ML072830151

From kanterella
Jump to navigation Jump to search
Technical Specification Bases, B 3.3 Instrumentation, Pages B 3.3.1-1 Through B 3.3.12-4
ML072830151
Person / Time
Site: Calvert Cliffs  Constellation icon.png
Issue date: 09/05/2007
From:
Constellation Energy Group
To:
Office of Nuclear Reactor Regulation
References
Download: ML072830151 (147)


Text

RPS Instrumentation-Operating B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Protective System (RPS) Instrumentation-Operating BASES BACKGROUND The RPS initiates a reactor trip to protect against violating the core specified acceptable fuel design limits and breaching the reactor coolant pressure boundary during anticipated operational occurrences (AOOs). By tripping the reactor, the RPS also assists the Engineered Safety Features (ESF) systems in mitigating accidents.

The protective systems have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as Limiting Conditions for Operation (LCOs) on other reactor system parameters and equipment performance.

The LSSS, defined in this Specification as the Allowable Value, in conjunction with the LCOs, establishes the threshold for protective system action to prevent exceeding acceptable limits during Design Basis Accidents (DBAs).

During AOOs, which are those events expected to occur one or more times during the plant life, the acceptable limits are:

  • The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling;
  • Fuel centerline melting shall not occur; and

Maintaining the parameters within the above values ensures that the offsite dose will be within Reference 2, 10 CFR Parts 50 and 100, criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable limit during accidents is that the offsite dose shall be maintained within the acceptance criteria given in the Reference 1, Chapter 14.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-1 Revision 2

RPS Instrumentation-Operating B 3.3.1 BASES The RPS is segmented into four interconnected modules.

These modules are:

  • Measurement channels;
  • Bistable trip units;

This LCO addresses measurement channels and bistable trip units. It also addresses the automatic bypass removal channel for those trips with operating bypasses. The RPS logic and RTCBs are addressed in LCO 3.3.3.

An instrument channel consists of the measurement channel and bistable trip unit for one channel of one Function.

The role of each of these modules in the RPS, including those associated with the logic and RTCBs, is discussed below.

Measurement Channels Measurement channels, consisting of field transmitters or process sensors and associated instrumentation, provide a measurable electronic signal based upon the physical characteristics of the parameter being measured.

The Power Range excore nuclear instrumentation drawers, Thermal Margin/Low Pressure (TM/LP) trip calculators, and Axial Power Distribution (APD) trip calculators, are considered components in the measurement channels. The power range nuclear instruments (NIs) provide average power and subchannel deviation signals. The wide range NIs provide a Rate of Change of Power-High trip. Two decades of overlap are provided between the power range NIs and the wide range NIs. Three RPS trip functions use a power level designated as Q power as an input. Q power is the higher of NI power and primary calorimetric power ('T power) based on RCS hot leg and cold leg temperatures. Trip functions using Q power as an input include the Power Level-High, TM/LP, and the APD trips.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-2 Revision 2

RPS Instrumentation-Operating B 3.3.1 BASES The TM/LP and APD trip calculators provide the complex signal processing necessary to calculate the TM/LP trip setpoint, Asymmetric Steam Generator Transient (ASGT) trip setpoint, APD trip setpoint, Power Level-High trip setpoint, and Q power calculation.

The excore NI drawers (wide range and power range) and the TM/LP and APD trip calculators are mounted in the RPS cabinet, with one channel of each in each of the four RPS bays.

Four measurement channels with electrical and physical separation are provided for each parameter used in the direct generation of trip signals. These are designated Channels A through D. Measurement channels provide input to one or more RPS bistables within the same RPS channel. In addition, some measurement channels may also be used as inputs to Engineered Safety Features Actuation System (ESFAS) sensor modules, and most provide indication in the Control Room. Measurement channels used as an input to the RPS are never used for control functions.

When a measurement channel monitoring a parameter exceeds a predetermined setpoint, indicating an unsafe condition, the bistable in the bistable trip unit monitoring the parameter in that measurement channel will trip. Tripping two or more bistable trip units monitoring the same parameter de-energizes matrix logic, which in turn de-energizes the trip path logic. This causes all eight RTCBs to open, interrupting power to the control element assemblies (CEAs),

allowing them to fall into the core.

Three of the four instrument channels are necessary to meet the redundancy and testability as described in Reference 1, Appendix 1C. The fourth channel provides additional flexibility by allowing one channel to be removed from service (trip bypass) for maintenance or testing, while still maintaining a minimum two-out-of-three logic. Thus, even with a channel inoperable, no single additional failure in the RPS can either cause an inadvertent trip or prevent a required trip from occurring.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-3 Revision 2

RPS Instrumentation-Operating B 3.3.1 BASES Since no single failure will either cause or prevent a protective system actuation, and no protective channel feeds a control channel, this arrangement meets the requirements of Reference 1, Section 7.2.2 and Reference 3.

Many of the RPS Function trips are generated by comparing a single measurement to a fixed bistable setpoint. Certain Functions, however, make use of more than one measurement to provide a trip. The following trips use multiple measurement channel inputs:

  • Power Level-High Trip The Power Level-High trip uses Q power as its only input. Q power is the higher of NI power and 'T power. Q power has a trip setpoint that tracks power levels downward so that the trip setpoint is always within a fixed increment above current power, subject to a minimum value.

On power increases, the trip setpoint remains fixed unless manually reset, at which point the trip setpoint increases to the new setpoint, which is a fixed increment above Q power at the time of reset, and the trip setpoint is subject to a maximum value. Thus, during power escalation, the trip setpoint must be repeatedly reset to avoid a reactor trip.

  • TM/LP and ASGT Trip Q power is only one of several inputs to the TM/LP trip. Other inputs include internal AXIAL SHAPE INDEX (ASI) and cold leg temperature based on the higher of two cold leg resistance temperature detectors. The TM/LP trip setpoint is a complex function of these CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-4 Revision 2

RPS Instrumentation-Operating B 3.3.1 BASES inputs and represents a minimum acceptable RCS pressure to be compared to actual RCS pressure in the TM/LP trip unit.

Steam generator pressure is also an indirect input to the TM/LP trip via the ASGT. This Function provides a reactor trip when the secondary pressure in either steam generator exceeds that of the other generator by greater than a fixed amount. The trip is implemented by biasing the TM/LP trip setpoint upward so as to ensure TM/LP trip if an ASGT is detected.

  • APD-High Trip Q power and subchannel deviation are inputs to the APD trip. The APD trip setpoint is a function of Q power, being more restrictive at higher power levels. It provides a reactor trip if actual ASI exceeds the APD trip setpoint.

Bistable Trip Units Bistable trip units, mounted in the RPS cabinet, receive an analog input from the measurement channels, compare the analog input to trip setpoints, and provide contact output to the matrix logic. They also provide local trip indication and remote annunciation.

There are four channels of bistable trip units, designated A through D, for each RPS Function, one for each measurement channel. Bistable output relays de-energize when a trip occurs.

The contacts from these bistable relays are arranged into six coincidence matrices, comprising the matrix logic. If bistables monitoring the same parameter in at least two bistable trip unit channels trip, the matrix logic will generate a reactor trip (two-out-of-four logic).

Some of the RPS measurement channels provide contact outputs to the RPS, so the comparison of an analog input to a trip setpoint is not necessary. In these cases, the bistable trip unit is replaced with an auxiliary trip unit. The auxiliary trip units provide contact multiplication so the CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-5 Revision 2

RPS Instrumentation-Operating B 3.3.1 BASES single input contact opening can provide multiple contact outputs to the matrix logic, as well as trip indication and annunciation.

Trip Functions employing auxiliary trip units include the Loss of Load trip and the APD trip.

The APD trip, described above, is a complex function in which the actual trip comparison is performed within the APD calculator. Therefore the APD trip unit employs a contact input from the APD calculator.

All RPS trips, with the exception of the Loss of Load trip, generate a pretrip alarm as the trip setpoint is approached.

The trip setpoints used in the bistable trip units are based on the analytical limits stated in Reference 1, Chapter 14, except for the APD and Loss of Load Functions, which are not credited in safety analyses. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account in the respective analytical limits. To allow for calibration tolerances, instrumentation uncertainties, instrument channel drift, and severe environment errors (for those RPS channels that must function in harsh environments, as defined by Reference 2, 10 CFR 50.49) RPS trip setpoints are conservatively adjusted with respect to the analytical limits. In the case of the TM/LP trip, there is also an additional adjustment for cold leg temperature differences.

A detailed description of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is provided in Reference 4. The nominal trip setpoint entered into the bistable is more conservative than that specified by the Allowable Value. A channel is inoperable if its actual setpoint is not within its required Allowable Value.

Setpoints in accordance with the Allowable Value will ensure that SLs of Chapter 2.0 are not violated during AOOs and the consequences of DBAs will be acceptable, providing the plant is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-6 Revision 12

RPS Instrumentation-Operating B 3.3.1 BASES Note that in the accompanying LCO 3.3.1, the Allowable Values of Table 3.3.1-1 are the LSSS.

RPS Logic The RPS logic, addressed in LCO 3.3.3, consists of both matrix and trip path logic and employs a scheme that provides a reactor trip when bistables in any two of the four channels sense the same input parameter trip signal.

This is called a two-out-of-four trip logic. This logic and the RTCB configuration are shown in Figure B 3.3.1-1.

Bistable relay contact outputs from the four bistable trip unit channels are configured into six logic matrices. Each logic matrix checks for a coincident trip in the same parameter in two bistable trip unit channels. The matrices are designated the AB, AC, AD, BC, BD, and CD matrices to reflect the bistable trip unit channels being monitored.

Each logic matrix contains four normally energized matrix relays. When a coincidence is detected, consisting of a trip in the same Function in the two channels being monitored by the logic matrix, all four matrix relays de-energize.

The logic matrix relay contacts are arranged into trip paths, with one of the four matrix relays in each matrix opening contacts in one of the four trip paths. Each trip path provides power to one of the four normally energized RTCB control relays (K1, K2, K3, and K4). Thus, the trip paths each have six contacts in series, one from each matrix, performing a logical OR function by opening the RTCBs if any one or more of the six logic matrices indicate a coincidence condition.

Each trip path is responsible for opening one set of two of the eight RTCBs. When de-energized, the RTCB control relays (K-relays) interrupt power to the breaker undervoltage trip coils and simultaneously apply power to the shunt trip coils on each of the two breakers. Actuation of either the undervoltage or shunt trip coil is sufficient to open the RTCB and interrupt power from the motor generator (MG) sets to the control element drive mechanisms (CEDMs).

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-7 Revision 12

RPS Instrumentation-Operating B 3.3.1 BASES When a coincidence occurs in two RPS instrument channels from one Function, all four matrix relays in the affected matrix de-energize. This, in turn, de-energizes all four RTCB control relays, which simultaneously de-energize the undervoltage and energize the shunt trip coils in all eight RTCBs, tripping them open.

Matrix logic refers to the matrix power supplies, trip channel bypass contacts, and interconnecting matrix wiring between bistable and auxiliary trip units, up to but not including the matrix relays. Contacts in the bistable and auxiliary trip units are excluded from the matrix logic definition, since they are addressed separately.

The trip path logic consists of the trip path power source, matrix relays and their associated contacts, and all interconnecting wiring through the K-relay contacts in the RTCB control circuitry.

It is possible to change the two-out-of-four RPS logic to a two-out-of-three logic for a given input parameter, in one channel at a time, by trip bypassing select portions of the matrix logic. Trip bypassing a bistable trip unit effectively shorts the bistable relay contacts in the three matrices associated with that instrument channel. Thus, the bistables will function normally, producing normal trip indication and annunciation, but a reactor trip will not occur unless two additional instrument channels indicate a trip condition. Trip bypassing can be simultaneously performed on any number of parameters in any number of Functions, providing each parameter is bypassed in only one instrument channel per function at a time. Administrative controls prevent simultaneous trip bypassing of the same parameter in more than one instrument channel. Trip bypassing is normally employed during maintenance or testing.

In addition to the trip bypasses, there are also operating bypasses on select RPS trips. Some of these operating bypasses are enabled manually, others automatically, in all four RPS instrument channels for a Function when plant conditions do not warrant the specific trip function protection. All operating bypasses are automatically CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-8 Revision 12

RPS Instrumentation-Operating B 3.3.1 BASES removed when enabling bypass conditions are no longer satisfied. Trip Functions with operating bypasses include Rate of Change of Power-High, Reactor Coolant Flow-Low, Steam Generator Pressure-Low, APD-High, TM/LP, and Steam Generator Pressure Difference trips. The Loss-of-Load, Rate of Change of Power-High, and APD-High trips operating bypasses are automatically enabled and disabled.

RTCBs The reactor trip switchgear, addressed in LCO 3.3.3 and shown in Figure B 3.3.1-1, consists of eight RTCBs, which are operated in four sets of two breakers (four RTCB channels, including shunt trip coils and undervoltage coils). Power input to the reactor trip switchgear comes from two full capacity MG sets operated in parallel such that the loss of either MG set does not de-energize the CEDMs. There are two separate CEDM power supply buses, each bus powering half of the CEDMs. Power is supplied from the MG sets to each bus via two redundant trip paths. This ensures that a fault or the opening of a breaker in one trip path (i.e., for testing purposes) will not interrupt power to the CEDM buses.

Each of the four trip paths consists of two RTCBs in series.

The two RTCBs within a trip path are actuated by separate trip paths.

The eight RTCBs are operated as four sets of two breakers (four RTCB channels, including shunt trip coils and undervoltage coils). Each set of two RTCBs is opened by the same K-relay. This arrangement ensures that power is interrupted to both CEDM buses, thus preventing trip of only half of the CEAs (a half trip). Any one inoperable RTCB in a RTCB channel (set of two breakers) will make the entire RTCB channel inoperable.

Each set of RTCBs is operated by either a manual trip push button or an RPS actuated K-relay. There are four manual trip push buttons, arranged in two sets of two, as shown in Figure B 3.3.1-1. Depressing both push buttons in either set will result in a reactor trip.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-9 Revision 12

RPS Instrumentation-Operating B 3.3.1 BASES When a manual trip is initiated using the control room push buttons, the RPS trip paths and K-relays are bypassed, and the RTCB undervoltage and shunt trip coils are actuated independent of the RPS.

A manual trip channel includes the push button and interconnecting wiring to both RTCBs necessary to actuate both the undervoltage and shunt trip coils but excludes the K-relay contacts and their interconnecting wiring to the RTCBs, which are considered part of the trip path logic.

Functional testing of the RPS instrument and logic channels, from bistable input through the opening of individual sets of RTCBs, can be performed either at power or shutdown and is normally performed on a quarterly basis. Reference 1, Section 7.2 explains RPS testing in more detail.

APPLICABLE Most of the analyzed accidents and transients can be SAFETY ANALYSES detected by one or more RPS Functions. The accident analysis contained in Reference 1, Chapter 14 takes credit for most RPS trip Functions. Some Functions not specifically credited in the accident analysis are part of the Nuclear Regulatory Commission (NRC)-approved licensing basis for the plant. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. Other Functions, such as the Loss of Load trip, are purely equipment protective, and their use minimizes the potential for equipment damage.

The specific safety analyses applicable to each protective Function are identified below:

1. Power Level-High Trip The Power Level-High trip provides reactor core protection against positive reactivity excursions that are too rapid for a Pressurizer Pressure-High or TM/LP trip to protect against. The following events require Power Level-High trip protection:
  • Uncontrolled CEA withdrawal event;
  • Excess load; and
  • CEA ejection event.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-10 Revision 12

RPS Instrumentation-Operating B 3.3.1 BASES The first two events are AOOs, and fuel integrity is maintained. The third is an accident, and limited fuel damage may occur.

2. Rate of Change of Power-High Trip The Rate of Change of Power-High trip is used to trip the reactor when excore logarithmic power, measured by the wide range logarithmic neutron flux monitors, indicates an excessive rate of change. The Rate of Change of Power-High trip Function minimizes transients for events such as a born dilution event, continuous CEA withdrawal, or CEA ejection from subcritical conditions. Because of this Function, such events are assured of having much less severe consequences than events initiated from critical conditions. The trip is automatically bypassed when NUCLEAR INSTRUMENT POWER is

< 1E-4% RTP, when poor counting statistics may lead to erroneous indication. It is also bypassed at

> 12% RTP, where other RPS trips provide protection from these events. The automatic bypass removal feature ensures that the Rate of Change of Power-High trip is enabled when reactor power is between 1E-4% and 12% RTP. With the RTCBs open, the Rate of Change of Power-High trip is not required to be OPERABLE; however, at least two wide range logarithmic neutron flux monitor channels are required by LCO 3.3.12 to be OPERABLE. Limiting Condition for Operation 3.3.12 ensures the wide range logarithmic neutron flux monitor channels are available to detect and alert the operator to a boron dilution event.

3. Reactor Coolant Flow-Low Trip The Reactor Coolant Flow-Low trip provides protection during the following events:
  • Loss of RCS flow;
  • Loss of non-emergency AC power; and

The loss of RCS flow and of non-emergency AC power events are AOOs where fuel integrity is maintained.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-11 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES The RCP seized rotor is an accident where fuel damage may result.

4. Pressurizer Pressure-High Trip The Pressurizer Pressure-High trip, in conjunction with pressurizer safety valves and main steam safety valves, provides protection against overpressure conditions in the RCS during the following events:
  • Loss of Load; and
5. Containment Pressure-High Trip The Containment Pressure-High trip prevents exceeding the containment design pressure during certain loss of coolant accidents (LOCAs) or FWLB accidents. It ensures a reactor trip prior to, or concurrent with, a LOCA, thus assisting the ESFAS in the event of a LOCA or Main Steam Line Break (MSLB). Since these are accidents, SLs may be violated. However, the consequences of the accident will be acceptable.
6. Steam Generator Pressure-Low Trip The Steam Generator Pressure-Low trip provides protection against an excessive rate of heat extraction from the steam generators, which would result in a rapid uncontrolled cooldown of the RCS. This trip is needed to shut down the reactor and assist the ESFAS in the event of an MSLB. Since these are accidents, SLs may be violated. However, the consequences of the accident will be acceptable.
7. Steam Generator 1 and 2 Level-Low Trip The Steam Generator 1 Level-Low and Steam Generator 2 Level-Low trips are required for the loss of normal feedwater and ASGT events.

The Steam Generator Level-Low trip ensures that low DNBR, high local power density, and the RCS pressure SLs are maintained during normal operation and AOOs, and, in conjunction with the ESFAS, the consequences of CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-12 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES the Feedwater System pipe break accident will be acceptable.

8. APD-High Trip The APD-High trip ensures that excessive axial peaking, such as that due to axial xenon oscillations, will not cause fuel damage. It ensures that neither a DNBR less than the SL, nor a peak linear heat rate that corresponds to the temperature for fuel centerline melting, will occur. This trip is the primary protection against fuel centerline melting. While no event specifically credits the Axial Flux Offset trip, the ASI limits established by this trip provide ASI limits for safety and setpoint analyses.
9. Thermal Margin
a. TM/LP Trip The TM/LP trip prevents exceeding the DNBR SL during AOOs and aids the ESFAS during certain accidents. The following events require TM/LP trip protection:
  • RCS depressurization (inadvertent safety or power-operated relief valves opening);

The first event is an AOOs, and fuel integrity is maintained. The second and third events are accidents, and limited fuel damage may occur, although only the LOCA is expected to result in fuel damage. The trip is initiated whenever the RCS pressure signal drops below a minimum value (Pmin) or a computed value (Pvar) as described below, whichever is higher. The setpoint is a Function of Q power, ASI, and reactor inlet (cold leg) temperature.

The minimum value of reactor coolant flow rate, the maximum AZIMUTHAL POWER TILT (Tq), and the maximum CEA deviation permitted for continuous operation are assumed in the generation of this CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-13 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES trip signal. In addition, CEA group sequencing in accordance with LCO 3.1.7 is assumed. Finally, the maximum insertion of CEA banks that can occur during any AOO prior to a Power Level-High trip is assumed.

b. ASGT The ASGT provides protection for those AOOs associated with secondary system malfunctions that result in asymmetric primary coolant temperatures.

The most limiting event is closure of a single main steam isolation valve (MSIV). Asymmetric Steam Generator Transient is provided by comparing the secondary pressure in both steam generators in the TM/LP trip calculator. If the pressure in either exceeds that in the other by the trip setpoint, a TM/LP trip will result.

10. Loss of Load The Loss of Load trip causes a trip when operating above 15% of RTP. This trip provides turbine protection, reduces the severity of the ensuing transient, and helps avoid the lifting of the main steam safety valves during the ensuing transient, thus extending the service life of these valves. No credit was taken in the accident analyses for operation of this trip. Its functional capability is required to enhance overall plant equipment service life and reliability.

Operating Bypasses The operating bypasses are addressed in footnotes to Table 3.3.1-1. They are not otherwise addressed as specific table entries.

The automatic bypass removal features must function as a backup to manual actions for all trips credited in safety analyses to ensure the trip Functions are not operationally bypassed when the safety analysis assumes the Functions are not bypassed. The RPS operating bypasses are:

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-14 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES Zero power mode bypass (ZPMB) removal of the TM/LP, ASGT, and reactor coolant low flow trips when NUCLEAR INSTRUMENT POWER is < 1E-4% RTP. This bypass is manually enabled below the specified setpoint to permit low power testing. The wide range NI Level 1 bistable in the wide range drawer provides a signal to auxiliary logic, which then permits manual bypassing below the setpoint and removes the bypass above the setpoint.

Power rate of change bypass removal ? The Rate of Change of Power-High trip is automatically bypassed at < 1E-4% RTP, as sensed by the wide range NI Level 1 bistable, and at

> 12% RTP by the linear range NI Level 1 bistable, mounted in their respective NI drawers (Reference 5). Automatic bypass removal is also effected by these bistables when conditions are no longer satisfied. The automatic bypass removal feature ensures that the Rate of Change of Power-High trip is enabled when reactor power is between 1E-4% and 12% RTP.

Loss of Load and APD-High trip bypass removal ? The Loss of Load and APD-High trips are automatically bypassed when at

< 15% RTP as sensed by the linear range NI Level 1 bistable.

The bypass is automatically removed by this bistable above the setpoint. This same bistable is used to bypass the Rate of Change of Power-High trip.

Steam Generator Pressure-Low trip bypass removal. The Steam Generator Pressure-Low trip is manually enabled below the pretrip setpoint. The permissive signal is removed, and the bypass automatically removed, when the Steam Generator Pressure-Low trip is above the pretrip setpoint.

The RPS instrumentation satisfies 10 CFR 50.36(c)(2)(ii),

Criterion 3.

LCO The LCO requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any required portion of the instrument channel renders the affected channel(s) inoperable and reduces the reliability of the affected Functions. The specific criteria for determining channel OPERABILITY differ slightly between Functions. These CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-15 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES criteria are discussed on a Function-by-Function basis below.

Actions allow trip channel bypass of individual instrument channels, but administrative controls prevent operation with a second channel in the same Function bypassed. Plants are restricted to 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> in a trip bypass condition before either restoring the Function to four channel operation (two-out-of-four logic) or placing the channel in trip (one-out-of-three logic).

Only the Allowable Values are specified for each RPS trip Function in the LCO. Nominal trip setpoints are established for the Functions via the plant-specific procedures. The nominal setpoints are selected to ensure the plant parameters do not exceed the Allowable Value if the bistable trip unit is performing as required. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable, provided that operation and testing are consistent with the assumptions of the plant-specific setpoint calculations. Each nominal trip setpoint is more conservative than the analytical limit assumed in the safety analysis in order to account for instrument channel uncertainties appropriate to the trip Function. These uncertainties are defined in Reference 4.

The nominal trip setpoint entered into a bistable is more conservative than that specified by the Allowable Value. A channel is inoperable if its actual setpoint is not within its required Allowable Value.

The following Bases for each trip Function identify the above RPS trip Function criteria items that are applicable to establish the trip Function OPERABILITY.

1. Power Level-High Trip This LCO requires all four instrument channels of the Power Level-High trip to be OPERABLE in MODEs 1 and 2.

The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Power Level-High trips during normal plant operations. The Allowable Value is low enough for the system to CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-16 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES maintain a margin to unacceptable fuel cladding damage should a CEA ejection accident occur.

The Power Level-High trip setpoint is operator adjustable and can be set at a fixed increment above the indicated THERMAL POWER level. Operator action is required to increase the trip setpoint as THERMAL POWER is increased. The trip setpoint is automatically decreased as THERMAL POWER decreases.

The trip setpoint has a maximum and a minimum setpoint.

Adding to this maximum value the possible variation in trip setpoint due to calibration and instrument errors, the maximum actual steady state THERMAL POWER level at which a trip would be actuated is 109% RTP, which is the value used in the safety analyses.

To account for these errors, the safety analysis minimum value is 40% RTP. The 10% step increase in trip setpoint is a maximum value assumed in the safety analysis. There is no uncertainty applied to the step in the safety analyses.

2. Rate of Change of Power-High Trip This LCO requires four instrument channels of Rate of Change of Power-High trip to be OPERABLE in MODEs 1 and 2.

The high power rate of change trip serves as a backup to the administratively-enforced startup rate limit.

