OPERABLE.

W OG STS B 3.3.2-36 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

6. Auxiliary Feedwater The AFW System is designed to provide a secondary side heat sink for the reactor in the event that the MFW System is not available.

The system has two motor driven pumps and a turbine driven pump, making it available during normal unit operation, during a loss of AC power, a loss of MFW , and during a Feedwater System pipe break.

The normal source of water for the AFW System is the condensate storage tank (CST) (normally not safety related). A low level in the CST will automatically realign the pump suctions to the Essential Service W ater (ESW ) System (safety related). The AFW System is aligned so that upon a pump start, flow is initiated to the respective SGs immediately.

a. Auxiliary Feedwater - Automatic Actuation Logic and Actuation Relays (Solid State Protection System)

Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

b. Auxiliary Feedwater - Automatic Actuation Logic and Actuation Relays (Balance of Plant ESFAS)

Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

c. Auxiliary Feedwater - Steam Generator Water Level - Low Low SG W ater Level - Low Low provides protection against a loss of heat sink. A feed line break, inside or outside of containment, or a loss of MFW , would result in a loss of SG water level. SG W ater Level - Low Low provides input to the SG Level Control System. Therefore, the actuation logic must be able to withstand both an input failure to the control system which may then require a protection function actuation and a single failure in the other channels providing the protection function actuation. Thus, four OPERABLE channels are required to satisfy the requirements with two-out-of-four logic. For units that have dedicated protection and control channels, only three protection channels are necessary to satisfy the protective requirements.

For other units that have only three channels, a median signal selector is provided or justification is provided in Reference 7.

W OG STS B 3.3.2-37 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

W ith the transmitters (d/p cells) located inside containment and thus possibly experiencing adverse environmental conditions (feed line break), the Trip Setpoint reflects the inclusion of both steady state and adverse environmental instrument uncertainties.

d. Auxiliary Feedwater - Safety Injection An SI signal starts the motor driven and turbine driven AFW pumps. The AFW initiation functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.

e. Auxiliary Feedwater - Loss of Offsite Power A loss of offsite power to the service buses will be accompanied by a loss of reactor coolant pumping power and the subsequent need for some method of decay heat removal. The loss of offsite power is detected by a voltage drop on each service bus.

Loss of power to either service bus will start the turbine driven AFW pumps to ensure that at least one SG contains enough water to serve as the heat sink for reactor decay heat and sensible heat removal following the reactor trip.

Functions 6.a through 6.e must be OPERABLE in MODES 1, 2, and 3 to ensure that the SGs remain the heat sink for the reactor.

SG W ater Level - Low Low in any operating SG will cause the motor driven AFW pumps to start. The system is aligned so that upon a start of the pump, water immediately begins to flow to the SGs. SG W ater Level - Low Low in any two operating SGs will cause the turbine driven pumps to start. These Functions do not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW actuation does not need to be OPERABLE because either AFW or residual heat removal (RHR) will already be in operation to remove decay heat or sufficient time is available to manually place either system in operation.

W OG STS B 3.3.2-38 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

f. Auxiliary Feedwater - Undervoltage Reactor Coolant Pump A loss of power on the buses that provide power to the RCPs provides indication of a pending loss of RCP forced flow in the RCS. The Undervoltage RCP Function senses the voltage downstream of each RCP breaker. A loss of power, or an open RCP breaker, on two or more RCPs, will start the turbine driven AFW pump to ensure that at least one SG contains enough water to serve as the heat sink for reactor decay heat and sensible heat removal following the reactor trip.

g. Auxiliary Feedwater - Trip of All Main Feedwater Pumps A Trip of all MFW pumps is an indication of a loss of MFW and the subsequent need for some method of decay heat and sensible heat removal to bring the reactor back to no load temperature and pressure. A turbine driven MFW pump is equipped with two pressure switches on the control air/oil line for the speed control system. A low pressure signal from either of these pressure switches indicates a trip of that pump. Motor driven MFW pumps are equipped with a breaker position sensing device. An open supply breaker indicates that the pump is not running. Two OPERABLE channels per pump satisfy redundancy requirements with one-out-of-two taken twice logic.

A trip of all MFW pumps starts the motor driven and turbine driven AFW pumps to ensure that at least one SG is available with water to act as the heat sink for the reactor.

Functions 6.f and 6.g must be OPERABLE in MODES 1 and 2. This ensures that at least one SG is provided with water to serve as the heat sink to remove reactor decay heat and sensible heat in the event of an accident. In MODES 3, 4, and 5, the RCPs and MFW pumps may be normally shut down, and thus neither pump trip is indicative of a condition requiring automatic AFW initiation.

h. Auxiliary Feedwater - Pump Suction Transfer on Suction Pressure - Low A low pressure signal in the AFW pump suction line protects the AFW pumps against a loss of the normal supply of water for the pumps, the CST. Two pressure switches are located on the AFW pump suction line from the CST. A low pressure signal W OG STS B 3.3.2-39 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) sensed by any one of the switches will cause the emergency supply of water for both pumps to be aligned, or cause the AFW pumps to stop until the emergency source of water is aligned.