The Function is not credited in the accident analyses; therefore, the Allowable Value for the trip is not derived from analytical limits.

3. Reactor Coolant Flow-Low Trip This LCO requires four instrument channels of Reactor Coolant Flow-Low trip to be OPERABLE in MODEs 1 and 2.

The trip may be manually bypassed when NUCLEAR INSTRUMENT POWER falls below 1E-4% RTP. This operating bypass is part of the ZPMB circuitry, which CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-17 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES also bypasses the TM/LP trip and provides a 'T power block signal to the Q power select logic. The ZPMB allows low power physics testing at reduced RCS temperatures and pressures. It also allows heatup and cooldown with shutdown CEAs withdrawn.

This trip is set high enough to maintain fuel integrity during a loss of flow condition. The setting is low enough to allow for normal operating fluctuations from offsite power. Reactor Coolant System flow is maintained above design flow by LCO 3.4.1.

4. Pressurizer Pressure-High Trip This LCO requires four instrument channels of Pressurizer Pressure-High trip to be OPERABLE in MODEs 1 and 2.

The Allowable Value is set high enough to allow for pressure increases in the RCS during normal operation (i.e., plant transients) not indicative of an abnormal condition. The setting is below the lift setpoint of the pressurizer safety valves and low enough to initiate a reactor trip when an abnormal condition is indicated. The analysis setpoint includes allowance for harsh environment, where appropriate.

The Pressurizer Pressure-High trip concurrent with power-operated relief valve operation avoids unnecessary operation of the pressurizer safety valves (Reference 5).

5. Containment Pressure-High Trip This LCO requires four instrument channels of Containment Pressure-High trip to be OPERABLE in MODEs 1 and 2.

The Allowable Value is high enough to allow for small pressure increases in Containment, expected during normal operation (i.e., plant heatup) that are not indicative of an abnormal condition. The setting is low enough to initiate a reactor trip to prevent CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-18 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES containment pressure from exceeding design pressure following a DBA.

6. Steam Generator Pressure-Low Trip This LCO requires four instrument channels of Steam Generator Pressure-Low trip per steam generator to be OPERABLE in MODEs 1 and 2.

The Allowable Value is sufficiently below the full load operating value for steam pressure so as not to interfere with normal plant operation, but still high enough to provide the required protection in the event of excessive steam demand. Since excessive steam demand causes the RCS to cool down, resulting in positive reactivity addition to the core in the presence of a negative moderator temperature coefficient, a reactor trip is required to offset that effect.

The analysis setpoint value includes harsh environment uncertainties, where appropriate.

The Function may be manually bypassed as steam generator pressure is reduced during controlled plant shutdowns. This operating bypass is permitted at a preset steam generator pressure. The bypass, in conjunction with the ZPMB, allows testing at low temperatures and pressures, and heatup and cooldown with the shutdown CEAs withdrawn. From a bypass condition, the trip will be automatically reinstated as steam generator pressure increases above the preset pressure.

7. Steam Generator Level-Low Trip This LCO requires four instrument channels of Steam Generator Level - Low per steam generator to be OPERABLE in MODEs 1 and 2.

The Allowable Value is sufficiently below the normal operating level for the steam generators so as not to cause a reactor trip during normal plant operations.

The trip setpoint is high enough to ensure a reactor CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-19 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES trip signal is generated to prevent operation with the steam generator water level below the minimum volume required for adequate heat removal capacity, and ensures that the pressure of the RCS will not exceed its SL. The specified setpoint, in combination with the Auxiliary Feedwater Actuation System (AFAS),

ensures that sufficient water inventory exists in both steam generators to remove decay heat following a Loss of Main Feedwater Flow event.

8. APD-High Trip This LCO requires four instrument channels of APD-High trip to be OPERABLE in MODE 1, NUCLEAR INSTRUMENT POWER t 15% RTP.

The Allowable Value curve was derived from an analysis of many axial power shapes with allowances for instrumentation inaccuracies and the uncertainty associated with the excore to incore ASI relationship.

The APD-High trip is automatically bypassed at

< 15% RTP, as measured by the NIs, where it is not required for reactor protection (Reference 5).

9. Thermal Margin
a. TM/LP Trip This LCO requires four instrument channels of TM/LP trip to be OPERABLE in MODEs 1 and 2.

The Allowable Value includes allowances for equipment response time, measurement uncertainties, processing error, and a further allowance to compensate for the time delay associated with providing effective termination of the occurrence that exhibits the most rapid decrease in margin to the SLs.

This trip may be manually bypassed when NUCLEAR INSTRUMENT POWER falls below 1E-4% RTP. This operating bypass is part of the ZPMB circuitry, which also bypasses the Reactor Coolant Flow-Low trip and provides a 'T power block signal to CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-20 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES the Q power select logic (Reference 5). The ZPMB allows low power physics testing at reduced RCS temperatures and pressures. It also allows heatup and cooldown with shutdown CEAs withdrawn.

b. ASGT This LCO requires four instrument channels of ASGT to be OPERABLE in MODEs 1 and 2.

The Allowable Value is high enough to avoid trips caused by normal operation and minor transients, but ensures DNBR protection in the event of DBAs. The difference between the Allowable Value and the analysis setpoint allows for instrument uncertainty.

The trip may be manually bypassed when NUCLEAR INSTRUMENT POWER falls below 1E-4% RTP as part of the ZPMB circuitry operating bypass. The Steam Generator Pressure Difference is subject to the ZPMB, since it is an input to the TM/LP trip and is not required for protection at low power levels (Reference 5).

10. Loss of Load The LCO requires four Loss of Load instrument channels to be OPERABLE in MODE 1, NUCLEAR INSTRUMENT POWER t 15% RTP.

The Loss of Load trip is automatically bypassed when NUCLEAR INSTRUMENT POWER falls below 15%, as measured by NIs, to allow loading the turbine.

Bypasses The LCO on automatic bypass removal features requires that the automatic bypass removal feature of all four operating bypass channels be OPERABLE for each RPS Function with an operating bypass in the MODEs addressed in the specific LCO for each Function. All four automatic bypass removal CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-21 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES features must be OPERABLE to ensure that none of the four RPS instrument channels are inadvertently bypassed.

The LCO applies to the automatic bypass removal feature only. If the bypass channel is failed so as to prevent entering a bypass condition, operation may continue.

APPLICABILITY This LCO is applicable in accordance with Table 3.3.3-1.

Most RPS trip functions are required to be OPERABLE in MODEs 1 and 2 because the reactor is critical in these MODEs. The trips are designed to take the reactor subcritical, maintaining the SLs during AOOs and assisting the ESFAS in providing acceptable consequences during accidents. Exceptions are addressed in footnotes to the table. Exceptions to this APPLICABILITY are:

  • The APD-High and Loss-of-Load trips are only applicable in MODE 1, NUCLEAR INSTRUMENT POWER t 15% RTP because they are automatically bypassed at < 15% RTP, as measured by NIs, where they are no longer needed.
  • The Rate of Change of Power-High trip, RPS logic, RTCBs, and manual trip are also required in MODEs 3, 4, and 5, with the RTCBs closed, to provide protection for boron dilution and CEA withdrawal events. The Rate of Change of Power-High trip in these lower MODEs is addressed in LCO 3.3.2. The RPS logic in MODEs 1, 2, 3, 4, and 5 is addressed in LCO 3.3.3.

Most trip functions are not required to be OPERABLE in MODEs 3, 4, and 5. In MODEs 3, 4, and 5, the emphasis is placed on return to power events. The reactor is protected in these MODEs by ensuring adequate SHUTDOWN MARGIN (SDM).

ACTIONS The most common causes of instrument channel inoperability are outright failure or drift of the bistable trip unit or measurement channel sufficient to exceed the tolerance allowed by Reference 4. Typically, the drift is found to be small which, at worst, results in a delay of actuation rather than a total loss of Function. This determination is generally made during the performance of a CHANNEL CALIBRATION when the process instrument is set up for adjustment to bring it to within specification. Sensor Drift could also be identified during the CHANNEL CHECKS.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-22 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES CHANNEL FUNCTIONAL TESTs identify bistable trip unit drift.

If the trip setpoint is less conservative than the Allowable Value in Table 3.3.1-1, the instrument channel is declared inoperable immediately, and the appropriate Condition(s) must be entered immediately.

In the event that either an instrument channels trip setpoint is found nonconservative with respect to the Allowable Value or the transmitter, instrument loop, signal processing electronics, RPS bistable trip unit, or applicable automatic bypass removal feature when bypass is in effect, is found inoperable, then all affected Functions provided by that channel must be declared inoperable, and the plant must enter the Condition for the particular protection Function affected.

When the number of inoperable instrument channels in a trip Function exceeds that specified in any related Condition associated with the same trip Function, the plant is outside the safety analysis. Therefore, LCO 3.0.3 is immediately entered, if applicable, in the current MODE of operation.

A Note has been added to the ACTIONS to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Function. The Completion Times of each inoperable Function will be tracked separately for each Function, starting from the time the Condition was entered.

A.1, A.2.1, and A.2.2 Condition A applies to the failure of a single instrument channel in any RPS automatic trip Function. Reactor Protective System coincidence logic is normally two-out-of-four.

If one RPS bistable trip unit or associated measurement channel is inoperable, startup or power operation is allowed to continue, providing the inoperable bistable trip unit is placed in bypass or trip within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (Required Action A.1).

The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> allotted to restore, bypass, or trip the instrument channel is sufficient to allow the CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-23 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES operator to take all appropriate actions for the failed channel, while ensuring that the risk involved in operating with the failed channel is acceptable.

The failed instrument channel is restored to OPERABLE status or is placed in trip within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> (Required Action A.2.1 or Required Action A.2.2). Required Action A.2.1 restores the full capability of the Function.

Required Action A.2.2 places the Function in a one-out-of-three configuration. In this configuration, common cause failure of dependent channels cannot prevent a trip.

The Completion Time of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is based on operating experience, which has demonstrated that a random failure of a second instrument channel occurring during the 48-hour period is a low probability event.

B.1 and B.2 Condition B applies to the failure of two instrument channels in any RPS automatic trip Function.

Required Action B.1 provides for placing one inoperable channel in bypass and the other channel in trip within the Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. This Completion Time is sufficient to allow the operator to take all appropriate actions for the failed channels, while ensuring that the risk involved in operating with the failed channels is acceptable. With one channel of protective instrumentation bypassed, the RPS Function is in a two-out-of-three logic; but with another channel failed, the RPS Function may be operating in a two-out-of-two logic. This is outside the assumptions made in the analyses and should be corrected.

To correct the problem, the second channel is placed in trip. This places the RPS Function in a one-out-of-two logic. If any of the other OPERABLE channels receives a trip signal, the reactor will trip.

One instrument channel should be restored to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> for reasons similar to those stated under Condition A. After one channel is restored to OPERABLE status, the provisions of Condition A still apply to the CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-24 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES remaining inoperable channel. Therefore, the channel that is still inoperable after completion of Required Action B.2 must be placed in trip if more than 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> have elapsed since the initial channel failure.

C.1 and C.2 The excore detectors are used to generate the internal ASI used as an input to the TM/LP and APD-High trips. Incore detectors provide a more accurate measurement of ASI. If one or more excore channels cannot be calibrated to match incore detectors, power is restricted or reduced during subsequent operations because of increased uncertainty associated with using uncalibrated excore channels.

The Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is adequate to perform the Surveillance Requirement (SR) while minimizing the risk of operating in an unsafe condition.

D.1, D.2.1, D.2.2.1, and D.2.2.2 Condition D applies to one automatic bypass removal feature inoperable. If the automatic bypass removal feature for any operating bypass channel cannot be restored to OPERABLE status, the associated RPS channel may be considered OPERABLE only if the bypass is not in effect. Otherwise, the affected RPS channel must be declared inoperable, as in Condition A, and the bypass either removed or the automatic bypass removal feature repaired. The Bases for Required Actions and Completion Times are the same as discussed for Condition A.

E.1, E.2.1, and E.2.2 Condition E applies to two inoperable automatic bypass removal features. If the automatic bypass removal features cannot be restored to OPERABLE status, the associated RPS channel may be considered OPERABLE only if the bypasses are not in effect. Otherwise, the affected RPS channels must be declared inoperable, as in Condition B, and the bypasses either removed or the automatic bypass removal features repaired. Also, Required Action E.2.2 provides for the restoration of the one affected RPS channel to OPERABLE status within the rules of Completion Time specified under CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-25 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES Condition B. Completion Times are consistent with Condition B.

F.1 Condition F is entered when the Required Action and associated Completion Time of Condition A, B, C, D, or E are not met for the APD-High trip and Loss-of-Load trip Functions.

If the Required Actions associated with these Conditions cannot be completed within the required Completion Times, the reactor must be brought to a MODE in which the Required Actions do not apply. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> to reduce THERMAL POWER to < 15% RTP is reasonable, based on operating experience, to decrease power to < 15%

RTP from full power conditions in an orderly manner and without challenging plant systems.

G.1 Condition G is entered when the Required Action and associated Completion Time of Condition A, B, C, D, or E are not met except for the APD-High trip and Loss-of-Load trip Functions.

If the Required Actions associated with these Conditions cannot be completed within the required Completion Times, the reactor must be brought to a MODE in which the Required Actions do not apply. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> to be in MODE 3 is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE The SRs for any particular RPS Function are found in the SR REQUIREMENTS column of Table 3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and CHANNEL CALIBRATION.

SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-26 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES indicated on one instrument channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument channel drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a qualitative assessment of the instrument channel combined with the instrument channel uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limits. CHANNEL CHECKS are performed on the wide range logarithmic neutron flux monitor for the Rate of Change of Power-High trip Function.

The Frequency, about once every shift, is based on operating experience that demonstrates the rarity of instrument channel failure. Since the probability of two random failures in redundant channels in any 12-hour period is extremely low, the CHANNEL CHECK minimizes the chance of loss of RPS Function due to failure of redundant channels.

The CHANNEL CHECK supplements less formal, but more frequent, checks of the channel during normal operational use of the displays.

SR 3.3.1.2 A daily calibration (heat balance) is performed when THERMAL POWER is t 15%. The daily calibration shall consist of adjusting the nuclear power calibrate potentiometers to agree with the calorimetric calculation if the absolute difference is > 1.5%. The 'T power calibrate potentiometers are then used to null the nuclear power -'T power indicators on the RPS Calibration and Indication Panel. Performance of the daily calibration ensures that the two inputs to the Q power measurement are indicating accurately with respect to the much more accurate secondary CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-27 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES calorimetric calculation. The heat balance addresses overall gain of the instruments and does not include ASI.

The Frequency of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is based on plant operating experience and takes into account indications and alarms located in the Control Room to detect deviations in channel outputs. The Frequency is modified by a Note indicating that once the unit reaches 15% RTP, 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is the maximum time allowed for completing this Surveillance. The secondary calorimetric is inaccurate at lower power levels.

The 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allows time for plant stabilization, data-taking, and instrument calibration.

A second Note indicates the daily calibration may be suspended during PHYSICS TESTS. This ensures that calibration is proper both preceding and following physics testing at each plateau, recognizing that during testing, changes in power distribution and RCS temperature may render the calibration inaccurate.

SR 3.3.1.3 It is necessary to calibrate the excore power range channel upper and lower subchannel amplifiers such that the internal ASI used in the TM/LP trip and APD-High trip Functions reflects the true core power distribution as determined by the incore detectors. A Note indicates that once the unit reaches 20% RTP, 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is the maximum time allowed for completion of this Surveillance. The Surveillance is required to be performed prior to operation above 90% RTP.

Uncertainties in the excore and incore measurement process make it impractical to calibrate when THERMAL POWER is

< 20% RTP. The Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allows time for plant stabilization, data-taking, and instrument calibration. The Frequency requires the SR be performed every 31 days after the initial performance prior to operation above 90% RTP. Requiring the SR prior to operations above 90% RTP is because of the increased uncertainties associated with using uncalibrated excore detectors. If the excore channels are not properly calibrated to agree with the incore detectors, power is restricted during subsequent operations because of increased uncertainty associated with using uncalibrated excore channels. The 31-day Frequency is adequate, based on CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-28 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES operating experience of the excore linear amplifiers and the slow burnup of the detectors. The excore readings are a strong function of the power produced in the peripheral fuel bundles and do not represent an integrated reading across the core. Slow changes in neutron flux during the fuel cycle can also be detected at this Frequency.

SR 3.3.1.4 A CHANNEL FUNCTIONAL TEST is performed on each RPS instrument channel, except Loss of Load and Rate of Change of Power, every 92 days to ensure the entire channel will perform its intended function when needed.

In addition to reference voltage power supply tests, the RPS CHANNEL FUNCTIONAL TEST consists of three overlapping tests as described in Reference 1, Section 7.2. These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. They include:

Bistable Tests The bistable setpoint must be found to trip within the Allowable Values specified in the LCO and left set consistent with the assumptions of Reference 4. As-found values must also be recorded and reviewed for consistency with the assumptions of the frequency extension analysis.

The requirements for this review are outlined in Reference 8.

A test signal is substituted as the input in one instrument channel at a time to verify that the bistable trip unit trips within the specified tolerance around the setpoint.

This is done with the affected RPS channel bistable trip unit bypassed. Any setpoint adjustment shall be consistent with the assumptions of Reference 4.

Matrix Logic Tests Matrix logic tests are addressed in LCO 3.3.3. This test is performed one matrix at a time. It verifies that a coincidence in the two instrument channels for each Function removes power from the matrix relays. During testing, power is applied to the matrix relay test coils and prevents the matrix relay contacts from assuming their de-energized CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-29 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES state. This test will detect any short circuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip bypass contacts.

Trip Path Tests Trip path logic tests are addressed in LCO 3.3.3. These tests are similar to the matrix logic tests, except that test power is withheld from one matrix relay at a time, allowing the trip path circuit to de-energize, opening the affected set of RTCBs. The RTCBs must then be closed prior to testing the other three trip path circuits, or a reactor trip may result.

The Frequency of 92 days is based on the reliability analysis presented in Reference 6.

SR 3.3.1.5 A CHANNEL CALIBRATION of the excore power range channels every 92 days ensures that the channels are reading accurately and within tolerance. The SR verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. CHANNEL CALIBRATIONS must be performed consistent with the plant-specific SRs.

The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the Frequency extension analysis. The requirements for this review are outlined in Reference 8.

A Note is added stating that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal (Reference 7). Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.2) and the monthly linear subchannel gain check (SR 3.3.1.3). In addition, associated control room indications are continuously monitored by the operators.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-30 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES The Frequency of 92 days is acceptable, based on plant operating experience, and takes into account indications and alarms available to the operator in the Control Room.

SR 3.3.1.6 A CHANNEL FUNCTIONAL TEST on the Loss of Load, and Rate of Change of Power channels is performed prior to a reactor startup to ensure the entire channel will perform its intended function if required. The Loss of Load sensor cannot be tested during reactor operation without causing reactor trip. The Power Rate of Change-High trip Function is required during startup operation and is bypassed when shut down or > 12% RTP.

SR 3.3.1.7 Surveillance Requirement 3.3.1.7 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.1.4, except SR 3.3.1.7 is applicable only to Functions with automatic bypass removal features.

Proper operation of operating bypasses are critical during plant startup because the bypasses must be in place to allow startup operation and must be removed at the appropriate points during power ascent to enable certain reactor trips.

A 24-month SR Frequency is adequate to ensure proper automatic bypass removal feature operation as described in Reference 5. Once the operating bypasses are removed, the bypasses must not fail in such a way that the associated trip Function gets inadvertently bypassed. This feature is verified by the trip Function CHANNEL FUNCTIONAL TEST, SR 3.3.1.4. Therefore, further testing of the automatic bypass removal feature after startup is unnecessary.

SR 3.3.1.8 Surveillance Requirement 3.3.1.8 is the performance of a CHANNEL CALIBRATION every 24 months.

CHANNEL CALIBRATION is a check of the instrument channel, including the sensor. The SR verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument channel drift between successive calibrations to ensure that the channel remains CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-31 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES operational between successive tests. CHANNEL CALIBRATIONS must be performed consistent with Reference 4.

The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the frequency extension analysis. The requirements for this review are outlined in Reference 6.

The Frequency is based upon the assumption of a 24-month calibration interval for the determination of the magnitude of equipment drift.

The SR is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift, and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.2) and the monthly linear subchannel gain check (SR 3.3.1.3).

SR 3.3.1.9 This SR ensures that the RPS RESPONSE TIMES are verified to be less than or equal to the maximum values assumed in the safety analysis. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the RTCBs open. Response times are conducted on a 24-month STAGGERED TEST BASIS. Response time testing acceptance criteria are included in Reference 1, Section 7.2. This results in the interval between successive SRs of a given channel of n x 24 months, where n is the number of channels in the function. The Frequency of 24 months is based upon operating experience, which has shown that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences. Also, response times cannot be determined at power since equipment operation is required. Testing may be performed in one measurement or in overlapping segments, with verification that all components are tested.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-32 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES Response time may be verified by any series of sequential, overlapping or total channel measurements, including allocated sensor response time, such that the response time is verified. Allocations for sensor response times may be obtained from records of test results, vendor test data, or vendor engineering specifications. Reference 9 provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the reference.

Response time verification for other sensor types must be demonstrated by test. The allocation of sensor response times must be verified prior to placing a new component in operation and reverified after maintenance that may adversely affect the sensor response time.

Instrument loop or test cables and wiring add an insignificant response time and can be ignored.

A Note is added to indicate that the neutron detectors are excluded from RPS RESPONSE TIME testing because they are passive devices with minimum drift, and because of the difficulty of simulating a meaningful signal. Slow changes in detector sensitivity are compensated for by performing the daily calorimetric calibration (SR 3.3.1.3).

REFERENCES 1. Updated Final Safety Analysis Report

2. Title 10 Code of Federal Regulations
3. Institute of Electrical and Electronic Engineers (IEEE)

No. 279, Proposed IEEE Criteria for Nuclear Power Plant Protection Systems, August 1968

4. CCNPP Setpoint File
5. Letter from Mr. R. E. Denton (BGE) to NRC Document Control Desk, dated June 5, 1995, Response to NRC Request for Review & Comment on Review of Preliminary Accident Precursor Analysis of Trip; Loss of 13.8 kV Bus; Short-Term Saltwater Cooling System Unavailability, CCNPP Unit 2
6. Combustion Engineering Topical Report CEN-327, RPS/ESFAS Extended Test Interval Evaluation dated June 2, 1986, including Supplement 1, March 3, 1989 CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-33 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES

7. Letter from Mr. D. G. McDonald (NRC) to Mr. R. E. Denton (BGE), dated October 19, 1995, Issuance of Amendments for Calvert Cliffs Nuclear Power Plant, Unit No. 1 (TAC No. M92479) and Unit No. 2 (TAC No. M92480)
8. Calvert Cliffs Procedure EN-4-104, Surveillance Testing
9. Combustion Engineering Owners Group Topical Report CE NPSD 1167-A, Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements, July 3, 2000 CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-34 Revision 31

RPS Instrumentation-Operating B 3.3.1 BASES Figure B 3.3.1-1 Functional Diagram of the Two-Out-of-Four Logic and RTCB Configuration CALVERT CLIFFS - UNITS 1 & 2 B 3.3.1-35 Revision 2

RPS Instrumentation-Shutdown B 3.3.2 B 3.3 INSTRUMENTATION B 3.3.2 Reactor Protective System (RPS) Instrumentation-Shutdown BASES BACKGROUND The RPS initiates a reactor trip to protect against violating the core specified acceptable fuel design limits and reactor coolant pressure boundary integrity during AOOs.

By tripping the reactor, the RPS also assists the ESF systems in mitigating accidents.

The protective systems have been designed to ensure safe operation of the reactor. This is achieved by specifying LSSS in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance.

The LSSS, defined in this Specification as the Allowable Value, in conjunction with the LCOs, establish the threshold for protective system action to prevent exceeding acceptable limits during DBAs.

During AOOs, which are those events expected to occur one or more times during the plant life, the acceptable limits are:

  • The DNBR shall be maintained above the SL value to prevent departure from nucleate boiling;
  • Fuel centerline melting shall not occur; and
  • The RCS pressure SL of 2750 psia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the Reference 1 criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable limit during accidents is that the offsite dose shall be maintained within the acceptance criteria given in Reference 2.

Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.2-1 Revision 2

RPS Instrumentation-Shutdown B 3.3.2 BASES The RPS is segmented into four interconnected modules.

These modules are:

  • Measurement channels;
  • Bistable trip units;

This LCO applies only to the Rate of Change of Power-High trip Functions and associated instrument channels in MODEs 3, 4, and 5 with any of the RTCBs closed and any CEA capable of being withdrawn. In MODEs 1 and 2, this trip Function is addressed in LCO 3.3.1. Limiting Condition for Operation 3.3.12 applies when the RTCBs are open or CEDM System is not capable of CEA withdrawal. In the case of LCO 3.3.12, the wide range logarithmic neutron flux channels are required for monitoring neutron flux, although the trip Function is not required.

Measurement Channels and Bistable Trip Units The measurement channels providing input to the Rate of Change of Power-High trip Function consist of wide range NI channels using neutron flux leakage from the reactor vessel.