ESW (safety grade) is then lined up to supply the AFW pumps to ensure an adequate supply of water for the AFW System to maintain at least one of the SGs as the heat sink for reactor decay heat and sensible heat removal.

Since the detectors are located in an area not affected by HELBs or high radiation, they will not experience any adverse environmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties.

This Function must be OPERABLE in MODES 1, 2, and 3 to ensure a safety grade supply of water for the AFW System to maintain the SGs as the heat sink for the reactor. This Function does not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW automatic suction transfer does not need to be OPERABLE because RHR will already be in operation, or sufficient time is available to place RHR in operation, to remove decay heat.

7. Automatic Switchover to Containment Sump At the end of the injection phase of a LOCA, the RW ST will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump. The low head residual heat removal (RHR) pumps and containment spray pumps draw the water from the containment recirculation sump, the RHR pumps pump the water through the RHR heat exchanger, inject the water back into the RCS, and supply the cooled water to the other ECCS pumps. Switchover from the RW ST to the containment sump must occur before the RW ST empties to prevent damage to the RHR pumps and a loss of core cooling capability. For similar reasons, switchover must not occur before there is sufficient water in the containment sump to support ESF pump suction. Furthermore, early switchover must not occur to ensure that sufficient borated water is injected from the RW ST. This ensures the reactor remains shut down in the recirculation mode.

W OG STS B 3.3.2-40 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

a. Automatic Switchover to Containment Sump - Automatic Actuation Logic and Actuation Relays Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

b, c. Automatic Switchover to Containment Sump - Refueling W ater Storage Tank (RW ST) Level - Low Low Coincident W ith Safety Injection and Coincident W ith Containment Sump Level - High During the injection phase of a LOCA, the RW ST is the source of water for all ECCS pumps. A low low level in the RW ST coincident with an SI signal provides protection against a loss of water for the ECCS pumps and indicates the end of the injection phase of the LOCA. The RW ST is equipped with four level transmitters. These transmitters provide no control functions.

Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added for increased reliability.The RW ST - Low Low Allowable Value/Trip Setpoint has both upper and lower limits. The lower limit is selected to ensure switchover occurs before the RW ST empties, to prevent ECCS pump damage. The upper limit is selected to ensure enough borated water is injected to ensure the reactor remains shut down. The high limit also ensures adequate water inventory in the containment sump to provide ECCS pump suction.

The transmitters are located in an area not affected by HELBs or post accident high radiation. Thus, they will not experience any adverse environmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties.

Automatic switchover occurs only if the RW ST low low level signal is coincident with SI. This prevents accidental switchover during normal operation. Accidental switchover could damage ECCS pumps if they are attempting to take suction from an empty sump. The automatic switchover Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements.

W OG STS B 3.3.2-41 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

---

REVIEW ERS NOTE-------------------------------

In some units, additional protection from spurious switchover is provided by requiring a Containment Sump Level - High signal as well as RW ST Level - Low Low and SI. This ensures sufficient water is available in containment to support the recirculation phase of the accident. A Containment Sump Level - High signal must be present, in addition to the SI signal and the RW ST Level - Low Low signal, to transfer the suctions of the RHR pumps to the containment sump. The containment sump is equipped with four level transmitters. These transmitters provide no control functions. Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added for increased reliability. The containment sump level Trip Setpoint/Allowable Value is selected to ensure enough borated water is injected to ensure the reactor remains shut down. The high limit also ensures adequate water inventory in the containment sump to provide ECCS pump suction. The transmitters are located inside containment and thus possibly experience adverse environmental conditions. Therefore, the trip setpoint reflects the inclusion of both steady state and environmental instrument uncertainties.

Units only have one of the Functions, 7.b or 7.c.

These Functions must be OPERABLE in MODES 1, 2, 3, and 4 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS pumps. These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. System pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

8. Engineered Safety Feature Actuation System Interlocks To allow some flexibility in unit operations, several interlocks are included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent some actions from occurring, and cause other actions to occur. The interlock Functions back up manual actions to ensure bypassable functions are in operation under the conditions assumed in the safety analyses.

W OG STS B 3.3.2-42 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

a. Engineered Safety Feature Actuation System Interlocks - Reactor Trip, P-4 The P-4 interlock is enabled when a reactor trip breaker (RTB) and its associated bypass breaker is open. Once the P-4 interlock is enabled, automatic SI initiation is blocked after a [ ] second time delay. This Function allows operators to take manual control of SI systems after the initial phase of injection is complete. Once SI is blocked, automatic actuation of SI cannot occur until the RTBs have been manually closed. The functions of the P-4 interlock are:

• Trip the main turbine,

• Isolate MFW with coincident low Tavg,

• Prevent reactuation of SI after a manual reset of SI,

• Transfer the steam dump from the load rejection controller to the unit trip controller, and

• Prevent opening of the MFW isolation valves if they were closed on SI or SG Water Level - High High.

Each of the above Functions is interlocked with P-4 to avert or reduce the continued cooldown of the RCS following a reactor trip. An excessive cooldown of the RCS following a reactor trip could cause an insertion of positive reactivity with a subsequent increase in generated power. To avoid such a situation, the noted Functions have been interlocked with P-4 as part of the design of the unit control and protection system.

None of the noted Functions serves a mitigation function in the unit licensing basis safety analyses. Only the turbine trip Function is explicitly assumed since it is an immediate consequence of the reactor trip Function. Neither turbine trip, nor any of the other four Functions associated with the reactor trip signal, is required to show that the unit licensing basis safety analysis acceptance criteria are not exceeded.

W OG STS B 3.3.2-43 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The RTB position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts. Therefore, this Function has no adjustable trip setpoint with which to associate a Trip Setpoint and Allowable Value.

This Function must be OPERABLE in MODES 1, 2, and 3 when the reactor may be critical or approaching criticality. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because the main turbine, the MFW System, and the Steam Dump System are not in operation.

g. Engineered Safety Feature Actuation System Interlocks -

Pressurizer Pressure, P-11 The P-11 interlock permits a normal unit cooldown and depressurization without actuation of SI or main steam line isolation. W ith two-out-of-three pressurizer pressure channels (discussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer Pressure - Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure -

Low steam line isolation signal (previously discussed). W hen the Steam Line Pressure - Low steam line isolation signal is manually blocked, a main steam isolation signal on Steam Line Pressure - Negative Rate - High is enabled. This provides protection for an SLa SLB by closure of the MSIVs. W ith two-out-of-three pressurizer pressure channels above the P-11 setpoint, the Pressurizer Pressure - Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure - Low steam line isolation signal are automatically enabled. The operator can also enable these trips by use of the respective manual reset buttons. W hen the Steam Line Pressure - Low steam line isolation signal is enabled, the main steam isolation on Steam Line Pressure - Negative Rate - High is disabled. The Trip Setpoint reflects only steady state instrument uncertainties.This Function must be OPERABLE in MODES 1, 2, and 3 to allow an orderly cooldown and depressurization of the unit without the actuation of SI or main steam isolation. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because system pressure must already be below the P-11 setpoint for the requirements of the heatup and cooldown curves to be met.

W OG STS B 3.3.2-44 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

h. Engineered Safety Feature Actuation System Interlocks - Tavg -

Low Low, P-12 On increasing reactor coolant temperature, the P-12 interlock reinstates SI on High Steam Flow Coincident W ith Steam Line Pressure - Low or Coincident W ith T avg - Low Low and provides an arming signal to the Steam Dump System. On decreasing reactor coolant temperature, the P-12 interlock allows the operator to manually block SI on High Steam Flow Coincident W ith Steam Line Pressure - Low or Coincident with T avg - Low Low. On a decreasing temperature, the P-12 interlock also removes the arming signal to the Steam Dump System to prevent an excessive cooldown of the RCS due to a malfunctioning Steam Dump System.

Since T avg is used as an indication of bulk RCS temperature, this Function meets redundancy requirements with one OPERABLE channel in each loop. In three loop units, these channels are used in two-out-of-three logic. In four loop units, they are used in two-out-of-four logic.

This Function must be OPERABLE in MODES 1, 2, and 3 when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to have an accident.

The ESFAS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

ACTIONS ----------------------------REVIEW ERS NOTE------------------------------------------ In Table 3.3.2-1, Functions 7.b and 7.c were not included in the generic evaluations approved in either W CAP-10271, as supplemented, W CAP-15376 or W CAP-14333. In order to apply the W CAP-10271, as supplemented, and W CAP-15376 or W CAP-14333 TS relaxations to plant specific Functions not evaluated generically, licensees must submit plant specific evaluations for NRC review and approval.

A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table 3.3.2-1.

W OG STS B 3.3.2-45 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued)

In the event a channel's Trip Setpointtrip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument Loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. W hen the Required Channels in Table 3.3.2-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.

W hen the number of inoperable channels in a trip function exceed those specified in one or other related Conditions associated with a trip function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.

---

REVIEW ERS NOTE------------------------------------------

Certain LCO Completion Times are based on approved topical reports. In order for a licensee to use these times, the licensee must justify the Completion Times as required by the staff Safety Evaluation Report (SER) for the topical report.

A.1 Condition A applies to all ESFAS protection functions.

Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

B.1, B.2.1, and B.2.2 Condition B applies to manual initiation of:

• SI,

• Containment Spray,

• Phase A Isolation, and

• Phase B Isolation.

W OG STS B 3.3.2-46 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued)

This action addresses the train orientation of the SSPS for the functions listed above. If a channel or train is inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is allowed to return it to an OPERABLE status. Note that for containment spray and Phase B isolation, failure of one or both channels in one train renders the train inoperable. Condition B, therefore, encompasses both situations.