Other aspects of the Rate of Change of Power-High trip are similar to the other RPS measurement channels and bistable trip units. These are addressed in the Background section of LCO 3.3.1.

APPLICABLE Most of the analyzed accidents and transients can be SAFETY ANALYSES detected by one or more RPS Functions. The accident analysis contained in Reference 2 takes credit for most RPS trip Functions. Some Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff-approved licensing basis for the plant. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. Other Functions, such as the Loss of Load trip, are purely equipment protective, and their use minimizes the potential for equipment damage.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.2-2 Revision 2

RPS Instrumentation-Shutdown B 3.3.2 BASES The Rate of Change of Power-High trip is used to trip the reactor when excore wide range power indicates an excessive rate of change.

The Rate of Change of Power-High trip serves as a backup to the administratively-enforced startup rate limit.

The Rate of Change of Power-High trip Function minimizes transients for events such as a continuous CEA withdrawal or a boron dilution event from low power levels. The Rate of Change of Power-High trip is automatically bypassed at

 1E-4% RTP, as sensed by the wide range NI flux trip bistable, when poor counting statistics may lead to erroneous indication. It is also bypassed at ! 12% RTP, where moderator temperature coefficient and fuel temperature coefficient make high rate of change of power unlikely.

This bypass is effected by the power range NI Level 1 bistable. Automatic bypass removal is also effected by these bistables. The automatic bypass removal feature ensures that the Rate of Change of Power-High trip is enabled when reactor power is between 1E-4% and 12% RTP.

With the RTCBs open, the Rate of Change of Power-High trip is not required to be OPERABLE; however, the indication and alarm Functions of at least two wide range channels are required to be OPERABLE. Limiting Condition for Operation 3.3.12 ensures the wide range channels are available to detect and alert the operator to a boron dilution event, when LCOs 3.3.1 and 3.3.2 are not applicable.

The RPS instrumentation satisfies 10 CFR 50.36(c)(2)(ii),

Criterion 3.

LCO The LCO requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any required portion of the instrument channel renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

Actions allow trip bypass of individual instrument channels, but administrative controls prevent operation with a second channel in the same Function bypassed. Plants are in a trip bypass condition before either restoring the Function to CALVERT CLIFFS - UNITS 1 & 2 B 3.3.2-3 Revision 31

RPS Instrumentation-Shutdown B 3.3.2 BASES four channel operation (two-out-of-four logic) or placing the channel in trip (one-out-of-three logic).

This LCO requires four instrument channels and automatic bypass removal features of Rate of Change of Power-High trip to be OPERABLE in MODEs 3, 4, and 5, when the RTCBs are closed and the CEDM System is capable of CEA withdrawal.

MODE 1 and 2 requirements are addressed in LCO 3.3.1. This trip is not credited in the safety analysis. Therefore, the Allowable Value is not derived from an analytical limit.

APPLICABILITY This LCO is applicable to the Rate of Change of Power-High trip in MODEs 3, 4, and 5. MODEs 1 and 2 are addressed in LCO 3.3.1.

The power rate of change trip is required in MODEs 3, 4, and 5, with the RTCBs closed and a CEA capable of being withdrawn to provide backup protection for boron dilution and CEA withdrawal events. The power rate of change trip is not credited in the safety analysis, but is part of the NRC-approved licensing basis for the plant.

The power rate of change trip has operating bypasses discussed in the LCO section. In MODEs 3, 4, and 5, the emphasis is placed on return to power events. The reactor is protected in these MODEs by ensuring adequate SDM.

ACTIONS The most common causes of instrument channel inoperability are outright failure or drift of the bistable trip unit or measurement channel sufficient to exceed the tolerance allowed by Reference 3. Typically, the drift is found to be small, which at worst results in a delay of actuation rather than a total loss of Function. This determination is generally made during the performance of a CHANNEL CALIBRATION when the process instrument is set up for adjustment to bring it to within specification. Sensor drift could also be identified during the CHANNEL CHECKS.

CHANNEL FUNCTIONAL TESTS identify bistable trip unit drift.

If the trip setpoint is less conservative than the Allowable Value in Table 3.3.1-1, the instrument channel is declared inoperable immediately, and the appropriate Condition(s) must be entered immediately.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.2-4 Revision 31

RPS Instrumentation-Shutdown B 3.3.2 BASES In the event that either an instrument channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, RPS bistable trip unit, or automatic bypass removal feature when bypass is in effect, is found inoperable, then the Rate of Change of Power-High trip Function provided by that instrument channel must be declared inoperable and the plant must enter the Condition for the particular RPS Function affected.

A.1, A.2.1, and A.2.2 Condition A applies to the failure of a single instrument channel of the Rate of Change of Power-High trip RPS automatic trip Function.

Reactor Protective System coincidence logic is normally two-out-of-four. If one RPS bistable trip unit or associated measurement channel is inoperable, startup or power operation is allowed to continue, providing the inoperable bistable trip unit is placed in bypass or trip within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (Required Action A.1).

The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> allotted to restore, bypass, or trip the instrument channel is sufficient to allow the operator to take all appropriate actions for the failed channel, while ensuring that the risk involved in operating with the failed channel is acceptable.

The failed instrument channel is restored to OPERABLE status or is placed in trip within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> (Required Action A.2.1 or Required Action A.2.2). Required Action A.2.1 restores the full capability of the Function. Required Action A.2.2 places the Function in a one-out-of-three coincidence logic.

In this coincidence logic, common cause failure of dependent channels cannot prevent trip.

The 48-hour Completion Time is based on operating experience, which has demonstrated that a random failure of a second instrument channel occurring during the 48-hour period is a low probability event.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.2-5 Revision 31

RPS Instrumentation-Shutdown B 3.3.2 BASES B.1 and B.2 Condition B applies to the failure of two instrument channels in the Rate of Change of Power-High trip RPS automatic trip Function.

Required Action B.1 provides for placing one inoperable instrument channel in bypass and the other channel in trip within the Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. This Completion Time is sufficient to allow the operator to take all appropriate actions for the failed channels, while ensuring the risk involved in operating with the failed channels is acceptable. With one instrument channel bypassed, the RPS Function is in a two-out-of-three logic; but with another channel failed, the RPS Function may be operating in a two-out-of-two logic. This is outside the assumptions made in the analyses and should be corrected. To correct the problem, the second channel is placed in trip. This places the RPS Function in a one-out-of-two logic. If any of the other OPERABLE channels receives a trip signal, the reactor will trip.

The bypassed instrument channel should be restored to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> for reasons similar to those stated under Condition A. After one channel is restored to OPERABLE status, the provisions of Condition A still apply to the remaining inoperable channel. Therefore, the channel that is still inoperable after completion of Required Action B.2 shall be placed in trip if more than 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> have elapsed since the initial channel failure.

C.1, C.2.1, C.2.2.1, and C.2.2.2 Condition C applies to one automatic bypass removal feature inoperable. If the automatic bypass removal feature cannot be restored to OPERABLE status, the associated Rate of Change of Power-High trip RPS channel may be considered OPERABLE only if the bypass is not in effect. Otherwise, the affected RPS channel must be declared inoperable, as in Condition A, and the bypass either removed or the automatic bypass removal feature repaired. The Bases for the Required Actions and Completion Times are the same as discussed for Condition A.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.2-6 Revision 31

RPS Instrumentation-Shutdown B 3.3.2 BASES D.1, D.2.1, and D.2.2 Condition D applies to two inoperable automatic bypass removal features. If the automatic bypass removal features cannot be restored to OPERABLE status, the associated Rate of Change of Power-High trip RPS channel may be considered OPERABLE only if the bypasses are not in effect. Otherwise, the affected RPS channels must be declared inoperable, as in Condition B, and the bypasses either removed or the automatic bypass removal features repaired. Also, Required Action D.2.2 provides for the restoration of the one affected automatic trip channel to OPERABLE status within the rules of Completion Time specified under Condition B.

Completion Times are consistent with Condition B.

E.1 Condition E is entered when the Required Actions and associated Completion Times of Condition A, B, C, or D are not met.

If Required Actions associated with these Conditions cannot be completed within the required Completion Time, opening the RTCBs brings the reactor to a MODE where the LCO does not apply and ensures no CEA withdrawal will occur. The basis for the Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is that it is adequate to complete the Required Actions without challenging plant systems.

SURVEILLANCE SR 3.3.2.1 REQUIREMENTS Performance of the CHANNEL CHECK on each wide range channel once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one instrument channel to a similar parameter on another channel. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument channel drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying CALVERT CLIFFS - UNITS 1 & 2 B 3.3.2-7 Revision 31

RPS Instrumentation-Shutdown B 3.3.2 BASES that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a qualitative assessment of the instrument channel that considers instrument channel uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limits.

The Frequency, once every shift, is based on operating experience that demonstrates the rarity of instrument channel failure. Since the probability of two random failures in redundant channels in any 12-hour period is extremely low, the CHANNEL CHECK minimizes the chance of loss of RPS Function due to failure of redundant channels.

The CHANNEL CHECK supplements less formal, but more frequent, checks of the channel during normal operational use of the displays.

SR 3.3.2.2 A CHANNEL FUNCTIONAL TEST on the power rate of change channels is performed once within 7 days prior to each reactor startup to ensure the entire instrument channel will perform its intended function if required. The Rate of Change of Power-High trip Function is required during startup operation and is bypassed when shut down or

! 12% RTP. Additionally, operating experience has shown that these components usually pass the SR when performed at a Frequency of once within 7 days prior to each reactor startup.

Only the Allowable Values are specified for each RPS trip Function in the SR. Nominal trip setpoints are established for the Functions via the plant-specific procedures. The nominal setpoints are selected to ensure the plant parameters do not exceed the Allowable Value if the bistable trip unit is performing as required. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable, provided that operation and testing are consistent with the assumptions of the plant-specific setpoint calculations. Each nominal trip CALVERT CLIFFS - UNITS 1 & 2 B 3.3.2-8 Revision 31

RPS Instrumentation-Shutdown B 3.3.2 BASES setpoint is more conservative than the analytical limit assumed in the safety analysis in order to account for instrument channel uncertainties appropriate to the trip Function. These uncertainties are defined in Reference 3.

SR 3.3.2.3 Surveillance Requirement 3.3.2.3 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.2.2, except SR 3.3.2.3 is applicable only to bypass Functions and is performed once every 24 months.

Proper operation of operating bypasses is critical during plant startup because the bypasses must be in place to allow startup operation and must be removed at the appropriate points during power ascent to enable certain reactor trips.

A 24-month SR Frequency is adequate to ensure proper automatic bypass removal feature operation as described in Reference 5. Once the operating bypasses are removed, the bypasses must not fail in such a way that the associated trip Function gets inadvertently bypassed. This feature is verified by SR 3.3.2.2. Therefore, further testing of the automatic bypass removal feature after startup is unnecessary.

SR 3.3.2.4 Surveillance Requirement 3.3.2.4 is the performance of a CHANNEL CALIBRATION every 24 months.

CHANNEL CALIBRATION is a check of the instrument channel including the sensor. The SR verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. CHANNEL CALIBRATIONS must be performed consistent with Reference 3.

The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the SR interval extension analysis. The requirements for this review are outlined in Reference 4.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.2-9 Revision 31

RPS Instrumentation-Shutdown B 3.3.2 BASES The Frequency is based upon the assumption of a 24-month calibration interval in the determination of the magnitude of equipment drift.

The SR is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift (Reference 5).

REFERENCES 1. 10 CFR Parts 50, "Domestic Licensing of Production and Utilization Facilities," and 100, "Reactor Site Criteria"

2. Updated Final Safety Analysis Report (UFSAR),

Chapter 14, "Safety Analysis"

3. CCNPP Setpoint File
4. Combustion Engineering Topical Report CEN-327, RPS/ESFAS Extended Test Interval Evaluation dated June 2, 1986, including Supplement 1, March 3, 1989
5. Letter from Mr. R. E. Denton (BGE) to NRC Document Control Desk, dated June 6, 1995, License Amendment Request; Extension of Instrument Surveillance Intervals CALVERT CLIFFS - UNITS 1 & 2 B 3.3.2-10 Revision 31

RPS Logic and Trip Initiation B 3.3.3 B 3.3 INSTRUMENTATION B 3.3.3 Reactor Protective System (RPS) Logic and Trip Initiation BASES BACKGROUND The RPS initiates a reactor trip to protect against violating the core specified acceptable fuel design limits and reactor coolant pressure boundary integrity during AOOs.

By tripping the reactor, the RPS also assists the ESF systems in mitigating accidents.

The protective systems have been designed to ensure safe operation of the reactor. This is achieved by specifying LSSS in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance.

The LSSS, defined in this Specification as the Allowable Value, in conjunction with the LCOs, establish the threshold for protective system action to prevent exceeding acceptable limits during DBAs.

During AOOs, which are those events expected to occur one or more times during the plant life, the acceptable limits are:

  • The DNBR shall be maintained above the SL value to prevent departure from nucleate boiling;
  • Fuel centerline melting shall not occur; and
  • The RCS pressure SL of 2750 psia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the Reference 2 criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable limit during accidents is that the offsite dose shall be maintained within the acceptance criteria given in Reference 1, Chapter 14.

The RPS is segmented into four interconnected modules.

These modules are:

  • Measurement channels;
  • Bistable trip units; CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-1 Revision 2

RPS Logic and Trip Initiation B 3.3.3 BASES

This LCO addresses the RPS logic and RTCBs, including manual trip capability. Limiting Condition for Operation 3.3.1 provides a description of the role of this equipment in the RPS. This is summarized below:

RPS Logic The RPS logic, consisting of matrix and trip path logic, employs a scheme that provides a reactor trip when bistable trip units in any two of the four instrument channels sense the same input parameter trip. This is called a two-out-of-four trip logic. This logic and the RTCB configuration are shown in Figure B 3.3.1-1.

Bistable relay contact outputs from the four bistable trip unit channels are configured into six logic matrices. Each logic matrix checks for a coincident trip in the same parameter in two bistable trip unit channels. The matrices are designated the AB, AC, AD, BC, BD, and CD matrices to reflect the bistable trip unit channels being monitored.

Each logic matrix contains four normally energized matrix relays. When a coincidence is detected, consisting of a trip in the same Function in the two channels being monitored by the logic matrix, all four matrix relays de-energize.

The logic matrix relay contacts are arranged into trip paths, with one of the four matrix relays in each matrix opening contacts in one of the four trip paths. Each trip path provides power to one of the four normally energized RTCB control relays (K1, K2, K3, and K4). Thus, the trip paths each have six contacts in series, one from each matrix, and perform a logical OR function, opening the RTCBs if any one or more of the six logic matrices indicate a coincidence condition.

Each trip path is responsible for opening one set of two of the eight RTCBs. The RTCB control relays (K-relays), when de-energized, interrupt power to the breaker undervoltage trip coils and simultaneously apply power to the shunt trip CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-2 Revision 2

RPS Logic and Trip Initiation B 3.3.3 BASES coils on each of the two breakers. Actuation of either the undervoltage or shunt trip coil is sufficient to open the RTCB and interrupt power from the MG sets to the CEDMs.

When a coincidence occurs in two RPS channels from one Function, all four matrix relays in the affected matrix de-energize. This in turn de-energizes all four breaker control relays, which simultaneously de-energize the undervoltage and energize the shunt trip coils in all eight RTCBs, tripping them open.

The trip path logic consists of the trip path power source, matrix relays and their associated contacts, and all interconnecting wiring, through the K-relay contacts in the RTCB control circuitry.

It is possible to change the two-out-of-four RPS logic to a two-out-of-three logic for a given input parameter in one instrument channel at a time by trip bypassing select portions of the matrix logic. Trip bypassing a bistable effectively shorts the bistable relay contacts in the three matrices associated with that channel. Thus, the bistables will function normally, producing normal trip indication and annunciation, but a reactor trip will not occur unless two additional instrument channels indicate a trip condition.

Trip bypassing can be simultaneously performed on any number of parameters in any number of Functions, providing each parameter is bypassed in only one instrument channel per Function at a time. Administrative controls prevent simultaneous trip bypassing of the same parameter in more than one instrument channel. Trip bypassing is normally employed during maintenance or testing.

RTCBs The reactor trip switchgear, shown in Figure B 3.3.1-1, consists of eight RTCBs, which are operated in four sets of two breakers (four RTCB channels including the shunt trip coils and undervoltage coils). Power input to the reactor trip switchgear comes from two full capacity MG sets operated in parallel such that the loss of either MG set does not de-energize the CEDMs. There are two separate CEDM power supply buses, each bus powering half of the CEDMs.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-3 Revision 2

RPS Logic and Trip Initiation B 3.3.3 BASES Power is supplied from the MG sets to each bus via two redundant trip legs. This ensures that a fault or the opening of a breaker in one trip leg (i.e., for testing purposes) will not interrupt power to the CEDM buses.

Each of the four trip paths consists of two RTCBs in series.

The two RTCBs within a trip path are actuated by separate trip paths.

The eight RTCBs are operated as four sets of two breakers (four RTCB channels including the shunt trip coils and undervoltage coils). Each set of two RTCBs is opened by the same K-relay. This arrangement ensures that power is interrupted to both CEDM buses, thus preventing trip of only half of the CEAs (a half trip). Any one inoperable RTCB in a RTCB channel (set of two breakers) will make the entire RTCB channel inoperable.

Each set of RTCBs is operated by either a manual trip push button or an RPS actuated K-relay. There are four manual trip push buttons, arranged in two sets of two, as shown in Figure B 3.3.1-1. Depressing both push buttons in either set will result in a reactor trip.

When a manual trip is initiated using the control room push buttons, the RPS trip paths and K-relays are bypassed, and the RTCB undervoltage and shunt trip coils are actuated independent of the RPS.

A manual trip channel includes the push button and interconnecting wiring to both RTCBs necessary to actuate both the undervoltage and shunt trip coils, but excludes the K-relay contacts and their interconnecting wiring to the RTCBs, which are considered part of the trip path logic.

Functional testing of the entire RPS instrument and logic channels, from bistable input through the opening of individual sets of RTCBs, can be performed either at power or shut down, and is normally performed on a quarterly basis. Reference 1, Section 7.2 explains RPS testing in more detail.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-4 Revision 2

RPS Logic and Trip Initiation B 3.3.3 BASES APPLICABLE RPS Logic SAFETY ANALYSES The RPS logic provides for automatic trip initiation to maintain the SLs during AOOs and assist the ESF systems in ensuring acceptable consequences during accidents. All transients and accidents that call for a reactor trip assume the RPS logic is functioning as designed.

RTCBs All of the transient and accident analyses that call for a reactor trip assume that the RTCBs operate and interrupt power to the CEDMs.

Manual Trip There are no accident analyses that take credit for the manual trip; however, the manual trip is part of the RPS circuitry. It is used by the operator to shut down the reactor whenever any parameter is rapidly trending toward its trip setpoint. A manual trip accomplishes the same results as any one of the automatic trip Functions.

The RPS logic and initiation satisfy 10 CFR 50.36(c)(2)(ii),

Criterion 3.

LCO RPS Logic Failures of individual bistable relays and their contacts are addressed in LCO 3.3.1. This Specification addresses failures of the matrix logic not addressed in the above, such as the failure of matrix relay power supplies or the failure of the trip bypass contact in the bypass condition.

Loss of a single vital bus will de-energize one of the two power supplies in each of three matrices. This will result in two sets of two RTCBs opening; however, the remaining two sets of two closed RTCBs will prevent a reactor trip. For the purposes of this LCO, de-energizing up to three matrix power supplies due to a single failure is to be treated as a single channel failure, providing the affected matrix relays de-energize as designed, opening the affected RTCBs.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-5 Revision 2

RPS Logic and Trip Initiation B 3.3.3 BASES Each of the four trip path logic channels opens one set of RTCBs if any of the six logic matrices de-energize their associated matrix relays. Thus, they perform a logical OR function. Each trip path logic channel has its own power supply and is independent of the others. A trip path logic channel includes the matrix relay through to the K-relay contacts, which open the RTCB.

It is possible for two trip path logic channels affecting the same trip leg to de-energize if a matrix power supply or vital instrument bus fails. This will result in opening the two affected sets of two RTCBs.

If one set of RTCBs has been opened in response to a single RTCB channel, trip path logic channel, or manual trip channel failure, the affected set of RTCBs may be closed for up to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> for surveillance on the OPERABLE trip path logic, RTCB, and manual trip channels. In this case, the redundant set of RTCBs will provide protection if a trip should be required. It is unlikely that a trip will be required during the SR, coincident with a failure of the remaining series RTCB channel. If a single matrix power supply or vital bus failure has opened two sets of RTCBs, manual trip and RTCB testing on the closed breakers cannot be performed without causing a trip.

1. Matrix Logic This LCO requires six channels of matrix logic to be OPERABLE in MODEs 1 and 2, and in MODEs 3, 4, and 5 when any RTCB is closed and any CEA is capable of being withdrawn.
2. Trip Path Logic This LCO requires four channels of trip path logic to be OPERABLE in MODEs 1 and 2, and in MODEs 3, 4, and 5 when any RTCB is closed and any CEA is capable of being withdrawn.
3. RTCBs The LCO requires four RTCB channels to be OPERABLE in MODEs 1 and 2, as well as in MODEs 3, 4, and 5 when any CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-6 Revision 2

RPS Logic and Trip Initiation B 3.3.3 BASES RTCB is closed and any CEA is capable of being withdrawn.

Each RTCB channel consists of two breakers operated in a single set by the trip path logic or manual trip circuitry. This ensures that power is interrupted at identical locations in the trip paths for both CEDM buses, thus preventing power removal to only one CEDM bus (a half trip).

Failure of a single breaker affects the entire RTCB channel, and both breakers in the set must be opened.

Without reliable RTCBs and associated support circuitry, a reactor trip cannot occur whether initiated automatically or manually.

Each channel of RTCBs starts at the contacts actuated by the K-relay, and the contacts actuated by the manual trip, for each set of breakers. The K-relay actuated contacts and the upstream circuitry are considered to be RPS logic. Manual trip contacts and upstream circuitry are considered to be part of the manual trip channels.

A Note associated with the ACTIONS states that if one set of RTCBs has been opened in response to a single RTCB channel, trip path logic channel, or manual trip channel failure, the affected set of RTCBs may be closed for up to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> for a surveillance test on the OPERABLE trip path logic, RTCB, and manual trip channels. In this case, the redundant set of RTCBs will provide protection. If a single matrix power supply or vital bus failure has opened two sets of RTCBs, manual trip and RTCB testing on the closed breakers cannot be performed without causing a trip.

This Note is not applicable to Condition A, with one matrix logic channel inoperable.

4. Manual Trip The LCO requires all four manual trip channels to be OPERABLE in MODEs 1 and 2, and MODEs 3, 4, and 5 when CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-7 Revision 2

RPS Logic and Trip Initiation B 3.3.3 BASES any RTCB is closed and any CEA is capable of being withdrawn.

Two independent sets of two adjacent push buttons are provided at separate locations. Each push button is considered a channel and operates two of the eight RTCBs. Depressing both push buttons in either set will cause an interruption of power to the CEDMs, allowing the CEAs to fall into the core. This design ensures that no single failure in any push button channel can either cause or prevent a reactor trip.

APPLICABILITY The RPS matrix logic, RTCBs, and manual trip are required to be OPERABLE in any MODE when any CEA is capable of being withdrawn from the core (i.e., RTCBs closed and power available to the CEDMs). This ensures the reactor can be tripped when necessary, but allows for maintenance and testing when the reactor trip is not needed.

In MODEs 3, 4, and 5, with all the RTCBs open, the CEAs are not capable of withdrawal and these Functions do not have to be OPERABLE. However, two wide range logarithmic neutron flux monitor channels must be OPERABLE to ensure proper indication of neutron population and to indicate a boron dilution event. This is addressed in LCO 3.3.12.

ACTIONS When the number of inoperable RPS logic or trip initiation channels exceeds that specified in any related Condition, the plant is outside the safety analysis. Therefore, LCO 3.0.3 is immediately entered if applicable in the current MODE of operation.

A.1 Condition A applies if one matrix logic channel is inoperable or three logic matrices channels are inoperable due to a common power source failure de-energizing three matrix power supplies in any applicable MODE.

The matrix logic channel must be restored to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. The Completion Time of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> provides the operator time to take appropriate actions and still ensures that any risk involved in operating with a failed CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-8 Revision 2

RPS Logic and Trip Initiation B 3.3.3 BASES channel is acceptable. Operating experience has demonstrated that the probability of a random failure of a second matrix logic channel is low during any given 48-hour interval. If the channel cannot be restored to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />, Condition E is entered.

B.1 Condition B applies to one trip path logic channel, RTCB channel, or manual trip channel in MODEs 1 and 2, since they have the same actions. MODEs 3, 4, and 5, with the RTCBs shut, are addressed in Condition C. These Required Actions require opening the affected RTCBs. This removes the need for the affected channel by performing its associated safety function. With the RTCB open, the affected Functions are in one-out-of-two logic, which meets redundancy requirements, but testing on the OPERABLE channels cannot be performed without causing a reactor trip unless the RTCBs in the inoperable channels are closed to permit testing. Limiting Condition for Operation 3.0.5 allows the RTCBs associated with the inoperable channel to be closed to perform testing.