The specified Completion Time is reasonable considering that there are two automatic actuation trains and another manual initiation train OPERABLE for each Function, and the low probability of an event occurring during this interval. If the train cannot be restored to OPERABLE status, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 within an additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> total time) and in MODE 5 within an additional 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> (84 hours9.722222e-4 days <br />0.0233 hours <br />1.388889e-4 weeks <br />3.1962e-5 months <br /> total time). The allowable Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.C.1, C.2.1, and C.2.2 Condition C applies to the automatic actuation logic and actuation relays for the following functions:

• SI,

• Containment Spray,

• Phase A Isolation,

• Phase B Isolation, and

• Automatic Switchover to Containment Sump.

This action addresses the train orientation of the SSPS and the master and slave relays. If one train is inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to restore the train to OPERABLE status. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed for restoring the inoperable train to OPERABLE status is justified in Reference 8. The specified Completion Time is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the train cannot be restored to OPERABLE status, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 within W OG STS B 3.3.2-47 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued) an additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> total time) and in MODE 5 within an additional 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> (60 hours6.944444e-4 days <br />0.0167 hours <br />9.920635e-5 weeks <br />2.283e-5 months <br /> total time). The Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.The Required Actions are modified by a Note that allows one train to be bypassed for up to [4] hours for surveillance testing, provided the other train is OPERABLE. This allowance is based on the reliability analysis assumption of W CAP-10271-P-A (Ref. 9) that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required to perform train surveillance.

D.1, D.2.1, and D.2.2 Condition D applies to:

• Containment Pressure - High 1,

• Pressurizer Pressure - Low (two, three, and four loop units),

• Steam Line Pressure - Low,

• Steam Line Differential Pressure - High,

• High Steam Flow in Two Steam Lines Coincident With Tavg - Low Low or Coincident With Steam Line Pressure - Low,

• Containment Pressure - High 2,

• Steam Line Pressure - Negative Rate - High,

• High Steam Flow Coincident With Safety Injection Coincident With Tavg - Low Low,

• High High Steam Flow Coincident With Safety Injection,

• High Steam Flow in Two Steam Lines Coincident With Tavg - Low Low,

• SG Water level - Low Low (two, three, and four loop units), and

• [SG Water level - High High (P-14) (two, three, and four loop units). ]

W OG STS B 3.3.2-48 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued)

If one channel is inoperable, 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> are allowed to restore the channel to OPERABLE status or to place it in the tripped condition. Generally this Condition applies to functions that operate on two-out-of-three logic.

Therefore, failure of one channel places the Function in a two-out-of-two configuration. One channel must be tripped to place the Function in a one-out-of-three configuration that satisfies redundancy requirements.

The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to restore the channel to OPERABLE status or to place it in the tripped condition is justified in Reference 8.

Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> requires the unit be placed in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, these Functions are no longer required OPERABLE.

[ The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing of other channels. The 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for testing, are justified in Reference 8. ]

---

REVIEW ERS NOTE------------------------------------------

The below text should be used for plants with installed bypass test capability:

The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 8.

E.1, E.2.1, and E.2.2 Condition E applies to:

• Containment Spray Containment Pressure - High 3 (High, High) (two, three, and four loop units), and

• Containment Phase B Isolation Containment Pressure - High 3 (High, High).

W OG STS B 3.3.2-49 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued)

None of these signals has input to a control function. Thus, two-out-of-three logic is necessary to meet acceptable protective requirements.

However, a two-out-of-three design would require tripping a failed channel. This is undesirable because a single failure would then cause spurious containment spray initiation. Spurious spray actuation is undesirable because of the cleanup problems presented. Therefore, these channels are designed with two-out-of-four logic so that a failed channel may be bypassed rather than tripped. Note that one channel may be bypassed and still satisfy the single failure criterion. Furthermore, with one channel bypassed, a single instrumentation channel failure will not spuriously initiate containment spray.To avoid the inadvertent actuation of containment spray and Phase B containment isolation, the inoperable channel should not be placed in the tripped condition. Instead it is bypassed. Restoring the channel to OPERABLE status, or placing the inoperable channel in the bypass condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, is sufficient to assure that the Function remains OPERABLE and minimizes the time that the Function may be in a partial trip condition (assuming the inoperable channel has failed high). The Completion Time is further justified based on the low probability of an event occurring during this interval. Failure to restore the inoperable channel to OPERABLE status, or place it in the bypassed condition within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, requires the unit be placed in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the next 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, these Functions are no longer required OPERABLE.

[ The Required Actions are modified by a Note that allows one additional channel to be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing.

Placing a second channel in the bypass condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for testing purposes is acceptable based on the results of Reference 8. ]

---

REVIEW ERS NOTE------------------------------------------

The below text should be used for plants with installed bypass test capability:

The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 8.

W OG STS B 3.3.2-50 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued)

F.1, F.2.1, and F.2.2 Condition F applies to:

• Manual Initiation of Steam Line Isolation,

• Loss of Offsite Power,

• Auxiliary Feedwater Pump Suction Transfer on Suction Pressure -

Low, and

• P-4 Interlock.

For the Manual Initiation and the P-4 Interlock Functions, this action addresses the train orientation of the SSPS. For the Loss of Offsite Power Function, this action recognizes the lack of manual trip provision for a failed channel. For the AFW System pump suction transfer channels, this action recognizes that placing a failed channel in trip during operation is not necessarily a conservative action.

Spurious trip of this function could align the AFW System to a source that is not immediately capable of supporting pump suction. If a train or channel is inoperable, 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is allowed to return it to OPERABLE status. The specified Completion Time is reasonable considering the nature of these Functions, the available redundancy, and the low probability of an event occurring during this interval. If the Function cannot be returned to OPERABLE status, the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems. In MODE 4, the unit does not have any analyzed transients or conditions that require the explicit use of the protection functions noted above.

G.1, G.2.1, and G.2.2 Condition G applies to the automatic actuation logic and actuation relays for the Steam Line Isolation [,Turbine Trip and Feedwater Isolation,] and AFW actuation Functions.

W OG STS B 3.3.2-51 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued)

The action addresses the train orientation of the SSPS and the master and slave relays for these functions. If one train is inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to restore the train to OPERABLE status. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed for restoring the inoperable train to OPERABLE status is justified in Reference 8. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the train cannot be returned to OPERABLE status, the unit must be brought to MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

Placing the unit in MODE 4 removes all requirements for OPERABILITY of the protection channels and actuation functions. In this MODE, the unit does not have analyzed transients or conditions that require the explicit use of the protection functions noted above.

The Required Actions are modified by a Note that allows one train to be bypassed for up to [4] hours for surveillance testing provided the other train is OPERABLE. This allowance is based on the reliability analysis (Ref. 9) assumption that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required to perform channel surveillance.

[ H.1 and H.2 Condition H applies to the automatic actuation logic and actuation relays for the Turbine Trip and Feedwater Isolation Function.

This action addresses the train orientation of the SSPS and the master and slave relays for this Function. If one train is inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to restore the train to OPERABLE status or the unit must be placed in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed for restoring the inoperable train to OPERABLE status is justified in Reference 8. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. These Functions are no longer required in MODE 3. Placing the unit in MODE 3 removes all requirements for OPERABILITY of the protection channels and actuation functions. In this MODE, the unit does not have analyzed transients or conditions that require the explicit use of the protection functions noted above.

W OG STS B 3.3.2-52 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued)

The Required Actions are modified by a Note that allows one train to be bypassed for up to [4] hours for surveillance testing provided the other train is OPERABLE. This allowance is based on the reliability analysis (Ref. 9) assumption that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required to perform channel surveillance. ]

I.1 and I.2 Condition I applies to:

• [ SG Water Level - High High (P-14) (two, three, and four loop units),

and ]

• Undervoltage Reactor Coolant Pump.

If one channel is inoperable, 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> are allowed to restore one channel to OPERABLE status or to place it in the tripped condition. If placed in the tripped condition, the Function is then in a partial trip condition where one-out-of-two or one-out-of-three logic will result in actuation. Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> requires the unit to be placed in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Time of 78 hours9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. In MODE 3, these Functions are no longer required OPERABLE.

[ The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to [12] hours for surveillance testing of other channels. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition, and the 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for a second channel to be in the bypassed condition for testing, are justified in Reference 8. ]

---

REVIEW ERS NOTE------------------------------------------

The below text should be used for plants with installed bypass test capability:

The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition, and the 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for a second channel to be in the bypassed condition for testing, are justified in Reference 8.

W OG STS B 3.3.2-53 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued)

J.1 and J.2 Condition J applies to the AFW pump start on trip of all MFW pumps.

This action addresses the train orientation of the SSPS for the auto start function of the AFW System on loss of all MFW pumps. The OPERABILITY of the AFW System must be assured by allowing automatic start of the AFW System pumps. If a channel is inoperable, 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> are allowed to return it to an OPERABLE status. If the function cannot be returned to an OPERABLE status, 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> are allowed to place the unit in MODE 3. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. In MODE 3, the unit does not have any analyzed transients or conditions that require the explicit use of the protection function noted above. The allowance of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> to return the train to an OPERABLE status is justified in Reference 9.

K.1, K.2.1, and K.2.2 Condition K applies to:

• RWST Level - Low Low Coincident with Safety Injection, and

• RWST Level - Low Low Coincident with Safety Injection and Coincident with Containment Sump Level - High.