Required Action B.1 provides for opening the RTCBs associated with the inoperable channel within a Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. This Required Action is conservative, since depressing the manual trip push button associated with either set of breakers in the other trip leg will cause a reactor trip. With this configuration, a single channel failure will not prevent a reactor trip. The allotted Completion Time is adequate to open the affected RTCBs, while maintaining the risk of having them closed at an acceptable level.

C.1 Condition C applies to the failure of one trip path logic channel, RTCB channel, or manual trip channel in MODE 3, 4, or 5 with the RTCBs closed. The channel must be restored to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. If the inoperable channel cannot be restored to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />, all RTCBs must be opened, placing the plant in a MODE in which the LCO does not apply and ensuring no CEA withdrawal occurs.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-9 Revision 2

RPS Logic and Trip Initiation B 3.3.3 BASES The Completion Time of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is consistent with that of other RPS instrumentation and should be adequate to repair most failures.

Testing on the OPERABLE channels cannot be performed without causing a reactor trip unless the RTCBs in the inoperable channels are closed to permit testing. Limiting Condition for Operation 3.0.5 allows the RTCBs associated with the inoperable channel to be closed to perform testing.

D.1 Condition D applies to the failure of both trip path logic channels affecting the same trip leg. Since this will open two channels of RTCBs, this Condition is also applicable to the two affected channels of RTCBs. This Condition allows for loss of a single vital instrument bus or matrix power supply, which will de-energize both trip path logic channels in the same trip leg. This will open both sets of RTCBs in the affected trip leg, satisfying the Required Action of opening the affected channels of RTCBs.

Of greater concern is the failure of the trip path circuit in a nontrip condition (e.g., due to two trip path K-relay failures). With only one trip path logic channel failed in a nontrip condition, there is still the redundant set of RTCBs in the trip leg. With both failed in a nontrip condition, the reactor will not trip automatically when required. In either case, the affected RTCBs must be opened immediately by using the appropriate manual trip push buttons, since each of the four push buttons opens one set of RTCBs, independent of the trip path circuitry. Caution must be exercised, since depressing the wrong push buttons may result in a reactor trip.

If the affected RTCB(s) cannot be opened, Condition E is entered. This would only occur if there is a failure in the manual trip channel or the RTCB(s).

E.1 and E.2 Condition E is entered if Required Actions associated with Condition A, B, or D are not met within the required Completion Time or if one or more Functions with more than CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-10 Revision 2

RPS Logic and Trip Initiation B 3.3.3 BASES one manual trip, matrix logic, trip path logic, or RTCB channel is inoperable for reasons other than Condition A or D.

If the RTCBs associated with the inoperable channel cannot be opened, the reactor must be shut down within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and all the RTCBs opened. A Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach the required MODE from full power conditions in an orderly manner, without challenging plant systems, and to open RTCBs. All RTCBs should then be opened, placing the plant in a MODE where the LCO does not apply and ensuring no CEA withdrawal occurs.

SURVEILLANCE SR 3.3.3.1 REQUIREMENTS A CHANNEL FUNCTIONAL TEST is performed on each RTCB channel every 92 days. This verifies proper operation of each RTCB.

The RTCB must then be closed prior to testing the other RTCBs, or a reactor trip may result. The frequency of 92 days is based on the reliability analysis presented in Reference 3. Scheduling SR 3.3.3.1 and SR 3.3.3.2 such that the RTCBs testing is performed at least every 6 weeks meets vendor recommended intervals for cycling of each RTCB in accordance with Reference 3.

SR 3.3.3.2 A CHANNEL FUNCTIONAL TEST on each RPS logic channel is performed every 92 days to ensure the entire channel will perform its intended function when needed.

In addition to reference voltage tests, the RPS CHANNEL FUNCTIONAL TEST consists of three overlapping tests as described in Reference 1, Section 7.2. These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. The first test, the instrument channel test, is addressed by SR 3.3.1.4 in LCO 3.3.1.

This SR addresses the two tests associated with the RPS logic: matrix logic and trip path logic.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-11 Revision 25

RPS Logic and Trip Initiation B 3.3.3 BASES Scheduling SR 3.3.3.1 and SR 3.3.3.2 such that the RTCBs testing is performed at least every 6 weeks meets vendor recommended intervals for cycling of each RTCB in accordance with Reference 3.

Matrix Logic Tests These tests are performed one matrix at a time. They verify that a coincidence in the two instrument channels for each Function removes power from the matrix relays. During testing, power is applied to the matrix relay test coils and prevents the matrix relay contacts from assuming their de-energized state. The matrix logic tests will detect any short circuits around the bistable contacts in the coincidence logic such as may be caused by faulty bistable relay or trip bypass contacts.

Trip Path Tests These tests are similar to the matrix logic tests, except that test power is withheld from one matrix relay at a time, allowing the trip path circuit to de-energize, opening the affected set of RTCBs. The RTCBs must then be closed prior to testing the other three trip path circuits, or a reactor trip may result.

The Frequency of 92 days is based on the reliability analysis presented in Reference 4.

SR 3.3.3.3 A CHANNEL FUNCTIONAL TEST on the manual trip channels is performed prior to a reactor startup to ensure the entire channel will perform its intended function if required. The manual trip Function can be tested either at power or shut down. However, the simplicity of this circuitry and the absence of drift concern makes this Frequency adequate.

Additionally, operating experience has shown that these components usually pass the SR when performed once within 7 days prior to each reactor startup.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-12 Revision 25

RPS Logic and Trip Initiation B 3.3.3 BASES REFERENCES 1. UFSAR

2. 10 CFR Part 100, "Reactor Site Criteria"
3. Combustion Engineering Topical Report CE NPSD-9 51-A, Revision 01, Reactor Trip Circuit Breakers Surveillance Frequency Extension,dated September 19 9
4. Combustion Engineering Topical Report CEN-327 ,

RPS/ESFAS Extended Test Interval Evaluationdated June 2, 19 86, including Supplement 1, March 3, 19 89 CALVERT CLIFFS - UNITS 1 & 2 B 3.3.3-13 Revision 25

ESFAS Instrumentation B 3.3.4 B 3.3 INSTRUMENTATION B 3.3.4 Engineered Safety Features Actuation System (ESFAS) Instrumentation BASES BACKGROUND The ESFAS actuates necessary safety systems, based upon the values of selected unit parameters to mitigate accidents in order to protect the public and plant personnel from the accidental release of radioactive fission products.

The ESFAS contains devices and circuitry that generate the following signals when the monitored variables reach levels that are indicative of conditions requiring protective action:

1. Safety Injection Actuation Signal (SIAS);
2. Containment Spray Actuation Signal (CSAS);
3. Containment Isolation Signal (CIS);
4. Steam Generator Isolation Signal (SGIS);
5. Recirculation Actuation Signal (RAS) for the Containment Sump; and
6. AFAS Signal.

Equipment actuated by each of the above signals is identified in the Reference 1, Section 7.3.

Each of the above ESFAS actuation systems is segmented into four sensor channel and two actuation logic channels. Each sensor channel includes measurement channels and bistables (sensor modules). The actuation logic channels include two sets of logic circuitry (actuation logic modules) and actuation relay equipment. The actuation logic channels actuate ESFAS equipment trains that are sequentially loaded on the diesel generators (DGs).

Each of the four sensor modules monitors redundant and independent process measurement channels. Each sensor is monitored by at least one sensor module. The sensor module associated with each ESFAS sensor channel will trip when the monitored variable exceeds the trip setpoint. When tripped, the sensor channels provide outputs to the two actuation logic channels.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-1 Revision 2

ESFAS Instrumentation B 3.3.4 BASES The two independent actuation logic channels compare the four sensor channel outputs. If a trip occurs in the same parameter in two or more sensor channels, the two-out-of-four logic in each actuation logic channel will initiate the associated train of ESFAS. Each train can provide protection to the public in the case of a DBA.

Actuation logic is addressed in LCO 3.3.5.

Each of the four sensor channels is mounted in a separate cabinet, excluding the sensors and field wiring.

The role of the sensor channel (measurement channels and sensor modules) is discussed below; actuation logic channels are discussed in LCO 3.3.5.

Measurement Channels Measurement channels, consisting of field transmitters or process sensors and associated instrumentation, provide a measurable electronic signal based upon the physical characteristics of the parameter being measured.

Four measurement channels with electrical and physical separation are provided for each parameter used in the generation of actuation signals. These are designated Channels ZD through ZG. Measurement channels provide input to ESFAS sensor modules within the same ESFAS channel. In addition, some measurement channels may also be used as inputs to Reactor Protective System (RPS) bistable trip units, and most provide indication in the Control Room.

Measurement channels used as an input to the RPS or ESFAS are not used for control functions.

When a measurement channel monitoring a parameter indicates an unsafe condition, the sensor module monitoring the parameter in that channel will trip. Tripping two or more channels of sensor modules monitoring the same parameter will de-energize both channels of actuation logic of the associated ESF equipment.

Three of the four sensor channels are necessary to meet the redundancy and testability requirements of Reference 1, Appendix 1C. The fourth channel provides additional CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-2 Revision 2

ESFAS Instrumentation B 3.3.4 BASES flexibility by allowing one channel to be removed from service (maintenance bypass) for maintenance or testing while still maintaining a minimum two-out-of-three logic.

Since no single failure will either cause or prevent a protective system actuation and no protective channel feeds a control channel, this arrangement meets the requirements of proposed Reference 2.

Sensor Modules Sensor modules receive an analog input (digital for RAS) from the measurement channels, compare the input to trip setpoints, and provide contact output to the actuation logic channels (Reference 3). They also provide local trip indication and remote annunciation.

There are four channels of sensor modules, designated ZD through ZG, for each ESF Function, one for each measurement channel.

The trip setpoints and Allowable Values used in the sensor modules are based on the analytical limits used in Reference 1, Chapter 14. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account in the respective analytical limits. To allow for calibration tolerances, instrumentation uncertainties, sensor channel drift, and severe environment errors, (for those ESFAS channels that must function in harsh environments, where appropriate, as defined by Reference 4.

Engineered Safety Features Actuation System sensor modules trip setpoints are conservatively adjusted with respect to the analytical limits. A detailed description of the method used to calculate the trip setpoints, including their explicit uncertainties, is provided in Reference 5. The actual nominal trip setpoint entered into the sensor module is more conservative than that specified by the Allowable Value. If the measured setpoint does not exceed the Allowable Value, the sensor module is considered OPERABLE.

Setpoints in accordance with the Allowable Value will ensure that the consequences of AOOs and DBAs will be acceptable, CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-3 Revision 2

ESFAS Instrumentation B 3.3.4 BASES providing the plant is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed.

ESFAS Logic It is possible to change the two-out-of-four ESFAS logic to a two-out-of-three logic for a given input parameter in one sensor channel at a time by disabling one sensor channel input to the logic. Thus, the sensor modules will function normally, producing normal trip indication and annunciation, but ESFAS actuation will not occur since the bypassed channel is effectively removed (blocked) from the coincidence logic. Sensor channel bypassing can be simultaneously performed on any number of parameters in any number of Functions, providing each parameter is bypassed in only one sensor channel per Function at a time. Sensor channel bypassing is normally employed during maintenance or testing.

Engineered Safety Features Actuation System logic is addressed in LCO 3.3.5.

APPLICABLE Most of the analyzed accidents can be detected by one or SAFETY ANALYSES more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS Function may be the primary actuation signal for more than one type of accident. An ESFAS Function may also be a secondary or backup actuation signal for one or more other accidents. Functions such as manual actuation, not specifically credited in the accident analysis, serve as backups to Functions and are part of the NRC approved licensing basis for the plant.

ESFAS protective Functions are as follows:

1. SIAS The SIAS ensures acceptable consequences during LOCA events, including steam generator tube rupture, and other DBAs. To provide the required protection, either a high containment pressure or a low pressurizer pressure signal will actuate SIAS. The SIAS actuates the Emergency Core Cooling System (ECCS), control room CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-4 Revision 2

ESFAS Instrumentation B 3.3.4 BASES isolation, and performs other functions, such as starting the DGs.

2. CSAS The CSAS actuates containment spray, preventing containment overpressurization during a LOCA or MSLB.

Both a high containment pressure signal and a SIAS have to actuate to provide the required protection. This configuration reduces the likelihood of inadvertent containment spray.

3. CIS The CIS actuates the Containment Isolation System, ensuring acceptable consequences during LOCAs and other DBAs (inside Containment). A high containment pressure signal will actuate CIS.
4. SGIS The SGIS ensures acceptable consequences during an excessive loss of steam from the Main Steam System by isolating both steam generators if either generator indicates a low steam generator pressure. The SGIS, concurrent with or following a reactor trip, minimizes the rate of heat extraction and subsequent cooldown of the RCS during these events.
5. RAS At the end of the injection phase of a LOCA, the refueling water tank (RWT) will be nearly empty.

Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump. Switchover from RWT to the containment sump must occur before the RWT empties to prevent damage to the ECCS pumps and a loss of core cooling capability. For similar reasons, switchover must not occur before there is sufficient water in the containment sump to support pump suction. Furthermore, early switchover must not occur so sufficient borated water is injected from the RWT to ensure the reactor remains shut down in the recirculation mode. An RWT CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-5 Revision 2

ESFAS Instrumentation B 3.3.4 BASES Level-Low trip signal, generated by a level switch, actuates the RAS.

6. AFAS Signal An AFAS Signal actuates feedwater flow to both steam generators if a low level is indicated in either steam generator, unless the generator is ruptured.

The AFAS Signal maintains a steam generator heat sink during the following events:

  • FWLB; and

A low steam generator water level signal will actuate auxiliary feed to both steam generators.

Secondary steam generator differential pressure (SG-1 > SG-2) or (SG-2 > SG-1) blocks auxiliary feedwater (AFW) to a generator identified as being ruptured. This input to the AFAS logic prevents loss of the intact generator while preventing feeding a ruptured generator during MSLBs and FWLBs. This prevents containment overpressurization and/or excessive RCS cooldown during these events.

The ESFAS satisfies 10 CFR 50.36(c)(2)(ii),

Criterion 3.

LCO The LCO requires all sensor channel components necessary to provide an ESFAS actuation to be OPERABLE.

The Bases for the LCO on ESFAS Functions are:

1. SIAS
a. Containment Pressure-High Trip This LCO requires four sensor channels of SIAS Containment Pressure-High trip to be OPERABLE in MODEs 1, 2, and 3.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-6 Revision 2

ESFAS Instrumentation B 3.3.4 BASES The Allowable Value for this trip is set high enough to allow for small pressure increases in Containment expected during normal operation (i.e., plant heatup) and is not indicative of an offnormal condition. The setting is low enough to initiate the ESF Functions when a LOCA or other DBA condition is indicated. This allows the ESF systems to perform as expected in the accident analyses to mitigate the consequences of the analyzed accidents.

b. Pressurizer Pressure-Low Trip This LCO requires four sensor channels of SIAS Pressurizer Pressure-Low trip to be OPERABLE in MODEs 1, 2, and 3.

The Allowable Value for this trip is set low enough to prevent actuating the SIAS during normal plant operation and pressurizer pressure transients. The setting is high enough that with a LOCA or some other DBA it will actuate to perform as expected, mitigating the consequences of the accidents.

The Pressurizer Pressure-Low trip may be blocked when pressurizer pressure is reduced during controlled plant shutdowns. This block is permitted below 1800 psia, and block permissive responses are annunciated in the Control Room.

This allows for a controlled depressurization of the RCS, while maintaining administrative control of ESF protection. From a blocked condition, the block will be automatically removed as pressurizer pressure increases above 1800 psia, as sensed by two of the four sensor channels, in accordance with the block philosophy of removing blocks when the enabling conditions are no longer satisfied.

This LCO requires four channels of the automatic block removal features for SIAS Pressurizer Pressure-Low trip to be OPERABLE in MODEs 1, 2, and 3.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-7 Revision 2

ESFAS Instrumentation B 3.3.4 BASES The block permissive channels consist of four sensor channels and two actuation sensor block modules. This LCO applies to failures in the four sensor channels, including measurement channels and sensor block modules. Failures in the actuation logic channels, including the manual bypass key switches, are considered actuation logic failures and are addressed in LCO 3.3.5.

This LCO applies to the automatic block removal feature, not the sensor block modules. If the block enable Function is failed so as to prevent entering a block condition, operation may continue.

The block permissive is set low enough so as not to be enabled during normal plant operation, but high enough to allow blocking prior to reaching the trip setpoint.

2. CSAS The CSAS is initiated either manually or automatically.

It is also necessary to have an automatic or manual SIAS for complete actuation. The CSAS opens the containment spray valves, where as SIAS actuates other related components. The SIAS requirement should always be satisfied on a legitimate CSAS, since the Containment Pressure-High trip signal field setpoint used in the SIAS is the same or below the setpoint used in the CSAS.

a. Containment Pressure-High Trip This LCO requires four sensor channels of CSAS Containment Pressure-High trip to be OPERABLE in MODEs 1, 2, and 3.

The Allowable Value is set high enough to allow for small pressure increases in Containment expected during normal operation (i.e., plant heatup) and is not indicative of an offnormal condition. The setting is low enough to initiate CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-8 Revision 2

ESFAS Instrumentation B 3.3.4 BASES the ESF Functions when an offnormal condition is indicated. This allows the ESF systems to perform as expected in the accident analyses to mitigate the consequences of the analyzed accidents.

The Containment Pressure-High trip setpoint is the same in the SIAS (Function 1), CIS (Function 3),

and is a different setpoint for CSAS (Function 2).

However, different logic is used in each of these Functions.

3. CIS
a. Containment Pressure-High Trip This LCO requires four sensor channels of CIS Containment Pressure-High trip to be OPERABLE in MODEs 1, 2, and 3.

The Allowable Value is set high enough to allow for small pressure increases in Containment expected during normal operation (i.e., plant heatup) and is not indicative of an offnormal condition. The setting is low enough to initiate the ESF Functions when an offnormal condition is indicated. This allows the ESF systems to perform as expected in the accident analyses to mitigate the consequences of the analyzed accidents.

The Containment Pressure-High trip setpoint is the same in the SIAS (Function 1) and CIS (Function 3), and is a different setpoint for CSAS (Function 2). However, different logic is used in each of these Functions.

4. SGIS The SGIS is required to be OPERABLE in MODEs 1, 2, and 3 except when all associated valves are closed and de-activated. De-activated means valve operating power is removed.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-9 Revision 2

ESFAS Instrumentation B 3.3.4 BASES

a. Steam Generator Pressure-Low Trip This LCO requires four sensor channels of SGIS Steam Generator Pressure-Low trip for each steam generator to be OPERABLE in MODEs 1, 2, and 3.

The Allowable Value is set below the full load operating value for steam pressure so as not to interfere with normal plant operation. However, the setting is high enough to provide the required protection for excessive steam demand. An excessive steam demand causes the RCS to cool down, resulting in a positive reactivity addition to the core. An SGIS is required to prevent the excessive cooldown.

This Function may be manually blocked when steam generator pressure is reduced during controlled plant cooldowns. The block is permitted below 785 psia, and block permissive responses are annunciated in the Control Room. This allows a controlled depressurization of the secondary system, while maintaining administrative control of ESF protection. From a blocked condition, the block will be removed automatically as steam generator pressure increases above 785 psia, as sensed by two of the four sensor channels, in accordance with the block philosophy of removing blocks when the enabling conditions are no longer satisfied.

This LCO requires four channels per steam generator of the automatic block removal for SGIS Steam Generator Pressure-Low trip to be OPERABLE in MODEs 1, 2, and 3.

The automatic block removal features consist of four sensor channels and two actuation logic channels. This LCO applies to failures in the four sensor channels, including measurement channels and sensor block modules. Failures in the actuation logic channels, including the manual CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-10 Revision 2

ESFAS Instrumentation B 3.3.4 BASES bypass key switches, are considered actuation logic failures and are addressed in LCO 3.3.5.

This LCO applies to the automatic block removal feature only. If the block enable Function is failed so as to prevent entering a block condition, operation may continue.

The block permissive is set low enough so as not to be enabled during normal plant operation, but high enough to allow blocking prior to reaching the trip setpoint.

5. RAS for the Containment Sump
a. RWT Level-Low Trip This LCO requires four sensor channels of RWT Level-Low trip to be OPERABLE in MODEs 1, 2, and 3. The signal provided is a level indication from a level switch, not an analog signal.

The upper limit on the Allowable Value for this trip is set low enough to ensure RAS does not actuate before sufficient water is transferred to the containment sump. Premature recirculation could impair the reactivity control Function of safety injection by limiting the amount of boron injection. Premature recirculation could also damage or disable the recirculation system if recirculation begins before the sump has enough water to prevent air entrainment in the suction.

The lower limit on the RWT Level-Low trip Allowable Value is high enough to transfer suction to the containment sump prior to emptying the RWT.

6. AFAS Signal The AFAS logic actuates AFW to a steam generator on low level in that generator unless it has been identified as being ruptured.

A low level in either generator, as sensed by a two-out-of-four coincidence of four wide range sensors for any generator, will generate an AFAS start signal, CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-11 Revision 2

ESFAS Instrumentation B 3.3.4 BASES which starts both trains of AFW pumps, operates other equipment, and feeds both steam generators. The AFAS also monitors the secondary differential pressure in both steam generators and actuates an AFAS block signal to a ruptured generator, if the pressure in that generator is lower than that in the other generator by the differential pressure setpoint.

a. Steam Generator 1/2 Level-Low Trip This LCO requires four sensor channels for each steam generator of Steam Generator Level-Low trip to be OPERABLE in MODEs 1, 2, and 3.

The Allowable Value ensures adequate time exists to initiate AFW, while the steam generators can function as a heat sink.

b. Steam Generator Pressure Difference-High Trip (SG-1 > SG-2) or (SG-1 > SG-2)

This LCO requires four sensor channels per steam generator of Steam Generator Pressure Difference-High trip to be OPERABLE in MODEs 1, 2, and 3.

The Allowable Value for this trip is high enough to allow for small pressure differences and normal instrumentation errors between the steam generator channels during normal operation without an actuation. The setting is low enough to detect and block feeding of a ruptured steam generator in the event of an MSLB or FWLB, while permitting the feeding of the intact steam generator.

APPLICABILITY All ESFAS Functions are required to be OPERABLE in MODEs 1, 2, and 3. In MODEs 1, 2, and 3, there is sufficient energy in the primary and secondary systems to warrant automatic ESF system responses to:

  • Close the MSIVs to preclude a positive reactivity addition;

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-12 Revision 2

ESFAS Instrumentation B 3.3.4 BASES

  • Actuate ESF systems to prevent or limit the release of fission product radioactivity to the environment by isolating Containment and limiting the containment pressure from exceeding the containment design pressure during a design basis LOCA or other DBAs; and
  • Actuate ESF systems to ensure sufficient borated inventory to permit adequate core cooling and reactivity control during a design basis LOCA or other DBAs.

In MODEs 4, 5, and 6, automatic actuation of ESFAS Functions is not required because adequate time is available for plant operators to evaluate plant conditions and respond by manually operating the ESF components, if required, as addressed by LCO 3.3.5. In LCO 3.3.5, manual capability is required for Functions other than AFAS in MODE 4, even though automatic actuation is not required. Because of the large number of components actuated on each ESFAS, actuation is simplified by the use of the manual actuation push buttons. Manual start of AFAS is not required in MODE 4 because AFW or shutdown cooling will already be in operation or available in this MODE.

The ESFAS actuation logic must be OPERABLE in the same MODEs as the automatic and manual actuation. In MODE 4, only the portion of the ESFAS logic responsible for the required manual actuation must be OPERABLE.

In MODEs 5 and 6, ESFAS actuated systems are either reconfigured or disabled for shutdown cooling operation.

Accidents in these MODEs are slow to develop and would be mitigated by manual operation of individual components.

The most common cause of sensor channel inoperability is outright failure or drift of the sensor module or measurement channel sufficient to exceed the tolerance allowed by Reference 5.

Typically, the drift is small which, at worst, results in a delay of actuation rather than a total loss of Function.

Determination of setpoint drift is generally made during the performance of a CHANNEL CALIBRATION when the process CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-13 Revision 2

ESFAS Instrumentation B 3.3.4 BASES instrument is set up for adjustment to bring it to within specification. Sensor drift could also be identified during the CHANNEL CHECKS. CHANNEL FUNCTIONAL TESTS identify sensor module drift. If the actual trip setpoint is not within the Allowable Value in Table 3.3.4-1, the sensor channel is inoperable and the appropriate Condition(s) are entered.

In the event that either a sensor channel's trip setpoint is found nonconservative with respect to the Allowable Value in Table 3.3.4-1, or the sensor, instrument loop, signal processing electronics, ESFAS sensor module or applicable automatic block removal feature when block is in effect is found inoperable, all affected Functions provided by that sensor channel must be declared inoperable and the plant must enter the Condition statement for the particular protection Function affected.

When the number of inoperable sensor channels in an ESFAS Function exceeds those specified in any related Condition associated with the same ESFAS Function, the plant is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.

A Note has been added to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Function in Table 3.3.4-1. Completion Times for the inoperable channel of a Function will be tracked separately.