RW ST Level - Low Low Coincident W ith SI and Coincident W ith Containment Sump Level - High provides actuation of switchover to the containment sump. Note that this Function requires the bistables to energize to perform their required action. The failure of up to two channels will not prevent the operation of this Function. However, placing a failed channel in the tripped condition could result in a premature switchover to the sump, prior to the injection of the minimum volume from the RW ST. Placing the inoperable channel in bypass results in a two-out-of-three logic configuration, which satisfies the requirement to allow another failure without disabling actuation of the switchover when required. Restoring the channel to OPERABLE status or placing the inoperable channel in the bypass condition within [6] hours is sufficient to ensure that the Function remains OPERABLE, and minimizes the time that the Function may be in a partial trip condition (assuming the W OG STS B 3.3.2-54 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued) inoperable channel has failed high). The [6] hour Completion Time is justified in Reference 10. If the channel cannot be returned to OPERABLE status or placed in the bypass condition within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, the unit must be brought to MODE 3 within the following [6] hours and MODE 5 within the next 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 5, the unit does not have any analyzed transients or conditions that require the explicit use of the protection functions noted above.

[ The Required Actions are modified by a Note that allows placing a second channel in the bypass condition for up to [4] hours for surveillance testing. The total of [12] hours to reach MODE 3 and [4] hours for a second channel to be bypassed is acceptable based on the results of Reference 10.]

---

REVIEW ERS NOTE------------------------------------------

The below text should be used for plants with installed bypass test capability:

The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing. The channel to be tested can be tested in bypass with the inoperable channel also in bypass. The total of [12] hours to reach MODE 3 and [4] hours for a second channel to be bypassed is acceptable based on the results of Reference 10.

L.1, L.2.1, and L.2.2 Condition L applies to the P-11 and P-12 [and P-14] interlocks.

W ith one or more channels inoperable, the operator must verify that the interlock is in the required state for the existing unit condition. This action manually accomplishes the function of the interlock. Determination must be made within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is equal to the time allowed by LCO 3.0.3 to initiate shutdown actions in the event of a complete loss of ESFAS function. If the interlock is not in the required state (or placed in the required state) for the existing unit condition, the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. Placing the unit in MODE 4 removes all requirements for OPERABILITY of these interlocks.

W OG STS B 3.3.2-55 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE ----------------------------REVIEW ERS NOTE------------------------------------------

REQUIREMENTS In Table 3.3.2-1, Functions 7.b and 7.c were not included in the generic evaluations approved in either W CAP-10271, as supplemented, or W CAP-14333. In order to apply the W CAP-10271, as supplemented, and W CAP-14333 TS relaxations to plant specific Functions not evaluated generically, licensees must submit plant specific evaluations for NRC review and approval.

---

REVIEW ERS NOTE -------------------------------------------The Notes in Table 3.3.2-1 requiring reset of the channel to a predefined as-left tolerance and the verification of the as-found tolerance are only associated with SL-LSSS values. Therefore, the Notes are applied to specific SRs for the associated functions in the SR column only. The Notes may be placed at the top of the Allowable Value column in the Table and applied to all Functions with allowable values in the table, but doing so is not required to comply with 10 CFR 50.36. ----------------------------------------------------------

---

REVIEW ERS NOTE ------------------------------------Notes b and c are applied to the setpoint verification Surveillances for all SL-LSSS Functions unless one or more of the following exclusions apply:

1. Notes b and c are not applied to SL-LSSS Functions which utilize mechanical components to sense the trip setpoint or to manual initiation circuits. Examples of mechanical components are limit switches, float switches, proximity detectors, manual actuation switches, and other such devices that are normally only checked on a "go/no go" basis. Notes b and c require a comparison of the periodic surveillance requirement results to provide an indication of channel (or individual device) performance. This comparison is not valid for most mechanical components. While it is possible to verify that a limit switch functions at a point of travel, a change in the surveillance test result probably indicates that the switch has moved, not that the input/output relationship has changed. Therefore, a comparison of surveillance requirement tests results would not provide an indication of the channel or component performance.

2. Notes b and c are not applied to the Technical Specifications associated with safety relief valves. The performance of these components is already controlled (i.e., trended with as-left and as-found limits) under the ASME Section XI testing program.

3. Notes b and c mayare not apply ied to SL-LSSS Functions and Surveillances which test only digital components. For purely digital components, (such as actuation logic and associated relays) there is no expected change in result between surveillance performances other than measurement and test errors (M&TE) and, therefore, justification is needed to confirm that comparison of Surveillance W OG STS B 3.3.2-56 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 results does not provide an indication of channel or component performance.

A generic evaluation of SL-LSSS Functions resulted in Notes b and c being applied to the Functions shown in TS 3.3.2. Each licensee adopting this change must review the list of potential SL-LSSS Functions to identify whether any of the identified functions are not SL-LSSS or meet any of the exclusion criteria based on the plant-specific design and safety analysis (AOOs). It is assumed that each generically identified Function is a plant-specific SL-LSSS unless it can be demonstrated by the licensee that the Function does not meet the definition of an SLa SL-LSSS or it meets one of the exclusion criteria. In addition, each plant adopting this change must evaluate any plant-specific Functions that do not appear in the ISTS NUREG to determine if the plant-specific Function is an SLa SL-LSSS.----

The SRs for each ESFAS Function are identified by the SRs column of Table 3.3.2-1.

A Note has been added to the SR Table to clarify that Table 3.3.2-1 determines which SRs apply to which ESFAS Functions.

Note that each channel of process protection supplies both trains of the ESFAS. W hen testing channel I, train A and train B must be examined.

Similarly, train A and train B must be examined when testing channel II, channel III, and channel IV (if applicable). The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.

---

REVIEW ERS NOTE-----------------------------------------

Certain Frequencies are based on approved topical reports. In order for a licensee to use these times, the licensee must justify the Frequencies as required by the staff SER for the topical report.

SR 3.3.2.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

W OG STS B 3.3.2-57 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and reliability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.

SR 3.3.2.2 SR 3.3.2.2 is the performance of an ACTUATION LOGIC TEST. The SSPS is tested every 92 days on a STAGGERED TEST BASIS, using the semiautomatic tester. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function. In addition, the master relay coil is pulse tested for continuity. This verifies that the logic modules are OPERABLE and that there is an intact voltage signal path to the master relay coils. The Frequency of every 92 days on a STAGGERED TEST BASIS is justified in Reference 11.

SR 3.3.2.3 SR 3.3.2.3 is the performance of an ACTUATION LOGIC TEST as described in SR 3.3.2.2, except that the semiautomatic tester is not used and the continuity check does not have to be performed, as explained in the Note. This SR is applied to the balance of plant actuation logic and relays that do not have the SSPS test circuits installed to utilize the semiautomatic tester or perform the continuity check. This test is also performed every 31 days on a STAGGERED TEST BASIS. The Frequency is adequate based on industry operating experience, considering instrument reliability and operating history data.

W OG STS B 3.3.2-58 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.4 SR 3.3.2.4 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This voltage is insufficient to pick up the slave relay, but large enough to demonstrate signal path continuity. This test is performed every 92 days on a STAGGERED TEST BASIS. The time allowed for the testing (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />) is justified in Reference 11. The Frequency of 92 days is justified in Reference 9.

SR 3.3.2.5 SR 3.3.2.5 is the performance of a COT.

A COT is performed on each required channel to ensure the entire channel will perform the intended Function. Setpoints must be found within conservative with respect to the Allowable Values specified in Table Table 3.3.2-1-1.. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.The difference between the current "as -found" values and the previous test "as -left" values must be consistent with the drift allowance used in the setpoint methodology. The setpoint shall be left set consistent with the assumptions of the current unit specific setpoint methodology.

The "as -found" and "as -left" values must also be recorded and reviewed for consistency with the assumptions of Reference 6.

The Frequency of 184 days is justified in Reference 11.

W OG STS B 3.3.2-59 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 SR 3.3.2.5 for SL-LSSS functions is modified by two Notes as identified in Table 3.3.2-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety analysisbehave in accordance with safety analysis setpoint methodology assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service.

The performance of these channels will be evaluated under the station's Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [NTSP].

W here a setpoint more conservative than the [NTSP] is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance of the [NTSP], then the instrument channel shall be declared inoperable.

---

REVIEW ERS NOTE-----------------------------------

The bracketed section '[NTSP and the]' of the sentence in Note (c) in Table 3.3.2-1 is not required in plant-specific Technical Specifications which include a [Nominal Trip Setpoint] column in Table 3.3.2-1.

The second Note also requires that the [NTSP and the] methodologies for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.6 SR 3.3.2.6 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact operation is verified in one of two ways. Actuation equipment that may be operated in the design mitigation MODE is either allowed to function, or is placed in a condition where the relay contact operation can be verified without operation of the equipment. Actuation equipment that may not be operated in the design mitigation MODE is prevented from operation by the SLAVE RELAY TEST circuit. For this latter case, contact operation is verified by a continuity check of the circuit containing the slave relay.

This test is performed every [92] days. The Frequency is adequate, W OG STS B 3.3.2-60 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 based on industry operating experience, considering instrument reliability and operating history data.

SR 3.3.2.7 SR 3.3.2.7 is the performance of a TADOT every [92] days. This test is a check of the Loss of Offsite Power, Undervoltage RCP, and AFW Pump Suction Transfer on Suction Pressure - Low Functions. Each Function is tested up to, and including, the master transfer relay coils. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

The test also includes trip devices that provide actuation signals directly to the SSPS. The SR is modified by a Note that excludes verification of setpoints for relays. Relay setpoints require elaborate bench calibration and are verified during CHANNEL CALIBRATION. The Frequency is adequate. It is based on industry operating experience, considering instrument reliability and operating history data.