A.1, A.2.1, and A.2.2 Condition A applies to the failure of a single channel (measurement channel or sensor module) of one or more input parameters in the following ESFAS Functions:

1. SIAS Containment Pressure-High Trip Pressurizer Pressure-Low Trip
2. CSAS Containment Pressure-High Trip CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-14 Revision 2

ESFAS Instrumentation B 3.3.4 BASES

3. CIS Containment Pressure-High Trip
4. SGIS Steam Generator Pressure-Low Trip
5. RAS for the Containment Sump RWT Level-Low Trip
6. AFAS Signal Steam Generator Level-Low Trip Steam Generator Pressure Difference-High Trip Engineered Safety Features Actuation System coincidence logic is normally two-out-of-four. If one ESFAS sensor channel is inoperable, startup or power operation is allowed to continue as long as action is taken to restore the design level of redundancy.

If one ESFAS sensor channel is inoperable, startup or power operation is allowed to continue, providing the inoperable channel is placed in bypass or trip within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (Required Action A.1).

The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> allotted to bypass or trip the sensor channel is sufficient to allow the operator to take all appropriate actions for the failed channel, and still ensures that the risk involved in operating with the failed channel is acceptable.

One failed sensor channel is restored to OPERABLE status or is placed in trip within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> (Required Action A.2.1 or A.2.2). Required Action A.2.1 restores the full capability of the function. Required Action A.2.2 places the function in a one-out-of-three configuration. In this configuration, common cause failure of the dependent channel cannot prevent ESFAS actuation. The 48-hour Completion Time is based upon operating experience, which has demonstrated that a random failure of a second channel occurring during the 48-hour period is a low probability event.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-15 Revision 2

ESFAS Instrumentation B 3.3.4 BASES B.1 and B.2 Condition B applies to the failure of two sensor channels in any of the following ESFAS functions:

1. SIAS Containment Pressure-High Trip Pressurizer Pressure-Low Trip
2. CSAS Containment Pressure-High Trip
3. CIS Containment Pressure-High Trip
4. SGIS Steam Generator Pressure-Low Trip
5. RAS for the Containment Sump RWT Level-Low Trip
6. AFAS Signal Steam Generator Level-Low Trip Steam Generator Pressure Difference-High Trip With two inoperable sensor channels, one channel should be placed in bypass, and the other channel should be placed in trip within the 1-hour Completion Time. With one channel of protective instrumentation bypassed, the ESFAS Function is in two-out-of-three logic; but with another channel failed, the ESFAS may be operating with a two-out-of-two logic.

This is outside the assumptions made in the analyses and should be corrected. To correct the problem, the second channel is placed in trip. This places the ESFAS in a one-out-of-two logic. If any of the other OPERABLE channels receive a trip signal, ESFAS actuation will occur.

One of the failed sensor channels should be restored to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. After one channel is restored to OPERABLE status, the provisions of Condition A still apply to the remaining inoperable channel. Therefore, CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-16 Revision 2

ESFAS Instrumentation B 3.3.4 BASES the channel that is still inoperable after completion of Required Action B.2 must be placed in trip if more than 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> has elapsed since the initial channel failure.

C.1 and C.2 Condition C applies to the failure of one automatic block removal feature when the block is in effect.

The automatic block removal features are incorporated into the four sensor block modules (per steam generator for SGIS) and two block logic modules. Condition C applies to failures in the automatic block removal feature of one of the four sensor block modules. Failures in the block logic modules, including the block logic manual bypass key switches, are considered actuation logic failures and are addressed in LCO 3.3.5.

In Condition C, it is permissible to continue operation with the automatic block removal feature in one sensor block module failed, providing the sensor block module is disabled (Required Action C.1). This can be accomplished by adjusting the sensor block module setpoint, which disables the sensor block modules to both block logic modules.

Therefore, a block permissive signal is not produced by the sensor block module.

Placing a sensor module in bypass defeats the block permissive input in one of the four channels to the two-out-of-four block removal logic, placing the automatic block removal feature in one-out-of-three logic. Thus, any of the remaining three channels is capable of removing the block feature when the block enable conditions are no longer valid.

In this configuration, common cause failure of the dependent channel cannot prevent block removal.

D.1, D.2.1, and D.2.2 Condition D applies to two inoperable automatic block removal features. The automatic block removal features consist of four sensor block modules (per steam generator for SGIS) and two actuation logic channels. This Condition CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-17 Revision 26

ESFAS Instrumentation B 3.3.4 BASES applies to failures in two of the four sensor block modules.

With two of the four sensor block modules failed in a nonconservative direction (enabling the block feature), the automatic block removal feature is in two-out-of-two logic.

Failures in the actuation logic channels, including the manual bypass key switches, are considered actuation logic failures and are addressed in LCO 3.3.5.

In Condition D, it is permissible to continue operation with two automatic block removal features failed, providing the sensor block modules are disabled in a similar manner as discussed for Condition C.

If the failed sensor block modules cannot be disabled, actions to address the inoperability of the affected sensor block modules must be taken. Required Action D.2.1 and Required Action D.2.2 are equivalent to the Required Actions for a two sensor channel failure (Condition B). Also similar to Condition B, after one inoperable sensor block module is restored, the provisions of Condition C still apply to the remaining inoperable automatic block removal feature, with the Completion Time measured from the point of the initial bypass channel failure. The 1-hour Completion Time minimizes the time that the plant is in two-out-of-two logic. The 48-hour Completion Time limits the time the plant is in one-out-of-two logic. Limits on the time in these logic conditions are similar to those found in Action B.

E.1 and E.2 If the Required Actions and associated Completion Times of Condition A, B, C, or D are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-18 Revision 26

ESFAS Instrumentation B 3.3.4 BASES SURVEILLANCE The SRs for any particular ESFAS Function are found in the REQUIREMENTS SRs column of Table 3.3.4-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, CHANNEL CALIBRATION, and response time testing.

SR 3.3.4.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one sensor channel to a similar parameter on other sensor channels. It is based on the assumption that sensor channels monitoring the same parameter should read approximately the same value. Significant deviations between sensor channels could be an indication of excessive sensor channel drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a qualitative assessment of the sensor channel, which considers sensor channel uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If the channels are normally off-scale during times when surveillance testing is required, the CHANNEL CHECK will only verify that they are off-scale in the same direction. Off-scale low current loop channels are verified to be reading at the bottom of the range and not failed down-scale.

The Frequency of about once every shift is based on operating experience that demonstrates sensor channel failure is rare. Since the probability of two random failures in redundant channels in any 12-hour period is extremely low, the CHANNEL CHECK minimizes the chance of loss of ESFAS Function due to failure of redundant channels.

The CHANNEL CHECK supplements less formal, but more frequent, checks of the channel during normal operational use of displays.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-19 Revision 26

ESFAS Instrumentation B 3.3.4 BASES SR 3.3.4.2 A CHANNEL FUNCTIONAL TEST is performed every 92 days to ensure the entire sensor channel will perform its intended function when needed.

The CHANNEL FUNCTIONAL TEST tests the individual sensor channels using an analog or level switch test input to each bistable.

A test signal is substituted for the input in one sensor channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. Any setpoint adjustment shall be consistent with the assumptions of the Reference 5.

SR 3.3.4.3 Surveillance Requirement 3.3.4.3 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.4.2, except 3.3.4.3 is performed every 24 months and is only applicable to automatic block removal features of the sensor block modules. These include the Pressurizer Pressure-Low trip block and the SGIS Steam Generator Pressure-Low trip block.

The CHANNEL FUNCTIONAL TEST for proper operation of the automatic block removal features is critical during plant heatups because the blocks may be in place prior to entering MODE 3, but must be removed at the appropriate points during plant startup to enable the ESFAS Function. A 24-month SR Frequency is adequate to ensure proper automatic block removal module operation as described in Reference 3. Once the blocks are removed, the blocks must not fail in such a way that the associated ESFAS Function is inappropriately blocked. This feature is verified by the appropriate ESFAS Function CHANNEL FUNCTIONAL TEST.

The 24-month SR Frequency is adequate to ensure proper automatic block removal feature operation as described in Reference 3.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-20 Revision 26

ESFAS Instrumentation B 3.3.4 BASES SR 3.3.4.4 CHANNEL CALIBRATION is a check of the sensor channel, including the automatic block removal feature of the sensor block module and the sensor. The SR verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for sensor channel drift between successive calibrations to ensure that the channel remains operational between successive surveillance tests.

CHANNEL CALIBRATIONS must be performed consistent with Reference 5.

The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the extension analysis. The requirements for this review are outlined in Reference 6.

The Frequency is based upon the assumption of a 24-month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.4.5 This SR ensures that the train actuation response times are the maximum values assumed in the safety analyses.

Individual component response times are not modeled in the analyses. The analysis models the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the equipment in both trains reaches the required functional state (e.g., pumps are rated discharge pressure, valves in full open or closed position). Response time testing acceptance criteria are included in Reference 1, Section 7.3. The test may be performed in one measurement or in overlapping segments, which verification that all components are measured.

Response time may be verified by any series of sequential, overlapping or total channel measurements, including allocated sensor response time, such that the response time is verified. Allocations for sensor response times may be obtained from records of test results, vendor test data, or vendor engineering specifications. Reference 7 provides the CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-21 Revision 26

ESFAS Instrumentation B 3.3.4 BASES basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the reference.

Response time verification for other sensor types must be demonstrated by test. The allocation of sensor response times must be verified prior to placing a new component in operation and reverified after maintenance that may adversely affect the sensor response time.

Instrument loop or test cables and wiring add an insignificant response time and can be ignored.

Engineered Safety Feature Response Time tests are conducted on a STAGGERED TEST BASIS of once every 24 months. This results in the interval between successive tests of a given channel of n x 24 months, where n is the number of channels in the Function. Surveillance of the final actuation devices, which make up the bulk of the response time, is included in the testing of each channel. Therefore, staggered testing results in Response Time verification of these devices every 24 months. The 24-month STAGGERED TEST BASIS Frequency is based upon plant operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

REFERENCES 1. UFSAR

2. IEEE No. 279, "Proposed IEEE Criteria for Nuclear Power Plant Protection Systems," August 1968
3. Letter from Mr. R. E. Denton (BGE) to NRC Document Control Desk, dated June 5, 1995, Response to NRC Request for Review & Comment on Review of Preliminary Accident Precursor Analysis of Trip; Loss of 13.8 kV Bus; Short-Term Saltwater Cooling System Unavailability, CCNPP Unit 2
4. 10 CFR 50.49, Environmental Qualification of Electric Equipment Important to Safety for Nuclear Power Plants
5. CCNPP Setpoint File
6. Calvert Cliffs Procedure EN-4-104, Surveillance Testing CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-22 Revision 26

ESFAS Instrumentation B 3.3.4 BASES

7. Combustion Engineering Owners Group Topical Report CE NPSD 1167-A, Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements, July 3, 2000 CALVERT CLIFFS - UNITS 1 & 2 B 3.3.4-23 Revision 26

ESFAS Logic and Manual Actuation B 3.3.5 B 3.3 INSTRUMENTATION B 3.3.5 Engineered Safety Features Actuation System (ESFAS) Logic and Manual Actuation BASES BACKGROUND The ESFAS initiates necessary safety systems, based upon the values of selected unit parameters to mitigate accidents in order to protect the public and plant personnel from the accidental release of radioactive fission products.

The ESFAS contains devices and circuitry that generate the following signals when the monitored variables reach levels that are indicative of conditions requiring protective action:

1. SIAS;
2. CSAS;
3. CIS;
4. SGIS;
5. RAS for the Containment Sump; and
6. AFAS.

Equipment actuated by each of the above signals is identified in Reference 1.

Each of the above ESFAS actuation systems is segmented into four sensor channels addressed by LCO 3.3.4 and two actuation subsystems addressed by this LCO. Each sensor subsystem includes measurement channels and bistables (sensor modules). The SIAS actuation logic channels include two sets of logic circuitry (actuation logic modules) and actuation relay equipment. The actuation logic channels actuate ESFAS equipment trains that are sequentially loaded on the DGs.

Each of the four sensor modules monitors redundant and independent process measurement channels. Each sensor is monitored by at least one bistable. The bistable associated with each ESFAS sensor channel will trip when the monitored variable exceeds the trip setpoint. When tripped, the sensor channels provide outputs to the two actuation logic channels.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-1 Revision 2

ESFAS Logic and Manual Actuation B 3.3.5 BASES The two independent actuation logic channels each compare the four associated sensor channel outputs. If a trip occurs in two or more sensor channels, the two-out-of-four logic in each actuation logic channel will actuate the associated train of ESFAS. Each has sufficient equipment to provide protection to the public in the case of a DBA. The sensor logic channel is addressed in LCO 3.3.4. This LCO addresses the actuation logic channel.

Each of the four sensor channels is mounted in a separate cabinet, excluding the sensors and field wiring.

The role of the sensor channel (measurement channels and sensor module) and sensor block module is discussed in LCO 3.3.4. That of the actuation logic channel is discussed below.

ESFAS Logic The two independent actuation logic channels compare the four sensor channel outputs. If a trip occurs in the same parameter in two or more sensor channels, the two-out-of-four logic in each actuation logic channel initiates one train of ESFAS. Either train actuates sufficient redundant and independent equipment.

Each actuation logic channel is housed in two cabinets. One cabinet contains the logic circuitry (actuation logic modules) for the actuation logic channel, while the other cabinet contains the actuation relay equipment. This actuation relay equipment includes the actuation relays that actuate the ESFAS equipment in response to a signal from the actuation logic channels.

It is possible to change the two-out-of-four ESFAS logic to a two-out-of-three logic for a given input parameter in one sensor channel at a time by blocking one channel input to the logic. Thus, the actuation logic modules will function normally, producing normal trip indication and annunciation, but ESFAS actuation will not occur since the blocked channel is effectively removed from the coincidence logic.

Maintenance bypassing can be simultaneously performed on any CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-2 Revision 2

ESFAS Logic and Manual Actuation B 3.3.5 BASES number of parameters in any number of Functions, providing each parameter is bypassed in only one sensor channel per Function at a time.

Maintenance bypassing is normally employed during maintenance or testing.

In addition to the maintenance bypasses, there are operating bypasses (blocks) on the Pressurizer Pressure-Low trip input to the SIAS and on the Steam Generator Pressure-Low trip input to the SGIS when these inputs are no longer required for protection. These blocks are enabled manually when the enabling conditions are satisfied in three of the four sensor block modules. The block circuitry employs four sensor block modules, sensing pressurizer pressure (for the SIAS) and steam generator pressure (for the SGIS). These sensor block modules provide contact output to the three-out-of-four logic in the two block logic modules.

When the logic is satisfied, manual blocking is permitted.

There are two manual block controls for each Function, one per actuation logic channel.

The block logic modules provide one of the signals to a logic circuit that senses the actuation logic output and the output from the block logic module. When block logic is met, and the block is manually enabled, the logic circuit receiving signals from both logic sources prevents an actuation signal from being sent to the ESFAS equipment.

All blocks are automatically removed when enabling block conditions are no longer satisfied.

Manual ESFAS actuation capability is provided to permit the operator to manually actuate an ESF system when necessary.

Two push buttons are provided in the Control Room for each ESFAS Function, except SGIS and AFAS. Manual AFAS start capability is provided in the Control Room. Steam generator isolation signal manual actuation requires operation of MSIV handswitches and feedwater header isolation handswitches.

Each push button actuates one equipment train via the ESFAS logic.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-3 Revision 2

ESFAS Logic and Manual Actuation B 3.3.5 BASES The actuation logic is tested by inserting a local test signal. A coincidence logic trip will occur if there is the simultaneous presence of a sensor channel trip, either legitimate or due to testing, and block logic allows. The automatic block removal feature of block logic modules is tested with the actuation logic modules. Most ESFAS Functions employ several separate parallel two-out-of-four actuation logic module subchannels, with each subchannel actuating a subset of the ESFAS equipment associated with that Function. Each of these subchannels can be tested individually so that simultaneous actuation of an entire train can be avoided during testing.

Except in the case of actuation subchannels SIAS Nos. 5 and 10, CIS No. 5, CSAS No. 3, and SGIS No. 1, all actuation logic channels can be tested at power. The above designated subchannels must be tested when shut down because they actuate the following equipment, which cannot be actuated at power:

  • Volume control tank discharge valves;
  • Letdown stop valves;
  • Component cooling to RCPs;
  • Component Cooling from RCPs;
  • Instrument air containment isolation valves (CIVs);
  • Heater drain pumps;
  • Condensate Booster Pumps.

APPLICABLE Most of the analyzed accidents can be detected by one or SAFETY ANALYSES more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS Function may be the primary actuation signal for more than one type of accident. An ESFAS Function may also be a CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-4 Revision 2

ESFAS Logic and Manual Actuation B 3.3.5 BASES secondary or backup actuation signal for one or more other accidents. Functions such as manual actuation, not specifically credited in the accident analysis, serve as backups to Functions and are part of the NRC staff-approved licensing basis for the plant.

Engineered Safety Features Actuation System protective Functions are as follows:

1. SIAS The SIAS ensures acceptable consequences during LOCA events, including steam generator tube rupture, and other DBAs. To provide the required protection, either a high containment pressure or a low pressurizer pressure signal will actuate SIAS. Safety injection actuation signal actuates the Emergency Core Cooling System (ECCS) and performs several other Functions, such as starting the DGs.
2. CSAS The CSAS actuates containment spray, preventing containment overpressurization during a LOCA or MSLB.

Both a high containment pressure signal and a SIAS have to actuate to provide the required protection. This configuration reduces the likelihood of inadvertent containment spray.

3. CIS The CIS actuates the Containment Isolation System, ensuring acceptable consequences during LOCAs and other DBAs (inside Containment). A high containment pressure signal will actuate CIS.
4. SGIS The SGIS ensures acceptable consequences during an excessive loss of steam from the Main Steam System by isolating both steam generators if either generator indicates a low steam generator pressure. The SGIS, concurrent with or following a reactor trip, minimizes the rate of heat extraction and subsequent cooldown of the RCS during these events.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-5 Revision 2

ESFAS Logic and Manual Actuation B 3.3.5 BASES

5. RAS At the end of the injection phase of a LOCA, the refueling water tank (RWT) will be nearly empty.

Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump. Switchover from RWT to containment sump must occur before the RWT empties to prevent damage to the ECCS pumps and a loss of core cooling capability. For similar reasons, switchover must not occur before there is sufficient water in the containment sump to support pump suction. Furthermore, early switchover must not occur so sufficient borated water is injected from the RWT to ensure the reactor remains shut down in the recirculation mode. An RWT Level-Low trip signal generated by a level switch actuates the RAS.

6. AFAS Signal An AFAS signal actuates feedwater flow to both steam generators if a low level is indicated in either steam generator, unless the generator is ruptured.

The AFAS maintains a steam generator heat sink during the following events:

  • FWLB; and

A low steam generator water level signal will actuate auxiliary feed to both steam generators.

Secondary steam generator (SG) differential pressure, (SG-1 > SG-2) or (SG-2 > SG-1), blocks auxiliary feed to a ruptured steam generator. This input to the AFAS logic prevents loss of the intact generator while preventing feeding a ruptured generator during MSLBs and FWLBs. This prevents containment overpressurization and/or excessive RCS cooldown during these events.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-6 Revision 2

ESFAS Logic and Manual Actuation B 3.3.5 BASES The ESFAS satisfies 10 CFR 50.36(c)(2)(ii),

Criterion 3.

LCO The LCO requires that all components necessary to provide an ESFAS actuation be OPERABLE.

Actions allow maintenance bypass of individual sensor channels. Plants are in a maintenance bypass condition before either restoring the Function to four channel operation (two-out-of-four logic) or placing the channel in trip (one-out-of-three logic).

The Bases for the LCO on ESFAS automatic actuation Functions are addressed in the Bases for LCO 3.3.4. Those associated with the manual actuation or actuation logic are addressed below.

1. SIAS
a. Manual Actuation This LCO requires two channels of SIAS manual actuation to be OPERABLE in MODEs 1, 2, 3, and 4.
b. Actuation Logic This LCO requires two channels of SIAS actuation logic to be OPERABLE in MODEs 1, 2, and 3.

Failures in the actuation logic channels, including the manual bypass key switches, are actuation logic failures and are addressed in this LCO.

Actuation logic consists of all circuitry housed within the actuation logic channels, including the actuating relay contacts responsible for actuating the ESF equipment.

2. CSAS The CSAS is actuated either manually or automatically.

It is also necessary to have an automatic or manual SIAS for a complete actuation. The CSAS opens the containment spray valves, whereas the SIAS actuates CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-7 Revision 2

ESFAS Logic and Manual Actuation B 3.3.5 BASES other required components. The SIAS requirement should always be satisfied on a legitimate CSAS, since the Containment Pressure-High trip analytical setpoint used in the SIAS is the same analytical setpoint used in the CSAS. The transmitters used to actuate CSAS are independent of those used in the SIAS to prevent inadvertent containment spray due to failures in two sensor channels.

a. Manual Actuation This LCO requires two channels of CSAS manual actuation to be OPERABLE in MODEs 1, 2, 3, and 4.
b. Actuation Logic This LCO requires two channels of CSAS actuation logic to be OPERABLE in MODEs 1, 2, and 3.

Actuation logic consists of all circuitry housed within the actuation logic channels, including the actuating relay contacts responsible for actuating the ESF equipment.

3. CIS
a. Manual Actuation This LCO requires two channels of CIS manual actuation to be OPERABLE in MODEs 1, 2, 3, and 4.
b. Actuation Logic This LCO requires two channels of actuation logic for CIS to be OPERABLE in MODEs 1, 2, and 3.

Actuation logic consists of all circuitry housed within the actuation logic channels, including the actuating relay contacts responsible for actuating the ESF equipment.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-8 Revision 2

ESFAS Logic and Manual Actuation B 3.3.5 BASES

4. SGIS
a. Manual Actuation This LCO requires one channel per MSIV of the SGIS manual actuation to be OPERABLE in MODEs 1, 2, 3, and 4.
b. Actuation Logic This LCO requires two channels of SGIS actuation logic to be OPERABLE in MODEs 1, 2, and 3.

Failures in the actuation logic channels, including the manual bypass key switches, are considered actuation logic failures and are addressed in the logic LCO.

5. RAS
a. Manual Actuation This LCO requires two channels of RAS manual actuation to be OPERABLE in MODEs 1, 2, 3, and 4.
b. Actuation Logic This LCO requires two channels of RAS actuation logic to be OPERABLE in MODEs 1, 2, and 3.
6. AFAS Signal A low level in either generator, as sensed by a two-out-of-four coincidence of four wide range sensors for each generator, will generate an AFAS signal, which starts both trains of AFW pumps and feeds both steam generators. The AFAS also monitors the secondary differential pressure in both steam generators and actuates an AFAS block signal to a ruptured generator if the pressure in that generator is lower than the other generator by the differential pressure setpoint (Reference 2).
a. Manual Actuation This LCO requires two channels of AFAS manual actuation start to be OPERABLE in MODEs 1, 2, and 3.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-9 Revision 2

ESFAS Logic and Manual Actuation B 3.3.5 BASES

b. Actuation Logic This LCO requires two channels of AFAS actuation logic to be OPERABLE in MODEs 1, 2, and 3.

Actuation logic consists of all circuitry housed within the actuation logic channels, including the actuating relay contacts responsible for actuating the ESF equipment.

APPLICABILITY All ESFAS Functions are required to be OPERABLE in MODEs 1, 2, and 3. In MODEs 1, 2, and 3, there is sufficient energy in the primary and secondary systems to warrant automatic ESF system responses to:

  • Close the MSIVs to limit a positive reactivity addition;
  • Actuate ESF systems to prevent or limit the release of fission product radioactivity to the environment by isolating Containment and limiting the containment pressure from exceeding the containment design pressure during a design basis LOCA or other DBAs; and
  • Actuate ESF systems to ensure sufficient borated inventory to permit adequate core cooling and reactivity control during a design basis LOCA or MSLB accident.

In MODEs 4, 5, and 6, automatic actuation of ESFAS Functions is not required, because adequate time is available for plant operators to evaluate plant conditions and respond by manually operating the ESF components if required.

Engineered Safety Features Actuation System manual actuation capability is required for Functions other than AFAS in MODE 4, even though automatic actuation is not required.

Because of the large number of components actuated on each ESFAS, actuation is simplified by the use of the manual actuation push buttons. Manual actuation of AFAS is not required in MODE 4 because AFW or shutdown cooling will already be in operation or available.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-10 Revision 2

ESFAS Logic and Manual Actuation B 3.3.5 BASES The ESFAS actuation logic must be OPERABLE in the same MODEs as the automatic and manual actuations. In MODE 4, only the portion of the ESFAS logic responsible for the required manual actuation must be OPERABLE.

In MODEs 5 and 6, ESFAS actuated systems are either reconfigured or disabled for shutdown cooling operation.

Accidents in these MODEs are slow to develop and would be mitigated by manual operation of individual components.

ACTIONS When the number of inoperable actuation logic or manual actuation channels in an ESFAS Function exceeds those specified in any related Condition associated with the same ESFAS Function, the plant is outside the safety analysis.

Therefore, LCO 3.0.3 should be immediately entered.

A Note has been added to the ACTIONS to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Function in Table 3.3.5-1 in the LCO. Completion Times for the inoperable actuation logic channel of a Function will be tracked separately.

A.1 Condition A applies to one AFAS manual actuation or AFAS actuation logic channel inoperable. It is identical to Condition C for the other ESFAS Functions, except for the shutdown track imposed by Condition D.

The channel must be restored to OPERABLE status to restore redundancy of the AFAS Function. The 48-hour Completion Time is commensurate with the importance of avoiding the vulnerability of a single failure in the only remaining OPERABLE channel.

B.1 and B.2 If the Required Action and associated Completion Time of Condition A cannot be met, the reactor should be brought to a mode in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-11 Revision 2

ESFAS Logic and Manual Actuation B 3.3.5 BASES Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

C.1 Condition C applies to one manual actuation or actuation logic channel inoperable for those ESFAS Functions that must be OPERABLE in MODEs 1, 2, 3, and 4 (manual actuation) or MODEs 1, 2, and 3 (actuation logic channel). Actuation logic includes the block logic modules when the affected block is in effect. The shutdown track imposed by Condition D or E requires entry into MODE 4 or 5, respectively, where the LCO does not apply to the affected Functions.

The channel must be restored to OPERABLE status to restore redundancy of the affected Functions. The 48-hour Completion Time is commensurate with the importance of avoiding the vulnerability of a single failure in the only remaining OPERABLE channel.

D.1 and D.2 Condition D is entered when the Required Action and associated Completion Time of Condition C are not met for one manual actuation channel. If Required Action C.1 for one manual actuation channel cannot be met within the required Completion Time, the plant must be brought to a mode in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

E.1 and E.2 Condition E is entered when the Required Action and associated Completion Time of Condition C are not met for one actuation logic channel. If Required Action C.1 for one actuation logic channel cannot be met within the required Completion Time, the plant must be brought to a MODE in CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-12 Revision 2

ESFAS Logic and Manual Actuation B 3.3.5 BASES which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.3.5.1 REQUIREMENTS A CHANNEL FUNCTIONAL TEST is performed every 92 days to ensure the entire actuation logic channel will perform its intended function when needed. Sensor channel tests are addressed in LCO 3.3.4. This SR addresses actuation logic tests.

Actuation Logic Tests Actuation logic channel testing includes injecting one actuation signal into each two-out-of-four logic actuation modules in each ESFAS Function, and using a bistable trip input to satisfy the actuation logic. Testing includes block logic modules.

Note 1 requires that actuation logic tests include operation of actuation relays. Note 2 allows deferred at power testing of certain subchannel relays to allow for the fact that operating certain relays during power operation could cause plant transients or equipment damage. Those subchannel relays that cannot be tested at power must be tested in accordance with Note 2. These include SIAS No. 5, SIAS No. 10, CIS No. 5, SGIS No. 1, and CSAS No. 3.

These subchannel relays actuate the following components, which cannot be tested at power:

  • RCP seal bleedoff isolation valves;
  • Volume control tank discharge valves;
  • Letdown stop valves;
  • Component Cooling to and from the RCPs;
  • MSIVs and feedwater isolation valves; CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-13 Revision 2

ESFAS Logic and Manual Actuation B 3.3.5 BASES

  • Instrument air CIVs;
  • Heater drain pumps;
  • Condensate booster pumps.

The reasons each of the above cannot be fully tested at power are stated in Reference 1.

Actuation logic tests verify that the ESFAS is capable of performing its intended function, from bistable input through the actuated components.

The Frequency of 92 days is based on operating experience that has shown these components usually pass the surveillance test when performed at this Frequency.

SR 3.3.5.2 A CHANNEL FUNCTIONAL TEST is performed on the manual ESFAS actuation circuitry, de-energizing relays and providing manual actuation of the Function.

This surveillance test verifies that the actuation push buttons are capable of opening contacts in the actuation logic as designed, de-energizing the actuation relays and providing manual trip of the Function. The 24-month Frequency is based on the need to perform this surveillance test under the conditions that apply during a plant outage, and the potential for an unplanned transient if the test were to be performed with the reactor at power. Operating experience has shown these components usually pass the surveillance test when performed at a Frequency of once every 24 months.

REFERENCES 1. UFSAR, Section 7.3, "Engineered Safety Features Actuation Systems"

2. Letter from Mr. R. E. Denton (BGE) to NRC Document Control Desk, dated June 5, 1995, Response to NRC Request for Review & Comment on Review of Preliminary Accident Precursor Analysis of Trip; Loss of 13.8 kV Bus; Short-Term Saltwater Cooling System Unavailability, CCNPP Unit 2 CALVERT CLIFFS - UNITS 1 & 2 B 3.3.5-14 Revision 2

DG-LOVS B 3.3.6 B 3.3 INSTRUMENTATION B 3.3.6 Diesel Generator (DG)-Loss of Voltage Start (LOVS)

BASES BACKGROUND The DGs provide a source of emergency power, when offsite power is unavailable, to allow safe plant operation.

Undervoltage protection will generate a Loss of Voltage Start (LOVS) signal in the event a loss of voltage or degraded voltage condition occurs. There are three LOVS Functions; loss of voltage, transient degraded voltage, and steady state degraded voltage, for each 4.16 kV emergency bus.

Each of the redundant 4 kV emergency buses is equipped with two sets of two undervoltage relays. Each of the four redundant and independent undervoltage relays is comprised of three sensing elements. The first element of the four relays is set to provide a two-out-of-four undervoltage signal upon a loss of bus voltage. The second element of the four relays is set to provide a two-out-of-four transient undervoltage signal on 4 kV emergency bus undervoltage. The third element of the four relays provides a two-out-of-four steady state undervoltage signal on a sustained 4 kV emergency bus undervoltage condition.

Settings and Tolerances The settings and tolerances are based on the analytical limits presented in Reference 1. The selection of these settings is such that adequate protection is provided when all test equipment time delays are taken into account. The transient and steady state undervoltage setpoints ensure that the safety-related motors relied upon for accident mitigation are provided with a minimum of 75% and 90% of their rated voltage, respectively. The setting specified in SR 3.3.6.3 allows for calibration tolerances, potential transformer correction factors, test equipment uncertainties, and relay drift. A detailed description of the methodology used to calculate the settings is provided in Reference 2. The nominal setting accounts for factors described above, plus additional margin to the analytical limit. If the measured setting does not exceed the documented surveillance trip acceptance criteria, the undervoltage relay is considered OPERABLE.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.6-1 Revision 2

DG-LOVS B 3.3.6 BASES Settings will ensure that the consequences of accidents will be acceptable, providing the plant is operated from within the LCOs at the onset of the accident and the equipment functions as designed. A setting is the desired characteristic, obtained as a result of having set a device, stated in terms of calibration markings or of actual performance benchmarks, such as pickup current and operating time at a given value of input. The term setpoint applies to instruments, and since protective relays discussed here are not instruments as discussed in other LCOs, the term setpoint does not apply here.

The undervoltage detection scheme has been designed to sense a degraded (transient or steady state) or total loss of voltage at the 4 kV safety buses. The LOVS is sensed by 2-second delay bistables in the ESFAS undervoltage sensor logic module. A complete loss of offsite power will result in approximately a 2-second delay in LOVS actuation. The DG starts and is available to accept loads within a 10 second time interval after the ESFAS receives a LOVS. Emergency power is established within the maximum time delay assumed for each event analyzed in the accident analysis (Reference 1).

Sensor channels, measurement channels, sensor modules and actuation logic are described in the Background for B 3.3.4.

Since there are four protective channels in a two-out-of-four logic for each division of the 4.16 kV power system, no single failure will prevent protective system actuation. This arrangement meets Reference 3 criteria.

APPLICABLE The DG-LOVS is required for ESF systems to function in any SAFETY ANALYSES accident with a loss of offsite power. Its design basis is that of the ESFAS.

Accident analyses credit the loading of the DG based on a loss of offsite power during a LOCA. The actual DG start has historically been associated with the ESFAS actuation.

The diesel loading has been included in the delay time associated with each safety system component requiring DG-supplied power following a loss of offsite power. The analysis assumes a nonmechanistic DG loading, which does not CALVERT CLIFFS - UNITS 1 & 2 B 3.3.6-2 Revision 2

DG-LOVS B 3.3.6 BASES explicitly account for each individual component of the loss of power detection and subsequent actions. This delay time includes contributions from the DG start, DG loading, and Safety Injection System component actuation. The response of the DG to a loss of power must be demonstrated to fall within this analysis response time when including the contributions of all portions of the delay.

The required channels of LOVS, in conjunction with the ESF systems powered from the DGs, provide plant protection in the event of any of the analyzed accidents discussed in Reference 1, Chapter 8 in which a loss of offsite power is assumed. Loss of voltage start channels are required to meet the redundancy and testability requirements of Reference 1, Appendix 1C.

The delay times assumed in the safety analysis for the ESF equipment include the 10-second DG start delay and the appropriate sequencing delay, if applicable. The response times for ESFAS-actuated equipment include the appropriate DG loading and sequencing delay.

The DG-LOVS channels satisfy 10 CFR 50.36(c)(2)(ii),

Criterion 3.

LCO The LCO for the LOVS requires that four channels per bus of each LOVS instrumentation Function be OPERABLE in MODEs 1, 2, 3, and 4. The LOVS supports safety systems associated with the ESFAS.

Actions allow maintenance bypass of individual sensor channels. The plant is restricted to 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> in a maintenance bypass condition before either restoring the Function to four channel operation (two-out-of-four logic) or placing the channel in trip (one-out-of-three logic).

Loss of LOVS Function could result in the delay of safety system actuation when required. This could lead to unacceptable consequences during accidents. During the loss of offsite power, which is a AOO, the DG powers the motor-driven AFW pump. Failure of this pump to start would leave two turbine-driven pumps as well as an increased potential CALVERT CLIFFS - UNITS 1 & 2 B 3.3.6-3 Revision 2

DG-LOVS B 3.3.6 BASES for a loss of decay heat removal through the secondary system.

Only Allowable Values are specified for each Function in the LCO. Nominal trip settings are specified in the plant-specific procedures. The nominal settings are selected to ensure that the setting measured by CHANNEL FUNCTIONAL TESTS does not exceed the Allowable Value if the bistable is performing as required. Operation with a trip setting less conservative than the nominal trip setting, but within the Allowable Value, is acceptable, provided that operation and testing are consistent with the assumptions of the plant-specific setting calculation. A channel is inoperable if its actual trip setting is not within its required Allowable Value.

The Allowable Values and trip settings are established in order to start the DGs at the appropriate time, in response to plant conditions, in order to provide emergency power to start and supply the essential electrical loads necessary to safely shut down the plant and maintain it in a safe shutdown condition.

APPLICABILITY The DG-LOVS actuation Function is required in MODEs 1, 2, 3, and 4 because ESF Functions are designed to provide protection in these MODEs.

ACTIONS A LOVS sensor channel is inoperable when it does not satisfy the OPERABILITY criteria for the channel's Function. The most common cause of sensor channel inoperability is outright failure of the bistable (sensor module) or outright failure or drift of the measurement channel sufficient to exceed the tolerance allowed by the plant-specific setting analysis. Determination of setting drift is generally made during the performance of a CHANNEL CALIBRATION when the process instrument is set up for adjustment to bring it to within specification. CHANNEL FUNCTIONAL TESTS check that the sensor modules are functioning properly. If the actual trip setting is not within the Allowable Value or not functioning, the channel is inoperable and the appropriate Conditions must be entered.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.6-4 Revision 13

DG-LOVS B 3.3.6 BASES In the event a sensor channel's setting is found to be nonconservative with respect to the Allowable Value, or the channel is found to be inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition entered. The required channels are specified on a per DG basis.

When the number of inoperable channels in a Function exceeds those specified in any related Condition associated with the same Function, the plant is outside the safety analysis.

Therefore, LCO 3.0.3 should be entered immediately if applicable in the current MODE of operation.

A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this LCO may be entered independently for each Function.

The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function, starting from the time the Condition was entered for that Function.

A.1, A.2.1, and A.2.2 Condition A applies if one sensor channel is inoperable for one or more Functions per DG bus.

If the channel cannot be restored to OPERABLE status, the affected channel should either be bypassed or tripped within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (Required Action A.1).

Placing this channel in either Condition ensures that logic is in a known configuration. In trip, the LOVS logic is one-out-of-three. In bypass, the LOVS logic is two-out-of-three. The 1-hour Completion Time is sufficient to perform these Required Actions.

Once Required Action A.1 has been complied with, Required Action A.2.1 allows 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> to repair the inoperable sensor channel. If the channel cannot be restored to OPERABLE status, it must be tripped in accordance with Required Action A.2.2. The time allowed to repair or trip the channel is reasonable to repair the affected channel while ensuring that the risk involved in operating with the CALVERT CLIFFS - UNITS 1 & 2 B 3.3.6-5 Revision 2

DG-LOVS B 3.3.6 BASES inoperable channel is acceptable. The 48-hour Completion Time is based upon operating experience, which has demonstrated that a random failure of a second channel is a rare event during any given 48-hour period.

B.1, B.2.1, and B.2.2 Condition B applies if two sensor channels are inoperable for one or more Functions per DG.

Restoring at least one channel to OPERABLE status is the preferred action. If the channel cannot be restored to OPERABLE status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, the Conditions and Required Actions for the associated DG made inoperable by DG-LOVS instrumentation are required to be entered. Alternatively, one affected channel is required to be bypassed and the other is tripped, in accordance with Required Action B.2.1.

This places the Function in one-out-of-two logic. The 1-hour Completion Time is sufficient to perform the Required Actions.

Once Required Action B.2.1 has been complied with, Required Action B.2.2 allows 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> to repair the bypassed or inoperable channel.

After one channel is restored to OPERABLE status, the provisions of Condition A still apply to the remaining inoperable channel. Therefore, the channel that is still inoperable after completion of Required Action B.2.2 shall be placed in trip if more than 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> have elapsed since the initial channel failure.

C.1 Condition C applies when more than two undervoltage or degraded (transient or steady state) voltage sensor channels on a single bus are inoperable.

Required Action C.1 requires all but two channels to be restored to OPERABLE status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. With more than two channels inoperable, the logic is not capable of providing a DG-LOVS signal for valid loss of voltage or degraded voltage conditions. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is reasonable to evaluate and take action to correct the CALVERT CLIFFS - UNITS 1 & 2 B 3.3.6-6 Revision 26

DG-LOVS B 3.3.6 BASES degraded condition in an orderly manner and takes into account the low probability of an event requiring LOVS occurring during this interval.

D.1 Condition D applies if the Required Actions and associated Completion Times are not met.

Required Action D.1 ensures that Required Actions for the affected DG inoperabilities are initiated. The actions specified in LCO 3.8.1 are required immediately.

SURVEILLANCE The following SRs apply to each DG-LOVS Function.

REQUIREMENTS SR 3.3.6.1 A CHANNEL FUNCTIONAL TEST is performed every 92 days to ensure that the entire sensor channel will perform its intended function when needed.

The Frequency of 92 days is based on plant operating experience with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one sensor channel of a given function in any 92 day Frequency is a rare event. Any setting adjustment shall be consistent with the assumptions of the current plant specific setting analysis.

SR 3.3.6.2 Surveillance Requirement 3.3.6.2 is the performance of a CHANNEL CALIBRATION every 24 months. The CHANNEL CALIBRATION verifies the accuracy of each component within the sensor channel, except stepdown transformers, which are not calibrated. This includes calibration of the undervoltage relays and demonstrates that the equipment falls within the specified operating characteristics defined by the manufacturer.

The SR verifies that the sensor channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between CALVERT CLIFFS - UNITS 1 & 2 B 3.3.6-7 Revision 26

DG-LOVS B 3.3.6 BASES successive tests. CHANNEL CALIBRATIONS must be performed consistent with the plant-specific setting analysis.

The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the SR interval extension analysis. The requirements for this review are outlined in Reference 4.

The settings, as well as the response to Loss of Voltage and Degraded Voltage tests, shall include a single point verification that the trip occurs within the required delay time as shown in Reference 1, Section 7.3. The Frequency is based upon the assumption of a 24-month calibration interval for the determination of the magnitude of equipment drift in the plant setting analyses.

REFERENCES 1. UFSAR

2. CCNPP Setpoint File
3. IEEE No. 279, "Proposed IEEE Criteria for Nuclear Power Plant Protection Systems," August 1968
4. Calvert Cliffs Procedure EN-4-104, Surveillance Testing CALVERT CLIFFS - UNITS 1 & 2 B 3.3.6-8 Revision 26

CRS B 3.3.7 B 3.3 INSTRUMENTATION B 3.3.7 Containment Radiation Signal (CRS)

BASES BACKGROUND This LCO encompasses CRS actuation, which is a plant-specific instrumentation system that performs an actuation Function required to mitigate offsite dose, but is not otherwise included in LCO 3.3.5 or LCO 3.3.6. This is a non-Nuclear Steam Supply System ESFAS Function that, because of differences in purpose, design, and operating requirements, is not included in LCOs 3.3.5 and 3.3.6.

The CRS provides protection from radioactive contamination in the Containment in the event an irradiated fuel assembly should be severely damaged during handling.

The CRS will detect abnormal amounts of radioactive material in the Containment and will initiate purge valve closure to limit the release of radioactivity to the environment. The containment purge supply and exhaust valves are closed on a CRS when a high radiation level in Containment is detected.

The CRS includes two independent, redundant actuation logic channels. One actuation logic channel (A CRS Actuation Logic Channel) secures the containment purge exhaust fan and containment purge supply fan. This actuation logic channel also initiates isolation valve closure. A list of actuated valves and an additional description of the CRS are included in Reference 1, Section 7.3. Both trains of CRS are actuated on a two-out-of-four coincidence from the same four containment radiation sensor channels.

Trip Setpoints and Allowable Values Trip setpoints used in the sensor modules are based on the analytical limits stated in Reference 1, Chapter 14. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account in the respective analytical limits. To allow for calibration tolerances, instrumentation uncertainties, and sensor channel drift, sensor module trip setpoints are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is CALVERT CLIFFS - UNITS 1 & 2 B 3.3.7-1 Revision 19

CRS B 3.3.7 BASES provided in Reference 2. The actual nominal trip setpoint entered into the sensor module is more conservative than that specified by the Allowable Value. One example of such a change in measurement error is drift during the SR interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.

Sensor channels, measurement channels, sensor modules, and actuation logic are described in the Background for B 3.3.4.

Setpoints in accordance with the Allowable Value will help ensure that 10 CFR Part 100 exposure limits are not violated during a Fuel Handling Accident, providing the plant is operated from within the LCOs at the onset of the Fuel Handling Accident and the equipment functions as designed.

APPLICABLE The CRS satisfies the requirements of 10 CFR SAFETY ANALYSES 50.36(c)(2)(ii), Criterion 3.

LCO Only the Allowable Values are specified in the LCO.

Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable, provided that operation and testing are consistent with the assumptions of the plant-specific setpoint calculations.

Each nominal trip setpoint specified is more conservative than the analytical limit assumed in the Fuel Handling Accident analysis in order to account for instrument uncertainties appropriate to the actuation Function. These uncertainties are defined in Reference 2. A sensor channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

The Bases for the LCO on the CRS are discussed below for each Function:

a. Manual Actuation The LCO on manual actuation backs up the automatic actuations and ensures operators have the capability to rapidly initiate the CRS Function if any parameter is trending toward its setpoint. At least one channel CALVERT CLIFFS - UNITS 1 & 2 B 3.3.7-2 Revision 19

CRS B 3.3.7 BASES must be OPERABLE to be consistent with the requirements of LCO 3.9.3.

b. Containment Radiation-High Trip The LCO on the radiation sensor channels requires that all four be OPERABLE. The radiation sensor channels have a measurement range of 10 104 mr/hr.

The Containment Radiation-High trip setpoint is based on sensing radiation resulting from a fuel handling accident in order to prevent a release of radioactivity through the containment purge system.

c. Actuation Logic One channel of actuation logic must be OPERABLE to be consistent with the requirements of LCO 3.9.3. If one fails, it must be restored to OPERABLE status.

APPLICABILITY In MODE 5 or 6, the CRS isolation of containment purge valves is not required to be OPERABLE. However, during movement of irradiated fuel, there is the possibility of a Fuel Handling Accident requiring the CRS on high radiation in Containment. Accordingly, the CRS must be OPERABLE when moving any irradiated fuel in Containment when the containment purge valves are open.

In MODEs 1, 2, 3, and 4, the containment purge valves are sealed closed.

ACTIONS A CRS sensor channel is inoperable when it does not satisfy the OPERABILITY criteria for the channel's Function. The most common cause of channel inoperability is outright failure or drift of the sensor module or measurement channel sufficient to exceed the tolerance allowed by Reference 2.

Typically, the drift is not large, which at worst would result in a delay of actuation rather than a total loss of Function. This determination is generally made during the performance of a CHANNEL CALIBRATION when the process instrument is set up for adjustment to bring it within specification. Sensor drift could also be identified during CHANNEL CHECKS. CHANNEL FUNCTIONAL TESTS identify sensor module drift. If the actual trip setpoint is not within the CALVERT CLIFFS - UNITS 1 & 2 B 3.3.7-3 Revision 29

CRS B 3.3.7 BASES Allowable Value in SR 3.3.7.2, the channel is inoperable and the appropriate Conditions must be entered.

In the event that either a sensor channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the sensor, instrument loop, signal processing electronics, or sensor module is found inoperable, that channel should be declared inoperable and the LCO Condition entered.

A.1 and A.2 Condition A applies to the failure of one Containment Radiation-High trip CRS channel. The Required Action is to place the affected channel in the trip condition within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, or suspend movement of irradiated fuel assemblies within Containment immediately. The Completion Time accounts for the fact that three redundant channels monitoring containment radiation are still available to provide a single trip input to the CRS logic to provide the automatic mitigation of a radiation release.

B.1 and B.2 Condition B applies to the failure of the required manual actuation or actuation logic, to the failure of more than one radiation sensor channel, or if the Required Action and associated Completion Time of Condition A are not met.

Required Action B.1 is to place the containment purge and exhaust isolation valves in the closed position. The Required Action immediately performs the isolation Function of the CRS. Required Action B.2 is to immediately enter the applicable Conditions and Required Actions for the affected isolation valves of LCO 3.9.3 that were made inoperable by the inoperable instrumentation of the CRS LCO. The Required Action directs the operator to take actions appropriate for the containment isolation Function of the CRS. The Completion Time accounts for the fact that the automatic capability to isolate Containment on valid containment high radiation signals is degraded during conditions in which a Fuel Handling Accident is possible and CRS provides the only automatic mitigation of radiation release.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.7-4 Revision 29

CRS B 3.3.7 BASES SURVEILLANCE SR 3.3.7.1 REQUIREMENTS Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one sensor channel to a similar parameter on other channels. It is based on the assumption that sensor channels monitoring the same parameter should read approximately the same value.

Significant deviations between the two sensor channels could be an indication of excessive sensor channel drift in one of the channels or of something more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a qualitative assessment of the sensor channel that considers sensor channel uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limits.

The Frequency, about once every shift, is based on operating experience that demonstrates the rarity of sensor channel failure. Since the probability of two random failures in redundant channels in any 12-hour period is low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but more frequent, checks of the channel during normal operational use of the displays.

SR 3.3.7.2 Proper operation of the actuation relays is verified by verification of the relay driver output signal.

The Frequency of 92 days is based on plant operating experience with regard to actuation channel OPERABILITY, which demonstrates that failure of more than one channel of a given Function in any 92-day interval is a rare event.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.7-5 Revision 19

CRS B 3.3.7 BASES SR 3.3.7.3 A CHANNEL FUNCTIONAL TEST is performed on each containment radiation sensor channel to ensure the entire channel, except for sensor and initiating relays, will perform its intended function.

The Frequency of 92 days is based on plant operating experience with regard to sensor channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given Function in any 92-day interval is a rare event.

SR 3.3.7.4 CHANNEL CALIBRATION is a check of the sensor channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for sensor channel drift between successive calibrations to ensure that the channel remains operational between successive tests. CHANNEL CALIBRATIONS must be performed consistent with Reference 2.

The Frequency is based upon the assumption of a 24-month calibration interval based on the refueling interval and the instruments not being inservice during power operations, but part of preparation for being placed in service is a CHANNEL CALIBRATION.

SR 3.3.7.5 Every 24 months, a CHANNEL FUNCTIONAL TEST is performed on the manual CRS actuation circuitry.

This surveillance test verifies that the actuation push buttons are capable of opening contacts in the actuation logic as designed, de-energizing the actuation relays and providing manual actuation of the Function. The 24-month Frequency is based on the need to perform this SR under the conditions that apply during a plant outage and the potential for an unplanned transient if the SR were performed with the reactor at power. Operating experience has shown these components usually pass the surveillance test when performed at a Frequency of once every 24 months.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.7-6 Revision 19

CRS B 3.3.7 BASES SR 3.3.7.6 This surveillance test ensures that the train actuation response times are less than or equal to the maximum times assumed in the analyses. Response times are defined in the same manner as ESF RESPONSE TIME. Response time testing acceptance criteria are included in Reference 1, Section 7.3. The 24-month Frequency is based upon plant operating experience, which shows random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences. Testing of the final actuating devices, which make up the bulk of the response time, is included. Testing of the final actuating device is one channel is included in the testing of each actuation logic channel.