W OG STS B 3.3.2-61 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.8 SR 3.3.2.8 is the performance of a TADOT. This test is a check of the Manual Actuation Functions and AFW pump start on trip of all MFW pumps. It is performed every [18] months. Each Manual Actuation Function is tested up to, and including, the master relay coils. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. In some instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.). The Frequency is adequate, based on industry operating experience and is consistent with the typical refueling cycle. The SR is modified by a Note that excludes verification of setpoints during the TADOT for manual initiation Functions. The manual initiation Functions have no associated setpoints.

W OG STS B 3.3.2-62 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 SR 3.3.2.9 SR 3.3.2.9 is the performance of a CHANNEL CALIBRATION.

A CHANNEL CALIBRATION is performed every [18] months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the unit specific setpoint methodology. The difference between the current "as -found" values and the previous test "as -left" values must be consistent with the drift allowance used in the setpoint methodology.

The Frequency of [18] months is based on the assumption of an

[18] month calibration interval in the determination of the magnitude of equipment drift in the setpoint methodology.

This SR is modified by a Note stating that this test should include verification that the time constants are adjusted to the prescribed values where applicable.

SR 3.3.2.9 for SL-LSSS functions is modified by two Notes as identified in Table 3.3.2-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with safety analysisbehave in accordance with safety analysis setpoint methodology assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service.

The performance of these channels will be evaluated under the station's Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to within the as-left tolerance of the [NTSP].

W here a setpoint more conservative than the [NTSP] is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left instrument setting cannot be returned to a setting within the as-left tolerance of the [NTSP], then the instrument channel shall be declared inoperable.

---

REVIEW ERS NOTE-----------------------------------

The bracketed section '[NTSP and the]' of the sentence in Note (c) in Table 3.3.2-1 is not required in plant-specific Technical Specifications which include a [Nominal Trip Setpoint] column in Table 3.3.2-1.

W OG STS B 3.3.2-63 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 The second Note also requires that the [NTSP and the] methodologies for calculating the as-left and the as-found tolerances be in [a document controlled under 10 CFR 50.59].

W OG STS B 3.3.2-64 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.10 This SR ensures the individual channel ESF RESPONSE TIMES are less than or equal to the maximum values assumed in the accident analysis.

Response Time testing acceptance criteria are included in the Technical Requirements Manual, Section 15 (Ref. 12). Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the Trip Setpoint value at the sensor, to the point at which the equipment in both trains reaches the required functional state (e.g.,

pumps at rated discharge pressure, valves in full open or closed position).

For channels that include dynamic transfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to one with the resulting measured response time compared to the appropriate FSAR response time. Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.

---

REVIEW ERS NOTE-----------------------------------------

Applicable portions of the following Bases are applicable for plants adopting W CAP-13632-P-A (Ref. 9). and/or W CAP-14036-P (Ref. 10).

Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from:

(1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g.,

vendor) test measurements, or (3) utilizing vendor engineering specifications. W CAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements," (Ref. 13) dated January 1996, provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the W CAP. Response time verification for other sensor types must be demonstrated by test.

W OG STS B 3.3.2-65 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

W CAP-14036-P, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests," (Ref. 14) provides the basis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time.

The allocations for sensor, signal conditioning, and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for repair are of the same type and value. Specific components identified in the W CAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing assembly of a transmitter.

ESF RESPONSE TIME tests are conducted on an [18] month STAGGERED TEST BASIS. Testing of the final actuation devices, which make up the bulk of the response time, is included in the testing of each channel. The final actuation device in one train is tested with each channel. Therefore, staggered testing results in response time verification of these devices every [18] months. The [18] month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

This SR is modified by a Note that clarifies that the turbine driven AFW pump is tested within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after reaching [1000] psig in the SGs.

SR 3.3.2.11 SR 3.3.2.11 is the performance of a TADOT as described in SR 3.3.2.8, except that it is performed for the P-4 Reactor Trip Interlock, and the Frequency is once per RTB cycle. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. This Frequency is based on operating experience demonstrating that undetected failure of the P-4 interlock sometimes occurs when the RTB is cycled.

The SR is modified by a Note that excludes verification of setpoints during the TADOT. The Function tested has no associated setpoint.

W OG STS B 3.3.2-66 Rev. 3.0, 03/31/04

Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES REFERENCES 1. FSAR, Chapter [6].

2. FSAR, Chapter [7].

3. FSAR, Chapter [15].

4. IEEE-279-1971.

5. 10 CFR 50.49.

6. Plant-specific setpoint methodology study.

7. NUREG-1218, April 1988.

8. W CAP-14333-P-A, Rev. 1, October 1998.

9. W CAP-10271-P-A, Supplement 2, Rev. 1, June 1990.

10. [Plant specific evaluation reference.]

11. W CAP-15376, Rev. 0. October 2000.

12. Technical Requirements Manual, Section 15, "Response Times."

13. W CAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements," January 1996.

14. W CAP-14036-P, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests," December 1995.

W OG STS B 3.3.2-67 Rev. 3.0, 03/31/04