REFERENCES 1. UFSAR

2. CCNPP Setpoint File CALVERT CLIFFS - UNITS 1 & 2 B 3.3.7-7 Revision 19

CRRS B 3.3.8 B 3.3 INSTRUMENTATION B 3.3.8 Control Room Recirculation Signal (CRRS)

BASES BACKGROUND This LCO encompasses CRRS actuation, which is a plant-specific instrumentation channel that performs an actuation Function required for plant protection, but is not otherwise included in LCO 3.3.5 or LCO 3.3.6. This is a non-Nuclear Steam Supply System ESFAS Function that, because of differences in purpose, design, and operating requirements, is not included in LCO 3.3.5 and LCO 3.3.6.

The CRRS ensures the supply of outside air to the Control Room is terminated, shuts off the kitchen and toilet exhaust fan, and initiates actuation of the Control Room Emergency Ventilation System (CREVS) fans and places filters in service to minimize operator radiation exposure. This places CREVS in filtered recirculation mode. When the radiation level signal from the measurement channel exceeds the trip setpoint, the trip circuit sends a CRRS to actuate equipment placing CREVS in filtered recirculation mode.

Control Room isolation also occurs on a SIAS.

Trip Setpoints and Allowable Values The Trip setpoint used in the trip circuit is conservatively adjusted with respect to the Allowable Value. One example of such a change in measurement error is drift during the SR interval. If the measured setpoint does not exceed the Allowable Value, the trip circuit is considered OPERABLE.

APPLICABLE The CRRS, in conjunction with the CREVS, maintains the SAFETY ANALYSES control room atmosphere within conditions suitable for prolonged occupancy throughout the duration of any one of the accidents discussed in Reference 1, Chapter 14. The radiation exposure of control room personnel, through the duration of any one of the postulated accidents discussed in Reference 1, Chapter 14, meets the intent of Reference 1, Appendix 1C.

The CRRS satisfies the requirements of 10 CFR 50.36(c)(2)(ii), Criterion 3.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.8-1 Revision 8

CRRS B 3.3.8 BASES LCO LCO 3.3.8 requires one channel of CRRS to be OPERABLE. The required channel consists of a trip circuit and the gaseous radiation monitor (measurement channel). The specific Allowable Value for the setpoint of the CRRS is listed in the SRs.

Only the Allowable Value is specified for the trip Function in the LCO. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable.

Operation and testing are consistent with the assumptions of Reference 2. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

The Bases for the LCO on the CRRS is that one channel of airborne radiation detection and trip circuitry is required to be OPERABLE to ensure the Control Room isolates on high gaseous concentration. The Allowable Value was established as part of original plant design. It provides reasonable assurance of safety for control room personnel.

APPLICABILITY The CRRS Functions must be OPERABLE in MODEs 1, 2, 3, and 4, and during movement of irradiated fuel assemblies to ensure a habitable environment for the control room operators.

ACTIONS A CRRS channel is inoperable when it does not satisfy the OPERABILITY criteria for the channel's function. The most common cause of channel inoperability is outright failure or drift of the trip circuit or measurement channel sufficient to exceed the nominal trip setpoint. Typically, the drift is not large, which at worst would result in a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a CHANNEL CALIBRATION when the process instrument is set up for adjustment to bring it to within specification. CHANNEL FUNCTIONAL TESTS identify trip circuit drift. If the trip setpoint is not within the Allowable Value, the channel is inoperable and the appropriate Conditions must be entered.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.8-2 Revision 2

CRRS B 3.3.8 BASES A.1, B.1, B.2, C.1, C.2.1, and C.2.2 Conditions A, B, and C are applicable to the CRRS trip circuit and measurement channel. Condition A applies to the failure of the CRRS trip circuit or measurement channel in MODE 1, 2, 3, or 4. Entry into this Condition requires action to either restore the failed channel or manually perform the CREVS function (Required Action A.1). The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is sufficient to complete the Required Actions. If the channel cannot be restored to OPERABLE status, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The Completion Times of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> for reaching MODEs 3 and 5 from MODE 1 are reasonable, based on operating experience and normal cooldown rates, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant safety systems or operators.

Condition C applies to the failure of the CRRS trip circuit or measurement channel when moving irradiated assemblies.

The Required Actions are immediately taken to place one OPERABLE CREVS train in the recirculation mode with post-LOCA fans in service or to suspend movement of irradiated fuel assemblies. The Completion Time recognizes the fact that the radiation signal is the only Function available to initiate control room isolation in the event of a Fuel Handling Accident.

SURVEILLANCE SR 3.3.8.1 REQUIREMENTS Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred.

CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Acceptance criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the CALVERT CLIFFS - UNITS 1 & 2 B 3.3.8-3 Revision 2

CRRS B 3.3.8 BASES transmitter or the signal processing equipment has drifted outside its limit.

The Frequency, about once every shift, is based on operating experience that demonstrates the rarity of channel failure.

The CHANNEL CHECK supplements less formal, but more frequent, checks of channel OPERABILITY during normal operational use of the displays associated with the LCO required channels. In addition, a down-scale alarm and up-scale alarm immediately alert operations to loss of the channel.

SR 3.3.8.2 A CHANNEL FUNCTIONAL TEST is performed on the control room radiation monitoring channel to ensure the entire channel will perform its intended function.

The Frequency of 92 days is based on plant operating experience with regard to channel OPERABILITY and drift.

SR 3.3.8.3 CHANNEL CALIBRATION is a check of the CRRS channel, including the sensor. The surveillance test verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for channel drift between successive calibrations to ensure that the channel remains operational between successive surveillance tests. CHANNEL CALIBRATIONS must be performed consistent with Reference 2.

The Frequency of 24 months has been shown by operating experience to be adequate to detect any failures.

REFERENCES 1. UFSAR

2. CCNPP Setpoint File CALVERT CLIFFS - UNITS 1 & 2 B 3.3.8-4 Revision 2

CVCS Isolation Signal B 3.3.9 B 3.3 INSTRUMENTATION B 3.3.9 Chemical and Volume Control System (CVCS) Isolation Signal BASES BACKGROUND This LCO encompasses CVCS Isolation Signal actuation. This is a plant-specific instrumentation channel that performs an actuation Function required for plant protection and is not otherwise included in LCO 3.3.5 or LCO 3.3.6. This is a non-Nuclear Steam Supply System ESFAS Function that, because of differences in purpose, design, and operating requirements, is not included in LCOs 3.3.5 and 3.3.6.

The CVCS Isolation Signal isolates the RCS and provides protection from radioactive contamination, as well as personnel and equipment protection in the event of a letdown line rupture outside Containment (Reference 1).

Each of the two actuation logic channels will isolate a separate letdown isolation valve in response to a high pressure condition in either the West Penetration Room or Letdown Heat Exchanger Room. Two pressure detectors in each of these rooms feed the four sensor channels. On a two-out-of-four coincidence, both actuation logic channels will actuate.

Trip Setpoints and Allowable Values Trip setpoints used in the sensor modules are based on Reference 2 to protect personnel and equipment and minimize radioactive contamination. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, and sensor channel drift, sensor module trip setpoints are conservatively adjusted with respect to the Allowable Value. A detailed description of the methodology used to calculate the trip setpoints, including their explicit uncertainties, is provided in Reference 2. The actual nominal trip setpoint entered into the sensor module is more conservative than that specified by the Allowable Value. One example of such a change in measurement error is drift during the SR interval. If the measured setpoint does not exceed the Allowable Value, the sensor module is considered OPERABLE.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.9-1 Revision 2

CVCS Isolation Signal B 3.3.9 BASES Sensor modules, measurement channels, sensor channels, and actuation logic are described in the Background for B 3.3.4.

APPLICABLE The CVCS Isolation Signal is redundant to the SIAS for SAFETY ANALYSES letdown line breaks outside Containment (Reference 2). In addition, an excess flow check valve is located in Containment just downstream of the regenerative heat exchanger, which is designed to isolate letdown when flow exceeds 255 gpm.

The CVCS satisfies the requirements of 10 CFR 50.36(c)(2)(ii), Criterion 3.

LCO Only the Allowable Values are specified in the LCO.

Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable, provided that operation and testing are consistent with the assumptions of the plant-specific setpoint calculations.

Each nominal trip setpoint specified is more conservative than the Allowable Value, in order to account for instrument uncertainties appropriate to the trip Function. These uncertainties are defined in Reference 2.

Chemical and Volume Control System isolation consists of closing the appropriate valve. This is undesirable at power, since letdown isolation will result (Reference 3).

The absence of letdown flow will significantly decrease the charging flow temperature due to the absence of the regenerative heat exchanger preheating, causing unnecessary thermal stress to the charging nozzle. Therefore, the preferred action is to restore the valve function to OPERABLE status.

Four channels of west penetration room and letdown heat exchanger room pressure sensors, and two actuation logic channels are required to be OPERABLE.

The Allowable Values and trip setpoints are established in order to isolate the CVCS from Containment, in the event of a letdown line rupture outside Containment, to minimize CALVERT CLIFFS - UNITS 1 & 2 B 3.3.9-2 Revision 2

CVCS Isolation Signal B 3.3.9 BASES radioactive contamination and protect personnel and equipment.

APPLICABILITY The CVCS Isolation Signal must be OPERABLE in MODEs 1, 2, 3, and 4, since the possibility of a loss of coolant accident is greatest in these MODEs. In MODE 5 or 6, the probability is greatly diminished, and there is time to manually isolate CVCS.

ACTIONS A CVCS isolation channel is inoperable when it does not satisfy the OPERABILITY criteria for the channel's Function.

The most common cause of channel inoperability is outright failure or drift of the sensor module or measurement channel sufficient to exceed the tolerance allowed by Reference 2.

Typically, the drift is not large and would result in a delay of actuation rather than a total loss of function.

This determination is generally made during the performance of a CHANNEL CALIBRATION when the process instrument is set up for adjustment to bring it to within specification.

Sensor drift could also be identified during CHANNEL CHECKS.

CHANNEL FUNCTIONAL TESTS identify sensor module drift. If the trip setpoint is not consistent with the Allowable Value in SR 3.3.9.2, the channel must be declared inoperable immediately and the appropriate Conditions must be entered.

In the event a sensor channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the sensor, instrument loop, signal processing electronics, or bistable is found inoperable, that channel should be declared inoperable and the LCO Condition entered.

When the number of inoperable sensor channels in a trip Function exceeds those specified in any related Condition associated with the same trip Function, the plant is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.

A.1 Condition A applies to the failure of one CVCS actuation logic channel associated with the CVCS Isolation Signal.

Required Action A.1 requires restoration of the inoperable CALVERT CLIFFS - UNITS 1 & 2 B 3.3.9-3 Revision 2

CVCS Isolation Signal B 3.3.9 BASES channel to restore redundancy of the affected Function. The Completion Time of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is consistent with the Completion Time of other ESFAS Functions and should be adequate for most repairs, while minimizing the risk of operating with an inoperable channel.

B.1, B.2.1, and B.2.2 Condition B applies if one of the four CVCS sensor channels is inoperable. The Required Actions are identical to those of ESFAS Functions employing four redundant sensors specified in LCO 3.3.4. The channel must be placed in bypass or trip if it cannot be repaired within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (Required Action B.1). The provision of four sensor channels allows one channel to be bypassed (removed from service) during operations, placing the ESFAS in two-out-of-three coincidence logic. Placing the channel in bypass is preferred, since the CVCS isolation Function will be in two-out-of-three logic. This will avoid possible inadvertent CVCS isolation if an additional channel fails.

The 1-hour Completion Time to bypass or trip the channel is sufficient time to perform the Required Actions.

Once the Required Action to trip or bypass the sensor channel has been complied with, Required Action B.2.1 and Required Action B.2.2 provide for restoring the channel to OPERABLE status or placing it in trip within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />.

Required Action B.2.1 restores the full capability of the Function. Required Action B.2.2 places the Function in a one-out-of-three configuration. In this configuration, common cause failure of dependent channels cannot prevent CVCS isolation actuation. The Completion Time provides the operator with time to take appropriate actions and still ensures that any risk involved in operating with a failed channel is acceptable. It is improbable that a failure of a second channel will occur during any given 48-hour period.

C.1 and C.2 Condition C applies if two of the four CVCS west penetration room/letdown heat exchanger room Pressure-High trip sensor channels are inoperable. The Required Actions are identical to those for other ESFAS Functions employing four redundant sensors in LCO 3.3.4.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.9-4 Revision 2

CVCS Isolation Signal B 3.3.9 BASES Restoring at least one sensor channel to OPERABLE status is the preferred Required Action. If this cannot be accomplished, one channel should be placed in bypass and the other channel in trip. The allowed Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is sufficient time to perform the Required Actions.

Once the Required Action to trip or bypass the channel has been complied with, Required Action C.2 provides for restoring one channel to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />.

The justification of the 48-hour Completion Time is the same as for Condition B.

After one channel is restored to OPERABLE status, the provisions of Condition C still apply to the remaining inoperable channel.

D.1 and D.2 Condition D specifies the shutdown track to be followed if the Required Actions and associated Completion Times of Condition A, B, or C are not met. If the Required Actions cannot be met within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply.

To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.

The Completion Times are reasonable, based on operating experience, to reach the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.3.9.1 REQUIREMENTS Performance of the CHANNEL CHECK on each CVCS isolation pressure indicating sensor channel once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that sensor channels monitoring the same parameter should read approximately the same value.

Significant deviations between the two sensor channels could be an indication of excessive sensor channel drift in one of the channels or of something more serious. CHANNEL CHECK CALVERT CLIFFS - UNITS 1 & 2 B 3.3.9-5 Revision 26

CVCS Isolation Signal B 3.3.9 BASES will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a qualitative assessment of the sensor channel that considers sensor channel uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit.

The Frequency, about once every shift, is based on operating experience that demonstrates the rarity of channel failure.

Since the probability of two random failures in redundant channels in any 12-hour period is low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays.

SR 3.3.9.2 A CHANNEL FUNCTIONAL TEST is performed on each sensor channel to ensure the entire channel, except for sensor and initiation logic, will perform its intended function.

The Frequency of 92 days is based on plant operating experience with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given Function in any 92-day interval is a rare event.

Note 1 indicates proper operation of the individual actuation relays is verified by verification of proper relay driver output signal. Note 2 indicates that relays that cannot be tested at power are excepted from the SR while at power. These relays must, however, be tested once per 24 months.

SR 3.3.9.3 CHANNEL CALIBRATION is a check of the sensor channel including the sensor. The surveillance test verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves CALVERT CLIFFS - UNITS 1 & 2 B 3.3.9-6 Revision 26

CVCS Isolation Signal B 3.3.9 BASES the channel adjusted to account for sensor channel drift between successive calibrations to ensure that the channel remains operational between successive tests. CHANNEL CALIBRATIONS must be performed consistent with Reference 2.

The as-found and as-left values must also be recorded and reviewed for consistency with the assumptions of the SR interval extension analysis. The requirements for this review are outlined in Reference 4.

Radiation detectors may be removed and calibrated in a laboratory, calibrated in place using a transfer source, or replaced with an equivalent laboratory calibrated unit.

The Frequency is based upon the assumptions of a 24-month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysis, and includes operating experience, as well as consistency with a 24-month fuel cycle.

SR 3.3.9.4 This surveillance test ensures that the train actuation response times are less than or equal to the maximum times assumed in the analyses. Response times are defined in the same manner as ESF RESPONSE TIME. The 24-month Frequency is based upon plant operating experience, which shows random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences. Testing of the final actuating devices, which make up the bulk of the response time, is included. Testing of the final actuating device in one channel is included in the testing of each actuation logic channel.

REFERENCES 1. Updated Final Safety Analysis Report, Section 7.3, "Engineered Safety Features Actuation Systems" and Section 10A.7.17, Leak Detection Equipment

2. CCNPP Setpoint File
3. Letter from Mr. R. E. Denton (BGE) to NRC Document Control Desk, dated June 6, 1995, License Amendment Request; Extension of Instrument Surveillance Intervals CALVERT CLIFFS - UNITS 1 & 2 B 3.3.9-7 Revision 26

CVCS Isolation Signal B 3.3.9 BASES

4. Calvert Cliffs Procedure EN-4-104, Surveillance Testing CALVERT CLIFFS - UNITS 1 & 2 B 3.3.9-8 Revision 26

PAM Instrumentation B 3.3.10 B 3.3 INSTRUMENTATION B 3.3.10 Post-Accident Monitoring (PAM) Instrumentation BASES BACKGROUND The primary purpose of the PAM instrumentation is to display plant variables that provide information required by the control room operators during accident situations. This information provides the necessary support for the operator to take the manual actions, for which no automatic control is provided, that are required for safety systems to accomplish their safety Functions for DBAs (Reference 1).

The OPERABILITY of the PAM instrumentation ensures that there is sufficient information available on selected plant parameters to monitor and assess plant status and behavior following an accident.

The availability of PAM instrumentation is important so that responses to corrective actions can be observed and the need for, and magnitude of, further actions can be determined.

These essential indicator channels are identified by plant-specific documents (Reference 2) addressing the recommendations of Reference 3, as required by Reference 4.

Type A variables are included in this LCO because they provide the primary information required to permit the control room operator to take specific manually-controlled actions, for which no automatic control is provided, that are required for safety systems to accomplish their safety functions for some DBAs.

Category I variables are the key variables deemed risk significant because they are needed to:

  • Determine whether other systems important to safety are performing their intended functions;
  • Provide information to the operators that will enable them to determine the potential for causing a gross breach of the barriers to radioactivity release; and
  • Provide information regarding the release of radioactive materials to allow for early indication of the need to initiate action necessary to protect the public and for an estimate of the magnitude of any impending threat.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-1 Revision 2

PAM Instrumentation B 3.3.10 BASES These key variables are identified by plant-specific analyses in Reference 2. These analyses identified the plant-specific Type A and Category I variables and provided justification for deviating from the NRC proposed list of Category I variables.

APPLICABLE The PAM instrumentation ensures the OPERABILITY of SAFETY ANALYSES Reference 3 Type A variables, so that the control room operating staff can:

  • Perform the diagnosis specified in the emergency operating procedures. These variables are restricted to preplanned actions for the primary success path of DBAs; and
  • Take the specified, preplanned, manually-controlled actions, for which no automatic control is provided, that are required for safety systems to accomplish their safety functions.

The PAM instrumentation also ensures OPERABILITY of Category I, non-Type A variables. This ensures the control room operating staff can:

  • Determine whether systems important to safety are performing their intended functions;
  • Determine the potential for causing a gross breach of the barriers to radioactivity release;
  • Determine if a gross breach of a barrier has occurred; and
  • Initiate action necessary to protect the public, as well as to obtain an estimate of the magnitude of any impending threat.

Post-accident monitoring instrumentation that satisfies the definition of Type A in Reference 3 meets 10 CFR 50.36(c)(2)(ii), Criterion 3.

Category I, non-Type A PAM instruments are retained in the Specification because they are intended to assist operators in minimizing the consequences of accidents. Therefore, CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-2 Revision 2

PAM Instrumentation B 3.3.10 BASES these Category I variables are important in reducing public risk.

LCO Limiting Condition for Operation 3.3.10 requires two OPERABLE indication channels for all but one Function to ensure no single failure prevents the operators from being presented with the information necessary to determine the status of the plant and to bring the plant to, and maintain it in, a safe condition following that accident.

Furthermore, provision of two indication channels allows a CHANNEL CHECK during the post-accident phase to confirm the validity of displayed information.

An indication channel consists of field transmitters or process sensors and associated instrumentation, providing a measurable electronic signal based upon the physical characteristics of the parameter being measured, plus a display of the measured parameter.

The exceptions to the two-channel requirement are CIV position and the subcooled margin monitoring (SMM) instrumentation. In the case of valve position, the important information is the status of the containment penetrations. The LCO requires one position indicator for each active CIV. This is sufficient to redundantly verify the isolation status of each isolable penetration, either via indicated status of the active valve and prior knowledge of the passive valve, or via system boundary status. If a normally active CIV is known to be closed and deactivated, position indication is not needed to determine status.

Therefore, the position indication for valves in this state is not required to be OPERABLE. Alternate means are available for obtaining information provided by the SMM instrumentation.

Listed below are discussions of the specified instrument Functions listed in Table 3.3.10-1.

1. Wide Range Logarithmic Neutron Flux Monitors Wide range logarithmic neutron flux is a Category I variable indication is provided to verify reactor shutdown.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-3 Revision 14

PAM Instrumentation B 3.3.10 BASES The wide range logarithmic neutron flux PAM channels consist of two wide range neutron monitoring channels.

2, 3. RCS Outlet and Inlet Temperature Reactor Coolant System outlet and inlet temperatures are Category I variables provided for verification of core cooling and long-term surveillance.

Reactor outlet temperature inputs to the PAM are provided by four resistance elements and associated transmitters in each loop. The channels provide indication over a range of 50qF to 700qF.

4. SMM The RCS SMM is part of the PAM System and is provided to monitor inadequate core cooling by calculating the margin to saturation based on the RCS pressure/

temperature relationships and displaying the calculated margin in degrees F on a control room display. Also, a control room low subcooled margin alarm is provided.

The RCS SMM portion of the PAM System is microprocessor-based and is provided with inputs from the RCS hot legs, cold legs, and wide range RCS pressure channels. The core exit thermocouple (CET)

SMM and upper head SMM functions are not required for channel operability.

The RCS SMM is one of three components of inadequate core cooling instrumentation. With the SMM portion of the PAM System inoperable, the CETs and the reactor vessel water level heated junction thermocouple (HJTC) sensors provide diverse indication of core cooling.

Alternate indications and methods for calculating subcooled margin exist in the event of a PAM System failure.

5. Reactor Vessel Water Level Reactor vessel water level indication is provided for verification and long-term surveillance testing of core cooling.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-4 Revision 19

PAM Instrumentation B 3.3.10 BASES This indication uses HJTC technology. This technology measures reactor coolant inventory with discrete heated junction thermocouple sensors located in different levels within a separator tube. The sensors enable a direct measurement of the collapsed liquid level above the fuel alignment plate. The collapsed level represents the amount of liquid mass that is in the reactor vessel above the core. Measurement of the collapsed water level is selected because it is a direct indication of the water inventory. The collapsed level is obtained over the same temperature and pressure range as the saturation measurements, thereby encompassing all operating and accident conditions where it must function. Also, it functions during the recovery interval. Therefore, it is designed to survive the high steam temperature that may occur during the preceding core recovery interval.

The level range extends from the top of the vessel down to 10 above the top of the fuel alignment plate. The response time is short enough to track the level during small break LOCA events. The resolution is sufficient to show the initial level drop, the key locations near the hot leg elevation, and the lowest levels just above the alignment plate. This provides the operator with adequate indication to track the progression of the accident and to detect the consequences of its mitigating actions or the functionality of automatic equipment.

A channel has eight sensors in a probe. A channel is OPERABLE if four sensors, one in the upper three and three in the lower five, are OPERABLE.

6. Containment Sump Water Level (wide range) Monitor Containment sump water level monitors are provided for verification and long-term surveillance of RCS integrity.

Containment sump water level instrumentation consists of two level transmitters that provide input to control room indicators. The transmitters are located above CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-5 Revision 19

PAM Instrumentation B 3.3.10 BASES the containment flood level and utilize sealed reference legs to sense water level.

7. Containment Pressure (wide range) Monitor The containment pressure monitor is provided for verification of RCS and containment OPERABILITY.

Containment pressure instrumentation consists of three containment pressure transmitters with overlapping ranges that provide input to control room indicators.

The transmitters are located outside the Containment and are not subject to a harsh environment.

8. CIV Position Indicator Containment isolation valve position indicators are provided for verification of containment OPERABILITY and integrity.

In the case of CIV position, the important information is the isolation status of the containment penetration.

The LCO requires one channel of valve position indication in the Control Room to be OPERABLE for each active CIV in a containment penetration flow path, i.e., two total channels of CIV position indication for a penetration flow path with two active valves. For containment penetrations with only one active CIV having control room indication, Note (b) requires a single channel of valve position indication to be OPERABLE. This is sufficient to redundantly verify the isolation status of each isolable penetration via indicated status of the active valve, as applicable, and prior knowledge of passive valve or system boundary status. If a penetration flow path is isolated, position indication for the CIV(s) in the associated penetration flow path is not needed to determine status. Therefore, the position indication for valves in an isolated penetration flow path is not required to be OPERABLE.

The CIV position PAM instrumentation consists of ZL-505, 506, 515, 516, 2080, 2180, 2181, 3832, 3833, 4260, 5291, 5292, 6900, and 6901 (Reference 5).

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-6 Revision 19

PAM Instrumentation B 3.3.10 BASES

9. Containment Area Radiation (high range) Detector Containment area radiation detectors are provided to monitor for the potential of significant radiation releases and to provide release assessment for use by operations in determining the need to invoke site emergency plans.

Containment area radiation instrumentation consists of two radiation detectors with displays and alarm in the Control Room. The radiation detectors have a measurement range of 1 to 108 R/hr.

10. Pressurizer Pressure (wide range)

Pressurizer wide range pressure is a Category I variable provided for verification of core cooling and RCS integrity long-term surveillance.

Wide range pressurizer pressure is measured by two pressure transmitters with a span of 0 psia to 4000 psia. The pressure transmitters are located inside the Containment. Redundant monitoring capability is provided by two indication channels.

Control Room indications are provided.

Pressurizer pressure is a Type I variable because the operator uses this indication to monitor the cooldown of the RCS following a LOCA and other DBAs. Operator actions to maintain a controlled cooldown, such as adjusting steam generator pressure or level, would use this indication. Furthermore, pressurizer pressure is one factor that may be used in decisions to terminate RCP operation.

11. Steam Generator Pressure Transmitter Steam generator pressure transmitters are Category 1 instruments and are provided to monitor operation of decay heat removal via the steam generators.

There are four redundant pressure transmitters per steam generator, but only two per steam generator are required to satisfy the Technical Specification CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-7 Revision 19

PAM Instrumentation B 3.3.10 BASES Requirements. The transmitter provides wide range indication over the range from 0 to 1200 psia. Each transmitter provides input to control room indication.

Since the primary indication used by the operator during an accident is the control room indicator, the PAM instrumentation Specification deals specifically with this portion of the instrument channel.

12. Pressurizer Level Transmitters Pressurizer level transmitters are used to determine whether to terminate safety injection, if still in progress, or to reinitiate safety injection if it has been stopped. Knowledge of pressurizer water level is also used to verify the plant conditions necessary to establish natural circulation in the RCS and to verify that the plant is maintained in a safe shutdown condition.

Pressurizer Level instrumentation consists of two pressurizer level transmitters that provide input to control room indicators.

13. Steam Generator Water Level Transmitters Steam Generator Water Level transmitters are provided to monitor operation of decay heat removal via the steam generators. The Category I indication of steam generator level is the extended startup range level instrumentation. The extended startup range level covers a span of -40 inches to -63 inches (relative to normal operating level), above the lower tubesheet.

The measured differential pressure is displayed in inches of water at process conditions of the fluid.

Redundant monitoring capability is provided by four transmitters. The uncompensated level signal is input to the plant computer and a control room indicator.

Steam generator water level instrumentation consists of two level transmitters.

Operator action is based on the control room indication of steam generator water level. The RCS response during a design basis small break LOCA is dependent on the break size. For a certain range of break sizes, CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-8 Revision 19

PAM Instrumentation B 3.3.10 BASES the boiler condenser mode of heat transfer is necessary to remove decay heat. Extended startup range level is a Type A variable because the operator must manually raise and control the steam generator level to establish boiler condenser heat transfer. Feedwater flow is increased until indication is in range.

14. Condensate Storage Tank Level Monitor Condensate storage tank (CST) level monitoring is provided to ensure water supply for AFW. Condensate Storage Tank 12 provides the ensured safety grade water supply for the AFW System. Inventory in CST 12 is monitored by level indication covering the full range of required usable water level. Condensate storage tank level is displayed on control room indicators and the plant computer. In addition, a control room annunciator alarms on low level.

Condensate storage tank level is considered a Type A variable because the control room meter and annunciator are considered the primary indication used by the Operator. The DBAs that require AFW are the steam line break and loss of main feedwater. Condensate Storage Tank 12 is the initial source of water for the AFW System. However, as the CST is depleted, manual operator action is necessary to replenish the CST or align suction to the AFW pumps from an alternate source.

15, 16, 17, 18. Core Exit Temperature Core Exit Temperature indication is provided for verification and long-term surveillance of core cooling.

An evaluation was made of the minimum number of valid CETs necessary for inadequate core cooling detection.

The evaluation determined the reduced complement of CETs necessary to detect initial core uncovery and trend the ensuing core heatup. The evaluations account for core nonuniformities, including incore effects of the radial decay power distribution and excore effects of condensate runback in the hot legs and nonuniform CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-9 Revision 19

PAM Instrumentation B 3.3.10 BASES inlet temperatures. Based on these evaluations, adequate or inadequate core cooling detection is ensured with two valid CETs per quadrant for each channel. The two CETs per quadrant must consist of 1 interior CET and either 1 peripheral CET or 1 shroud peripheral CET.

The design of the Incore Instrumentation System includes a Type K (chromel alumel) thermocouple within each of the 35 incore instrument detector assemblies.

The junction of each thermocouple is located more than a foot above the fuel assembly, inside a structure that supports and shields the incore instrument detector assembly string from flow forces in the outlet plenum region. These CETs monitor the temperature of the reactor coolant as it exits the fuel assemblies.

The CETs have a usable temperature range from 40°F to 2300°F, although accuracy is reduced at temperatures above 1800°F.

19. Pressurizer Pressure (low range)

Pressurizer low range pressure is a Category I variable provided for verification of core cooling and RCS integrity long-term surveillance.

Low-range pressurizer pressure is measured by two pressure transmitters with a span of 0 psia to 1600 psia. The pressure transmitters are located inside the Containment. Redundant monitoring capability is provided by two indication channels.

Control Room indications are provided.

Pressurizer pressure is a Type I variable because the operator uses this indication to monitor the cooldown of the RCS following a LOCA and other DBAs. Operator actions to maintain a controlled cooldown, such as adjusting steam generator pressure or level, would use this indication. Furthermore, pressurizer pressure is one factor that may be used in decisions to terminate RCP operations.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-10 Revision 32

PAM Instrumentation B 3.3.10 BASES Two indication channels are required to be OPERABLE for all but two Functions. Two OPERABLE channels ensure that no single failure, within either the PAM instrumentation or its auxiliary supporting features or power sources (concurrent with the failures that are a condition of or result from a specific accident), prevents the operators from being presented the information necessary for them to determine the safety status of the plant, and to bring the plant to and maintain it in a safe condition following that accident.

In Table 3.3.10-1 the exceptions to the two channel requirement are CIV position and the SMM.

Two OPERABLE CETs are required for each channel in each quadrant to provide indication of radial distribution of the coolant temperature rise across representative regions of the core. Power distribution symmetry was considered in determining the specific number and locations provided for diagnosis of local core problems. Therefore, two randomly selected thermocouples may not be sufficient to meet the two thermocouples per channel requirement in any quadrant. The two thermocouples in each channel must meet the additional requirement that one be located near the center of the core and the other near the core perimeter (either peripheral or shroud peripheral), such that the pair of CETs indicate the radial temperature gradient across their core quadrant. The two channels in each core quadrant must be electronically independent. A CETs operability is based on a comparison of the CET temperature indication with the hot leg resistance temperature detector temperature indication. Different criteria have been specified for interior CETs, peripheral CETs, and shroud peripheral CETs to account for the core radial power distribution. Plant specific evaluations in response to Item II.F.2 of NUREG-0737 should have identified the thermocouple pairings that satisfy these requirements.

Two sets of two thermocouples in each quadrant ensure a single failure will not disable the ability to determine the radial temperature gradient.

For loop- and steam generator-related variables, the required information is individual loop temperature and individual steam generator level. In these cases, two CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-11 Revision 32

PAM Instrumentation B 3.3.10 BASES channels are required to be OPERABLE for each loop of steam generator to redundantly provide the necessary information.

In the case of CIV position, the important information is the status of the containment penetrations. The LCO requires one position indicator for each active CIV. This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve and prior knowledge of the passive valve or via system boundary status. If a normally active CIV is known to be closed and deactivated, position indication is not needed to determine status. Therefore, the position indication for valves in this state is not required to be OPERABLE.

The SMM, CETs, and the HJTC-based reactor vessel water level indication comprise the inadequate core cooling instrumentation. The function of the inadequate core cooling instrumentation is to enhance the ability of the plant operator to diagnose the approach to, and recovery from, inadequate core cooling.

APPLICABILITY The PAM instrumentation LCO is applicable in MODEs 1, 2, and 3. These variables are related to the diagnosis and preplanned actions required to mitigate DBAs. The applicable DBAs are assumed to occur in MODEs 1, 2, and 3.

In MODEs 4, 5, and 6, plant conditions are such that the likelihood of an event occurring requiring PAM instrumentation is low; therefore, PAM instrumentation is not required to be OPERABLE in these MODEs.

ACTIONS A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.10-1. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function, starting from the time the Condition was entered for that Function.

A.1 When one or more Functions have one required indication channel that is inoperable, the required inoperable channel must be restored to OPERABLE status within 30 days. The CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-12 Revision 32

PAM Instrumentation B 3.3.10 BASES 30-day Completion Time is based on operating experience and takes into account the remaining OPERABLE channel (or in the case of a Function that has only one required channel, other non-Reference 3 indication channels to monitor the Function), the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during this interval.

B.1 This Required Action specifies initiation of actions in accordance with Specification 5.6.7, which requires a written report to be submitted to the NRC. This report discusses the results of the root cause evaluation of the inoperability and identifies proposed restorative Required Actions. This Required Action is appropriate in lieu of a shutdown requirement, given the likelihood of plant conditions that would require information provided by this instrumentation. Also, alternative Required Actions such as grab sampling or diverse indications are identified before a loss of functional capability condition occurs.

C.1 When one or more Functions have two required indication channels inoperable (i.e., two channels inoperable in the same Function), one channel in the Function should be restored to OPERABLE status within 7 days. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAM instrumentation operation and the availability of alternate means to obtain the required information. Continuous operation with two required channels inoperable in a Function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation. Therefore, requiring restoration of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur.

D.1 This Required Action directs entry into the appropriate Condition referenced in Table 3.3.10-1. The applicable CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-13 Revision 32

PAM Instrumentation B 3.3.10 BASES Condition referenced in the Table is Function-dependent.

Each time Required Action C.1 is not met and the associated Completion Time has expired, Condition D is entered for that channel and provides for transfer to the appropriate subsequent Condition.

E.1 and E.2 If the Required Action and associated Completion Time of Condition C are not met, and Table 3.3.10-1 directs entry into Condition E, the plant must be brought to a MODE in which the requirements of this LCO do not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

F.1 Alternate means of monitoring containment area radiation have been developed and tested. These alternate means may be temporarily installed if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. The HJTC-based reactor vessel water level instrumentation is one of three components of the inadequate core cooling instrumentation. The SMM instrumentation and CETs could be used to monitor inadequate core cooling. If these alternate means are used, the Required Action is not to shut down the plant, but rather to follow the directions of Specification 5.6.7. The report provided to the NRC should discuss the alternate means used, describe the degree to which the alternate means are equivalent to the installed PAM channels, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal PAM channels.

SURVEILLANCE A Note at the beginning of the SRs specifies that the REQUIREMENTS following SRs apply to each PAM instrumentation Function in Table 3.3.10-1.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-14 Revision 32

PAM Instrumentation B 3.3.10 BASES SR 3.3.10.1 Performance of the CHANNEL CHECK once every 31 days ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one indication channel to a similar parameter on other channels. It is based on the assumption that indication channels monitoring the same parameter should read approximately the same value. Significant deviations between the two indication channels could be an indication of excessive instrument drift in one of the channels or of something more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a qualitative assessment of the indication channel that considers indication channel uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

If the channels are within the criteria, it is an indication that the channels are OPERABLE. If the channels are normally off-scale during times when surveillance testing is required, the CHANNEL CHECK will only verify that they are off-scale in the same direction. Off-scale low current loop channels are verified to be reading at the bottom of the range and not failed down-scale.

The Frequency of 31 days is based upon plant operating experience with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one indication channel of a given Function in any 31 day interval is a rare event. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel during normal operational use of the displays associated with this LCO's required channels.

SR 3.3.10.2 Deleted.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-15 Revision 32

PAM Instrumentation B 3.3.10 BASES SR 3.3.10.3 A CHANNEL CALIBRATION is performed every 24 months or approximately every refueling. CHANNEL CALIBRATION is a check of the indication channel including the sensor. The SR verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION of the CIV position indication channels will consist of verification that the position indication changes from not-closed to closed when the valve is exercised to the isolation position as required by Technical Specification 5.5.8, Inservice Testing Program. The position switch is the sensor for the CIV position indication channels. A Note allows exclusion of neutron detectors, CETs, and reactor vessel level (HJTC) from the CHANNEL CALIBRATION.

The Frequency is based upon operating experience and consistency with the typical industry refueling cycle and is justified by an 24 month calibration interval for the determination of the magnitude of equipment drift.

REFERENCES 1. Letter from Mr. R. E. Denton (BGE) to NRC Document Control Desk, dated June 6, 1995, License Amendment Request; Extension of Instrument Surveillance Intervals

2. Letter from Mr. J. A. Tiernan (BGE) to NRC Document Control Desk, dated August 9, 1988, "Regulatory Guide 1.97 Review Update"
3. Regulatory Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants To Assess Plant and Environs Conditions During and Following an Accident (Errata Published July 1981), December 1975
4. NUREG-0737, Supplement 1, Requirements for Emergency Response Capabilities (Generic Letter 82-33),

December 17, 1982

5. UFSAR, Chapter 7, "Instrumentation and Control" CALVERT CLIFFS - UNITS 1 & 2 B 3.3.10-16 Revision 32

Remote Shutdown Instrumentation B 3.3.11 B 3.3 INSTRUMENTATION B 3.3.11 Remote Shutdown Instrumentation BASES BACKGROUND The Remote Shutdown Instrumentation provides the control room operator with sufficient instrumentation to help place and maintain the unit in a safe shutdown condition from a location other than the Control Room. This capability is necessary to protect against the possibility that the Control Room becomes inaccessible. A safe shutdown condition is defined as MODE 3. With the unit in MODE 3, the AFW System and the steam generator safety valves or the steam generator atmospheric dump valves can be used to remove core decay heat and meet all safety requirements.

The long term supply of water for the AFW System and the ability to borate the RCS from outside the Control Room allow extended operation in MODE 3.

In the event that the Control Room becomes inaccessible, the operators can establish control outside the control room and monitor remote shutdown instrumentation at the remote shutdown panel and place and maintain the unit in MODE 3.

The unit automatically reaches MODE 3 following a unit shutdown and can be maintained safely in MODE 3 for an extended period of time.

The OPERABILITY of the Remote Shutdown Instrumentation Functions ensures that there is sufficient information available on selected plant parameters to place and maintain the plant in MODE 3, should the Control Room become inaccessible.

APPLICABLE The Remote Shutdown Instrumentation is required to provide SAFETY ANALYSES equipment at appropriate locations outside the Control Room to help operators promptly shut down and maintain the plant in a safe condition in MODE 3.

Remote Shutdown Instrumentation assists in meeting the requirements of Reference 1.

The Remote Shutdown Instrumentation does not meet any of the criteria in 10 CFR 50.36(c)(2)(ii) but has been retained at the request of the NRC.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.11-1 Revision 2

Remote Shutdown Instrumentation B 3.3.11 BASES LCO The Remote Shutdown Instrumentation LCO provides the requirements for the OPERABILITY of the instrumentation necessary to help place and maintain the unit in MODE 3 from a location other than the Control Room.

The instrumentation typically required are listed in Table 3.3.11-1 in the accompanying LCO.

The instrumentation are those required for:

  • Core Reactivity Monitoring (initial and long term);
  • RCS Pressure Monitoring;
  • RCS Inventory Monitoring.

A Function of a Remote Shutdown Instrumentation is OPERABLE if all indication channels needed to support the remote shutdown Functions are OPERABLE. In some cases, Table 3.3.11-1 may indicate that the required information capability is available from several alternate sources. In these cases, the Function is OPERABLE as long as one channel of any of the alternate information sources for each Function is OPERABLE.

An indication channel consists of field transmitters or process sensors and associated instrumentation, providing a measurable electronic signal based upon the physical characteristics of the parameter being measured, plus a display of the measured parameter.

The Remote Shutdown Instrumentation circuits covered by this LCO do not need to be energized to be considered OPERABLE.

This LCO is intended to ensure that the instrument circuits will be OPERABLE if plant conditions require that the Remote Shutdown Instrumentation be placed in operation.

APPLICABILITY The Remote Shutdown Instrumentation LCO is applicable in MODEs 1, 2, and 3. This is required so that the unit can be placed and maintained in MODE 3 for an extended period of time from a location other than the Control Room.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.11-2 Revision 2

Remote Shutdown Instrumentation B 3.3.11 BASES This LCO is not applicable in MODE 4, 5, or 6. In these MODEs, the unit is already subcritical and in the condition of reduced RCS energy. Under these conditions, considerable time is available to restore necessary instrument Functions if control room instruments become unavailable.

ACTIONS A Remote Shutdown Instrumentation Function is inoperable when the Function is not accomplished by at least one designated Remote Shutdown Instrumentation channel that satisfies the OPERABILITY criteria for each Function requirement, except Manual Reactor Shutdown Control, which requires two channels. These criteria are outlined in the LCO section of the Bases.

A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The conditions of this Specification may be entered independently for each Function listed in Table 3.3.11-1. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function, starting from the time the Condition was entered for that Function.

A.1 Condition A addresses the situation where one or more Functions of the Remote Shutdown System are inoperable.

This includes any Function listed in Table 3.3.11-1.

The Required Action is to restore the Functions to OPERABLE status within 30 days. The Completion Time is based on operating experience and the low probability of an event that would require evacuation of the Control Room.

B.1 and B.2 If the Required Action and associated Completion Time of Condition A are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required MODE from full power conditions in an orderly manner and without challenging plant systems.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.11-3 Revision 26

Remote Shutdown Instrumentation B 3.3.11 BASES SURVEILLANCE SR 3.3.11.1 REQUIREMENTS Performance of the CHANNEL CHECK once every 31 days ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one indication channel to a similar parameter on other channels. It is based on the assumption that indication channels monitoring the same parameter should read approximately the same value. Significant deviations between the indication channels could be an indication of excessive instrument drift in one of the channels or of something more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff, based on a qualitative assessment of the indication channel that considers indication channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. As specified in the SR, a CHANNEL CHECK is only required for those channels that are normally energized. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If the channels are normally off-scale during times when surveillance testing is required, the CHANNEL CHECK will only verify that they are off-scale in the same direction. Off-scale low current loop channels are verified to be reading at the bottom of the range and not failed down-scale.

The Frequency is based on plant operating experience that demonstrates indication channel failure is rare.

SR 3.3.11.2 CHANNEL CALIBRATION is a check of the indication channel including the sensor. The surveillance test verifies that the channel responds to the measured parameter within the necessary range and accuracy.

The 24-month Frequency is based upon the need to perform this SR under the conditions that apply during a plant outage, and the potential for an unplanned transient if the CALVERT CLIFFS - UNITS 1 & 2 B 3.3.11-4 Revision 26

Remote Shutdown Instrumentation B 3.3.11 BASES surveillance test were to be performed with the reactor at power.

The SR is modified by a Note, which excludes neutron detectors and reactor trip breaker indication from the CHANNEL CALIBRATION.

REFERENCES 1. Updated Final Safety Analysis Report, Appendix 1C, "AEC Proposed General Design Criteria for Nuclear Power Plants" CALVERT CLIFFS - UNITS 1 & 2 B 3.3.11-5 Revision 26

Wide Range Logarithmic Neutron Flux Monitor Channels B 3.3.12 B 3.3 INSTRUMENTATION B 3.3.12 Wide Range Logarithmic Neutron Flux Monitor Channels BASES BACKGROUND The wide range logarithmic neutron flux monitor channels provide neutron flux power indication from < 1E-7% RATED THERMAL POWER to > 100% RATED THERMAL POWER. They also provide reactor protection when the RTCBs are shut, in the form of a Rate of Change of Power-High trip.

This LCO addresses MODEs 3, 4, and 5 with the RTCBs open.

When the RTCBs are shut, the wide range logarithmic neutron flux monitor channels are addressed by LCO 3.3.2.

When the RTCBs are open, two of the four wide range logarithmic neutron flux monitor channels must be available to monitor neutron flux power. In this application, the RPS channels need not be OPERABLE since the reactor trip Function is not required. By monitoring neutron flux power when the RTCBs are open, loss of SHUTDOWN MARGIN (SDM) caused by boron dilution can be detected as an increase in flux. Alarms are also provided when power increases above the fixed bistable setpoints. Two channels must be OPERABLE to provide single failure protection and to facilitate detection of channel failure by providing CHANNEL CHECK capability.

APPLICABLE The wide range logarithmic neutron flux monitor channels SAFETY ANALYSES are necessary to monitor core reactivity changes. They are the primary means for detecting and triggering operator actions to respond to reactivity transients initiated from conditions in which the RPS is not required to be OPERABLE.

They also trigger operator actions to anticipate RPS actuation in the event of reactivity transients starting from shutdown or low power conditions.

The OPERABILITY of wide range logarithmic neutron flux monitor channels is not necessary to meet the assumptions of the safety analyses and provide for the mitigation of accident and transient conditions.

The wide range logarithmic neutron flux monitor channels satisfy 10 CFR 50.36(c)(2)(ii), Criterion 3.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.12-1 Revision 2

Wide Range Logarithmic Neutron Flux Monitor Channels B 3.3.12 BASES LCO The LCO on the wide range logarithmic neutron flux monitor channels ensures that adequate information is available to verify core reactivity conditions while shut down. A minimum of two wide range logarithmic neutron flux monitor channels are required to be OPERABLE.

APPLICABILITY In MODEs 3, 4, and 5, with RTCBs open or the CEDM System not capable of CEA withdrawal, wide range logarithmic neutron flux monitor channels must be OPERABLE to monitor core power for reactivity changes. In MODEs 1 and 2, and in MODEs 3, 4, and 5 with the RTCBs shut and the CEAs capable of withdrawal, the wide range logarithmic neutron flux monitor channels are addressed as part of the RPS in LCO 3.3.1.

The requirements for source range neutron flux monitoring in MODE 6 are addressed in LCO 3.9.2. The source range nuclear instrumentation channels provide neutron flux coverage the logarithmic channels use during refueling, when neutron flux may be extremely low. They are built into the wide range logarithmic neutron flux channels and PAM channels.

ACTIONS A.1 and A.2 With one required channel inoperable, it may not be possible to perform a CHANNEL CHECK to verify that the other required channel is OPERABLE. Therefore, with one or more required channels inoperable, the wide range logarithmic neutron flux monitoring Function cannot be reliably performed.

Consequently, the Required Actions are the same for one required channel inoperable or more than one required channel inoperable. The absence of reliable neutron flux indication makes it difficult to ensure SDM is maintained.

Required Action A.1 restricts the addition of positive reactivity (e.g., temperature or boron fluctuations associated with RCS inventory management or temperature control) to those that are accounted for in the calculated SDM.

SHUTDOWN MARGIN must be verified periodically to ensure that it is being maintained. Both required channels must be restored as soon as possible. The initial Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, and once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter, to perform SDM verification takes into consideration that Required Action A.1 eliminates many of the means by which SDM can be CALVERT CLIFFS - UNITS 1 & 2 B 3.3.12-2 Revision 19

Wide Range Logarithmic Neutron Flux Monitor Channels B 3.3.12 BASES reduced. These Completion Times are also based on operating experience in performing the Required Actions and the fact that plant conditions will change slowly.

SURVEILLANCE SR 3.3.12.1 REQUIREMENTS Surveillance Requirement 3.3.12.1 is the performance of a CHANNEL CHECK on each required channel every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based upon the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or of something more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff and should be based on a qualitative assessment of the indication channel that considers indication channel uncertainties, including control isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limits. If the channels are within the criteria, it is an indication that the channels are OPERABLE.

The Frequency, about once every shift, is based on operating experience that demonstrates the rarity of channel failure.

Since the probability of two random failures in redundant channels in any 12-hour period is extremely low, CHANNEL CHECK minimizes the chance of loss of indication due to failure of redundant channels. CHANNEL CHECK supplements less formal, but more frequent, checks of channel OPERABILITY during normal operational use of displays associated with the LCO required channels.

CALVERT CLIFFS - UNITS 1 & 2 B 3.3.12-3 Revision 2

Wide Range Logarithmic Neutron Flux Monitor Channels B 3.3.12 BASES SR 3.3.12.2 A CHANNEL FUNCTIONAL TEST is performed once within 7 days prior to each reactor startup. This SR ensures that the entire channel is capable of properly indicating neutron flux. Internal test circuitry is used to feed pre-adjusted test signals into the preamplifier to verify channel alignment. It is not necessary to test the detector, because generating a meaningful test signal is difficult; the detectors are of simple construction, and any failures in the detectors will be apparent as change in channel output. This Frequency is the same as that employed for the same channels in the other applicable MODEs.

SR 3.3.12.3 Surveillance Requirement 3.3.12.3 is the performance of a CHANNEL CALIBRATION. A CHANNEL CALIBRATION is performed every 24 months. The surveillance test is a complete check and readjustment of the wide range logarithmic neutron flux monitor channel from the preamplifier input through to the remote indicators. The surveillance test verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive surveillance tests. CHANNEL CALIBRATIONS must be performed consistent with the plant-specific setpoint analysis.

This SR is modified by a Note to indicate that it is not necessary to test the detector because generating a meaningful test signal is difficult; the detectors are of simple construction, and any failures in the detectors will be apparent as change in channel output. This Frequency is the same as that employed for the same channels in the other applicable MODEs.

REFERENCES None CALVERT CLIFFS - UNITS 1 & 2 B 3.3.12-4 Revision 2